The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws.
- On July 20, 2023, Oregon’s governor signed the Oregon Consumer Privacy Act into law. The law will take effect on July 1, 2024.
- On June 30, 2023, Delaware’s legislature passed the Delaware Personal Data Privacy Act. Once signed by the governor, the law will take effect on January 1, 2025.
- Both laws expand individuals’ right of access to their data to now include a list of names of the third parties to which a business has disclosed an individual’s personal data.[i]
- Unlike most of the other state general data privacy laws, both laws apply to nonprofit entities, with some limited exceptions. Oregon gives nonprofit entities a one-year grace period beyond the law’s effective date.
- Delaware requires covered businesses to obtain consent of individuals between the ages of 13 and 18 prior to processing their personal data for purposes of selling, targeted advertising, or certain profiling activities.
Oregon and Delaware have become the seventh and eighth US states this year to enact general data privacy legislation — growing the US state privacy framework to 13 states.[ii] This blog post analyzes the key requirements of both laws, including how the laws’ provisions compare to those of the laws that passed in other states.[iii]
Notably, outside of California, we are beginning to see a trend emerge for states to adopt the more consumer-friendly Colorado model, compared to the (arguably more business-friendly) Virginia model.[iv] While the existing state laws largely impose the same requirements on covered businesses and provide the same privacy rights to individuals as Virginia, the Colorado model refers to state laws that are generally considered more consumer-friendly by, for example, adopting the broader definition of “sale” of personal data and requiring covered businesses to recognize certain privacy requests submitted through authorized agents and universal opt-out mechanisms.
Additionally, while almost all of the existing general state privacy laws provide covered businesses with a right to cure alleged noncompliance (except California, where any cure period is now up to the discretion of state regulators), the right to cure is typically temporary under the Colorado model (generally expiring one year after the effective date), whereas the right to cure under the Virginia model is permanent.
As described below, both Oregon and Delaware follow the Colorado model, which brings the Colorado model total to five states (Colorado, Connecticut, Montana, Oregon, and Delaware), with the Virginia model still at seven states (Virginia, Utah, Florida, Texas, Tennessee, Iowa, and Indiana). Given that California diverges in many respects from the other state privacy laws, we generally do not consider it to fall within either model.
Below is a summary of the effective dates for all 13 US general state data privacy laws.
Overview of Requirements
Like the laws in Colorado and Connecticut, both Oregon and Delaware apply to “consumers,” who are defined as residents of the state, except those acting in a commercial or employment context. Below, we use “consumers” and “individuals” interchangeably to refer to residents who fall within the scope of these laws.
1. Scope. Both Oregon and Delaware adopt similar applicability tests as other state privacy laws; however, Delaware sets a lower threshold than many of the laws, likely a result of its smaller population.
For Oregon, the law applies to any person who conducts business in the state or provides products or services to Oregon residents, and during a calendar year controls or processes:
- the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
- the personal data of 25,000 or more consumers while deriving 25% or more of its annual gross revenue from selling personal data.
For Delaware, the law applies to any person who conducts business in the state or provides products or services to Delaware residents, and during a calendar year controls or processes:
- the personal data of 35,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
- the personal data of 10,000 or more consumers while deriving 20% or more of its annual gross revenue from selling personal data.
Similar to California, Oregon’s law does not provide an exception for institutions and affiliates that are subject to the federal Gramm-Leach-Bliley Act (GLBA). Rather, the law exempts “financial institutions” as defined under Oregon’s Revised Statute 706.008, which has a narrower definition than the GLBA’s equivalent term, and in effect exempts only traditional banks and credit unions.[v]
In contrast, the GLBA broadly defines “financial institutions” as businesses significantly engaged in financial activities, which includes not only banks and credit unions but also a broad range of other entities engaged in financial services, including appraisal services, tax preparation, loan servicing, check-cashing and payday loan services, mortgage lending, and financial and investment advisory services. As a result, financial institutions under the GLBA’s definition will need to assess whether they fall within Oregon’s narrower definition of a “financial institution.” If not, Oregon does provide some relief by continuing to provide a data-level exemption for nonpublic personal information that is collected and processed under the GLBA (similar to California’s law). However, any personal data that falls outside the scope of nonpublic personal information will remain subject to the provisions of Oregon’s law. As a result, financial institutions and their affiliates will need to closely assess their privacy compliance program to determine whether additional steps are necessary to comply with the law.
Outside of financial data, both laws align with other state privacy laws by also exempting data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), data subject to the Fair Credit Reporting Act, and data subject to the federal Family Educational Rights and Privacy Act. Neither law provides an entity-level exemption for entities subject to HIPAA.
Another aspect of these two laws that distinguish them from Virginia and others is that they both apply to nonprofit entities, with some limited exceptions. For instance, both laws exempt nonprofit entities that help prevent insurance fraud, as well as personal data of a victim or witness maintained by a nonprofit entity that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felonies, or stalking. All other nonprofit entities and data maintained by nonprofits are within scope of these laws, assuming the entity meets the thresholds set out above.
2. Privacy Notice. Oregon and Delaware have similar privacy notice disclosure requirements as other state privacy laws, including the following:
- the categories of personal data (including sensitive data) processed;
- the purposes for which personal data is processed;
- the categories of personal data shared with third parties;
- the categories of third parties to whom personal data is disclosed; and
- how individuals can exercise rights in relation to personal data about them, including how to appeal a denied rights request.
Additionally, if the business sells personal data or processes personal data for purposes of targeted advertising or profiling, such activity must be clearly and conspicuously disclosed in the privacy notice.
