From Sea to Shining Sea: State Legislatures in Oregon, Texas, and Delaware Pass Comprehensive Data Privacy Laws
Introduction
On June 18, 2023, Texas became the tenth U.S. state to enact a comprehensive data privacy law. A month later, on July 18, 2023, Oregon’s governor signed into law the Oregon Consumer Privacy Act. And last month, the Delaware legislature followed suit by passing its own comprehensive data privacy law. Although the Delaware bill still awaits the governor’s signature, it is expected to become the twelfth state comprehensive data privacy law.
In addition to Delaware, there are currently four states (Massachusetts, North Carolina, Pennsylvania, and New Jersey) that have comprehensive data privacy bills pending passage in their respective legislatures. This new wave in privacy legislation across the U.S. is increasing privacy obligations and risks for entities doing business in the U.S. In this blog post, we provide a high-level overview of various key aspects of the Texas, Oregon, and Delaware state comprehensive data privacy laws, including information regarding effective dates, applicability, exemptions, consumer rights, key obligations, and enforcement. We also provide brief coverage regarding other privacy legislation developments. It is important to note that each of these three laws defines “personal data” in a broad manner to include any information that is linked, or reasonably linkable to, an identified or identifiable individual (although deidentified data and publicly available information are not considered personal data).
Texas Data Privacy and Security Act (TDPSA)
- Effective Dates. The majority of the TDPSA goes into effect on July 1, 2024, with section 541.055(e) relating to authorized agents coming into effect on January 1, 2025.
- Applicability. The TDPSA applies to entities that (1) conduct business in Texas or produce a product or service consumed by residents of Texas; (2) process or engage in the sale of personal data; and (3) are not a small business as defined by the United States Small Business Administration, except that small businesses who satisfy prongs (1) and (2) above must obtain consumer consent prior to selling sensitive data.
- Entity and Data Level Exemptions. The TDPSA contains several entity-level exemptions. The law does not apply to certain types of entities including, but not limited to, financial institutions subject to the GLBA, entities governed by HIPAA, and non-profit organizations. The law contains many data-level exemptions as well, including, but not limited to, protected health information under HIPAA, nonpublic personal information subject to the GLBA, and personally identifiable information in education records regulated by FERPA.
- Consumer Rights. The TDPSA gives consumers rights to know, correct, delete, opt-out of certain processes (e.g., targeted advertising, sale of personal data, and certain types of profiling), and obtain a portable copy of personal data if such data is available in a digital format (right to data portability).
- Key Obligations. Some key obligations listed under the law are: (1) entities are obligated to comply with consumer data rights requests within 45 days after the receipt of the request; (2) entities are obligated to provide a clear privacy notice with the disclosures required under the law (including an explicit notice that the entity may sell the consumer’s sensitive personal data, if the entity does in fact sell such data); and (3) entities are obligated to implement reasonable security practices to protect personal data and must limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Enforcement. The TDPSA does not provide for a private right of action. The Texas Attorney General has exclusive authority to enforce the law and may seek injunctive relief and civil penalties of up to $7,500 for each violation. The TDPSA does afford organizations a mandatory 30-day cure period that does not sunset.
Oregon Consumer Privacy Act (OCPA)
- Effective Dates. The OCPA will take effect on July 1, 2024, for for-profit entities. For non-exempt non-profit organizations, the law will not become effective until July 1, 2025.
- Applicability. The OCPA applies to entities that conduct business in Oregon, or that provide products or services to residents of Oregon, and that during a calendar year control or process: (a) the personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or (b) the personal data of 25,000 or more consumers, while deriving 25% or more of the entity’s annual gross revenue from selling personal data. A consumer is “a natural person who resides in this state and acts in any capacity other than in a commercial or employment context.”
- Entity and Data Level Exemptions. Unlike other state comprehensive data privacy laws, the OCPA contains very few entity-level exemptions. For example, the OCPA does not broadly exempt non-profit organizations, financial institutions subject to the GLBA, or entities governed by HIPAA. Of note, the OCPA does exempt financial institutions as defined by Oregon banking law. The OCPA also contains many data-level exemptions, including, but not limited to, protected health information under HIPAA, nonpublic personal information subject to the GLBA, and personally identifiable information in education records regulated by FERPA.
