On July 18, Oregon Governor Tina Kotek signed SB 619 into law as the Oregon Consumer Privacy Act, making Oregon the eleventh U.S. state to enact consumer privacy legislation and the seventh in 2023 alone. The compliance deadline for for-profit entities is July 1, 2024.
In Brief: The Oregon Consumer Privacy Act has no revenue threshold and applies to any person that conducts business in Oregon or provides products or services to Oregon residents and who, during a calendar year, controls or processes either:
- The personal data of at least 100,000 consumers, or
- The personal data of at least 25,000 consumers, if they derive more than 25% of their annual gross revenue from the sale of personal data.
Exemptions/Exceptions: The law does not apply to public corporations (defined under existing Oregon law as entities created by the state to carry out public missions and services), public bodies (state government bodies, local government bodies and special government bodies) or insurers. Activities subject to the Fair Credit Reporting Act’s privacy requirements are also exempt, as well as organizations who process data compliant with the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and the Family Educational Rights and Privacy Act (FERPA). Further, the Act exempts noncommercial activities of newspapers, magazines, periodicals, radio and television stations, press association and wire services, as well as nonprofit organizations that provide programming to radio or television networks.
Nonprofits, exempt under many other state privacy laws, don’t benefit from a blanket exemption, although they will have an extra year (until July 1, 2025) to comply.
Personal Data is defined as that which “is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household,” and excludes de-identified data, and data that is lawfully available through governmental records or widely distributed media. The Act also doesn’t apply to consumers insofar as they are acting in a commercial or employment context.
Sensitive Date is defined as data that “reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime, or citizenship or immigration status.” Sensitive data additionally includes precise geolocation data, children’s data and biometric data,
Data subject requests: A controller must respond to data subject requests without undue delay and, in any case within 45 days of receiving the request, though this period may be extended by an additional 45 days if such extension is reasonably necessary, including:
- Confirm whether a controller is processing a consumer’s personal data;
- Obtain a list of third-parties to whom the controller discloses personal data;
- Obtain a copy, in a portable and readily usable format, of the consumer’s personal data that the controller has processed;
- Correct inaccuracies in their personal data;
- Request the deletion of their personal data; and
- Opt out of processing for the purpose of targeted advertising, sale of the personal data (sale includes exchange for any valuable consideration), or profiling that produces legal or other similarly significant effects.
Controller Obligations: Controller organizations must provide consumers with a reasonably accessible, clear and meaningful privacy notice as well asobtaining a consumer’s affirmative consent to process a consumer’s Sensitive Data (or, if the consumer is known to be a child, processing their sensitive data in accordance with the Children’s Online Privacy Protection Act) or process personal data for the purpose of targeted advertising or profiling if the controller knows that the consumer is at least 13 years old but not older than 16.
Further, the Act also requires controllers to perform data protection assessments under certain circumstances and to enter into valid contracts with processors that set forth instructions for the processing of personal data that give the controller wide rights to audit and enforce confidentiality obligations on processors.
Controllers must limit collection of personal data to that which is adequate, relevant and reasonably necessary for the stated purpose as well as maintaining information security safeguards to protect the confidentiality, integrity and accessibility of personal data to the extent appropriate based on the volume and nature of the personal data. Controllers that process de-identified data must take reasonable measures to prevent the de-identified data from being linked to an individual and respond to universal browser opt-out signals.
Enforcement: The attorney general may bring an action seeking up $7500 per violation, as well as injunctive and other equitable relief.
Before bringing an action under the Oregon Consumer Privacy Act, the attorney general must notify the controller of the alleged violation and provide the controller with 30 days to rectify the alleged violation. If the controller fails to cure the violation after the 30 day period, the attorney general may proceed with the action without further notice. This cure period provision will expire on January 1, 2026.
With less than a year before the Oregon Consumer Privacy Act becomes operative, businesses should review their privacy programs to ensure compliance with the requirements of the new law. Although the Oregon law largely tracks existing consumer privacy legislation, it does contain some notable and unique features—including narrow exceptions that may mean that it will apply to some organizations not caught by other privacy laws. Businesses should continue to work with counsel to assess their obligations and monitor new legislative developments