The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws.*
- On July 20, 2023, Oregon’s governor signed the Oregon Consumer Privacy Act into law. The law will take effect on July 1, 2024.
- On September 11, 2023, Delaware’s governor signed the Delaware Personal Data Privacy Act into law. The law will take effect on January 1, 2025.
- The Oregon law expands individuals’ right of access to their data to now include a list of names of the third parties to which a business has disclosed an individual’s personal data.[i]
- Unlike most of the other new state general data privacy laws (and several other existing data privacy regimes), both laws apply to nonprofit entities, with some limited exceptions. Oregon gives nonprofit entities a one-year grace period beyond the law’s effective date.
- Delaware requires covered businesses to obtain consent of individuals between the ages of 13 and 18 prior to processing their personal data for purposes of selling, targeted advertising, or certain profiling activities.