Comprehensive Privacy Laws Take Effect in Texas and Oregon

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Comprehensive Privacy Laws Take Effect in Texas and Oregon

Comprehensive privacy laws became effective July 1 in Texas and Oregon, bringing the total number of states with active comprehensive privacy laws to seven, alongside California, Colorado, Connecticut, Utah and Virginia.

TAKEAWAY

Notably, the Oregon Consumer Privacy Act introduces some new “sensitive data” categories, specifically victims of crime, national origin, and status as transgender or non-binary. Oregon also requires that, upon consumer request, companies must provide consumers with a list of third parties to which personal data has been disclosed (diverging from the requirement in some other states to provide categories of third parties rather than a specific list of third parties). This stresses the importance of maintaining an accurate and up-to-date list of what third parties a company discloses personal data to.

The Texas Data Privacy and Security Act introduces some new footer language that companies processing sensitive or biometric data must use in their notices to consumers, specifically: “NOTICE: we may sell your [sensitive personal] [biometric] data”. 

Recognition of GPC Signals is Officially Required in Colorado

July 1 marked the date that Colorado began requiring recognition of Universal Opt-Out Mechanisms (UOOMs) as a means for consumers to opt out of the sale of their personal data or targeted advertising.

TAKEAWAY

Although the Colorado Privacy Act allows for approval by the Colorado Attorney General’s Office of an unlimited number of UOOMs that companies may be required to recognize under the law, the AG’s office has so far only adopted one: Global Privacy Control, which is also the only “opt-out preference signal” that has officially been recognized by the California AG’s office.

Colorado is the second state (after California) with an active requirement to recognize UOOMs (or OOPSs) as a valid opt out under their respective laws, but ten additional states (and counting) will require such recognition within the next two years.

Looking for guidance on all the U.S. States’ privacy regulation? Download Sourcepoint’s Ultimate Guide to U.S. State Privacy Laws.

EUROPE

Oslo Court Upholds Fine Against Grindr for Sensitive Data Tracking

The Oslo District Court officially upheld the Norwegian Data Protection Authority’s NOK 65,000,000 (5.65MM euro) fine against Grindr based on a conclusion that Grindr intentionally violated the GDPR by sharing special categories of personal data from users of its dating app with third-party advertising partners without a valid legal basis.

TAKEAWAY

A notable aspect of the case is the Court’s analysis and interpretation of “special categories of personal data”. Specifically, the Court concluded that [as unofficially translated] “connection to an app can be enough to fall under the processing of particular categories of personal data if the app in question handles particular categories of personal data…this applies regardless of whether the information is correct and regardless of the purpose of the processing.”

Applying this to the Grindr case, the Court found that, by providing the Apple ID of its users (that, in isolation, does not say anything about a persona’s sexual relationship or sexual orientation) with advertisers, Grindr released information that a specific user is a user of Grindr, an app that “mainly targets a group of people who seek sexual contact with others based on sexual orientation and preferences”, which, in the court’s view, “is information about a person’s sexual relationship.”  

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.