New Data Privacy Laws in Florida, Oregon, and Texas: Compliance Requirements and Implications

Kaamel Lab

Summary of Regulations

On July 1, the Florida Digital Bill of Rights (FDBR), Oregon Consumer Privacy Act (OCPA), and Texas Data Privacy and Security Act (TDPSA) came into effect.
FDBR primarily applies to large enterprises with annual revenue exceeding $1 billion, especially those engaged in digital advertising or operating large online platforms. FDBR emphasizes the handling of biometric data, requiring clear notifications for the sale of sensitive and biometric data, and offering opt-out rights for data collected through voice and facial recognition technologies for personalized advertising. The implementation of FDBR sets a higher standard for consumer data privacy protection, requiring companies to prepare for compliance by updating privacy policies, signing compliance contracts with third parties, conducting employee training, and performing privacy impact assessments.
OCPA applies to businesses with annual revenue exceeding $25 million or those processing data for more than 100,000 consumers. OCPA requires clear opt-in consent before processing children's data and sensitive data. In addition to obtaining explicit consent when processing data for minors aged 13 to 15, businesses must comply with the Children’s Online Privacy Protection Act (COPPA) for data related to children under 13. The law also expands the definition of sensitive data to include "transgender or non-binary" identity and "crime victim" status, as well as biometric, genetic, and location data, requiring businesses to conduct a data protection impact assessment (DPIA) before processing such data.
TDPSA applies to entities conducting business in Texas or offering products or services to Texas residents, excluding small businesses as defined by the U.S. Small Business Administration or entities exempt under the act. The act requires businesses to implement data security measures when processing personal data and to sign data processing agreements. For high-risk data processing activities, a data protection impact assessment is necessary. Additionally, TDPSA emphasizes additional disclosure obligations for sensitive data and biometric data and requires businesses to provide clear opt-out mechanisms for the sale of personal data or targeted advertising.

Comparison of Regulations

The table below compares the three new laws with the California CCPA. Each row is one topic; each entry is labeled with the regulation it describes.

Effective Date
California CCPA: January 1, 2020
Florida FDBR: July 1, 2024
Oregon OCPA: July 1, 2024
Texas TDPSA: July 1, 2024

Scope
California CCPA: Applies to businesses that meet any of the following criteria: (1) Annual revenue exceeding $25 million in the previous calendar year; (2) Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents for business purposes; (3) Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information. The law also applies to businesses that control or are controlled by such businesses and share a common brand and consumer information with them.
Florida FDBR: Applies to entities doing business in Florida or whose products or services are used by Florida residents, and that process or participate in the sale of personal data. The law does not apply to: 1. State agencies or political subdivisions of the state. 2. Financial institutions regulated under Title V of the Gramm-Leach-Bliley Act. 3. Entities or business associates regulated under HIPAA. 4. Nonprofit organizations. 5. Public institutions of higher education.
Oregon OCPA: Applies to entities doing business in Oregon or providing products or services to Oregon residents, with annual revenue exceeding $25 million; or processing data for more than 100,000 consumers, with 25% or more of annual revenue derived from selling personal data.
Texas TDPSA: Applies to entities conducting business in Texas or offering products or services to Texas residents, excluding small businesses as defined by the U.S. Small Business Administration or entities exempt under the act.

Definition of Personal Information
California CCPA: "Personal information" means information that identifies, relates to, describes, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Florida FDBR: "Personal information" means any information linked or reasonably linkable to an identified or identifiable individual, including sensitive data. Pseudonymous data is included when it is used in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The definition excludes de-identified data or publicly available information.
Oregon OCPA: "Personal data" refers to data derived from or associated with a consumer or a device belonging to a consumer or household. It excludes: de-identified data or data legally obtained through federal, state, or local government records or widely disseminated media; and data that the controller has a reasonable basis to believe the consumer has lawfully made public.
Texas TDPSA: "Personal data" includes any information that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data when used with additional information that reasonably links the data to an identified or identifiable individual. It excludes de-identified data or publicly available information.