- Consumer Rights. The OCPA affords consumers rights to know, correct, delete, opt out of certain processing (e.g., targeted advertising, sale of personal data, and certain types of profiling), and obtain a portable copy of personal data (right to data portability). However, Oregon is unique among U.S. state comprehensive data privacy laws in that consumers also have the right to request a list of “specific third parties, other than natural persons,” to which the controller has disclosed the consumer’s personal data. Delaware has a similar provision in its proposed bill; however, the Delaware bill only allows a consumer to request “a list of categories of third parties to which the controller has disclosed the consumer’s personal data.”
- Key Obligations. Some key obligations listed under the law are: (1) entities are obligated to comply with consumer data rights requests within 45 days after the receipt of the request; (2) entities are obligated to provide a clear privacy notice with required disclosures under the law; and (3) entities are obligated to implement reasonable security practices to protect personal data and shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Enforcement. The OCPA does not provide for a private right of action. The Oregon Attorney General has exclusive authority to enforce the law and may seek injunctive relief and civil penalties of up to $7,500 for each violation. The OCPA affords organizations a mandatory 30-day cure period, which will sunset on January 1, 2026.
Delaware Personal Data Privacy Act (DPDPA)
- Effective Dates. Assuming the DPDPA becomes law, it will take effect on January 1, 2025.
- Applicability. The DPDPA applies to entities that conduct business in Delaware or any entity that produces products or services that are targeted to residents of Delaware and that during the preceding calendar year did any of the following: (1) controlled or processed the personal data of not less than 35,000 consumers (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. A consumer is “an individual who is a resident of [Delaware],” but the definition “does not include an individual acting in a commercial or employment context.”
- Entity and Data Level Exemptions. The DPDPA contains various entity level exemptions, including but not limited to, any government body of the state (with the unique exception that the law does apply to institutions of higher education) and financial institutions, or their affiliates, subject to the GLBA. However, like the OCPA, there is no broad exemption for non-profit organizations or HIPAA regulated entities. The law does contain several data-level exemptions, including but not limited to, protected health information under HIPAA, data subject to the GLBA, and data regulated by FERPA.
- Consumer Rights. The DPDPA gives consumers rights to know, correct, delete, opt-out of certain processes (e.g., targeted advertising, sale of personal data, and certain types of profiling), and obtain a portable copy of personal data (right to data portability). The DPDPA also allows consumers to request a list of categories of third parties to whom the controller has disclosed the consumer’s personal data.
- Key Obligations. Some key obligations listed under the DPDPA are: (1) entities are obligated to comply with consumer data rights requests within 45 days after the receipt of the request; (2) entities are obligated to provide a clear privacy notice with required disclosures under the law and (3) entities are obligated to implement reasonable security practices to protect personal data and shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Enforcement. The DPDPA does not provide a private right of action. The Delaware Department of Justice has exclusive authority to enforce the law, and any willful violation is considered an unlawful practice subject to a maximum $10,000 fine per violation. The DPDPA affords organizations a mandatory 60-day cure period that sunsets on December 31, 2025.
Other Developments
Each of these laws adds to the privacy compliance obligations for the entities to which the laws apply. For more information on actions your organization can take to meet its obligations under comprehensive state privacy laws, please read our blog post on the topic, available here.
Although this blog post is intended to address recent comprehensive state data privacy law developments, we note that other noteworthy data privacy laws have been passed or enacted in recent months. For example, on June 6, 2023, Florida enacted the Florida Digital Bill of Rights, which is similar to other state comprehensive data privacy laws in the rights it affords and restrictions it imposes. However, except for entities that sell consumers’ sensitive personal data, the Florida law only applies to a limited number of entities. On June 16, 2023, the Nevada governor signed a new health data law, Senate Bill 370, that is modeled after Washington’s My Health My Data Act. The Nevada law seeks to protect the health data of residents in the state. Each of these laws is narrower in scope than those discussed above, but important, nonetheless.
Written by Maddie Level, Associate Attorney