Blog
Texas privacy bill signed into law
June 26, 2023
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
United States
Texas privacy bill signed into law
The Texas Governor signed HB 4, implementing the Texas Data Privacy and Security Act. Most of the Act will take effect July 1, 2024, with the obligation to respect global opt-out mechanisms taking effect January 1, 2025.
TAKEAWAY
The Texas bill borrows several elements from existing privacy laws and also contains some unique elements. For example, requirements for sensitive data are dictated based on the size of the company: large companies must obtain opt-in consent for all processing of sensitive data, while small companies must only obtain consent for the sale of sensitive data.
The Texas bill also requires specific language (“NOTICE: we may sell your [sensitive personal data / biometric personal data]”) be disclosed with the privacy notice, where applicable. Finally, although opt-out preference signals must be recognized under the law starting in 2025 (making Texas the fifth state, after California, Colorado, Connecticut and Montana, to require recognition of such signals) Texas includes some exceptions absent in the other laws, including if a company “does not possess the ability to process the request”.
Oregon Privacy Bill to be Sent to Governor for Signature
Oregon SB 619 has passed the House and Senate. If signed by the Governor, most of the law will go into effect July 1, 2024, with the obligation to respect opt-out preference signals going into effect January 1, 2026. A right to cure will also expire as of January 1, 2026.
TAKEAWAY
The Oregon bill would introduce some unique elements not seen in existing state laws. For example, the definition of sensitive data (the processing of which would require opt-in consent), is broader than other states, including “status as transgender or nonbinary” and “status as a victim of crime” as categories of sensitive data.
The law would also require that controllers provide to consumers a list of third parties to which personal data has been disclosed, which is an extension of the obligation seen in other state laws to disclose “categories of third parties”.
EUROPE
CNIL Fines Criteo For Failing to Verify Consent
The French Data Protection Authority (CNIL) announced a EUR 40 million fine against ad tech company Criteo based on allegations the company failed to verify that user consent had been obtained for the processing of personal data collected from its publisher partner properties.
The company had also allegedly failed to respect certain user rights, including the right to withdraw consent and erasure of data. When a user requested to exercise these rights, Criteo allegedly stopped the display of personalized advertisements to the user but did not delete the identifier assigned to the person or erase navigational events related to the identifier.
TAKEAWAY
This case highlights the importance of conducting due diligence on a company’s partners. Although personal data in this case was collected from the websites of Criteo’s publisher partners (making it the publishers’ responsibility to obtain consent from users for Criteo’s collection and processing of such personal data), the CNIL makes clear that “this does not exempt Criteo from its obligation to verify and be able to demonstrate that Internet users gave their consent.”
At the time of the investigation, Criteo allegedly had not put any measure in place to ensure that its partners were validly collecting the consent and had not undertaken any audit campaign of its partners.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
How Süddeutsche Zeitung Partnered with Sourcepoint to Deploy a Contract Solution
January 9, 2025Süddeutsche Zeitung wanted to implement a solution that supported...
Four Additional State Comprehensive Privacy Laws Took Effect January 1
January 6, 2025Four additional state comprehensive privacy laws took effect January...
How The Independent Became One of the First UK Publishers to Launch ‘Consent or Pay’
December 31, 2024The Independent is focused on maintaining the highest standards...
Latest White Papers
E-book: Enterprise Guide To Cookie management & Tracker List Curation
July 1, 2024How to review the tracking tech on your websites...
Benchmark Report: US Privacy Compliance
August 19, 2022The current state of publisher compliance with CCPA, and...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.