Page 34 - Cyber Defense eMagazine August 2024
Applicability Thresholds
How can a company determine whether it falls within the scope of a particular state consumer privacy
law? Typically, state privacy laws specify a minimum number of consumers for which personal data is
processed, or a smaller minimum number of consumers if the business derives a specific percentage of
revenue from selling personal data. These are the primary thresholds that trigger the applicability of a
state privacy law, although some, like the California Consumer Privacy Act and the Utah Consumer
Privacy Act, incorporate revenue directly into the applicability analysis.
Consistent with the majority of state privacy laws, the Oregon Consumer Privacy Act includes a data
processing volume threshold, applying to any entity that conducts business in Oregon or provides
products or services to Oregon residents, and that, during a calendar year, controls or processes (1) the
personal data of 100,000 or more consumers (other than personal data controlled or processed solely
for the purpose of completing a payment transaction); or (2) the personal data of 25,000 or more
consumers while deriving 25 percent or more of annual gross revenue from selling personal data.
In contrast, the bulk of the obligations under the Florida Digital Bill of Rights (FDBR) apply to entities that, among
other things, make more than $1 billion in global gross annual revenue and that satisfy at least one of the
following: (1) derive 50 percent or more of global gross annual revenue from the sale of advertisements
online (including providing targeted advertising); (2) operate a consumer smart speaker and voice
command component service with an integrated virtual assistant connected to a cloud computing service
that uses hands-free verbal activation; or (3) operate an app store or a digital distribution platform that
offers at least 250,000 different software applications for consumers to download and install. In other
words, FDBR applicability does not depend on exceeding a threshold number of consumers whose data is
processed. Instead, FDBR applicability is narrowly confined to a specific set of very large businesses
based on revenue and certain business activities.
The Texas Data Privacy and Security Act (TDPSA) takes yet another approach to applicability. The TDPSA
generally applies to entities that (1) conduct business in Texas, or produce products or services used by
Texas residents; (2) process or engage in the sale of personal data; and (3) are not small businesses as
defined by the U.S. Small Business Administration. There are no revenue thresholds or minimum
numbers of individuals here. Instead, applicability depends on the size of a business relative to its
specific industry, as defined by the Small Business Administration.
Entity-Type Exemptions
All state data privacy laws contain an assortment of entity or data-specific exemptions, although the laws
vary significantly in this area as well. Some exempt certain types of entities (for example, financial
institutions subject to the Gramm-Leach-Bliley Act (GLBA) or health care entities subject to the Health
Insurance Portability and Accountability Act (HIPAA)). Others exempt certain categories of data (for
example, data subject to Title V of the GLBA, or protected health information subject to HIPAA).
Therefore, it is important to confirm whether the exemption applies to the entity as a whole or to a specific
type of data. For example, the Texas law does not apply to financial institutions or data subject to the
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.