New Comprehensive Privacy Laws Take Effect in Oregon and Texas on July 1, 2024
July 1, 2024, marked a pivotal moment in U.S. data privacy regulation as two new comprehensive state laws came into force: Oregon’s Consumer Privacy Act (OCPA) and Texas’s Data Privacy and Security Act (TDPSA). These laws join California, Colorado, Connecticut, Virginia, and Utah in further expanding the patchwork of privacy legislation across the nation.
Application Thresholds
The OCPA applies to businesses processing personal data of 100,000 or more Oregon consumers annually (except for data used exclusively to facilitate payments), or those handling data from 25,000 consumers while deriving 25% or more of their revenue from data sales.
The TDPSA applies to businesses operating in Texas or producing products and services for Texas residents which process or sell personal data and are not small businesses.
Privacy Rights
Both acts grant consumers several key privacy rights, including the right to access, correct, and delete their personal data, as well as the right to opt out of certain data processing activities. These provisions align with the growing trend of empowering individuals with greater control over their personal information.
Enforcement
Enforcement of both the OCPA and the TDPSA falls under the purview of the respective States’ Attorneys General, with potential civil penalties of up to $7,500 per violation. Neither of these acts provides for a private right of action.
Compliance Tips
For businesses, compliance with these new laws will require significant adjustments to data handling practices. Key obligations include updating privacy policies, implementing mechanisms for data subject access requests (DSARs), obtaining consent for processing sensitive data, establishing contracts with data processors, and implementing reasonable security measures.
Businesses are advised to take the following steps:
- Assess applicability based on data processing volumes and revenue thresholds.
- Review and update privacy policies and data processing practices.
- Implement or enhance mechanisms for handling consumer rights requests.
- Ensure proper consent mechanisms are in place for sensitive data processing.
- Review and update contracts with data processors.
- Conduct staff training on new requirements and procedures.
The implementation of the OCPA and TDPSA represents a continuation of the evolving privacy regulatory environment in the United States. Businesses operating across multiple states should remain vigilant about emerging state privacy laws and consider seeking legal counsel to ensure comprehensive compliance.
As data privacy regulations continue to proliferate, companies that proactively adapt their practices may find themselves better positioned to navigate this complex legal landscape and meet the growing expectations of consumers regarding the protection of their personal information.
NEED HELP WITH PRIVACY LAW COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy obligations under state and federal laws or would like to reassess its data collection and processing practices in compliance with state regulation, please contact us:
Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@commlawgroup.com
Diana James – Tel: 703-663-6757 / E-mail: daj@commlawgroup.com