The Oregon Consumer Privacy Act, S.B. 619, is sitting on Governor Tina Kotek’s desk waiting to be signed. The Oregon legislature voted on and passed the new bill on June 22, 2023. If enacted by Governor Kotek, Oregon will be the twelfth state (sixth in 2023) to pass a comprehensive privacy statute, along with California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, and Utah.
The bill shares some similarities with the proposed Washington Privacy Act. It will join the Texas Data Privacy and Security Act as the only comprehensive state privacy laws enacted so far in 2023 that extend privacy rights and protections beyond the existing high-water marks.
What You Need to Know
The Oregon Consumer Privacy Act (SB 619) is meant to give consumers more control over their data and prevent third-party companies from using their personal data without the consumer’s permission. This bill would require companies to obtain consumers’ opt-in consent before processing a host of potentially sensitive data, including information about race, ethnicity, religion, health condition or diagnosis, sexual orientation and immigration status. Companies also must obtain opt-in consent before processing precise location data and biometric data.
This bill essentially does three things:
(1) Allows Oregon residents to opt out of ad targeting based on their online activity and “personal data”.
“Personal data” means data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household. “Personal data” does not include deidentified data or data that:
(A) Is lawfully available through federal, state or local government records or through widely distributed media; or
(B) A controller reasonably has understood to have been lawfully made available to the public by a consumer.
(2) Gives consumers the right to learn what personal data about them has been collected.
(3) Gives consumers the right to learn what third parties received that information.
Scope and Exemptions
This Act would apply to any person that conducts business or provides products or services to Oregon residents and during a calendar year:
(1) Controls or processes personal data of 100,000 or more consumers (except for personal data controlled or processed solely for the purpose of completing a payment transaction).
(2) Controls or processes personal data of 25,000 or more consumers, if 25% or more of the annual revenue is derived from the sale of data.
The Act exempts employee information, among other exceptions.
The Act defines personal data to include “data, derived data, or any unique identifier that is linked or reasonably linkable to one or more consumers in a household.”
The Act requires consent prior to the collection and processing of sensitive data. The definition of sensitive data includes race or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, citizenship status, precise geolocation, and a number of other categories that are consistent with many other comprehensive state privacy statutes. However, the Act’s definition of sensitive data also includes “status as a transgender or non-binary” and “status as a victim of a crime.”
Consumers would have the rights of access, deletion, portability, and correction under the Act, though there are some notable departures from existing comprehensive privacy statutes. For example, consumers would have the right to request “[a]t the controller’s option, a list of specific third parties” to which the controller has disclosed the consumer’s personal data. Additionally, the Act provides consumers a right to delete personal data about the consumer, which the Act defines to include “personal data the consumer provided to the controller, personal data the controller obtained from another source and derived data.”
The Act would prohibit a controller from processing personal data for targeted advertising, sales, or profiling in furtherance of decisions with a legal or similarly significant effect without the consumer’s consent, if the controller has “actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age.”
The Attorney General has exclusive authority to enforce the Act, and there is no private right of action. The Act will enter into effect July 1, 2024.