The key difference in Oregon’s law is that consumers have the right to obtain a list identifying all third
            parties with which their personal data was shared, rather than just general categories of third parties.



            July 1: Florida’s Digital Bill of Rights

            Florida’s Digital Bill of Rights will join the privacy law patchwork but with more narrow application.

            This law is aimed at big tech — the law will apply to companies with at least $1 billion in gross revenue.
            Those companies which satisfy this first requirement must also then meet one of another set of criteria
            in order to be covered by the law, including deriving 50% or more of their global gross revenue from the
            sale of online advertisements. Under the law, companies are prohibited from selling sensitive data unless
            the consumer opts-in. Sensitive data includes personal data like race, ethnicity, religious beliefs, a mental
            health diagnosis, and immigration status, among others.

            Consumers are afforded certain rights under the bill, including the ability to limit targeted advertising and
            collection of data that is considered sensitive.



            October 1: Montana’s Consumer Data Privacy Act

            Montana’s Consumer Data Privacy Act will apply to companies that conduct business in the state or
            target Montana consumers. There are other criteria those companies have to meet such as processing
            the  personal  data  of  at  least  50,000  residents  or  processing  personal  data  of  no  less  than  25,000
            residents while getting no less than 25% of gross revenue from the sale of personal data.

            The  law  considers  both  consumer  rights  and  transactions  between  companies  and  their  service
            providers. Similar to many other state privacy laws, the law includes opt-out provisions for consumers
            regarding certain uses of their personal information, a consumer right to know, correct, delete, and obtain
            a copy of the personal information held by a company, and a required processing agreement between
            controllers and service providers that regulates the processing of personal data.



            What Else is Coming Up on the Calendar?

            In addition to the above state laws going into effect or beginning enforcement, there is also a wide range
            of privacy-related state and federal agency deadlines occurring this year.

            May 13, 2024 — Financial institutions under the federal Gramm-Leach-Bliley Act must begin reporting
            data breaches within 30 days if the unencrypted personal information of 500 or more consumers was
            acquired without their authorization.

            June 15, 2024 — Smaller reporting companies, as defined by the Securities and Exchange Commission,
            must begin disclosing certain cybersecurity incidents.








                                                                                                            266