
Oregon SB619 Compliance Guide


Donata Stroink-Skillrud

Co-founder and President of Termageddon


On July 18, 2023, the Governor of Oregon signed Oregon SB619 into law. It is a comprehensive state privacy law that provides privacy rights to residents of Oregon and imposes requirements on businesses for the collection, use and sharing of personal information. This law will go into effect on July 1, 2024 and adds Oregon to the state privacy law patchwork of the United States.

In this Compliance Guide, we will discuss the following important aspects of Oregon SB619: 

  • Who needs to comply with this new Oregon privacy law; 
  • How the law defines personal data; 
  • The privacy rights provided to residents of Oregon; 
  • The Privacy Policy requirements of Oregon SB619; 
  • The penalties for failure to comply; and 
  • How Termageddon will handle Privacy Policy updates for Oregon’s privacy law. 

Who needs to comply with Oregon’s privacy law? 

Oregon’s privacy law applies to any person that conducts business in Oregon or that provides products or services to residents of Oregon and that, during a calendar year: 

  1. Processes or controls the personal data of 100,000 or more residents of Oregon; or
  2. Processes or controls the personal data of 25,000 or more residents of Oregon and derives 25% or more of annual gross revenue from the sale of personal data.

In addition, the law can apply to businesses that do not meet the criteria above if they have signed a contract for the processing of data with a company that does need to comply with this law. The law specifically exempts nonprofits that are established to detect or prevent fraudulent acts in connection with insurance and nonprofits that provide programming to radio or television networks. It is important to note that Oregon SB619 applies to businesses that meet the criteria above regardless of whether they are actually located in Oregon.

How the law defines personal data

Oregon’s privacy law applies to organizations that control or process personal data, which is defined by the law as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” Personal data does not include deidentified data or data that is lawfully available through government records or through widely distributed media or data that has been lawfully made available to the public by a consumer. 

Due to this definition, personal data would include any data that is commonly collected through websites, such as names, email addresses, phone numbers, IP addresses or device identifiers. Thus, businesses that collect this data through contact forms, payment gateways, email newsletter subscription forms, or analytics or advertising tools should ensure that they are in compliance with this law if they meet the criteria above.

The privacy rights provided to residents of Oregon

The purpose of Oregon SB619 is to protect the privacy of residents of the state and this purpose is achieved through providing individuals residing in Oregon with the following privacy rights: 

  1. The right to confirm whether the controller is processing or has processed the consumer’s personal data and the categories of personal data which have been processed; 
  2. The right to obtain a list of specific third parties to which the controller has disclosed the consumer’s personal data or any personal data; 
  3. The right to receive a copy of all of the consumer’s personal data that the controller has processed or is processing; 
  4. The right to correct inaccuracies in the personal data about a consumer; 
  5. The right to delete personal data; 
  6. The right to opt out of the processing of personal data for the purpose of targeted advertising; 
  7. The right to opt out of the sale of personal data; 
  8. The right to opt out of the processing of personal data for the purpose of profiling the consumer; 
  9. The right to request a copy of personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance; 
  10. The right to not be discriminated against based upon the exercise of privacy rights; 
  11. The right to appeal a privacy rights decision. 

Organizations subject to this privacy law will have 45 days to respond to a consumer privacy rights request, though this time period may be extended by an additional 45 days if necessary. 

The Privacy Policy requirements of Oregon SB619

Organizations that need to comply with Oregon’s privacy law will also need to have a comprehensive and up to date Privacy Policy that includes the following disclosures: 

  1. The categories of personal data that the controller processes; 
  2. The purposes for which personal data is collected and processed; 
  3. A description of how consumers can exercise their privacy rights and appeal a privacy rights decision; 
  4. All categories of personal data that are shared with third parties;
  5. The categories of third parties with whom personal data is shared; 
  6. An email or other online method by which a consumer can contact the controller that the controller actively monitors; 
  7. Identification of the controller; 
  8. A description of any processing of personal data for the purpose of targeted advertising or profiling and how a consumer can opt out of this type of processing. 

Penalties for failure to comply with Oregon’s privacy law 

Oregon SB619 will be enforced by the Oregon Attorney General who can investigate any violations of the law. The Oregon Attorney General can seek a civil penalty of not more than $7,500 per violation. In this case, “per violation” may mean per website visitor whose privacy rights were infringed upon, which can lead to high fines. 

How Termageddon will handle Privacy Policy updates for this new law

We have been tracking this law from its inception and will continue to track it for any amendments, rules and regulations that change the requirements of this law. Prior to the effective date of the law, we will email our customers to let them know of the updates that we have made to their Privacy Policies to reflect these new requirements. If you currently do not have a Privacy Policy or do not have a strategy to keep your Privacy Policy up to date with changes such as this one, make sure to check out the Termageddon Privacy Policy generator today.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
