New Requirements Include Identifying Specific Third Parties to Whom Businesses Disclose Data and Consent for Targeted Advertising to Teens

Texas, Oregon, and Delaware are the latest states to join the growing landscape of comprehensive data privacy laws, adding to the many state privacy laws that were passed this year.¹ On June 18, 2023, Governor Greg Abbott signed the Texas Data Privacy and Security Act. On July 18, 2023, Governor Tina Kotek signed Oregon Senate Bill 619, referred to as the Oregon Consumer Privacy Act. Similarly, on June 30, 2023, the Delaware legislature passed the Delaware Personal Data Privacy Act. In doing so, Texas and Oregon officially became the 10th and 11th states, respectively, to enact a comprehensive privacy law. Assuming Governor John Carney also signs the Delaware Personal Data Privacy Act, his state would join as the 12th with that status. All three of the most recent laws are substantially similar to the prior state comprehensive consumer privacy laws, but they each include some key particularities that companies should be aware of as they plan their compliance strategies.

Texas Data Privacy and Security Act

Substantively, the Texas privacy law is similar to the comprehensive privacy laws in Colorado, Virginia, and Connecticut. The majority of the law's substantive provisions will go into effect on July 1, 2024.

The Texas privacy law is most notable for its different applicability threshold. It applies to persons that 1) conduct business in Texas or produce a product or service consumed by Texas residents; 2) process or engage in the sale of Texans’ personal data; and 3) are not a small business as defined by the U.S. Small Business Administration (SBA).² Note, however, that SBA-designated small businesses will still be required to obtain consumer consent before selling sensitive personal data.³ Additionally, while most state privacy laws apply to entities that conduct business in the state or “target” their products or services to those respective state residents, the Texas privacy law states that it would apply to businesses whose products or services are merely “consumed by” Texas residents. While the language in the Texas privacy law does raise some basic jurisdictional questions, businesses outside of Texas should be mindful of its requirements.

Further, unlike the U.S. state privacy laws enacted after Virginia’s, the Texas privacy law does not contain any minimum number of Texans' data that a business must process in order to be covered. The Texas privacy law also specifically requires certain language to be posted if the business sells sensitive or biometric information. For example, a company that engages in the sale of sensitive personal data must post the following language in the same location and in the same manner as its privacy notice: “NOTICE: We may sell your sensitive personal data.”

Key Similarities

• The Texas privacy law grants similar consumer rights to other states, including the right to opt out of the processing of personal data for targeted advertising, sale, and profiling.
• Like California, Colorado, Connecticut, and Montana, Texas will require controllers to recognize universal opt-out mechanisms for personal data sales and targeted advertising, but this requirement does not take effect until January 1, 2025.
• Texas’s data protection assessment requirements closely align with the obligations set out in Colorado and Virginia.
• In line with other state privacy laws, the Texas privacy law includes a 30-day right to cure. To take advantage of this right, however, a business must notify the Texas attorney general in writing and provide documentation about how the business cured the violation.
• The Texas privacy law includes broad, status-based and data-based exemptions,⁴ similar to previously enacted state laws such as Iowa, Colorado, and Virginia. The law also does not apply to B2B or employee data.
• The Texas attorney general has the exclusive enforcement authority.

Oregon Consumer Privacy Act

The Oregon privacy law is most similar to those in Colorado and Connecticut and would go into effect on July 1, 2024. Like Colorado, the Oregon privacy law also applies to nonprofits.

Significantly, while the Oregon privacy law contains consumer rights consistent with those found in other state privacy laws, the law also includes a right to obtain a list of specific third parties with whom the controller has shared the consumer’s personal data or personal data generally.

The Oregon privacy law’s definition of personal data is also broader than other state privacy laws. Personal data is defined as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” Comments provided by the Oregon Department of Justice during the law’s amendment process explained that “derived data” was included in the definition of personal data to avoid controllers being able use derived data to make inferences about consumers even after a consumer requested their data be deleted.⁵

The Oregon privacy law defines sensitive data similar to other state laws but is slightly broader. First, transgender or nonbinary status is considered sensitive data. Second, biometric data, which is also sensitive data, is defined in a way that does not require controllers to use biometric data to actually identify the individual, as required under Connecticut’s privacy law.⁶ In the drafting comments mentioned above, the Oregon Department of Justice explained that biometric data is “extremely sensitive and something many consumers wish to keep private, regardless of whether it is used for identification purposes.” Further, the law does not consider audio and video recordings on its own as biometric data “[b]ecause of the pervasiveness of photos, audio and video on the Internet,” but if they are used for identification purposes then they would be considered biometric data.

The Oregon privacy law provides only data-based (not status-based) exemptions for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) or covered entities and business associates regulated under the Health Insurance Portability and Accountability Act (HIPAA). The Oregon privacy law also does not provide any carve outs exempting pseudonymous data from consumer rights requests as with a number of other state privacy laws.

Key Similarities

• The Oregon privacy law grants consumers rights similar to other states, including the right to opt out of the processing of personal data for targeted advertising, sale, and profiling.
• Like California, Colorado, Connecticut, and Montana, Oregon will require controllers to recognize universal opt-out mechanisms beginning on January 1, 2026.
• Controllers must describe the purposes and categories of personal data processed in their privacy notices under the law.
• Oregon’s data protection assessment requirements closely align with the obligations set out in Colorado and Virginia.
• In line with other state privacy laws, the Oregon privacy law includes a 30-day right to cure, but this sunsets on January 1, 2026.
• The Oregon privacy law does not apply to B2B or employee data.
• The Oregon Attorney General will have the exclusive enforcement authority.

Delaware Personal Data Privacy Act

The Delaware privacy law is most similar to that of Connecticut, with some notable differences and requirements. The Delaware law would go into effect on January 1, 2025, if the bill is enacted into law before January 1, 2024. If the bill is enacted after January 1, 2024, the law would become effective on January 1, 2026.

The Delaware privacy law has the lowest express applicability threshold of any comprehensive state privacy law thus far (setting aside the Texas privacy law’s unique requirements). It applies to persons that conduct business in Delaware or produce products or services targeted to Delaware residents (referred to as “consumers”) and that: 1) control or process the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or 2) control or process the personal data of at least 10,000 consumers and derives more than 20 percent of gross revenue from the sale of personal data.

Like Oregon and Colorado, Delaware’s privacy law also applies to nonprofits, with the exception of nonprofits that are “dedicated exclusively to preventing and addressing insurance crime” and exempts certain personal information collected by nonprofits related to victims or witnesses of certain crimes, including domestic violence, child abuse, and human trafficking.

Further, like Oregon, the definition of sensitive data in Delaware’s privacy law includes transgender or nonbinary status as a sensitive data category.

Notably, Delaware’s privacy law prohibits processing the personal data of a consumer for the purposes of targeted advertising or from selling personal data without the consumer’s consent where a controller has actual knowledge or willfully disregards that the consumer is between the ages of 13 and 18.⁷

Similar to Oregon, Delaware’s privacy law only provides data-based (not status-based) exemptions for covered entities and business associates regulated under HIPAA. Delaware’s privacy law does, however, provide both status- and data-based exemptions for financial institutions and information subject to the GLBA.

Key Similarities

• The Delaware privacy law grants consumer rights similar to other states, including the right to opt out of the processing of personal data for targeted advertising, sale, and profiling.
• Like California, Colorado, Connecticut, and Montana, Delaware will require controllers to recognize universal opt-out mechanisms beginning one year after the law’s effective date.
• Delaware’s data protection assessment requirements closely align with the obligations set out in Colorado and Virginia, but only apply to controllers that control or process the data of at least 100,000 consumers.
• In line with other state privacy laws, the Delaware privacy law includes a 60-day right to cure, but this sunsets on January 1, 2026.
• The Delaware privacy law does not apply to B2B or employee data.
• The Delaware privacy law can only be enforced by the Delaware Department of Justice.

^[1]Wilson Sonsini’s client alerts summarizing the prior comprehensive privacy laws can be found at: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Montana, and Tennessee.

^[2]According to the SBA, the definition of a small business varies by industries. Generally, for a business to qualify as “small” it must not exceed the size standards as outlined here. To see whether your business qualifies, you can use the SBA resources linked here.

^[3]The Texas privacy law’s definition of “sensitive data,” however, is slightly different compared to other states’ definitions. For example, the law only limits its protection of health information to information that specifically relates to a “mental or physical health diagnosis” (as opposed to applying to additional categories of health information). Also, instead of “sexual orientation,” the law instead protects “sexuality.”

^[4]The Texas law extends status-based exemptions for state and local government entities, financial institutions, affiliates, and entities subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) or the HITECH Act, nonprofit organizations, institutions of higher education, and an electric utility, a power generation company, or a retail electric provider as defined by the Texas state’s Utilities Code. The law also extends certain data-based exemptions, particularly regarding protected health information under HIPAA and health records under related laws, regulations, and standards, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Driver’s Privacy Protection Act, and the Farm Credit Act.

^[5]See the draft bill with comments here.

^[6]Biometric data is defined as:

1. “Biometric data” means personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voiceprint, retinal pattern, iris pattern, gait, or other unique biological characteristics that allow or confirm the unique identification of the consumer.
2. “Biometric data” does not include:
   1. a photograph recorded digitally or otherwise;
   2. an audio or video recording;
   3. data from a photograph or from an audio or video recording, unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer; or
   4. facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.

^[7]Although Connecticut’s privacy law had a similar prohibition for processing data from children between the ages of 13 through 16, Connecticut’s newest amendments on children privacy essentially result in the same protections as Delaware. See passed Senate Bill 3 (enacted on June 2, 2023).