Hello all, and happy Thursday!
A year ago, I might have said that U.S. states were slowly but surely adopting data privacy legislation. Today, I’d have to drop the “slowly” bit.
Oregon has become the 11th state to gain a comprehensive privacy law. (And Delaware may soon follow!)
There isn’t too much that’s new to the Oregon Consumer Privacy Act, or OCPA, compared to other state privacy laws. Businesses that meet the OCPA thresholds are required to engage in familiar compliance activities like:
- Providing notice.
- Adhering to data minimization and purpose limitation principles.
- Enabling consumers to exercise their rights.
- Obtaining consent prior to processing sensitive data.
- Entering into contracts with processors.
- Conducting data protection assessments for high-risk processing activities.
- And more.
The law doesn’t go into effect until July 1, 2024—after that point, the Oregon State Attorney General may grant violators 30 days to cure their infractions and penalize controllers $7,500 per violation.
We developed an action plan checklist for the 2023 state laws that you may be interested in reviewing. U.S. privacy law has—for the most part—followed the same standards, and by following the guidance within the checklist, you’ll be well-positioned for compliance. Of course, each law has its own peculiarities, which we recommend reviewing with your counsel.
Best,
Arlo
Top Privacy Stories of the Week
Oregon Is the 11th State to Enact Comprehensive Privacy Legislation
On July 18, the Oregon governor signed the Oregon Consumer Privacy Act to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures.
Illinois Instagram Users Could Receive Payment From Class-Action Settlement
The Illinois Biometric Information Privacy Act (BIPA) prohibits companies from collecting and storing biometric information. As a result of a class-action lawsuit, Instagram was found to have violated BIPA, entitling Illinois residents who used the app in the last eight years compensation.
Apple Introduces New SDK Privacy Controls in iOS 17
Apple recently announced new SDK privacy controls that will be part of iOS 17, including privacy manifests and signatures, required reason APIs, tracking domains, and more.
Biden-Harris Administration Secures Voluntary Commitments from Leading Artificial Intelligence Companies to Manage the Risks Posed by AI
The Biden-Harris Administration recently secured commitments from seven leading AI companies to carry out a variety of activities to protect American rights and safety. These include testing, cybersecurity, transparency, bias minimization, and other commitments.
CPPA Debuts New CPRA Complaint Form
California residents who believe their rights under the CPRA have been violated can now make complaints directly on the California Privacy Protection Agency’s website. Out of the complaints received thus far, violations associated with the right to limit the use of sensitive personal information were the most commonly alleged.
European Data Protection Board Informs Stakeholders About the Rights and Obligations Under the Data Privacy Framework
Recently, the European Data Protection Board (EDPB) released an information note that explains the rights of individuals and organizations’ obligations under the international data transfer framework—known as the Data Privacy Framework—between the EU and U.S.
California’s Expansive New Children’s Online Privacy Law Faces First Amendment Challenge
A pending federal lawsuit, NetChoice LLC v. Bonta, seeks to block California's recent children’s data protection law, the Age-Appropriate Design Code Act (AADC). The plaintiffs argue the law violates the First Amendment to the U.S. Constitution and is preempted by existing federal laws.
Delaware Could Become the Next State to Enact a Comprehensive State Privacy Law
On June 30, 2023, the Delaware House of Representatives passed the Delaware Personal Data Privacy Act, a day after the Delaware Senate passed the legislation. The DPDPA heads to Governor John Carney for a final signature.
Apple’s App Tracking Triggers Statement of Objections From French Competition Authority
The French national competition authority has issued a statement of objections related to how Apple tracks iOS users. The watchdog said that it suspects Apple of abusing a dominant position by implementing what it described as “discriminatory, non-objective and non-transparent” conditions for the use of user data for advertising purposes.
The Osano Privacy Program Maturity Model
For both privacy experts and novices alike, developing a privacy program can feel like taking a shot in the dark. With the Osano Privacy Program Maturity Model, you'll gain a points-based method of evaluating your privacy program’s operational efficiency and identifying exactly what your next steps should be. Click the link to gain access to your copy today.
If you’re interested in working at Osano, check out our Careers page!
Arlo Gilbert
Arlo Gilbert
Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce, he has testified before congress on technology issues, and is a frequent speaker on data privacy rights.