Background and Scope of Application

Oregon. On June 22, 2023, the Oregon House of Representatives unanimously passed Oregon’s Consumer Data Privacy Act (“Oregon Privacy Act”), following a majority vote in the Oregon State Senate. The Oregon Privacy Act increases consumer data protections by imposing affirmative obligations on entities controlling or processing consumer personal data (including persons and entities that conduct business in the State of Oregon or provide products or services to Oregon residents) and during a calendar year meet one of the following criteria:

1. Control and process personal data of 100,000 or more consumers or a combination of consumers and devices; or
2. Control and process the personal data of 25,000 or more consumers, while deriving 25 percent or more of their annual gross revenue from selling personal data.[4]

Delaware. Subsequently, on June 30, 2023, the Delaware House passed the Personal Data Privacy Act (“Delaware Privacy Act”), also following a passing vote in the Delaware Senate. The Delaware Privacy Act, while similar in many respects to other United States privacy laws, has lower application thresholds than those found in comparable laws, including Oregon, which gives it broader reach. The Delaware Privacy Act will apply to entities that conduct business in Delaware or produce products or services that are targeted to Delaware residents, and that meet one of the following criteria during the preceding calendar year:

1. Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction, or
2. Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.[5]

Importantly, neither state’s privacy act applies to protected health information that a covered entity processes in accordance with HIPAA.[6] However, healthcare entities outside of HIPAA’s purview may still be subject to the acts.

Duties of Controllers and Processors

Controllers. Both the Oregon Privacy Act and Delaware Privacy Act impose various, and largely similar, obligations on qualifying controllers’[7] use of consumer data, including:

• Obtaining consumer consent before processing sensitive data.[8]
• Providing consumers with a privacy notice that lists, among other things: (i) categories of personal data the controller processes[9], (ii) the express reasons for which the controller is collecting and processing personal data,[10] (iii) processes for consumers’ exercise of rights, including appeals processes upon a controller’s denial of a consumer request, and (iv) categories of data shared with third parties and categories of third parties receiving such data.[11]
• Limiting the controller’s collection of personal data to only that which is adequate, relevant, and reasonably necessary to serve the specified purpose.[12]
• Establishing, implementing, and maintaining safeguards for personal data to protect the confidentiality, integrity, and accessibility of personal information.[13]
• Establishing an effective means by which a consumer may revoke their consent to the controller’s processing of their personal information.[14]
• Limiting the processing of the following “sensitive data” without the consumer’s affirmative “opt in” consent:
  • Personal data revealing racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, gender identity, crime victim status, or citizenship or immigration status.
  • Genetic or biometric data and precise geolocation data.

In addition, both the Oregon Privacy Act and Delaware Privacy Act require that controllers conduct a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer.[15] The assessment must weigh how processing personal data may directly or indirectly benefit the controller or consumer, and how safeguards may mitigate such risks.[16] Delaware, however, only requires such an assessment for controllers who control or process the data of not less than 100,000 consumers and excludes data controlled or processed solely for the purpose of completing a payment transaction. Delaware also requires assessments to be conducted regularly.[17]

Processors. The Oregon Privacy Act and Delaware Privacy Act both require processors[18] to adhere to controllers’ instructions and assist controllers in meeting their obligations.[19]

Consumer Rights

The Oregon Privacy Act and Delaware Privacy Act impose specific obligations on businesses that collect, use, store, disclose, analyze, delete, or modify consumer personal data, providing consumers the following rights over their personal information:

• Right to Know. Confirm whether the controller is processing the consumer’s personal data, as well as the categories of data being processed and third parties to whom the data has been disclosed. [20]
• Right to Access. Obtain a copy of the consumer’s personal data that a controller has or is processing. [21]
• Right to Data Portability. Obtain a copy of the consumer’s processed data in a portable and useable format. [22]
• Right to Correction. Correct inaccuracies in the consumer’s personal data. [23]
• Right to Deletion. Enjoin deletion of the consumer’s data held by a controller, even if obtained from another source. [24]
• Right to Opt-Out. Opt-out of a controller’s processing of the consumer’s personal data, for the purposes of targeted advertising, data sales, or profiling the consumer to support decisions that produce effects of similar significance.[25] [26]

Enforcement

The Oregon Privacy Act authorizes consumers to directly sue a controller for violations, while the Delaware Privacy Act contains no private right of action, giving the Delaware Department of Justice exclusive enforcement authority. Specifically, under the Oregon Privacy Act, consumers may bring a private right of action in an Oregon circuit court within two years of the consumer’s discovery of harm resulting from a controller’s violation.[27] The Oregon Attorney General may also bring an action to seek a civil penalty of no more than $7,500 for each violation, enjoin the violation, or seek other equitable relief.[28] In Delaware, where no private right of action would be available, a violation of the Delaware Privacy Act will be deemed an unfair trade practice under Del. Code tit. 6 § 25, Subchapter II, which could result in civil penalties of up to $10,000 per violation. [29]