Sensitive Personal Information
California CCPA: Sensitive personal information includes information related to the following: (1) A consumer’s social security number, driver’s license number, state identification card number, or passport number; (2) A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (3) A consumer’s precise geolocation; (4) A consumer’s racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership; (5) The content of a consumer’s mail, email, and text messages unless the business is the intended recipient; (6) A consumer’s genetic data; (7) Biometric information processed for the purpose of uniquely identifying a consumer; (8) Personal information collected and analyzed concerning a consumer’s health; and (9) Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. Publicly available sensitive personal information is not considered sensitive personal information or personal information.
Florida FDBR: "Sensitive data" is a category of personal data that includes but is not limited to: 1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status. 2. Genetic or biometric data processed to uniquely identify an individual. 3. Personal data collected from a known child. 4. Precise geolocation data.
Oregon OCPA: "Sensitive data" includes the following categories of personal data: 1. Data revealing specific identity characteristics: including data revealing a consumer’s racial or ethnic background, nationality, religious beliefs, mental or physical condition or diagnosis, sexual orientation, transgender or non-binary gender identity, crime victim status, citizenship, or immigration status. 2. Personal data of children: Data related to children, though the law does not specifically define the age range for children. 3. Precise location data: Data that can accurately identify the current or past location of a consumer, typically within a radius of 1,750 feet, or the location of a device associated with the consumer, using technologies such as GPS. 4. Genetic or biometric data: Includes genetic data and biometric data that can be used to identify a consumer. It excludes communication content or any data associated with advanced utility metering infrastructure systems or devices.
Texas TDPSA: "Sensitive data" is a category of personal data that includes: 1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status. 2. Genetic or biometric data processed for the purpose of uniquely identifying an individual. 3. Personal data collected from a known child. 4. Precise geolocation data.

Requirements for Providing Privacy Policy/Disclosures/Transparency
California CCPA: Businesses must clearly inform consumers in their privacy policies about how their personal information is collected, used, and sold, as well as inform them of their rights.
Florida FDBR: Data controllers must provide consumers with a reasonably accessible and clear privacy notice, updated at least annually. The privacy notice must include the following information: 1. Categories of personal data processed, including sensitive data (if applicable). 2. The purpose of processing personal data. 3. How consumers can exercise their rights, including the appeals process if the controller refuses to act. 4. If applicable, categories of personal data shared with third parties. 5. If applicable, categories of third parties with whom the controller shares personal data. 6. How to submit a request to exercise consumer rights through the prescribed methods.
Oregon OCPA: Privacy policies must be clear, easily understandable, and include the following content: 1. Categories of personal data processed, including sensitive data categories. 2. The purpose of processing personal data. 3. How consumers can exercise their rights, including how to appeal a controller’s denial of a request. 4. All categories of personal data shared with third parties, including sensitive data. 5. All categories of third parties with whom the controller shares personal data. 6. An email address or other online contact information for consumers to contact the controller. 7. Clear identification of the controller, including any business names registered with the Secretary of State and any assumed business names used by the controller in the state. 8. A clear and prominent description of any personal data processing by the controller for targeted advertising or decision-making that results in legal effects or similarly significant impacts, as well as the procedures for consumers to opt out of such processing. 9. A description of how consumers can submit requests under Section 4 of this Act.
Texas TDPSA: Data controllers must provide consumers with an easily accessible and clear privacy policy that includes the categories of personal data processed, the purpose of processing personal data, how consumers can exercise their rights, the categories of personal data shared with third parties, the categories of third parties with whom personal data is shared, and the methods consumers can use to submit requests to exercise their rights.

Marketing Opt-In/Opt-Out Requirements
California CCPA: Consumers have the right to instruct entities selling their personal information to third parties not to engage in such sales at any time. Entities must also notify consumers of this right and inform them that they have the right to opt out of the sale of their personal information.
Florida FDBR: Consumers have the right to opt out of certain processing activities, including: 1. Targeted advertising. 2. Sale of personal data. 3. Profiling in decisions that may have legal or similarly significant impacts on consumers.
Oregon OCPA: For sensitive data processing, including targeted advertising, profiling for decisions that result in legal effects or similarly significant impacts, and selling consumers’ personal data, controllers must obtain explicit consent if the consumer is aged 13 to 15. Consumers have the right to opt out of the following processing activities: 1. Targeted advertising; 2. Sale of personal data; 3. Profiling, if such profiling may result in unfair or deceptive practices or decisions that result in legal effects or similarly significant impacts on consumers.
Texas TDPSA: Opt-out rights: Consumers have the right to opt out of their personal data being used for targeted advertising, data sales, or analysis that results in legal effects or other similarly significant impacts.

