Scope and applicability
The Act applies to any business (not-for-profit businesses are excluded until July 1, 2025) that does business in Oregon and controls or processes the personal information of (i) at least 100,000 Oregon residents or (ii) at least 25,000 Oregon residents while deriving at least 25% of its revenue from the sale of personal information. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
Data exemptions
The Act does not include entity-level exemptions for organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). However, it does contain data-level exemptions for these organizations, among other data-level exemptions for certain research and credit reporting purposes as required or allowed by applicable laws.
Defined terms
The Act defines a “sale” to mean “the exchange of personal data for monetary or other valuable consideration by the controller with a third party.” The Act excludes the following activities from the definition of a “sale”:
- Disclosures to processors
- Disclosures to affiliates of the controller
- Disclosures to third parties for the purpose of enabling the controller to provide a product or service to a consumer that requested the product or service
- Disclosures or transfers from a controller to a third party as part of a merger, acquisition, bankruptcy or other transaction
- Disclosures that occur at a consumer’s direction or because a consumer intentionally disclosed the personal information to the controller or the public
The Act also defines “biometric data” as “personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer.” Photographs, audio and video recordings, and facial mapping or facial geometry are not considered biometric data under the Act unless the data was generated or used for the purpose of identifying a specific consumer.
Like other state privacy laws, the Act defines “profiling” to mean “an automated processing of personal data for the purpose of evaluating, analysing or predicting an identified or identifiable consumer’s economic circumstances, health, personal preferences, interests, reliability, behaviour, location or movements.” The Act also similarly excludes deidentified data and publicly available data from its definition of “personal data.”
Consumer rights
The Act grants consumers the right to know, access, transfer, correct and delete their personal information. The Act also provides Oregon residents with the right to opt out of the sale (as that term is defined under the Act) of their personal information, targeted advertising and profiling that produces certain effects.
The Act requires that businesses recognize and process Global Privacy Control (GPC) signals; however, that provision is not effective until July 1, 2026.
Consent under the Act
The Act defines “consent” to mean “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.” In order to satisfy this standard, a business cannot use “dark patterns” to obtain consumer consent (i.e., the consent mechanism must not have “the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice”), and the consumer’s inaction does not constitute consent.
Similar to other state privacy laws, a business may not process personal data in the following circumstances without obtaining consumer consent:
- For new purposes that are not reasonably necessary for or compatible with the business's original purposes as disclosed to the consumer.
- When the personal data is considered sensitive data.
- For the purposes of targeted advertising, profiling in furtherance of decisions that produce legal effects, or selling the consumer’s personal data if the business has actual knowledge or willfully disregards the fact that the consumer is between 13 and 15 years old.
The Act deviates slightly from other state privacy laws in that it requires a business receiving a consent revocation from a consumer to process the revocation within 15 days. The other states that have enacted privacy laws do not prescribe a time frame for processing the revocation of consent.
Business obligations
As is now common in the United States, the Act requires that a business post a privacy policy that describes the categories of personal information it collects, the purpose of collection, the categories of third parties with whom the personal information is shared and an explanation of the consumers’ rights to access, delete and correct their personal information. Notably, however, the Act suggests that the privacy policy disclosures should identify all categories of third parties with which the controller shares personal information at a “level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal information.” Also, the Act requires privacy policies to include a “clear and conspicuous” description of any processing for the purpose of targeted advertising. Businesses must also have a Data Protection Addendum (DPA) in place with their processors. The DPA must be detailed and describe any processing instructions, as is common in other state privacy laws. In addition, a processor is required to have a DPA in place with any subcontractor it uses.
The Act also requires that businesses document a Data Protection Impact Assessment (DPIA) for certain processing activities, such as targeted advertising, collection of sensitive personal information (which includes collection of data about consumers under 13 years old) and profiling, and that businesses retain the DPIA for at least five years.
Enforcement
The Act is still awaiting Governor Kotek's signature, but if signed, the Act will go into effect on July 1, 2024 and will be enforceable only by the Oregon attorney general. Possible remedies include an injunction and a fine of up to $7,500 per violation. However, the Act provides for a 30-day right-to-cure period which, unlike in other state laws, is not set to expire at this time.
Takeaways and trends
Oregon is the eleventh state to pass a comprehensive privacy law. This time next year, businesses will need to be prepared to comply with 11 state privacy laws. Fortunately, most of these state laws have similar components, including the privacy policy disclosure, data subject access rights, and DPAs. However, each law continues to present some unique challenges and idiosyncratic definitions. Businesses should take measures now to begin working toward compliance by the time these laws go into effect. With 11 state privacy laws, businesses must develop a compliance strategy that considers their customer base, whether any of the state laws have an exception that applies to their data, and the risk associated with their data collection practices. For example, businesses that collect more sensitive personal information or conduct targeted advertising are in a higher risk category in each state and should tread more carefully in ensuring that their data processing activities comply with the patchwork of these 11 states' laws.
Client Alert 2023-155