By: Mark Sanborn
Senior Product and Regulatory Counsel
On July 1, 2024, two new state consumer data privacy laws will become effective in Oregon and Texas. These states will join 16 others that already have active data privacy laws or laws with a pending effective date, bringing the total to 18 states with comprehensive consumer data privacy legislation. (Florida is not included in this count due to the limited scope of its law.) Several other states also have data privacy laws under consideration, which may further increase the number of states with such legislation in the near future. While there is pending legislation at the federal level, the likelihood of its passage and potential preemption of state laws remains uncertain at this point.
Oregon
The Oregon Consumer Privacy Act (OCPA) applies to businesses operating in Oregon or serving Oregon residents that annually control or process the personal data of at least 100,000 Oregonians (excluding payment transaction data). It also applies to those controlling or processing data of 25,000 or more consumers while deriving at least 25% of their yearly gross revenue from selling personal data.
The OCPA grants Oregon residents a variety of rights over their personal and sensitive data, including the unique right to request the specific third parties to which a controller has disclosed their personal data, going beyond other state privacy laws that only require disclosure of third-party categories. Like California, Colorado, Connecticut, Montana, and Texas, Oregon will require recognition of universal opt outs (e.g., GPC).
Another unique element to the Oregon law is that its definition of “sensitive data” includes transgender or non-binary status and crime victim status; currently, no other state has these categories of sensitive data. Businesses will also need to disclose specific information in their privacy policies, including the categories of personal data, including sensitive data that they “process.”
Texas
The Texas Data Privacy and Security Act (TDPSA) applies to persons that conduct business in Texas or produce products or services consumed by Texas residents; process or engage in the sale of personal data; and are not “small businesses” as defined by the SBA.
The TDPSA mandates controllers selling sensitive or biometric personal data to display specific notices alongside their privacy notice and requires consent before processing a consumer’s “sensitive” data. As noted above, like Oregon and several other states, Texas will require recognition of universal opt-outs (e.g., GPC).
Neither Oregon nor Texas apply to information obtained in an employment or commercial (B2B) context. Both states use the broader definition of the “sale” of personal information to include the exchange of personal information with a third party for monetary or other valuable consideration. Neither state law has a private right of action.
Stay tuned for more details about these laws, and for those of you in Oregon or Texas, reach out to your Customer Success Manager to learn more about the state-specific tools ComplyAuto has for you to comply with these laws and related regulations and obligations.
Need Help?
Please contact us for more information at info@complyauto.com.