Key Takeaways from Our Conversation with Oregon and Texas Regulators About Privacy Enforcement
With new comprehensive privacy laws in Texas and Oregon going into effect on Monday, July 1, we invited enforcers from the Texas and Oregon Attorneys General Offices – Tyler Bridegan and Kristen Hilton – to join our Wiley Connected podcast to share their insights into how they view and are planning to enforce these new laws.
We encourage you to listen to the full discussion (available here), and we have pulled out some key takeaways below.
- States work together when it comes to implementation and enforcement of privacy laws. Throughout the discussion, it was clear that states like Texas and Oregon are collaborating with – and learning from – each other, as well as other states that already have comprehensive privacy laws in effect. Indeed, states are aware of and paying attention to key developments across the country, from Colorado’s privacy rules to Connecticut’s enforcement report. We also discussed multi-state enforcement efforts, which range from informal information sharing and collaboration to formal investigations and suits.
- While state privacy laws are proliferating, many share common themes and threads. Overall, the new Texas and Oregon laws follow a similar model to each other and most of the comprehensive privacy laws already on the books. For example, the Oregon law was specifically modeled on the comprehensive privacy laws in Connecticut and Colorado, and as such, Oregon may have common interpretations of terms imported from those other states.
- At the same time, state enforcers are focused on what makes their laws distinct (and companies should be too). While state privacy laws have several commonalities, companies should pay careful attention to how each law is unique in certain respects. For example, there are several deliberate differences between the new Oregon law and others – including that the Gramm-Leach-Bliley Act (GLBA) exemption only applies to GLBA data, not GLBA entities, meaning that many financial institutions will be covered in some way. Further, in Oregon, there is no general exemption for nonprofits, and there is a unique right to access that speaks in terms of controllers disclosing the names of specific third parties with whom personal data has been shared. The new Texas law has a unique applicability threshold that does not depend on a company’s revenue or the amount of consumers’ data collected. These differences may result in companies having to comply with the Texas and/or Oregon laws when they have not yet had to comply with other comprehensive privacy laws.
- States are not waiting for their comprehensive privacy laws to be effective to bring privacy enforcement under other laws. The new comprehensive privacy laws are just one more tool in the states’ toolboxes to deal with consumer privacy and data security issues, and companies need to be aware of other applicable laws as well. For example, Texas also has laws regarding data breaches, data brokers, biometrics, genetic privacy, and children’s privacy, while Oregon also has laws on the books regarding data breach notification and safeguards, student privacy, IoT security, and data brokers. And the Texas Attorney General has already announced inquiries regarding collection and sale of drivers’ data from connected vehicles, as well as compliance with the Texas data broker law, while Oregon has been involved in multi-state breach settlements and health data privacy and security cases. Companies’ compliance efforts need to take account of the wide range of these state laws – and how they fit together – and not just the latest comprehensive privacy laws.
- There are best practices and tips that companies should follow if they hear from a state enforcer on a privacy or data security issue. Our guests shared tips for companies that are dealing with enforcement issues. These include engaging early and often, especially if there is a cure period that may potentially apply to a violation. (Though also note that not every state privacy statute has a cure period, even if the comprehensive privacy statute does.) It’s also important not to be evasive, to show good faith efforts at compliance, and to avoid the need for follow-up questions.
- Finally, there are best practices and tips for companies to comply with these new laws.
  - Carefully review your company’s practices to ensure they are keeping pace with new laws, and keep in mind how consumer expectations of privacy may be changing.
  - Make good faith efforts to comply – states are not necessarily looking for perfection from every company from day one, but want to see that good faith efforts are made.
  - Document your decisions about compliance or why a particular law does not apply to your company – and be ready to show your work.