Page 266 - Cyber Defense eMagazine Annual RSA Edition for 2024
P. 266
The key difference in Oregon’s law is that consumers have the right to obtain a list identifying all third
parties with which their personal data was shared, rather than just general categories of third parties.
July 1: Florida’s Digital Bill of Rights
Florida’s Digital Bill of Rights will join the privacy law patchwork but with more narrow application.
This law is aimed at big tech — the law will apply to companies with at least $1 billion in gross revenue.
Those companies which satisfy this first requirement must also then meet one of another set of criteria
in order to be covered by the law, including deriving 50% or more of their global gross revenue from the
sale of online advertisements. Under the law, companies are prohibited from selling sensitive data unless
the consumer opts-in. Sensitive data includes personal data like race, ethnicity, religious beliefs, a mental
health diagnosis, and immigration status, among others.
Consumers are afforded certain rights under the bill, including the ability to limit targeted advertising and
collection of data that is considered sensitive.
October 1: Montana’s Consumer Data Privacy Act
Montana’s Consumer Data Privacy Act will apply to companies that conduct business in the state or
target Montana consumers. There are other criteria those companies have to meet such as processing
the personal data of at least 50,000 residents or processing personal data of no less than 25,000
residents while getting no less than 25% of gross revenue from the sale of personal data.
The law considers both consumer rights and transactions between companies and their service
providers. Similar to many other state privacy laws, the law includes opt-out provisions for consumers
regarding certain uses of their personal information, a consumer right to know, correct, delete, and obtain
a copy of the personal information held by a company, and a required processing agreement between
controllers and service providers that regulates the processing of personal data.
What Else is Coming Up on the Calendar?
In addition to the above state laws going into effect or beginning enforcement, there is also a wide range
of privacy-related state and federal agency deadlines occurring this year.
May 13, 2024 — Financial institutions under the federal Gramm-Leach-Bliley Act must begin reporting
data breaches within 30 days if the unencrypted personal information of 500 or more consumers was
acquired without their authorization.
June 15, 2024 — Smaller reporting companies, as defined by the Securities and Exchange Commission,
must begin disclosing certain cybersecurity incidents.
266