On July 18, 2023, the Governor of Oregon signed Oregon SB619 into law, which is a comprehensive state privacy law that provides privacy rights to residents of Oregon and imposes requirements for the collection, use and sharing of personal information on businesses. This law will go into effect on July 1, 2024 and adds Oregon to the state privacy law patchwork of the United States.
In this Compliance Guide, we will discuss the following important aspects of Oregon SB619:
- Who needs to comply with this new Oregon privacy law;
- How the law defines personal data;
- The privacy rights provided to residents of Oregon;
- The penalties for failure to comply.
Who needs to comply with Oregon’s privacy law?
Oregon’s privacy law applies to any person that conducts business in Oregon or that provides products or services to residents of Oregon and that, during a calendar year:
- Processes or controls the personal data of 100,000 or more residents of Oregon; or
- Processes or controls the personal data of 25,000 or more residents of Oregon and derives 25% or more of its annual gross revenue from the sale of personal data.
In addition, the law can apply to businesses that do not meet the criteria above if they have signed a contract for the processing of data with a company that does need to comply with this law. The law specifically exempts nonprofits that are established to detect or prevent fraudulent acts in connection with insurance and nonprofits that provide programming to radio or television networks. It is important to note that Oregon SB619 applies to businesses that meet the criteria above regardless of whether they are actually located in Oregon.
How the law defines personal data
Oregon’s privacy law applies to organizations that control or process personal data, which is defined by the law as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” Personal data does not include deidentified data or data that is lawfully available through government records or through widely distributed media or data that has been lawfully made available to the public by a consumer.
Under this definition, personal data includes data that is commonly collected through websites, such as names, email addresses, phone numbers, IP addresses and device identifiers. Businesses that collect such data through contact forms, payment gateways, email newsletter subscription forms, or analytics or advertising tools should therefore ensure that they comply with this law if they meet the criteria above.
The privacy rights provided to residents of Oregon
The purpose of Oregon SB619 is to protect the privacy of residents of the state and this purpose is achieved through providing individuals residing in Oregon with the following privacy rights:
- The right to confirm whether the controller is processing or has processed the consumer’s personal data and the categories of personal data which have been processed;
- The right to obtain a list of specific third parties to which the controller has disclosed the consumer’s personal data or any personal data;
- The right to receive a copy of all of the consumer’s personal data that the controller has processed or is processing;
- The right to correct inaccuracies in the personal data about a consumer;
- The right to delete personal data;
- The right to opt out of the processing of personal data for the purpose of targeted advertising;
- The right to opt out of the sale of personal data;
- The right to opt out of the processing of personal data for the purpose of profiling the consumer;
- The right to request a copy of personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance;
- The right to not be discriminated against based upon the exercise of privacy rights;
- The right to appeal a privacy rights decision.
Organizations subject to this privacy law will have 45 days to respond to a consumer privacy rights request, though this period may be extended by an additional 45 days where reasonably necessary.
Controllers must also make available a privacy notice that includes the following:
- The categories of personal data that the controller processes;
- The purposes for which personal data is collected and processed;
- A description of how consumers can exercise their privacy rights and appeal a privacy rights decision;
- All categories of personal data that are shared with third parties;
- The categories of third parties with whom personal data is shared;
- An email or other online method by which a consumer can contact the controller that the controller actively monitors;
- Identification of the controller;
- A description of any processing of personal data for the purpose of targeted advertising or profiling and how a consumer can opt out of this type of processing.
Penalties for failure to comply with Oregon’s privacy law
Oregon SB619 will be enforced by the Oregon Attorney General who can investigate any violations of the law. The Oregon Attorney General can seek a civil penalty of not more than $7,500 per violation. In this case, “per violation” may mean per website visitor whose privacy rights were infringed upon, which can lead to high fines.