On June 22, 2023, the Oregon state legislature passed the Oregon Consumer Privacy Act, S.B. 619 (the “Act”). This bill resembles the comprehensive privacy statutes in Colorado, Montana, and Connecticut, though there are some notable distinctions. If enacted, Oregon will be the twelfth state to implement a comprehensive privacy statute, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, and Florida.
- Scope and Exemptions: This Act would apply to any person that conducts business or provides products or services to Oregon residents and, during a calendar year, controls or processes (1) personal data of 100,000 or more consumers (except for personal data controlled or processed solely for the purpose of completing a payment transaction) or (2) personal data of 25,000 or more consumers if 25% or more of the annual revenue is derived from the sale of data. The Act exempts employee information, among other exceptions.
- Personal Data: The Act defines personal data to include “data, derived data, or any unique identifier that is linked or reasonably linkable to one or more consumers in a household.”
- Sensitive Data: The Act requires consent prior to the collection and processing of sensitive data. The definition of sensitive data includes race or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, citizenship status, precise geolocation, and a number of other categories that are consistent with many other comprehensive state privacy statutes. However, the Act’s definition of sensitive data also includes “status as a transgender or non-binary” and “status as a victim of a crime.”
- Consumer Rights: Consumers would have the rights of access, deletion, portability, and correction under the Act, though there are some notable departures from existing comprehensive privacy statutes. For example, consumers would have the right to request “[a]t the controller’s option, a list of specific third parties” to which the controller has disclosed the consumer’s personal data. Additionally, the Act provides consumers a right to delete personal data about the consumer, which the Act defines to include “personal data the consumer provided to the controller, personal data the controller obtained from another source and derived data.”
- Opt-In Consent: The Act would prohibit a controller from processing personal data for targeted advertising, sales, or profiling in furtherance of decisions with a legal or similarly significant effect without the consumer’s consent, if the controller has “actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age.”
- Enforcement: The Attorney General has exclusive authority to enforce the Act, and there is no private right of action. The Act will enter into effect July 1, 2024.