On July 18, 2023, Oregon Governor Tina Kotek signed into law Senate Bill 619 (the "Oregon Consumer Privacy Act"), Oregon's new state consumer privacy law, which will become effective July 1, 2024. Oregon now joins California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, Tennessee, Montana, Texas, and Florida (together, "US State Data Privacy Laws") as states with their own consumer privacy laws. Many state legislatures have been quite active in enacting state data privacy laws this year. The Oregon Consumer Privacy Act does have somewhat more stringent requirements than other existing US State Data Privacy Laws on certain topics, including applicability to non-profits and required disclosures with respect to processing by third parties. Controllers must be aware of the law's requirements, but should have little difficulty adapting their existing data privacy compliance program to the Oregon Consumer Privacy Act.
Similar to our other articles on recently enacted US State Data Privacy Laws, we summarize the key components of the Oregon Consumer Privacy Act below.
To whom does the Oregon Consumer Privacy Act apply?
The Oregon Consumer Privacy Act imposes transparency and disclosure obligations on a "controller" (an individual or legal entity who, "alone or jointly with another person, determines the purposes and means for processing personal data") who either:
- conducts business in Oregon; or
- produces products or services that are targeted to the residents of Oregon;
and that during a calendar year:
- controls or processes personal data of not less than 100,000 Oregon residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- controls or processes personal data of not less than 25,000 Oregon residents and derives more than 25 percent of its gross revenue from the sale of personal data.
Notably, the Oregon Consumer Privacy Act does not have a revenue threshold for entities to be subject to privacy obligations. In addition, the Oregon Consumer Privacy Act does not generally apply to government entities, institutions of higher education, HIPAA-covered entities and business associates, and Gramm-Leach-Bliley Act-regulated entities and data. The Oregon Consumer Privacy Act also does not generally apply to certain classes of data, including health records, scientific research data, consumer credit-reporting data, data regulated by the Family Educational Rights and Privacy Act, and employment-related information.
The Oregon Consumer Privacy Act, like the Colorado Privacy Act, applies to most non-profit organizations, with that application beginning on July 1, 2025.
What rights does the Oregon Consumer Privacy Act grant consumers?
The Oregon Consumer Privacy Act grants Oregon residents acting in an individual capacity, and not in a commercial or employment context ("consumers"), certain access and control rights concerning their personal data. A consumer may submit authenticated requests to a controller to:
- confirm whether the controller is processing the consumer's personal data;
- obtain a copy of the consumer's personal data (i.e., data portability);
- correct inaccurate personal data of the consumer;
- delete personal data about the consumer;
- disclose, at the controller's discretion, the list of third parties to whom the controller has disclosed the consumer's, or any consumer's, personal data;
- opt out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data (whether for monetary or other valuable consideration), or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (profiling); and
- revoke previously given consent to process the consumer's personal data, which must be honored within 15 days of receiving the request.
A controller must respond to consumer requests to exercise their rights granted by the statute within 45 days. The controller may extend that time period for an additional 45 days when reasonably necessary considering the complexity and number of the consumer's requests, but must notify the consumer. The Oregon Consumer Privacy Act also grants consumers the right to appeal the controller's refusal to take action on requests to exercise their rights. A controller must respond to an appeal in writing within 45 days and, if the appeal is denied, the controller must provide the consumer with a method for contacting the Oregon Attorney General.
The Oregon Consumer Privacy Act also provides that a controller must first obtain the consumer's consent if it knowingly processes the personal data of children aged 13-15 for the purposes of targeted advertising, sale of personal data, or profiling.
What obligations does the Oregon Consumer Privacy Act impose on controllers and processors?
The Oregon Consumer Privacy Act applies to "personal data." Personal data is defined as any information that is linked or reasonably linkable to a consumer or to a device that is reasonably linkable to a consumer. The definition of personal data notably excludes de-identified data or publicly available information.