Operational Considerations

Organizations operating in Oregon and Delaware should begin to review the scope and reach of their respective state’s privacy act to assess whether they fall within its purview. If so, organizations should:

• Evaluate whether current (or intended) operations are compliant with the identified limitations.
• Conduct a data protection assessment to identify existing vulnerabilities (and continue to perform regular assessments if processing data for at least 100,000 consumers in Delaware).
• Review consumer-facing privacy notices and/or policies and ensure that consumer rights are updated and clearly delineated in such notice or policy.
• Implement administrative, physical, and technical systems and prepare policies and procedures that ensure they are equipped to respond to the various consumer requests.
• Review existing processor-controller agreements to ensure they contain all necessary components and terms required for such arrangements.

Sheppard Mullin will continue to track developments in U.S. consumer data privacy laws.

*Lena Zinner is a law clerk in the firm’s New York office.

FOOTNOTES

[1] Oregon defines a “consumer” as “a natural person who resides in Oregon and acts in any capacity other than engaging commercial activity or performing duties as an employer or employee.” S.B. 619, 2023 Leg., 82^nd Sess. (Or. 2023). (“SB 619”) § 1(7). However, Delaware defines a “consumer” simply as an individual who is a resident of Delaware. H.B. 154, 2023 Leg., 152^nd Sess. (Del. 2023) (“HB 154”) § 12D-102(8). Notably, Oregon excludes persons operating in a commercial capacity or performing employer or employee related duties from its definition of consumer, while Delaware does not.

[2] Oregon Consumer Privacy Act, Or. Dept. of Just. 1, 1-2, https://olis.oregonlegislature.gov/liz/2023R1/Downloads/PublicTestimonyDocument/59856; House Passes Data Privacy Legislation, De. BusinessNow! (June 9, 2023), https://delawarebusinessnow.com/2023/06/house-passes-data-privacy-legislation/.

[3] As of this publication, the Delaware and Oregon legislations are currently awaiting final signature by each state’s Governor.

[4] SB 619 § 2(1).

[5] HB 154 § 12D-103(a).

[6] SB 619 § 2(2)(b); HB 154 § 12D-103(c)(1).

[7] Oregon defines a “controller” as a person that acts alone or in concert with another person to determine purposes and means for processing personal data. SB 619 § 1(8). Delaware defines a “controller” as a person that, alone or jointly with others, determines the purpose and means of processing personal data. HB 154 § 12D-102(9).

[8] SB 619 § 5(2)(b); HB 154 § 12D-106(4).

[9] SB 619 § 5(4)(a); HB 154 § 12D-106(c)(1).

[10] SB 619 § 5(1)(a) and (4)(b); HB 154 § 12D-106(c)(2).

[11] SB 619 § 5(4)(c-e);SB 619 § 4(f-i); HB 154 § 12D-106(c)(3-5) and (e)(1).

[12] SB 619 § 5(1)(b); HB 154 § 12D-106(a)(1).

[13] SB 619 § 5(1)(c); HB 154 § 12D-106(a)(3).

[14] SB 619§ 5(1)(d); HB 154 § 12D-106(a)(6).

[15] A processing activity presents a heightened risk of harm to a consumer if: (a) the controller processes personal data for the purpose of targeted advertising; (B) the controller processes sensitive data; (C) the controller sells the personal data; or (D) the controller uses the personal data for profiling a consumer, where such profiling presents a reasonably foreseeable risk of harm. SB 619 § 8(1)(a-b); HB 154 § 12D-108(a).

[16] SB 619 § 8(2); HB 154 § 12D-108(b).

[17] HB 154 § 12D-108(a).

[18] Oregon defines a “processor” as a person who processes personal data on behalf of a controller. SB 619 § 1(15). Delaware defines a “Processor” as a person that processes personal data on behalf of a controller. HB 154 § 12D-102(24).

[19] SB 619 § 6; HB 154 § 12D-107.

[20] SB 619 § 3(1)(a)(A); HB 154 § 12D-104(a)(1).

[21] SB 619 § 3(1)(a)(A); HB 154 § 12D-104(a)(4).

[22] SB 619 § 3(2); HB 154 § 12D-104(a)(4).

[23] SB 619 § 3(1)(a)(C)(b); HB 154 § 12D-104(a)(2).

[24] SB 619 § 3(1)(a)(C)(c); HB 154 § 12D-104(a)(3).

[25] SB 619 § 3(1)(a)(C)(d); HB 154 § 12D-104(a)(6).

[26] Except as provided in HB 154 § 12D-106(b).

[27] SB 619 § 10(1), (3).

[28] Id. § 9(4)(a).

[29] HB 154 § 12D-111(d), (e); see also Del. Code 29 § 2522(b).