Consent Management/User Consent Requirements
California CCPA: Any freely given, specific, informed, and unambiguous indication of the consumer’s wishes…such as a statement or clear affirmative action signifying agreement to the processing of personal information for specific, limited purposes. The following do not constitute consent: 1. General behavior by the consumer, such as agreeing to broad terms of use that describe the processing of personal information alongside unrelated information; 2. “Hovering, muting, pausing, or closing” certain content, or using so-called “dark patterns” to manipulate or mislead consumers into providing consent.
Florida FDBR: User consent refers to freely given, specific, informed, and unambiguous consent for processing personal data related to the user. Consent can be expressed through a written statement, electronic means, or other clear affirmative actions. The following do not constitute user consent: 1. Acceptance of general or broad terms of use or other documents containing descriptions of personal data processing. 2. Muting, pausing, or closing specific content. 3. Consent obtained through the use of “dark patterns.” Consent for sensitive data: Controllers must obtain user consent before processing sensitive data. For sensitive data of known children, explicit authorization must be obtained from the child. Consent for processing children's data: Controllers must obtain appropriate parental consent or the child’s authorization for known children’s personal data according to the child’s age and COPPA requirements.
Oregon OCPA: User consent must be an explicit act, meaning that the user expresses consent to others’ actions in a clear and prominent manner. User interfaces designed to obtain consent must not include any mechanisms intended to, or resulting in, obtaining consent by obscuring, undermining, or harming user autonomy, decision-making, or choice. A user’s inaction (e.g., failure to opt out) does not constitute consent. Controllers must obtain user consent before processing sensitive data. If the controller knows the user is a child, it must handle sensitive data according to COPPA requirements. Users have the right to withdraw their consent to the controller’s processing of personal data at any time. Once consent is withdrawn, the controller must cease processing personal data as soon as practically possible but no later than 15 days after receiving the withdrawal notice.
Texas TDPSA: Consent is freely given, specific, informed, and unambiguous, signified by a clear affirmative action to process personal data related to the consumer. This includes written or electronic declarations or other clear affirmative actions. It does not include: 1. Acceptance of general or broad terms of use. 2. Consent obtained through the use of “dark patterns.”

DSR Scope
California CCPA: Right to know, right to choose, right to access, right to delete (right to be forgotten), right to non-discrimination.
Florida FDBR: Consumers have the right to: 1. Confirm and access their personal information. 2. Correct inaccuracies in personal information. 3. Delete their personal information. 4. Obtain a copy of personal information. 5. Opt out of targeted advertising, personal information sales, or profiling in decisions that may have legal or similarly significant impacts. 6. Opt out of the collection and processing of sensitive data. 7. Opt out of the collection of personal data via voice or facial recognition features. 8. Request that devices stop monitoring when not in use.
Oregon OCPA: 1. Right to confirm and access: Consumers have the right to confirm whether their personal data is being processed and obtain a copy of that data. 2. Right to correction: Consumers have the right to request correction of inaccuracies in their personal data. 3. Right to deletion: Consumers have the right to request the deletion of their personal data. 4. Right to opt out: Consumers have the right to opt out of the processing of their personal data, including for targeted advertising, data sales, or analysis for decisions that have legal or similarly significant impacts.
Texas TDPSA: Consumers have the right to know whether a business is processing their personal data, to access, correct, and delete this data, and to request a copy of the data. Consumers can also opt out of certain processing activities, such as targeted advertising, data sales, or analysis that may result in significant legal or similar effects.

