On July 1, 2024, newly enacted privacy laws in Texas and Oregon will come into effect. Optery’s data removal requests are now fully customized to leverage the rights granted by the Texas and Oregon legislation. With Optery as your authorized agent, you can put these privacy laws to work for you immediately. The new consumer data protection measures, along with authorized agent provisions, will enhance the control residents have over their personal data, aligning with the trend of increasing state-level privacy legislation across the U.S.

Texas and Oregon have become the tenth and eleventh states, respectively, to enact general privacy legislation, following California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, and Montana. Like the groundbreaking privacy laws in California and those of other states, the Texas and Oregon laws will improve consumer privacy and security nationwide as more businesses move to comply with these regulations. Both the Texas and Oregon bills generally follow the Virginia Consumer Data Protection Act but also contain their own unique provisions.

Below, we highlight some of the consumer rights and obligations of businesses under these new laws.

Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, introduces consumer rights and business obligations regarding personal data processing.

Scope and Applicability: 

The law applies to businesses that:

• Conduct business in Texas or produce products or services consumed by Texas residents.
• Process or engage in the sale of personal data.
• Are not a small business as defined by the U.S. Small Business Administration.

Consumer Rights:

• Access and Correction: Consumers can confirm whether their data is being processed and correct inaccuracies.
• Deletion: Consumers can request the deletion of their personal data.
• Data Portability: Consumers have the right to obtain a copy of their data in a portable format.
• Opt-Out: Consumers can opt out of the processing of their data for targeted advertising, sale of personal data, or profiling.
• Authorized Agent Requests: Consumers can appoint authorized agents to make privacy requests on their behalf, making it much easier to manage their data privacy rights.

Business Obligations:

• Data Minimization and Purpose Limitation: Businesses must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed.
• Consent for Sensitive Data: Businesses must obtain explicit consent before processing sensitive data.
• Privacy Notices: Businesses must provide clear privacy notices that include:
  • Categories of personal data processed.
  • Purposes for processing personal data.
  • Categories of personal data shared with third parties.
  • Categories of third parties with whom data is shared.
  • Consumer rights and how to exercise them, including the appeal process if a request is denied.
• Data Protection Assessments: Required for high-risk processing activities, including targeted advertising, sale of personal data, profiling, and processing sensitive data.
• Opt-Out Mechanisms: Businesses must comply with opt-out requests made through various technologies, including browser settings and extensions, by January 1, 2025. This means consumers can use these technologies to communicate their privacy preferences directly to businesses.

Protect your personal information from being sold or shared with the free Optery Global Privacy Control (GPC) Extension.

Compliance and Enforcement:

• The Texas Attorney General’s office will enforce these regulations.

Oregon Consumer Privacy Act (OCPA)

The Oregon Consumer Privacy Act (OCPA) also goes into effect on July 1, 2024.

Scope and Applicability: 

The law applies to businesses that:

• Control or process data of 100,000 or more Oregon consumers.
• Control or process data of 25,000 consumers if 25% of their revenue comes from selling personal data.

Consumer Rights:

• Similar to the TDPSA, Oregon residents can access, correct, delete, and obtain their personal data.
• Oregon law includes a unique provision allowing consumers to request a list of third parties with whom their data has been shared.
• Authorized Agent Requests: Consumers can appoint authorized agents to manage their data privacy rights.

Business Obligations:

• Data Minimization and Purpose Limitation: Businesses must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed.
• Consent for Sensitive Data: Businesses must obtain explicit consent before processing sensitive data.
• Affirmative Consent for Teens: Required for processing data from individuals aged 13-15 for targeted advertising, sale of personal data, or profiling.
• Privacy Notices: Businesses must provide detailed privacy notices that include:
  • Categories of personal data processed.
  • Purposes for processing personal data.
  • Categories of personal data shared with third parties.
  • Categories of third parties with whom data is shared.
  • Consumer rights and how to exercise them, including how to opt-out of the sale of personal data and targeted advertising.
• Data Protection Assessments: Mandatory for certain high-risk processing activities such as targeted advertising and processing sensitive data.
• Non-Profit Inclusion: The law also applies to non-profit organizations, effective July 1, 2025.
• Global Privacy Control (GPC) Signal: Businesses must honor the GPC signal as a valid consumer request to opt out of data sales and sharing starting January 1, 2025. This means consumers can use a browser extension to communicate their privacy preferences directly to businesses.

Compliance and Enforcement: 

• The Oregon Attorney General’s office will enforce these regulations. 

Importance of Authorized Agent Requests

Authorized agent requests in both the TDPSA and OCPA provide significant benefits:

• Accessibility: Consumers who may not have the time, technical expertise, or physical ability to manage their data privacy rights can rely on trusted agents such as Optery to handle their privacy concerns.
• Efficiency: Agents can streamline the process of managing privacy rights, making it more efficient and less burdensome for consumers.
• Control: Enhances the ability of consumers to maintain control over their personal data, ensuring their privacy rights are respected and exercised effectively.

Appointing Optery as Your Authorized Agent with Limited Power of Attorney

Summary and Compliance

These new laws in Texas and Oregon signify a substantial shift towards enhanced consumer data protection. Businesses operating in these states must prepare to comply with these new regulations to avoid penalties and ensure consumer trust.

By allowing authorized agent requests, both states are making it easier for individuals to manage their privacy rights. Similar to the CCPA and the CPRA in California, these laws will benefit consumers across the country, as most businesses will prefer not to maintain separate policies for states with and without privacy laws. The new regulations will also contribute to a reduction in phishing, identity theft, doxing, and other PII-based attacks. As more citizens exercise their rights to opt out of personal data collection and sharing, it will become increasingly more challenging for cybercriminals to obtain and exploit personal data.

As a trusted authorized agent, Optery is dedicated to helping consumers exercise their rights efficiently and effectively. For more detailed information and guidance on compliance, consulting the full texts of the TDPSA and OCPA or seeking legal advice is recommended.