The Oregon Consumer Privacy Act requires controllers to:
- limit the collection of personal data to what is adequate, relevant, reasonably necessary, and proportionate in relation to the purposes for which the personal data is processed;
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and security of consumers' personal data;
- process consumers' sensitive data only after obtaining the consumer's consent. Sensitive data is defined to include information revealing racial or ethnic origin, religious beliefs, sexual orientation, status as transgender or non-binary, status as victim of a crime, citizenship or immigration status, and health status; genetic or biometric data; past or present geolocation within 1,750 feet; or any personal data of a child;
- refrain from discriminating against consumers who exercise the rights granted by the statute;
- provide a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data and sensitive data processed; the purpose for processing personal data; the manner in which consumers may exercise their rights, including how a consumer may appeal a controller's decision; a list of the categories of data shared with third parties, the categories of third parties, and, to the extent possible, how each third party may process data; an active email address or other mechanism that the consumer may use to contact the controller; and the identity of the controller. The privacy notice must also disclose the express purpose for which the controller is collecting and processing personal data;
- clearly and conspicuously disclose if the controller sells consumers' personal data to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out;
- allow consumers to exercise their right to opt out via an opt-out preference signal;
- conduct a data protection impact assessment on the processing of personal data that presents a heightened risk of harm to a consumer, including targeted advertising, the sale of personal data, the processing of sensitive data, and profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of or unlawful disparate impact on consumers, financial, physical, or reputational injury to consumers, or a physical or other form of intrusion on private affairs, in which the intrusion would be offensive to a reasonable person; and
- when in possession of de-identified data, take reasonable measures to ensure that the data cannot be associated with an individual, commit publicly to maintaining and using data as de-identified data, and contractually obligate any recipients of the data to comply with the Oregon Consumer Privacy Act.
The Oregon Consumer Privacy Act imposes additional requirements on processors (an individual or legal entity that processes personal data on behalf of a controller). Processors must assist the controller in meeting its obligations under the act, including its obligations regarding consumer rights requests and security of data processing. The Oregon Consumer Privacy Act also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions.
Key Aspects of the Oregon Consumer Privacy Act
- Right for Consumers to Opt Out: The Oregon Consumer Privacy Act permits consumers to opt out of the processing of personal data for the sale of personal data or for targeted advertisements. Like the recently enacted Montana Consumer Data Privacy Act and Indiana data privacy law, the Oregon Consumer Privacy Act also grants consumers the ability to opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning a consumer.
- Processing Agreement Required between Controllers and Processors: Like certain other US State Data Privacy Laws, the Oregon Consumer Privacy Act requires controllers to enter into contracts with processors that regulate how processors process data. Contracts under the Oregon Consumer Privacy Act must clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the parties' rights and obligations. The contracts also must include a duty of confidentiality and must require that processors only engage subcontractors pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data. The Oregon Consumer Privacy Act also requires processors to delete or return personal data upon the controller's request.
- Third Party Disclosures: Unlike most other US State Data Privacy Laws, the Oregon Consumer Privacy Act requires controllers to disclose, to the extent possible, how third parties may process personal data the controller shares with them. This requirement is in addition to the more common requirements that controllers disclose the categories of data shared with third parties and the categories of third parties.
- Attorney General Investigations and Enforcement: Like most of the US State Data Privacy Laws, the Oregon Consumer Privacy Act does not provide for a private right of action. The Oregon Office of the Attorney General has exclusive authority to enforce the act. However, the Oregon Attorney General must issue a notice of violation to the controller prior to initiating any action. A controller will then have 30 days to cure the noticed violation. Importantly, the cure provision will terminate on January 1, 2026. The Oregon Attorney General may seek civil penalties of $7,500 per violation.
While the Oregon Consumer Privacy Act is not significantly distinguishable in substance from other US State Data Privacy Laws, businesses should not overlook the law, as it provides for somewhat more stringent requirements than some other state laws on topics including applicability to non-profits, opt-in requirements for children ages 13 to 15, and disclosures with respect to processing of data by third parties.