Get Ready to Comply with Two New State Data Privacy Laws by July 1 

April 30, 2024

Businesses have only a short window remaining to ensure compliance with two new privacy laws. Two new comprehensive state data privacy laws take effect on July 1: the Texas Data Privacy and Security Act (TDPSA) and the Oregon Consumer Privacy Act (OCPA). While Oregon’s law mostly conforms to the model set by states like Virginia, Connecticut, and Colorado, Texas’s law diverges significantly from that model with respect to its applicability thresholds, which will be the most expansive of any state law to date. Businesses should carefully evaluate whether they meet the threshold requirements of each law, as detailed below.

The thresholds for Oregon’s OCPA follow the pattern used by most other state data privacy laws currently in effect. The law applies to all persons or entities who do business in the state and process the personal information of over 100,000 residents of the state or over 25,000 residents if the person or entity derived 25% of their gross revenue from the sale of personal information. OCPA contains a number of exemptions, including for information collected by a business from its employees. Notably, unlike many other state data privacy laws, OCPA does not contain a blanket exemption for nonprofit organizations. OCPA does not create a private right of action, as it provides for exclusive enforcement authority by the state's Attorney General.

The thresholds for Texas’s TDPSA, on the other hand, deviate substantially from the archetype established by other states, with the result being that many businesses are likely to find themselves within the scope of the new Texas law. As with every other state data privacy law currently in force, an entity must do business in Texas to be subject to the TDPSA. However, unlike any other state law to date, TDPSA does not set a minimum revenue threshold or a minimum number of consumers from whom an entity must gather personal data to be subject to the law. Instead, businesses are subject to Texas’s law if they

  1. process or engage in the sale of personal data of any Texas residents and
  2. are not a small business, as defined by the U.S. Small Business Administration.

These thresholds are markedly broader than those of any other state data privacy law enacted to date and will likely have the effect of requiring businesses not subject to any other state law to comply with TDPSA. TDPSA does, however, contain a number of exemptions that are common to other states’ privacy laws, including exemptions for nonprofits, entities regulated by either the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), and data regulated by the Family Educational Rights and Privacy Act (FERPA). Finally, as is the case with OCPA and most of the other current state privacy laws, the TDPSA does not afford a private right of action, and the law may only be enforced by Texas’s Attorney General.

While many of the compliance requirements imposed by the OCPA and TDPSA align with those found in other state data privacy laws, each contains nuances that may require subject entities to update their current data privacy compliance programs. As described above, Texas’s law will have the broadest applicability thresholds of any state law to date. As such, businesses should carefully evaluate whether they meet any compliance thresholds for these new laws. 
