From Sea to Shining Sea: State Legislatures in Oregon, Texas, and Delaware Pass Comprehensive Data Privacy Laws

The summer of 2023 has been a busy one for state data privacy legislation. Oregon, Texas, and Delaware have all passed comprehensive data privacy laws, joining the growing list of states with broad privacy protections for their residents.

Texas Data Privacy and Security Act (TDPSA)

Texas became the ninth state to pass a comprehensive privacy law when Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) on June 18, 2023. The TDPSA takes effect July 1, 2024.

Applicability: The TDPSA applies to entities that conduct business in Texas or produce products or services consumed by Texas residents, and that process or sell personal data. Notably, the TDPSA does not contain a revenue or volume threshold for applicability, making it potentially broader than other state laws.

Consumer Rights: The TDPSA grants Texas consumers rights to access, correct, delete, obtain a copy of, and opt-out of the sale, targeted advertising, and profiling of their personal data.

Sensitive Data: Sensitive data processing requires consumer consent. Sensitive data includes data that reveals racial/ethnic origin, religious beliefs, mental/physical health diagnosis, sexuality, immigration status, genetic or biometric data, and children’s data.

Enforcement: The Texas Attorney General has exclusive enforcement authority. There is no private right of action.

Oregon Consumer Privacy Act (OCPA)

Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act (OCPA) on July 18, 2023. The OCPA takes effect July 1, 2024 (with a delayed effective date of July 1, 2025 for nonprofits).

Applicability: The OCPA applies to entities that:

• Control or process personal data of at least 100,000 Oregon consumers per year; or
• Control or process personal data of at least 25,000 consumers and derive 25% or more of gross revenue from the sale of personal data.

Consumer Rights: Oregon consumers have rights to access, correct, delete, obtain a portable copy of their personal data, and to opt-out of targeted advertising, the sale of personal data, and profiling.

Civil Penalties: Up to $7,500 per violation after a 30-day cure period.

Delaware Personal Data Privacy Act (DPDPA)

Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA) on September 11, 2023, making Delaware the twelfth state with a comprehensive privacy law. The DPDPA takes effect January 1, 2025.

For full details, see our post Delaware Makes a Dozen.

Florida and Nevada: Additional Developments

Florida: The Florida Digital Bill of Rights (FDBR), signed June 6, 2023 and effective July 1, 2023, applies only to entities with over $1 billion in annual global revenue, significantly narrowing its reach. It creates several consumer rights including a right to opt-out of targeted advertising and data sales.

Nevada: Senate Bill 370 broadens Nevada’s existing privacy law by expanding the definition of “sale” of personal data. It took effect October 1, 2023.

Takeaways for Organizations

The rapid expansion of state privacy laws continues to create compliance challenges for organizations operating across state lines. Organizations that have already built CCPA/CPRA, CPA, CTDPA, VCDPA, and UCPA compliance programs are well-positioned to extend those programs to cover new state requirements. For a comprehensive compliance framework, see our earlier post, Winter Is Coming: 10 Steps Organizations Should Be Taking Now.