Definition of Child’s Age
California CCPA: Individuals under 16 years old
Florida FDBR: Consumers under the age of 18
Oregon OCPA: Individuals under the age of 13
Texas TDPSA: Individuals under the age of 13

Special Provisions for Processing Children’s Data
California CCPA: For children under 13, businesses cannot sell or share their personal information unless explicitly authorized by their parents or guardians. For consumers aged 13 to 16, parental or guardian consent is required before selling or sharing their personal information.
Florida FDBR: Controllers must obtain explicit authorization for processing personal data of identified children, especially for children aged 13 to 18. For known children under 13, controllers must comply with COPPA requirements.
Oregon OCPA: Controllers must obtain appropriate consent before collecting, sharing, or selling children’s personal data. For children under 13, parental or guardian consent is required. Controllers must obtain parental or guardian consent before targeting advertising to children, performing analysis, or selling children’s data.
Texas TDPSA: For known children’s personal data, controllers must obtain parental or guardian consent before processing. Controllers must obtain parental or guardian consent before processing sensitive data of known children and must comply with COPPA requirements.

Risk Assessment Requirements
California CCPA: /
Florida FDBR: Controllers must conduct documented data protection impact assessments for processing activities involving personal data, particularly when these activities involve: 1. Targeted advertising. 2. Sale of personal data. 3. Profiling in decisions that may result in unfair or deceptive treatment, unlawful differential treatment, or financial, physical, or reputational harm to consumers. 4. Processing of sensitive data. 5. Any other processing activities that pose a high risk to consumers.
Oregon OCPA: Controllers must conduct data protection assessments for processing activities that may pose significant harm to consumers. These activities include but are not limited to: 1. Processing personal data for targeted advertising; 2. Processing sensitive data; 3. Selling personal data; 4. Using personal data for analysis, if such analysis presents the following risks: unfair or deceptive practices towards consumers; decisions that result in legal effects or similarly significant impacts on consumers; financial, physical, or reputational harm to consumers; invasion of consumers’ privacy if the invasion would be unacceptable to a reasonable person; or other significant harm to consumers.
Texas TDPSA: For processing activities, such as targeted advertising, data sales, and analysis, that may pose significant risks to consumers, businesses must conduct assessments.

Penalties for Violations
California CCPA: Businesses that violate the CCPA and fail to correct the violation and remedy the damage within 30 days of notification from the California Attorney General may face injunctive relief or lawsuits seeking civil penalties. Each violation is subject to a fine of at least $2,500. Intentional violations may incur fines of up to $7,500 per violation. Consumers can also sue businesses for personal information breaches, with potential civil penalties of up to $750 per person or actual damages, whichever is higher.
Florida FDBR: Unless otherwise specified, the FDBR does not create a private right of action, meaning consumers cannot directly sue for violations of the FDBR. The state attorney general may impose civil penalties of up to $50,000 for violations of the FDBR. For violations involving identified children, fines may triple if the controller willfully disregards the consumer's age. In some cases, the state attorney general may allow 45 days to correct violations after being notified. If the violation is corrected within 45 days and proof is provided, the state attorney general may not pursue the violation. This provision does not apply to violations involving identified children.
Oregon OCPA: The Attorney General may impose civil penalties of up to $7,500 per violation. The OCPA does not grant consumers the right to bring direct lawsuits. Before filing a lawsuit, the Attorney General must notify the controller of the violation and determine whether the controller can rectify the violation. If the controller fails to rectify the violation within 30 days of receiving notice, the Attorney General may file a lawsuit without further notice.
Texas TDPSA: Individuals or businesses that violate TDPSA may face civil penalties of up to $7,500 per violation. Before filing a lawsuit, the Attorney General must provide written notice to the alleged violator and allow 30 days to correct the violation. If the alleged violator fails to correct the violation within the 30-day correction period or violates the written correction statement provided to the Attorney General, the Attorney General may file a lawsuit. Consumers or other individuals cannot directly bring private lawsuits under this act.

Implications

In accordance with the requirements of the new laws, businesses operating in these states must promptly update their privacy policies, conduct privacy impact assessments, and implement appropriate security measures to ensure compliance and protect consumers' privacy rights. Additionally, businesses should train employees on privacy compliance to ensure they understand the new legal requirements and corporate responsibilities. Companies must also review data-sharing agreements with third-party partners, strengthen data security measures to prevent data breaches and misuse, and establish effective mechanisms for handling regulatory inquiries and consumer requests. Continuous monitoring of legal developments is essential to adjust compliance strategies in a timely manner.