Written by Haim Ravia and Dotan Hammer
Earlier this month, the governor of Texas signed the Texas Data Privacy and Security Act (“TDPSA”) into law. Meanwhile, the Oregon legislature passed the Oregon Consumer Privacy Act (“OCPA”), sending it to the Governor of Oregon for signature. These two laws mark Texas and Oregon as the tenth and eleventh states in the U.S. to enact data protection legislation, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Montana, and Tennessee.
The TDPSA, set to take effect on July 1, 2024, applies to any company that provides a product or service to Texas residents and processes their personal information. Companies classified as “small businesses” according to the Small Business Administration are exempt from most provisions of the law, except for those related to the sale of personal information. The definition of “small business” according to the Small Business Administration is complicated and varies based on the industry sector to which the business belongs.
The OCPA in Oregon, also set to take effect on July 1, 2024, applies to businesses that process the personal data of 100,000 or more Oregon residents. It also applies to businesses that process the personal data of 25,000 or more Oregon residents while deriving at least 25% of their gross revenue from the sale of personal information.
The TDPSA and OCPA each grant several rights to individuals whose data is processed, including the right to delete or correct information, the right to receive a copy of their information held by the business, and the right to receive their information in a digital format. Individuals also have the right to opt out of the sale of their information, and its use for targeted online advertising or for making automated decisions that have a significant impact.
Both the TDPSA and the OCPA also mandate that companies minimize the personal information they process and ensure they collected and used the information only for specified and legitimate purposes. Companies handling sensitive personal information, such as medical or biometric data, must obtain the individual’s consent. Privacy impact assessments are required for sensitive information processing activities, such as the sale of personal information. Additionally, companies are required to publish privacy policies, and when they engage another entity for information processing, they must sign a data processing agreement.
Businesses subject to the OCPA must honor “opt-out” signals that indicate the consumer’s desire not to have their data sold or used for online targeted advertising, similar to the laws in California, Colorado, and Connecticut.
Also this month, the Connecticut legislature approved an amendment to the forthcoming Act Concerning Personal Data Privacy and Online Monitoring. Once signed into law by the Governor of Connecticut, the amendment will apply to the Connecticut data protection law, which is set to take effect this July 1, 2023. The amendment prohibits any sale of health information of a person absent that person’s explicit consent. It also bans the use of a virtual geofence around mental health facilities or reproductive or sexual health facilities to process data or send notifications to a person regarding their health data. In addition, other parts of the amendment govern children’s online data and are due to take effect on October 1, 2024. Among others, businesses will be restricted from processing children’s data for targeted ads or the sale of the data without their consent. Businesses will also be restricted from collecting a child’s precise geolocation without their consent.
The Governor of Nevada signed into law an act governing a “regulated entity” that conducts business in Nevada or targets consumers in Nevada. Under the new act, businesses may collect consumer health data only under the consumer’s prior consent, or, in the absence of consent, only as necessary to provide a product or service that the consumer requested from the business. Onward sharing of the consumer’s health information is permitted only with the consumer’s opt-in consent which must be separate from the initial consent to collect the health information, or as necessary to provide a product or service that the consumer requested from the business.
The new act in Nevada is set to take effect on March 31, 2024. It also restricts businesses from processing consumer health data only as described in the business’s privacy policies. Processing that goes beyond the descriptions in the privacy policy is prohibited unless the business obtains the consumer’s opt-in consent.
Click here to read Texas Data Privacy and Security Act.
Click here to read the Oregon Consumer Privacy Act.
Click here to read the amendments to the Connecticut Act Concerning Personal Data Privacy and Online Monitoring.
Click here to read the Nevada Act regarding consumer health data.
