Listen to this post

As we enter into the heart of the summer there is no time to relax in privacy-land with the next batch of “comprehensive” privacy laws coming into effect on July 1. Namely, those in Texas and Oregon (and Florida if you count it as “comprehensive”). These states will join those already in effect in California, Colorado, Connecticut, Utah, and Virginia. (For a recap of effective dates and requirements, visit our tracker.)

For the most part, the Texas and Oregon laws mirror the obligations in other states. They do not provide for a private right of action, and both have a 30 day cure period (although Oregon’s sunsets on January 1, 2026). There are, though, a few things to keep in mind for under these new laws:

  • Where other states establish numeric or monetary thresholds, Texas’ data privacy law applies to any business in Texas (except for those classified as “Small Businesses” under the Small Business Administration).
  • Texas will join California in requiring specific disclosures if processing sensitive information. Namely, companies that sell sensitive data will need to post the following specific statement. “NOTICE: We may sell your sensitive personal data.” The notice needs to appear in the “same manner and location” as where the company posts its privacy policy. (Sale includes the exchange for monetary or other consideration, but not to vendors, affiliates, or if it is needed to provide a product or service to the consumer.) A similar requirement exists if selling biometric data.
  • While providing mostly the same rights as other states, Oregon has slightly different wording for its access rights. Namely, the right is to give consumers, upon request, a list of specific third parties, but this specificity is “at the controller’s option.” 

Finally, as a reminder, the law in Florida is quite narrow, and applicable only to a handful of companies, as we discussed when the law was first passed.

Putting it into Practice: As more states enact privacy laws, companies may want to revisit their privacy programs. Now is a good time to see if they are sufficiently adaptable and expandable in the face of the changing legal patchwork.