State Regulatory Developments

Oregon Enacts Comprehensive Consumer Data Privacy Law

Oregon recently enacted a comprehensive consumer state data privacy law (the “Act”), following multiple other states including: California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia.  The Act will go into effect on July 1, 2024.

Scope

The Act applies to any person that conducts business in Oregon, or that provides products or services to Oregon residents, and that during a calendar year, controls or processes: (i) the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) the personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.  “Personal data” is defined as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”  It excludes deidentified data or data that “is lawfully available through federal, state or local government records or through widely distributed media” or that a “controller reasonably has understood to have been lawfully made available to the public by a consumer.”

Certain entities, information, and activities are exempt from the Act, including, but not limited to: (i) a financial institution, as defined under Oregon law, or a financial institution’s affiliate or subsidiary that is only and directly engaged in financial activities; (ii) information collected, processed, sold or disclosed in accordance with the Gramm-Leach-Bliley Act (“GLBA”); (iii) protected health information or documents that a covered entity or business associate processes in accordance with the Health Insurance Portability and Accountability Act (“HIPAA”); and (iv) activity by a consumer reporting agency or a person who furnishes information to a consumer reporting agency if done strictly in accordance with the Fair Credit Reporting Act (“FCRA”).

The Act differentiates a “controller,” which is “a person that, alone or jointly with another person, determines the purposes and means for processing personal data,” from a “processor,” which is “a person that processes personal data on behalf of a controller.”

Consumer Rights

The Act grants Oregon consumers certain rights with respect to their personal data.  Specifically, a consumer, or their authorized agent, may request, among other things: (i) confirmation from a controller as to whether the controller is processing or has processed the consumer’s personal data and the categories of personal data the controller is processing or has processed; (ii) a copy of all of the consumer’s personal data that the controller has processed or is processing in a portable and readily usable format; (iii) correction of inaccuracies in personal data about the consumer; (iv) deletion of the consumer’s personal data; and (v) an ability to opt-out of any sale, targeted advertising, or certain types of profiling related to the processing of personal data.

Under the Act, a controller must respond to a consumer’s request within 45 days of receipt, but can extend this time by 45 days if reasonably necessary and the consumer is informed of the extension and the reason for the extension within the initial 45-day response period.  A controller must provide information the consumer requests once during any 12-month period without charge to the consumer.  If the controller cannot authenticate the consumer’s request using commercially reasonable methods without additional information from the consumer, the controller must notify the consumer, and the controller does not have to comply with the request until the consumer provides the information necessary to authenticate the request. 

A controller must establish a process for consumers to appeal the controller’s refusal to take action on a request.  Among other requirements, the appeal process must be conspicuously available to the consumer and similar to the manner in which a consumer must submit a request, and the controller must approve or deny the appeal within 45 days after receipt and notify the consumer in writing of the reasons for the decision.  If the controller denies the appeal, the notice must provide or specify information that enables the consumer to contact the attorney general to submit a complaint.

If the consumer was not the source of the consumer’s personal data, a controller complies with a consumer’s request to delete the personal data either by (i) deleting the data while retaining a record of the deletion request and the minimal amount of data necessary to ensure that the personal data remains deleted, and not using that minimal data for any other purpose, or by (ii) opting the consumer out of the controller’s processing of the consumer’s personal data for any purpose other than a purpose that is exempt under the Act.

Additionally, a controller may not process sensitive data about a consumer without first obtaining the consumer’s consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act (“COPPA”).  “Sensitive data” is defined as personal data that: (i) reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime, or citizenship or immigration status; (ii) is a child’s personal data; (iii) accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or (iv) is genetic or biometric data.

Notice Requirements and Other Obligations

Among other duties, a controller must provide a privacy notice that includes certain information, including, but not limited to: (i) the categories of personal data that it processes; (ii) the controller’s purposes for processing the personal data; (iii) all categories of personal data that the controller shares with third parties; and (iv) how a consumer may exercise the consumer’s rights under the Act.  Additionally, the Act requires that controllers conduct and document data protection assessments.

Penalties and Enforcement

There is no private right of action.  The Oregon attorney general has exclusive enforcement authority and may seek injunctive relief and a civil penalty of not more than $7,500 for each violation.