Oregon Passes State Privacy Law

Odia Kagan
Fox Rothschild LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Fox Rothschild LLP

 

The state of Oregon has passed a comprehensive data protection law (SB0619), which will go into effect in July 2024.

What do you need to know about SB0619, also known as the Oregon Consumer Privacy Act?

  • Similar to the Colorado progeny of laws, but with differences – not the least of which is that it applies to nonprofits starting July 2025.
  • Different definition of personal data than the other state laws (though practical difference is unclear). It doesn’t include information made available through widely distributed media.
  • Biometric data is such that is capable of identifying a person, even if not used for this.
  • Deidentified data includes data derived from patient data and Deidentified under HIPAA.
  • Sale is for monetary or other valuable consideration, but carves out sharing to an affiliate, or as part of a merger/acquisition or made publicly available.
  • Scope: processing the information of 100,000 consumers or 25,000 consumers, where 25% of the revenue is from sale of data.
  • There is a list of carve outs that the law doesn’t prohibit a controller from doing, which include: (1) Conducting internal research to develop, improve or repair products, services or technology; (2) Performing internal operations that are reasonably aligned with a consumer’s expectations, that the consumer may reasonably anticipate based on the consumer’s existing relationship with the controller or that are otherwise compatible with processing.
  • The law provides a much needed clarification (obvious under GDPR, but not explicitly stated in the parallel state laws) that the carve out applies only subject to controller fulfilling the data minimization, purpose limitation and retention limitations of the law (adequate and reasonably necessary for, relevant to, proportionate in relation to and limited to the purposes) and adequately protecting the data from unauthorized use.
  • Specifically stating that the burden of proof regarding the carve out is on the controller.
  • The consumer may designate an authorized agent by means of an internet link, browser setting, browser extension, global device setting or other technology that enables the consumer to opt out of the controller’s processing of the consumer’s personal data.
  • Controllers must provide a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing.
  • A controller that discloses deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and shall take appropriate steps to address any breaches of the contractual commitments.
  • Enforceable by the Attorney General’s Office.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP
Fox Rothschild LLP
Contact
more
less

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide