Two more states have enacted consumer privacy protection laws, with Oregon and Delaware joining the existing fray of state comprehensive consumer privacy laws in California, Colorado, Virginia, Utah, Connecticut, Iowa, Indiana, Montana, Tennessee, Florida, and Texas.

In addition, federal legislation advances in the U.S. Senate to amend the Children’s Online Privacy Protection Act of 1998 (“COPPA”) to strength protections related to online collection, use, and disclosure of personal information of children and teens, and for other purposes.

Oregon

On June 22, 2023, both houses of the Oregon Legislature passed the Oregon Consumer Privacy Act (SB 619), which was signed by the Governor on July 18, 2023.

• The scope of application is similar to other laws, including businesses that provide products or services (Note: it does not include “targeted to” or “intentionally targeted to”) state residents and control or process: (a) personal data of 100,000 or more consumers (excluding payment transaction date); or (b) 25,000 or more consumers and derive 25% or more annual gross revenue from selling personal data.
• “Sales” are defined to include disclosures in exchange for monetary “or other valuable” consideration, with exemptions included similar to other state laws.
• Entity-level exemptions are fairly standard, but with some nuances. Exemptions for financial institutions and health care entities are not entity-level exemptions but rather extend to the data processed by those entities. There are no exemptions for nonprofits. The exemption for public bodies expressly includes Oregon Health and Science University and the Oregon State Bar.
• The law is effective on July 1, 2024 (July 1, 2025 for nonprofits). In addition, provisions eliminating the cure period and regarding honoring of authorized agents and global opt out signals become effective January 1, 2026.
• The state attorney general will have exclusive authority to enforce the provision, and may bring penalties of up to $7,500 per violation.  Businesses will have a 30-day cure period, which sunsets on January 1, 2026.

To view the Oregon law, click here.

Delaware

On June 30, 2023, the Delaware Personal Data Privacy Act (“DPDPA”) passed the House and Senate and is awaiting signature from the Governor. If not vetoed, it becomes effective January 1, 2025.

The DPDPA is similar to many of the other state privacy laws, although the applicability threshold for controlling data (35,000 consumers or 10,000 consumers and 20% of revenue from sale of the date) is lower than many of the other states.

Its exemptions are also a bit unique. There is no entity-level exemption for businesses subject to HIPAA, although data-level information exemptions are covered. In addition, its exemption for state agencies or political subdivisions excludes higher education institutions (thus arguably making them subject to the law), although data regulated by FERPA is exempt. In addition, there is no blanket exemption for nonprofits, although it does exempt: (a) nonprofits dedicated exclusively to preventing and addressing insurance crime; and (b) nonprofits that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.

• The DPDA requires businesses to honor universal opt-out signals such as the Global Privacy Control (GPC). 
• Businesses have 45 days to respond to consumer requests with possible 45-day extensions.
• For businesses controlling or processing personal information of more than 100,000 consumers, data protection assessments are required.
• There is a right to a 60-day cure period, which will sunset on December 31, 2025, and be discretionary thereafter.
• The state Department of Justice will implement and enforce violation as an unfair trade practice, with fines of up to $10,000 per violation.

To view the Delaware bill, click here.

Amendments to Bills on Children’s Online Privacy and Safety

On July 17, 2023, the Senate Committee on Commerce, Science and Transportation advanced two bills that would strengthen online safeguards for the personal information of children and teens: (1) the Children and Teen’s Online Privacy Protection Act (“CTOPPA”, commonly known as “COPPA 2.0”) (S.1418) and (2) the Kids Online Safety Act (“KOSA”) (S. 1409).

CTOPPA would block social media platforms from collecting information from teenagers without their consent, amending existing COPPA requirements that only applied to children younger than 13.  It would also bar websites from targeting kids and teens with advertisements.

KOSA would establish a duty of care for social media websites to protect kids from online harassment and content that promotes suicide, substance abuse, eating disorders, and sexual exploitation. It would also require platforms to provide safeguard to kids and control to parents to manage their kids’ time spent online.

The legislation responds to increase pressures to improve young people’s experience on social media due to research suggesting that excessive online use could be worsening their mental health. Critics of the legislation argue that it would instead weaken privacy protections, and certain platforms have pointed to existing protections in place for young users.

The committee voted both bills out with substitute amendments. The bills should now be reported for a full vote in the Senate after which, if approved, they would go to the House.

To view the original CTOPPA and substitute committee amendments, click here.   

To view the original KOSA bill and substitute committee amendments, click here.