The state of Oregon has passed a comprehensive data protection law (SB0619), which will go into effect in July 2024.

What do you need to know about SB0619, also known as the Oregon Consumer Privacy Act?

  • Similar to the Colorado progeny of laws, but with differences – not the least of which is that it applies to nonprofits starting July 2025.
  • Different definition of personal data than the other state laws (though practical difference is unclear). It doesn’t include information made available through widely distributed media.
  • Biometric data is such that is capable of identifying a person, even if not used for this.
  • Deidentified data includes data derived from patient data and Deidentified under HIPAA.
  • Sale is for monetary or other valuable consideration, but carves out sharing to an affiliate, or as part of a merger/acquisition or made publicly available.
  • Scope: processing the information of 100,000 consumers or 25,000 consumers, where 25% of the revenue is from sale of data.
  • There is a list of carve outs that the law doesn’t prohibit a controller from doing, which include: (1) Conducting internal research to develop, improve or repair products, services or technology; (2) Performing internal operations that are reasonably aligned with a consumer’s expectations, that the consumer may reasonably anticipate based on the consumer’s existing relationship with the controller or that are otherwise compatible with processing.
  • The law provides a much needed clarification (obvious under GDPR, but not explicitly stated in the parallel state laws) that the carve out applies only subject to controller fulfilling the data minimization, purpose limitation and retention limitations of the law (adequate and reasonably necessary for, relevant to, proportionate in relation to and limited to the purposes) and adequately protecting the data from unauthorized use.
  • Specifically stating that the burden of proof regarding the carve out is on the controller.
  • The consumer may designate an authorized agent by means of an internet link, browser setting, browser extension, global device setting or other technology that enables the consumer to opt out of the controller’s processing of the consumer’s personal data.
  • Controllers must provide a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing.
  • A controller that discloses deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and shall take appropriate steps to address any breaches of the contractual commitments.
  • Enforceable by the Attorney General’s Office.