State Comprehensive Privacy Laws – Beaver State Makes a Dozen

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith*]

Oregon’s governor has now signed into law the state’s comprehensive privacy law. This means there are now 12 states with these laws, six of which were passed just this year (the others passed in 2023 were Iowa, Indiana, Tennessee, Montana, and Florida). Oregon’s law will go into effect on July 1, 2024, with limited parts not effective until January 1, 2026.

As in other states, there is no private right of action. Instead, the Oregon Attorney General is to enforce the law. Companies will have a 30-day cure period, which sunsets on January 1, 2026. The law provides for civil penalties of up to $7,500.

Key provisions include:

  • Applicability. As in all states except California, the law covers consumer information. It does not apply to employee or job applicant information. Personal information processed under GLBA and HIPAA is exempt. Like California, Oregon does not offer entity-wide exemptions for “financial institutions” or “covered entities.” The law contains thresholds similar to other states. Namely, it is applicable to businesses that either (1) process personal data of at least 100,000 Oregonians or (2) process personal data of 25,000 state residents and receive 25% of gross revenue from the sale of personal information.
  • Privacy notice content. Under the Oregon law, businesses will need to include the same kind of content in their privacy policies as currently required under other laws. This includes listing what categories of data are being processed and the purpose of processing. Policies also need to include what is sold or shared and explain rights and how to exercise them. Businesses that either serve targeted advertising or engage in profiling (that creates consumer risk) must disclose this in the privacy notice and give consumers a way to opt out.
  • Consumer rights. Oregon consumers will have consumer rights similar to those in other states beginning July 1, 2024. This includes the right to access, correct, delete, and port personal information. Oregon consumers can also request a list of the specific third parties to whom the business has disclosed their information. That said, the company does not have to give this information. Timing for processing rights is similar to other states: 45 days to respond, with a 45-day extension possible. Beginning January 1, 2026, companies will also be required to respect opt-out preference signals (similar to the requirement in California, Colorado, Connecticut, and Montana).
  • Targeted advertising, sale, profiling, and sensitive information. As in other states, consumers can opt out of targeted advertising, the sale of their data, and profiling. Businesses must perform data protection assessments if they engage in targeted advertising or profiling that creates risks to consumers.[1] They must keep data protection assessment records for five years. For sensitive information, consent must be obtained before processing. (This is the same as Colorado, Connecticut, Indiana, Montana, Tennessee, Texas, and Virginia.) The definition of sensitive information mirrors other states (race and religious beliefs, etc.). It also, though, includes “status as a victim of crime” and “transgender/non-binary status.”
  • Vendors. As under other states’ laws, Oregon will require contracts with vendors who process consumer personal data. Those agreements must include provisions that will sound familiar to those acquainted with other comprehensive privacy laws. They include telling the vendor how to use information and what information will be processed. The contracts will also need to require data confidentiality and provide companies with the ability to assess vendors’ compliance (vendors must cooperate with those assessments).

*Kathryn Smith is a fellow in the firm’s Chicago office.

Putting it Into Practice: This latest state “comprehensive” privacy law suggests that other states may not be far behind. In light of this, companies may want to take an adaptive approach to their privacy program. This would include determining how to easily assess whether the laws apply, updating consumer notices and the ways of offering choices and rights, assessing obligations if profiling, and updating vendor contracts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