3. Privacy Rights. Similar to other state privacy laws, Oregon and Delaware will require businesses to honor consumers’ privacy rights, including the right to access, correct, delete, and opt out of the following activities: (i) the sale of personal data, (ii) the processing of personal data for the purposes of targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Where the laws start to diverge, however, is the scope of such rights. For instance, Oregon and Delaware expand the right of access by requiring covered businesses to provide a list of third parties to which the business has disclosed the specific individual’s personal data. Other state privacy laws, in comparison, require that the business only provide the categories of third parties to which the business has disclosed the specific individual’s personal data. Therefore, covered businesses subject to the Oregon and Delaware laws will now need to maintain a historical list of all third parties to which the business has disclosed a specific individual’s personal data and provide the list upon request.
Additionally, both laws provide individuals with the ability to opt out of the sale of their personal data and the processing of their personal data for targeted advertising purposes through a universal opt-out mechanism. Under both laws, businesses are required to comply with such opt-out requests received via a universal opt-out mechanism by January 1, 2026.
4. Appeals Process. Similar to the majority of the other state privacy laws, Oregon and Delaware require covered businesses to establish a process for individuals to appeal a business’s decision not to take action on a rights request. Delaware aligns with the majority of the other state privacy laws by providing covered businesses with 60 days to respond to the appeal request, informing the individual of the reasons for its decision. Oregon, however, imposes a shorter time frame of 45 days to respond to an individual’s appeal request. Under both laws, if the appeal is denied, the business must provide the individual with a method to contact the state Attorney General to submit a complaint.
5. Consent. Like many of the other state privacy laws, Oregon and Delaware require covered businesses to obtain freely given, specific, informed, and unambiguous consent from individuals prior to (i) processing their personal data for secondary purposes, (ii) processing their sensitive personal data, and (iii) for individuals between the ages of 13 and 15 (inclusive), processing their personal data for purposes of selling it or for targeted advertising. Notably, Delaware expands the last category to apply to individuals between the ages of 13 and 17 (inclusive), and also requires consent prior to processing personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, in addition to selling and targeted advertising purposes.
6. Contractual Obligations. Both laws impose specific contractual requirements for agreements between controllers and processors. These requirements mirror those in many of the other state privacy laws.
7. Data Protection Impact Assessments. Similar to many other states, Oregon and Delaware requires businesses to conduct a data protection impact assessment (DPIA) prior to: (i) processing sensitive personal data, (ii) selling personal data, (iii) processing personal data for targeted advertising, (iv) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, and (v) processing activities involving personal data that present a heightened risk of harm to consumers. Like other laws, a DPIA conducted for purposes of complying with another applicable law may satisfy the requirements of the Oregon and Delaware law, so long as it is reasonably similar in scope and effect.
The Oregon and Delaware laws will be exclusively enforced by the respective state Attorneys General. Oregon’s law provides for civil penalties of up to $7,500 per violation and injunctive relief. The law also provides a 30-day right to cure to remedy alleged noncompliance; however, the right to cure is set to sunset on January 1, 2026.
For Delaware, the law does not expressly state what penalties the Attorney General may seek other than stating that violations will be prosecuted in accordance with the provisions of Subchapter II of Chapter 25 of Title 29, which provides for civil penalties of up to $10,000 per violation, as well as injunctive relief, which, if violated, can result in enhanced civil penalties of up to $25,000 per violation. The law also provides covered businesses a 60-day right to cure to remedy alleged noncompliance; however, the right to cure is set to sunset on December 31, 2025.
The passage of the laws in Oregon and Delaware adds to the increasing complexity for larger businesses, including certain nonexempt financial institutions and their affiliates, to comply with a patchwork of state privacy laws. Though the laws largely adopt the Colorado model, by expanding on existing requirements under other state privacy laws, the laws in Oregon and Delaware arguably set a new compliance bar for businesses that meet the laws’ applicability thresholds. As a result, businesses subject to the new laws will need to reassess their existing privacy compliance programs to ensure compliance.
A handful of additional states may be next to pass their own general data privacy legislation, including Pennsylvania, New Jersey, New York, North Carolina, and Illinois. As such, the US privacy landscape will likely continue to evolve as each state’s legislative session comes to a close.
[i] The Oregon law provides covered businesses the option to provide either: (a) the list of third parties it has disclosed a particular individual’s personal data to or (b) the list of all third parties to which the business has disclosed any personal data. Many covered businesses may find it simpler to keep the latter list.
[ii] The list of current general state privacy law includes: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Other states have recently passed health-specific privacy laws, including Nevada and Washington, as discussed here.
[iv] Colorado and Virginia were the first states to pass general data privacy laws reflecting these approaches.
[v] Oregon’s Revised Statute 706.008 defines “financial institutions” as:
- Insured Institutions, defined as a company subject to the federal Bank Holding Company Act of 1956, the deposits of which are insured under the provisions of the Federal Deposit Insurance Act;
- Extranational Institutions, defined as a corporation, unincorporated company, partnership or association of two or more persons organized under the laws of a nation other than the United States, or other than a territory of the United States, Puerto Rico, Guam, American Samoa or the Virgin Islands, that engages directly in banking business;
- Credit Unions, defined as a cooperative, non-profit association, incorporated under the laws of [Oregon], for the purposes of encouraging thrift among its members, creating a source of credit at a fair and reasonable rate of interest and providing an opportunity for its members to use and control their own money in order to improve their economic and social condition;
- Interstate Credit Unions, defined as a credit union organized under the laws of another state may conduct business as a credit union in [Oregon] with the approval of the Director of the Department of Consumer and Business Services and satisfies the conditions described in subsection (3) under Oregon’s Revised Statute 723.042 ; and
- Federal Credit Unions.