On July 18, 2023, Oregon’s Governor signed Senate Bill 619 which enacts Oregon’s comprehensive consumer data privacy statute. Oregon joins California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia in enacting a comprehensive consumer privacy law. Most of the sections of the law are scheduled to take effect on July 1, 2024, with a delayed effective date of July 1, 2025, for non-profit organizations.
When does the law apply?
The statute applies to any person that conducts business in the State of Oregon or that provides products or services to residents of the state and who during a calendar year, controls, or processes:
- The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or,
- The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.
The following are some of the types of businesses that are exempted from the statute:
- A public corporation
- Covered entities or business associates processing protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
- Organizations subject to the Gramm-Leach-Bliley Act.
Who is protected by the law?
The law protects consumers defined as a natural person who resides in the State of Oregon and acts in any capacity other than in a commercial or employment context.
What data is protected by the law?
Personal data that is protected under the statute is defined as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”
It does not include:
- Deidentified data
- Data that is lawfully available through federal, state, or local government records or through widely distributed media
- Data the controller reasonably understood to have been lawfully made available to the public by the consumer.
The statute also includes biometric data under personal data. Under the legislation biometric data is defined as personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voice print, iris pattern, gait, or other unique biological characteristics that allow or confirm the unique identification of a consumer.
What are the rights of consumers?
Under the new legislation, consumers have the right to:
- Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
- Correct inaccuracies in the consumer’s personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a digital copy of the data the consumer previously provided, if available; and
- Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
- Obtain a list of “specific third parties” to whom a controller discloses personal data.
What obligations do businesses have?
Covered businesses must also include a “clear and conspicuous” description of any processing done for the purpose of targeted advertising.
Eventually, covered businesses will be required to recognize universal opt-out mechanisms, though that portion of the statute does not take effect until January 1, 2026.
How is the law enforced?
The State Attorney General has exclusive authority to enforce the statute and it does not allow for a private right of action to enforce.
If you have questions about Oregon’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.