Blog

Comprehensive Privacy Laws Take Effect in Texas and Oregon

Julie Rubash, General Counsel and Chief Privacy Officer
July 9, 2024

USA

Comprehensive Privacy Laws Take Effect in Texas and Oregon

Comprehensive privacy laws became effective July 1 in Texas and Oregon, bringing the total number of states with active comprehensive privacy laws to seven, alongside California, Colorado, Connecticut, Utah and Virginia.

TAKEAWAY

Notably, the Oregon Consumer Privacy Act introduces some new “sensitive data” categories, specifically victims of crime, national origin, and status as transgender or non-binary. Oregon also requires that, upon consumer request, companies must provide consumers with a list of third parties to which personal data has been disclosed (diverging from the requirement in some other states to provide categories of third parties rather than a specific list of third parties). This stresses the importance of maintaining an accurate and up-to-date list of what third parties a company discloses personal data to.

The Texas Data Privacy and Security Act introduces some new footer language that companies processing sensitive or biometric data must use in their notices to consumers, specifically: “NOTICE: we may sell your [sensitive personal] [biometric] data”. 

Recognition of GPC Signals is Officially Required in Colorado

July 1 marked the date that Colorado began requiring recognition of Universal Opt-Out Mechanisms (UOOMs) as a means for consumers to opt out of the sale of their personal data or targeted advertising.

TAKEAWAY

Although the Colorado Privacy Act allows for approval by the Colorado Attorney General’s Office of an unlimited number of UOOMs that companies may be required to recognize under the law, the AG’s office has so far only adopted one: Global Privacy Control, which is also the only “opt-out preference signal” that has officially been recognized by the California AG’s office.

Colorado is the second state (after California) with an active requirement to recognize UOOMs (or OOPSs) as a valid opt out under their respective laws, but ten additional states (and counting) will require such recognition within the next two years.


Looking for guidance on all the U.S. States’ privacy regulation? Download Sourcepoint’s Ultimate Guide to U.S. State Privacy Laws.

EUROPE

Oslo Court Upholds Fine Against Grindr for Sensitive Data Tracking

The Oslo District Court officially upheld the Norwegian Data Protection Authority’s NOK 65,000,000 (5.65MM euro) fine against Grindr based on a conclusion that Grindr intentionally violated the GDPR by sharing special categories of personal data from users of its dating app with third-party advertising partners without a valid legal basis.

TAKEAWAY

A notable aspect of the case is the Court’s analysis and interpretation of “special categories of personal data”. Specifically, the Court concluded that [as unofficially translated] “connection to an app can be enough to fall under the processing of particular categories of personal data if the app in question handles particular categories of personal data…this applies regardless of whether the information is correct and regardless of the purpose of the processing.”

Applying this to the Grindr case, the Court found that, by providing the Apple ID of its users (that, in isolation, does not say anything about a persona’s sexual relationship or sexual orientation) with advertisers, Grindr released information that a specific user is a user of Grindr, an app that “mainly targets a group of people who seek sexual contact with others based on sexual orientation and preferences”, which, in the court’s view, “is information about a person’s sexual relationship.”  

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

FTC and Sensitive Location Data; New Pen Register Class Actions

December 9, 2024

FTC takes action against the sale of sensitive data...

California CPPA Issues Notice of Proposed Rulemaking

November 25, 2024

News out of California this week. The CPPA moved...

Mitigating risk under the Video Privacy Protection Act (VPPA)

November 23, 2024

Because VPPA is just one of many tools being...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]