Oregon’s legislature recently expanded the scope of statutory consumer protections by passing a bill to amend the state’s Unlawful Trade Practices Act (the “Act”). Governor Kate Brown signed H.B. 2090 into law after near-unanimous passage by state lawmakers. The bill is particularly notable because it squarely targets online commerce and imposes liability on businesses for publishing false or misleading online privacy policies. Specifically, the amended Act will allow the Attorney General, or the District Attorney of the county where a violation is alleged to have occurred, to:
- Hold businesses accountable for consumer-facing statements or representations of fact published online about how the business will “use, disclose, collect, maintain, delete or dispose of information” obtained from consumers. Violations arise when any such statements are “materially inconsistent” with the company’s actual practices.
- Look to company websites and consumer contracts for compliance! The new law applies not only to online statements, including privacy policies, but also to “consumer agreement[s] related to a consumer transaction.” Therefore, false representations made in a consumer contract could give rise not only to a breach of contract claim, but also to liability under the amended Act.
- Enforce alleged violations by: (1) opening an investigation and requiring from any person testimony under oath, written responses to interrogatories, or production of relevant evidence, (2) accepting or rejecting an assurance of voluntary compliance agreement with alleged violators before instituting suit, or (3) filing an action in the name of the State of Oregon to seek (i) injunctive and equitable relief, (ii) reasonable attorney fees, (iii) damages up to $25,000 per willful violation, and/or (iv) any additional orders or judgments that “may be necessary to ensure cessation of unlawful trade practices.”
What kinds of information collected from consumers trigger the law?
Oregon’s amended Act applies to information that is “request[ed], require[d] or receive[d] from a consumer.” This language arguably applies not only to information consumers voluntarily give to a business through its website or otherwise, but also to information that a company’s website automatically collects from consumers. Potentially, this could extend to data the site receives through cookies and other tracking technologies. However, it is too early to say if Attorney General Rosenblum will focus oversight on statements around personally identifiable information collected by automatic means.
Oregon must have read the FTC’s playbook
Of course, the FTC only has the capacity to target a limited number of large businesses, and so it is remarkable that now Oregon has codified a similar enforcement power at the state level!
How do I protect my business?
- Confirm your business has controls in place to identify prospective changes within the organization or to the website that may impact the way data is collected and stored, used and disclosed, or eventually destroyed. Confirm that your legal team or an appropriate contact will be notified of these changes before they are rolled out.
- Do what you say! Be vigilant, communicate with stakeholders often, and strive to make sure your organization practices what it preaches about privacy and data security.