On July 18, 2023, Oregon joined the growing league of states that have passed a comprehensive data privacy framework. Signed into law by Gov. Tina Kotek, the Oregon Consumer Privacy Act (the Act), or SB 619, is the product of a multi-year effort by the state Consumer Privacy Task Force formed by Oregon Attorney General Ellen F. Rosenblum, comprising 150 consumer privacy experts from various industries. The Act will take effect on July 1, 2024, except for some provisions that will not take effect until January 1, 2026.
Scope of Applicability
The Act applies to any person that conducts business in Oregon, or that provides products or services to residents of Oregon, and, during a calendar year, controls or processes either:
- The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
- The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.
Importantly, the definition of “consumers” is limited to a natural person residing in Oregon and excludes both employee and business-to-business (B2B) data. “Sale” is defined broadly, similar to the California Consumer Protection Act, as the “exchange of personal data for monetary or other valuable consideration” with a third party except for data disclosed to processors.
The Act contains a significant number of exclusions that exceed those of other U.S. states’ statutes. The Act does not apply to certain groups, including but not limited to public entities, insurers and financial institutions governed by the Bank Holding Company Act. Unlike other U.S. data privacy laws, the law includes an exemption for nonprofit organizations that expires July 1, 2025. Additionally, and similar to the California law, the Act provides data-level, not entity-level, exemptions for entities subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).
The Act broadly defines “sensitive data” as (1) data that reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime or citizenship or immigration status; (2) data belonging to a child under the age of 13; (3) specified precise geolocation data; and (4) genetic or biometric data.
The Act requires opt-in consent for any processing of sensitive data, and controllers must comply with the Children’s Online Privacy Protection Act (COPPA) to process children’s data. Furthermore, opt-in consent is required before engaging in targeted advertising, profiling or sale of personal data of an individual between the ages of 13 and 15.
The Act provides access, correction, deletion, and opt-out rights common to other states’ data privacy laws. Under the Act, consumers have the following rights:
- Right to Know: Consumers have the right to know that a controller is processing or has processed their personal data; the categories of personal data the controller is processing or has processed; and a list of the specific third parties to which the data has been disclosed. Consumers can also obtain a copy of all the personal data that the controller has processed or is processing;
- Right to Correct: Consumers have the right to correct inaccuracies in personal data about the consumer, taking into account the nature of the personal data and purpose for processing the personal data;
- Right to Delete: Consumers have the right to delete personal data about the consumer, including personal data the consumer provided to the controller, personal data the controller obtained from another source and derived data;
- Right to Opt-Out: Consumers have the right to opt out of the processing of their personal data for targeted advertising, sales or profiling of the consumer in furtherance of decisions that produce legal effects or effects of similar significance;
- Right to Data Portability: Consumers have the right to obtain a portable and readily usable copy of their personal data; and
- Right of Non-Discrimination: The Act prohibits controllers from discriminating against consumers for exercising their rights.
Starting January 1, 2026, the Act requires controllers to honor universal opt-out signals from consumers—i.e., the Global Privacy Control—for any sale of personal data or targeted advertising.
Obligations of Controllers and Processors
The Act imposes the following obligations on controllers:
- Provide consumers with a comprehensive privacy notice that includes: (1) categories of personal data processed; (2) purposes for processing personal data; (3) categories of personal data shared with third parties and categories of third parties receiving such data; (4) information on exercising consumers’ rights; (5) description of any targeted advertising, sales, and/or profiling; and (6) contact information;
- Incorporate privacy by design principles, such as purpose limitation and reasonable security safeguards;
- Obtain consent prior to processing (1) sensitive data, (2) personal data for purposes that are not reasonably necessary for and compatible with the purposes the controller specified in its privacy notice, or (3) personal data for the purposes of targeted advertising, profiling or selling the personal data of a child between the ages of 13 and 15;
- Provide an effective means to revoke consent, which, if exercised, requires the controller to cease processing within 15 days; and
- Conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including processing sensitive data and personal data for the purpose of targeted advertising, sales, and profiling if the profiling presents a reasonably foreseeable risk of substantial injury to consumers.
Furthermore, the Act requires processors to assist controllers in meeting their obligations by enforcing contracts that specify how a processor processes personal data on the controller’s behalf.
Enforcement and Private Right of Action
The Act does not include a private right of action. The Oregon Attorney General has the sole authority to enforce the Act and can bring an action to seek a civil penalty of up to $7,500 per violation, enjoin a violation or obtain other equitable relief. These actions are subject to a five-year statute of limitations period. Prior to bringing any action, the Oregon Attorney General must notify the controller of a violation and allow a 30-day cure period if the Attorney General determines that the controller can cure the violation. The 30-day cure period, however, expires on January 1, 2026.
With the signing of the Act, Oregon becomes the twelfth U.S. state to enact a comprehensive data privacy framework and the seventh U.S. state to pass such comprehensive legislation this year, following Florida, Indiana, Iowa, Montana, Tennessee, and Texas.