Texas privacy bill signed into law

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

Texas privacy bill signed into law

 The Texas Governor signed HB 4, implementing the Texas Data Privacy and Security Act. Most of the Act will take effect July 1, 2024, with the obligation to respect global opt-out mechanisms taking effect January 1, 2025.

TAKEAWAY

The Texas bill borrows several elements from existing privacy laws and also contains some unique elements. For example, requirements for sensitive data are dictated based on the size of the company: large companies must obtain opt-in consent for all processing of sensitive data, while small companies must only obtain consent for the sale of sensitive data.

The Texas bill also requires specific language (“NOTICE: we may sell your [sensitive personal data / biometric personal data]”) be disclosed with the privacy notice, where applicable. Finally, although opt-out preference signals must be recognized under the law starting in  2025 (making Texas the fifth state, after California, Colorado, Connecticut and Montana, to require recognition of such signals) Texas includes some exceptions absent in the other laws, including if a company “does not possess the ability to process the request”.

Oregon Privacy Bill to be Sent to Governor for Signature

Oregon SB 619 has passed the House and Senate. If signed by the Governor, most of the law will go into effect July 1, 2024, with the obligation to respect opt-out preference signals going into effect January 1, 2026. A right to cure will also expire as of January 1, 2026. 

TAKEAWAY

The Oregon bill would introduce some unique elements not seen in existing state laws. For example, the definition of sensitive data (the processing of which would require opt-in consent), is broader than other states, including “status as transgender or nonbinary” and “status as a victim of crime” as categories of sensitive data.

The law would also require that controllers provide to consumers a list of third parties to which personal data has been disclosed, which is an extension of the obligation seen in other state laws to disclose “categories of third parties”. 

EUROPE

CNIL Fines Criteo For Failing to Verify Consent

The French Data Protection Authority (CNIL) announced a EUR 40 million fine against ad tech company Criteo based on allegations the company failed to verify that user consent had been obtained for the processing of personal data collected from its publisher partner properties.

The company had also allegedly failed to respect certain user rights, including the right to withdraw consent and erasure of data. When a user requested to exercise these rights, Criteo allegedly stopped the display of personalized advertisements to the user but did not delete the identifier assigned to the person or erase navigational events related to the identifier. 

TAKEAWAY

This case highlights the importance of conducting due diligence on a company’s partners. Although personal data in this case was collected from the websites of Criteo’s publisher partners (making it the publishers’ responsibility to obtain consent from users for Criteo’s collection and processing of such personal data), the CNIL makes clear that “this does not exempt Criteo from its obligation to verify and be able to demonstrate that Internet users gave their consent.”

At the time of the investigation, Criteo allegedly had not put any measure in place to ensure that its partners were validly collecting the consent and had not undertaken any audit campaign of its partners. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.