USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP
ers the right to opt out of (not opt in to) sensitive data processing. Nebraska The Nebraska Data Privacy Act (NDPA) applies to entities that: • do business in Nebraska or produce products or services targeted at Nebraska residents; • process or engage in the sale of personal information; and • are not small businesses under the federal Small Business Administration. The NDPA does not apply to non-profits. Delaware The Delaware Personal Data Privacy Act (DPDPA) largely follows the Colorado model but applies to controllers that control or process the personal data of at least 35,000 Delaware consumers. The DPDPA applies to non-profits and has no HIPAA- entity level exemption. New Hampshire The New Hampshire Expectation of Privacy stat - ute is similar to Delaware, except that it does not apply to non-profits. New Jersey The New Jersey Data Privacy Act (NJDPA) roughly follows the Colorado model, except that: • controllers must obtain opt-in consent to pro - cess personal information when the controller has actual knowledge or wilfully disregards that the consumer is a child who is at least 13 years of age and younger than 17 years of age, when that processing is for the purpose of targeted advertising, a sale or profiling; • the NJDPA defines “sensitive” data to include potentially all of a consumer’s financial infor -
mation (to the extent that it is not covered by GLBA); and • personal information processed solely for the purpose of completing a payment transaction is excluded from the personal data needed to meet the jurisdictional threshold. Oregon (effective 1 July 2024 generally, and 1 July 2025 for non-profits) The Oregon Consumer Privacy Act (OCPA) fol - lows the Colorado model, and, like the CPA, applies to non-profit entities, with some excep - tions. The OCPA has no GLBA or HIPAA entity- level exemptions. The OCPA gives consumers the right to obtain the names of specific third parties to which the controller has disclosed the consumers’ personal information, but the controller can respond by disclosing the names of the specific third parties to which it has dis - closed personal data generally. Oregon requires controllers to obtain consent (from parents, for children under 13) before selling or using the personal information of children under 16 for targeted advertising. Texas The Texas Data Privacy and Security Act (TDP - SA), like the Nebraska law, has no per-consumer collection threshold and instead applies to enti - ties that: • conduct business in Texas or produce a prod - uct or service consumed by Texas residents; • process or engage in the sale of personal data; and • are not small businesses as defined by the federal Small Business Administration. Controllers that sell sensitive personal data must prominently disclose the following: “NOTICE: We may sell your sensitive personal data.”
528 CHAMBERS.COM
Powered by FlippingBook