The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws.
- On July 20, 2023, Oregon’s governor signed the Oregon Consumer Privacy Act into law. The law will take effect on July 1, 2024.
- On June 30, 2023, Delaware’s legislature passed the Delaware Personal Data Privacy Act. Once signed by the governor, the law will take effect on January 1, 2025.
- Both laws expand individuals’ right of access to their data to now include a list of names of the third parties to which a business has disclosed an individual’s personal data.[i]
- Unlike most of the other state general data privacy laws, both laws apply to nonprofit entities, with some limited exceptions. Oregon gives nonprofit entities a one-year grace period beyond the law’s effective date.
- Delaware requires covered businesses to obtain consent of individuals between the ages of 13 and 18 prior to processing their personal data for purposes of selling, targeted advertising, or certain profiling activities.
Oregon and Delaware have become the seventh and eighth US states this year to enact general data privacy legislation — growing the US state privacy framework to 13 states.[ii] This blog post analyzes the key requirements of both laws, including how the laws’ provisions compare to those of the laws that passed in other states.[iii]