Texas privacy bill signed into law

Julie Rubash, Chief Privacy Counsel
June 26, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

Texas privacy bill signed into law

 The Texas Governor signed HB 4, implementing the Texas Data Privacy and Security Act. Most of the Act will take effect July 1, 2024, with the obligation to respect global opt-out mechanisms taking effect January 1, 2025.


The Texas bill borrows several elements from existing privacy laws and also contains some unique elements. For example, requirements for sensitive data are dictated based on the size of the company: large companies must obtain opt-in consent for all processing of sensitive data, while small companies must only obtain consent for the sale of sensitive data.

The Texas bill also requires specific language (“NOTICE: we may sell your [sensitive personal data / biometric personal data]”) be disclosed with the privacy notice, where applicable. Finally, although opt-out preference signals must be recognized under the law starting in  2025 (making Texas the fifth state, after California, Colorado, Connecticut and Montana, to require recognition of such signals) Texas includes some exceptions absent in the other laws, including if a company “does not possess the ability to process the request”.

Oregon Privacy Bill to be Sent to Governor for Signature

Oregon SB 619 has passed the House and Senate. If signed by the Governor, most of the law will go into effect July 1, 2024, with the obligation to respect opt-out preference signals going into effect January 1, 2026. A right to cure will also expire as of January 1, 2026. 


The Oregon bill would introduce some unique elements not seen in existing state laws. For example, the definition of sensitive data (the processing of which would require opt-in consent), is broader than other states, including “status as transgender or nonbinary” and “status as a victim of crime” as categories of sensitive data.

The law would also require that controllers provide to consumers a list of third parties to which personal data has been disclosed, which is an extension of the obligation seen in other state laws to disclose “categories of third parties”. 


CNIL Fines Criteo For Failing to Verify Consent

The French Data Protection Authority (CNIL) announced a EUR 40 million fine against ad tech company Criteo based on allegations the company failed to verify that user consent had been obtained for the processing of personal data collected from its publisher partner properties.

The company had also allegedly failed to respect certain user rights, including the right to withdraw consent and erasure of data. When a user requested to exercise these rights, Criteo allegedly stopped the display of personalized advertisements to the user but did not delete the identifier assigned to the person or erase navigational events related to the identifier. 


This case highlights the importance of conducting due diligence on a company’s partners. Although personal data in this case was collected from the websites of Criteo’s publisher partners (making it the publishers’ responsibility to obtain consent from users for Criteo’s collection and processing of such personal data), the CNIL makes clear that “this does not exempt Criteo from its obligation to verify and be able to demonstrate that Internet users gave their consent.”

At the time of the investigation, Criteo allegedly had not put any measure in place to ensure that its partners were validly collecting the consent and had not undertaken any audit campaign of its partners. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Bicameral, bipartisan discussion draft of federal privacy bill announced

April 15, 2024

If passed, the American Privacy Rights Act, a comprehensive...

CPPA issues an enforcement advisory on data minimization

April 9, 2024

Their first "enforcement advisory", reminds companies of their data...

Kentucky sends comprehensive privacy bill to governor

April 1, 2024

Kentucky's privacy bill mirrors Virginia's, is set for 2026....

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]