Page 35 - Cyber Defense eMagazine August 2024
GLBA. In contrast, the Oregon law exempts only information collected, processed, sold, or disclosed in
accordance with the GLBA.
Most but not all of the state privacy laws also contain exemptions for other categories of businesses,
such as nonprofit organizations or institutions of higher education. It is important for businesses to be
cognizant of these other exemptions and any exceptions to the typical exemptions. For example, unlike
most state privacy laws, the Oregon law does not contain a general exemption for nonprofit organizations.
The Oregon law exempts public corporations, including the Oregon Health and Science University and
the Oregon State Bar, as well as nonprofits established to detect and prevent fraudulent acts in
connection with insurance, or those that are engaged in noncommercial activity when providing
programming to radio or television networks. Oregon does provide additional time for nonprofit
organizations to comply – until July 1, 2025.
Privacy Policy Disclosures
All data privacy laws require businesses to publish privacy policies that describe how personal
information is collected and used. They also generally require privacy policies to disclose whether the
business sells personal data to third parties, or processes it for purposes of targeted advertising or
profiling. For example, the Oregon law requires privacy policies to include a clear and conspicuous
description of any processing of personal data for the purpose of targeted advertising or profiling. But
under the Florida and Texas laws, businesses that engage in the sale of sensitive data must specifically
include the following disclosure in their privacy policies: “NOTICE: We may sell your sensitive personal
data.” Businesses that engage in the sale of biometric data must also specifically include the following
disclosure in their privacy policies: “NOTICE: We may sell your biometric personal data.”
Data Subject Rights
Data subject rights commonly granted by state consumer privacy laws include the right to know and
access, right to correct, right to delete, right to data portability, and right to opt out of the sale of personal
data, targeted advertising, or profiling. Oregon grants consumers an additional right to obtain a list of
specific third parties to which a business has disclosed personal data. The Florida law also includes a
right to opt out of the collection or processing of sensitive data, as well as the right to opt out of the
collection of personal data collected through the operation of a voice recognition or facial recognition
feature.
Definition of “Sensitive Data”
Many state privacy laws define “sensitive data” to include personal data revealing an individual’s racial
or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or
immigration status, as well as genetic or biometric data processed for the purpose of uniquely identifying
an individual, the personal data of a child, and precise geolocation data. The definition of sensitive data
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.