Texas privacy bill signed into law
June 26, 2023
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
Texas privacy bill signed into law
The Texas Governor signed HB 4, implementing the Texas Data Privacy and Security Act. Most of the Act will take effect July 1, 2024, with the obligation to respect global opt-out mechanisms taking effect January 1, 2025.
The Texas bill borrows several elements from existing privacy laws and also contains some unique elements. For example, requirements for sensitive data are dictated based on the size of the company: large companies must obtain opt-in consent for all processing of sensitive data, while small companies must only obtain consent for the sale of sensitive data.
The Texas bill also requires specific language (“NOTICE: we may sell your [sensitive personal data / biometric personal data]”) be disclosed with the privacy notice, where applicable. Finally, although opt-out preference signals must be recognized under the law starting in 2025 (making Texas the fifth state, after California, Colorado, Connecticut and Montana, to require recognition of such signals) Texas includes some exceptions absent in the other laws, including if a company “does not possess the ability to process the request”.
Oregon Privacy Bill to be Sent to Governor for Signature
Oregon SB 619 has passed the House and Senate. If signed by the Governor, most of the law will go into effect July 1, 2024, with the obligation to respect opt-out preference signals going into effect January 1, 2026. A right to cure will also expire as of January 1, 2026.
The Oregon bill would introduce some unique elements not seen in existing state laws. For example, the definition of sensitive data (the processing of which would require opt-in consent), is broader than other states, including “status as transgender or nonbinary” and “status as a victim of crime” as categories of sensitive data.
The law would also require that controllers provide to consumers a list of third parties to which personal data has been disclosed, which is an extension of the obligation seen in other state laws to disclose “categories of third parties”.
CNIL Fines Criteo For Failing to Verify Consent
The French Data Protection Authority (CNIL) announced a EUR 40 million fine against ad tech company Criteo based on allegations the company failed to verify that user consent had been obtained for the processing of personal data collected from its publisher partner properties.
The company had also allegedly failed to respect certain user rights, including the right to withdraw consent and erasure of data. When a user requested to exercise these rights, Criteo allegedly stopped the display of personalized advertisements to the user but did not delete the identifier assigned to the person or erase navigational events related to the identifier.
This case highlights the importance of conducting due diligence on a company’s partners. Although personal data in this case was collected from the websites of Criteo’s publisher partners (making it the publishers’ responsibility to obtain consent from users for Criteo’s collection and processing of such personal data), the CNIL makes clear that “this does not exempt Criteo from its obligation to verify and be able to demonstrate that Internet users gave their consent.”
At the time of the investigation, Criteo allegedly had not put any measure in place to ensure that its partners were validly collecting the consent and had not undertaken any audit campaign of its partners.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
The Federal Trade Commission sent warning letters to five...
Delaware HB 154, implementing the Delaware Personal Data Privacy Act,...
How do different U.S. state laws define and protect...
Latest White Papers
The current state of publisher compliance with CCPA, and...
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.