A New Consumer Personal Data Protection Law in Oregon

On June 25, 2023, both houses of the Oregon State Legislature approved Senate Bill (SB) 619, “relating to protections for the personal data of consumers.”   SB 619 is now on the desk of Oregon Governor Tina Kotek for signature.  Upon signing, Oregon will become the eleventh state to enact general, or omnibus, privacy legislation, following California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, and Texas.  Omnibus federal privacy legislation (e.g., HB 2701) remains a (remote) possibility. There are fifty (50) state breach notifications laws, and we seem to be marching in the same direction, as it concerns general privacy laws.   

No bill exists in a vacuum.  Structurally, SB 619 generally follows the Virginia Consumer Data Protection Act (VCDPA), as do the laws enacted by Colorado, Connecticut, Utah, and other states. 

SB 619 is only 19 pages long, not as slim as the VCDPA (8 pages), but not as bulky as the California Consumer Privacy Act (59 pages).  Unlike the CCPA, SB 619 does not reference any implementing regulations; however, implementing regulations could be added.

Below are the key questions (and answers):

Whom does the bill protect?  Under SB 619, that would be Oregon consumers, i.e., residents acting in any capacity other than a commercial or employment context. 

Who would be subject to the new law?  The new law would apply to any person that conducts business in Oregon, or that provides products or services to Oregon residents, and that, during a calendar year, controls or processes the personal data of either (a) at least 100,000 Oregon consumers (other than personal data solely to complete a payment transaction); or (b) at least 25,000 Oregon consumers, with at least 25% of its annual gross revenue attributable to the sale of personal data. 

Are non-profits generally exempt?  No. The exemptions are limited to a nonprofit that is “established to detect and prevent fraudulent acts in connection with insurance” and to the “noncommercial activities of … nonprofits that provides programming to radio or television networks.”

Are there other notable exemptions? The new law would exempt: “i) Information processed or maintained solely in connection with, and for the purpose of, enabling: (A) An individual’s employment or application for employment; (B) An individual’s ownership of, or function as a director or officer of, a business entity; (C) An individual’s contractual relationship with a business entity; (D) An individual’s receipt of benefits from an employer, including benefits for the individual’s dependents or beneficiaries;” (emphasis added).  Most states have exemptions for personal data collected from independent contractors and used by controllers and third parties in the context of that relationship.  Oregon’s formulation is ostensibly broader, as it would cover the information, including, implicitly personal data, shared by an individual with a business entity for the purpose of enabling a contractual relationship.  This could be an independent contractor (if an individual) or someone contracting with a roofing company, car repair shop, home security provider, or wireless carrier, just to give a few examples.  If the business used that information only for the purpose of enabling the contractual relationship, that business would not be subject to the new law.  If it did not, it would be. Of course, limiting the processing of that individual’s personal data to the sole purpose of enabling that relationship is a compliance obligation in itself.  

Can a consumer appoint a representative to exercise that consumer’s opt out and other rights under the new law?  Yes.

Is there a private right of action?  No.

What comprises sensitive personal data (SPD)?  SPD includes personal data that “reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime or citizenship or immigration status.” Other types of SPD are biometric data (which excludes data generated from photographs or audio or video recordings, or facial mapping or facial geometry, unless generated for the purpose of identifying a specific consumer).

Is there a security exception?  Yes.  The new law would not prohibit a controller or processor from: “(e) [p]reventing, detecting, protecting against or responding to, and investigating, reporting or prosecuting persons responsible for, security incidents, identity theft, fraud, harassment or malicious, deceptive or illegal activity or preserving the integrity or security of systems;”

Is consent required for the collection and other processing of sensitive personal data?  Yes.

Is a data protection assessment required for high-risk processing, including the sale of personal data?  Yes.

Are affiliates of the controller or processor considered third parties?  No.  

What can a consumer request (and expect to receive) from the controller?  A controller is any person who, alone or together with others, determines the purposes and means of processing personal data.  A consumer may obtain from the controller confirmation of whether a controller is processing or has processed the consumer’s personal data, a list of the categories of the personal data subject to processing, and a list of the specific third parties, other than natural persons (as opposed to categories of third parties) to which the personal data has been disclosed.  In addition, a consumer may require a controller to correct inaccuracies in the personal data about the consumer, to delete personal data about the consumer, and to opt-out the consumer from targeted advertising, selling of personal data, and certain profiling. 

What are the penalties under the new law? Up to $7,500 per violation, an injunction, or other equitable relief, plus reasonable attorneys’, expert witness, and investigation fees and costs to the Oregon Attorney General, if it prevails.  

Is there an ability to cure violations?  Maybe.  The Attorney General will notify the controller if the purported violation can be cured, and if curable, the controller will have 30 days to do so. 

Last, but not least, when would SB 619, if enacted, become operative?  There are three (3) operative dates to note: July 1, 2024 (general); January 1, 2025 (the date the new law becomes applicable to a Section 501(c)(3) nonprofit); and January 1, 2026 (the date when the controller must have the capability to allow a consumer to send a universal opt out signal and when the potential 30-day cure period sunsets).