Oregon has joined a growing list of states that have passed comprehensive state privacy legislation. On July 18, 2023, Oregon Governor Tina Kotek signed Senate Bill 619 (the "Act"), which went into effect on July 1, 2024. The Act follows the now common template used by states such as Colorado, Virginia, Utah, and Connecticut, with some notable deviations.
The Act applies to any business (not-for-profit businesses are excluded until July 1, 2025) that does business in Oregon and controls or processes the personal data of (i) at least 100,000 Oregon residents or (ii) at least 25,000 Oregon residents while deriving at least 25% of its revenue from the sale of personal data.
Obligations for controllers
The Act imposes many new requirements on companies that determine the purposes and means for processing personal data (referred to as the "Controller") and meet the applicability thresholds described above.
Some of the more notable requirements for Controllers are as follows:
Controllers must provide consumers a detailed privacy notice disclosing the categories of personal data they collect, the purpose of collection (including a "clear and conspicuous" description of any processing for targeted advertising), and an explanation of the consumers' privacy rights (e.g., to access, delete and correct their personal data). The Act notably requires that Controllers specifically describe in the privacy notice all categories of third parties with which the Controllers share personal data, such that consumers understand what type of entity each third party is and how each third party may process personal data.
Controllers must provide a means by which consumers can exercise their privacy rights (e.g., through an online request form) and a process by which consumers may appeal a Controller's refusal to take action on a request.
Controllers must first obtain a consumer's affirmative consent before processing personal data for a purpose that is unrelated to or incompatible with those originally specified in the privacy notice, or before processing sensitive data, which includes biometric data. Controllers must also provide a means by which consumers can just as easily revoke their consent.
Controllers must allow consumers to exercise their right to opt out of the processing of their personal data for any of the following purposes: (i) targeted advertising, (ii) selling personal data, or (iii) profiling the consumer. Such processing activities are not prohibited, as long as consumers have the opportunity to opt out at any time. Controllers must also provide consumers with certain rights to their data, as discussed in more detail below.
On July 1, 2026, Controllers must allow consumers to use Global Privacy Control (GPC) signals to exercise their rights to opt out of the sale of their personal data or its processing for purposes of targeted advertising, and must honor such requests accordingly. A GPC signal is a web browser setting used to automatically convey a request to opt out of certain processing of personal information. It is typically found as a plugin to browsers like Chrome and Firefox.
Controllers must also conduct and document data protection impact assessments ("DPIAs") for processing activities that present heightened risks of harm to consumers, which they must retain for at least five years.
Lastly, Controllers must have contractual terms (e.g., a Data Protection Addendum or "DPA") in place with third parties that process personal data on their behalf (referred to as "processors"), as further described below.
Obligations for processors
The Act imposes a few requirements on processors of Controllers that are similar to the requirements described in other state privacy laws. Some of the requirements for processors are as follows:
Processors must adhere to a Controller's instructions and assist the Controller in meeting its obligations under the Act, including conducting and documenting DPIAs.
Processors must enable the Controller to respond to consumer privacy requests.
Processors must adopt administrative, technical, and physical safeguards to protect the personal data they process on the Controller's behalf.
Lastly, processors must enter into a contract (e.g., a DPA) with the Controller, which must include certain terms such as: (i) processing instructions, (ii) duty of confidentiality, (iii) deletion or return of personal information, (iv) downstream obligations on subcontractors to meet the same obligations as the processor, and (v) audits of the processor's compliance with such requirements.
Consumer rights
The Act grants consumers the right to know, access, transfer, correct and delete their personal data. The Act also provides Oregon residents with the right to opt out of the sale of their personal data, targeted advertising, and profiling that produces certain effects.
Beginning July 1, 2026, consumers can opt out of the sale of their personal data or targeted advertising using GPC signals, which Controllers must honor within 15 days.
Consent under the Act
The Act defines "consent" to mean "an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer's freely given, specific, informed and unambiguous assent to another person's act or practice." A business cannot use "dark patterns" to obtain consumer consent (i.e., the consent mechanism must not have "the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer's autonomy, decision-making or choice"), and the consumer's inaction does not constitute consent.
Similar to other state privacy laws, a Controller must obtain consent:
For new purposes that are not reasonably necessary or compatible with the business' original purposes disclosed to the consumer;
When the personal data is considered sensitive data;
For the purposes of targeted advertising, profiling in furtherance of decisions that produce legal effects, or selling the consumer's personal data if the business has actual knowledge or willfully disregards the fact that the consumer is between 13 and 15 years old.
The Act deviates from other state privacy laws slightly in that it requires a business receiving a consent revocation from a consumer to process the revocation within 15 days. Other state privacy laws do not prescribe a time frame for the revocation of consent.
Enforcement
The Act went into effect on July 1, 2024, and will be enforceable only by the Oregon attorney general. Possible remedies include an injunction and a fine of up to $7,500 per violation. However, the Act provides for a 30-day right to cure period, which, unlike in other state laws, is not set to expire at this time.
Exemptions
The Act contains several entity-level and data-level exemptions. The Act does not apply to employment or business-to-business (B2B) data. Additionally, the Act contains a broad exemption for personal health information, which includes (i) information processed by Health Insurance Portability and Accountability Act (HIPAA) covered entities; (ii) data that is intermingled with and indistinguishable from HIPAA covered information; and (iii) several other health and medical research related data uses.