Update Applicable to:

All employers who meet the applicability qualifications shown below

What happened?

On July 18, 2023, Oregon’s Governor signed Senate Bill 619, enacting a comprehensive consumer data privacy statute for the state.

What are the details?

The new law, set to take effect on July 1, 2024, with a delayed implementation of July 1, 2025, for non-profit organizations, introduces significant changes to how businesses handle consumer data. Oregon joins a growing list of states, including California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia, in implementing a comprehensive consumer privacy law.

Applicability of the Law:

The statute applies to any person conducting business in Oregon or providing products/services to state residents, if during a calendar year, they control or process personal data of either 100,000 or more consumers (excluding payment transaction data) or 25,000 or more consumers while deriving 25% or more of their annual gross revenue from selling personal data. Certain entities, such as public corporations, businesses processing protected health information under HIPAA, and those subject to the Gramm-Leach-Bliley Act, are exempted from the law’s provisions.

Protected Data and Exemptions:

Personal data covered under the statute includes any unique identifier linked to a consumer or their device, which can reasonably identify one or more consumers in a household. However, the law excludes certain types of data from its scope, such as deidentified data, information publicly available through government records or widely distributed media, and data that consumers have lawfully made available to the public.

The statute also includes biometric data in its definition of personal data, encompassing data generated by automatic measurements of a consumer’s biological characteristics, like fingerprints, voice prints, iris patterns, gait, or other unique biological traits that enable or confirm consumer identification.

Consumer Rights:

The new legislation grants consumers several rights concerning their personal data. These rights include the ability to confirm whether a controller (business) processes their personal data and access that data, correct inaccuracies, delete personal data provided or obtained, receive a digital copy of their data (if available), and opt out of personal data processing for targeted advertising, sale, or profiling resulting in significant legal effects. Consumers are also entitled to request a list of specific third parties to whom a controller discloses their personal data.

Obligations of Businesses:

Covered businesses are required to post a privacy policy that describes the categories of personal data collected, the purposes of collection, the categories of third parties with whom data is shared, and an explanation of consumers’ rights. Businesses must also provide a “clear and conspicuous” description of any data processing conducted for targeted advertising purposes.

Furthermore, the statute mandates that covered businesses eventually recognize universal opt-out mechanisms. However, this specific provision does not take effect until January 1, 2026.

Enforcement and Penalties:

The State Attorney General has exclusive authority to enforce the statute. It does not permit a private right of action, meaning consumers cannot pursue legal action against businesses for violations. Penalties for noncompliance can be severe, with businesses facing fines of $500 per day or 25% of fraudulently withheld amounts for willful failure to furnish reports or information.

For more information, please see the links below:

Oregon Consumer Data Privacy Act (the “OCDPA”)

Law Firm Article 1, Article 2, Article 3, Article 4, Article 5

What do employers need to do?

As the law’s effective date approaches, businesses operating in Oregon must review and update their data handling practices, ensure compliance with reporting and disclosure requirements, and prepare for the implementation of universal opt-out mechanisms in 2026.

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.