Regulation updates
      Back to home
      1. Knowledge base
      2. Regulation updates

      July 2024 - Oregon and Texas

      The Oregon Consumer Privacy Act and Texas Data Privacy Act became effective on July 1, 2024. Additionally, provisions of the Colorado Privacy Act concerning universal opt-out mechanisms are becoming effective and will be covered by this release.

      Oregon

      Oregon Consumer Privacy Act has been signed on July 18, 2023. Similarly to the Colorado Privacy Act, it includes provisions on universal opt-out mechanisms, which will become effective on January 1, 2025. 

      The Oregon Consumer Privacy Act (OCPA) applies to any person who conducts business in the state of Oregon or who provides products or services to residents of Oregon and who, during a calendar year, controls or processes the personal data of 100,000 or more consumers or the personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

      The business is required to publish a privacy notice and provide consumers with a way to exercise their rights with regard to their personal information, in particular: 

      • Right to access;
      • Right to correct;
      • Right to delete;
      • Right to obtain a copy or send information to another business in a portable way; 
      • The Right to opt-out of personal data processing for the purposes of targeted advertising;
      • Right to opt-out of the sale of personal data;
      • Right to opt-out of profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

      As of 1 July, these rights will become available for website visitors coming from Oregon State in the Clym widget as a default configuration. You may adjust this configuration by following this instruction

      As regards the opt-out from the processing of personal data, Oregon’s law recognizes universal opt-out mechanisms, which means you have to comply with an opt-out request submitted via an authorized agent designated “by means of an internet link, browser setting, browser extension, global device setting or other technology.” This feature will be activated as of January 1, 2025, and you will receive a separate communication. 

      Texas 

      The Texas Data Privacy and Security Act (TDPSA) is Texas’ data privacy law, signed into law on June 18, 2023. Its effective date is July 1, 2024. However, Section 541.055, outlining the obligation of controllers to recognize universal opt-out mechanisms, such as GPC signals, becomes effective as of January 1, 2025. 

      TDPSA requires that controllers publish a Privacy Notice to maintain transparency and provide consumers with information about how their information is being processed, as well as two separate notices specifically highlighting when sensitive or biometric data is being sold. This can be achieved by posting “NOTICE: We may sell your sensitive personal data" or “NOTICE: We may sell your biometric personal data” in the same location as a Privacy Notice on your website. 

      Following this guideline, you may add a link to the Privacy Center next to the Privacy Policy to make it easier for website visitors to access the widget. 


      Unlike other US privacy laws currently in force, the Texas Data Privacy and Security Act does not set out annual revenue or number of consumers whose personal data is processed as the threshold for applicability and only applies to entities that meet the below criteria:

      • conduct business in Texas or produce a product or service consumed by residents of Texas; 
      • process or engage in the sale of personal data; and
      • are not considered small businesses (as defined by the United States Small Business Administration), except for the requirement that small businesses obtain consent before selling the sensitive personal data of data subjects.

      Still, this means that most companies conducting business in Texas must comply with the Texas Data Privacy and Security Act (TDPSA).

      As of July 1, website visitors coming from Texas would see the following request types in the Clym widget menu: 

      • Right to access; 
      • Right to correct; 
      • Right to delete; 
      • Right to obtain a copy or send information to another business in a portable way; 
      • The Right to opt-out of personal data processing for the purposes of targeted advertising;
      • Right to opt-out of the sale of personal data;
      • Right to opt-out of profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

      As in Oregon, the recognition of universal opt-out signals for website visitors coming from Texas, such as GPC signals, would be turned off by default on January 1, 2025. 

      If either the Oregon Consumer Privacy Act or the Texas Data Privacy and Security Act does not apply to your business and you wish to change the widget's configurations on your website, you may manually change the default configurations by following this guideline on how to change the regulation for a jurisdiction

      Colorado

      The Colorado Privacy Act (CPA) became effective on July 1, 2023, last year. As of July 1, 2024, if your organization is covered by Colorado’s privacy law, you will be required to allow consumers to opt-out using a Universal Opt-Out Mechanism (UOOM). This functionality can be managed through the "Global Privact Control" functionality in the Clym widget. 

      On November 21, 2023, the Colorado Attorney General published a shortlist of Universal Opt-Out Mechanisms (UOOMs) being considered. For more information on UOOMs, we invite you to read our blog post