In June 2023, the Oregon Legislature passed Senate Bill 619, the Oregon Consumer Privacy Act (“the law”). The Oregon Consumer Privacy Act, ORS 646A.570-646A.589, was signed into law by Governor Kotek and takes effect on July 1, 2024.
The Department of Justice has put together Frequently Asked Questions (FAQs) for consumers and businesses to help prepare for the privacy law’s implementation.
A link to the Privacy Law FAQs for Consumers can be found on the Consumer Privacy page.
The law goes into effect on July 1, 2024. For nonprofit entities covered by the privacy law, the law is not scheduled to go into effect until July 1, 2025.
The law applies to any individual or entity that conducts business in Oregon or that provides products or services to Oregon residents if, during a calendar year, that individual or entity controls or processes the personal data of:
The individuals or entities that fit that description are called “controllers.”
Yes, the law applies to vendors and service providers that maintain or provide services involving personal data on behalf of a controller. The individuals or entities that fit that description are called “processors.”
The key distinction between a controller and a processor is their decision-making authority over personal data. Under the law, a processor may only process data at the request and under the direction of a controller. The processor is contractually bound by the controller’s instructions as to what the processor must and may do with personal data. The processor is obligated by their contract to help a controller fulfill their duties regarding personal data.
A “sale” is the exchange of personal data for monetary or other valuable consideration between a controller and a third party. “Valuable consideration” is not limited to money. This could include a controller exchanging customer lists with a third party. There are some exceptions to the definition of “sale” stated in the law. Those exceptions can be found at ORS 646A.570(17)(b).
Personal data is any information that can be linked to an individual. Personal data also includes any information that can be linked to an individual’s device or a household device (like a cell phone or a smart appliance).
Processing refers to any action a controller may take with respect to personal data, including collecting, using, storing, selling, sharing, analyzing, or modifying the data.
The privacy law excludes some types of entities from complying with its requirements, even if those entities meet the threshold requirements. These entities include:
A person or entity that contracts with an exempt entity may still be subject to the law if they process personal data on behalf of any non-exempt controllers and/or if that person or entity meets the law’s definition of controller.
The law does not apply to data maintained for employment records purposes. Furthermore, the term "consumer" means an individual Oregon resident acting only in an individual or household context and does not include an individual acting as an employee or job applicant.
Yes, for certain types of data and under certain circumstances. Consent is required to collect, store, or otherwise process all categories of “sensitive data”, as defined in the law (see question above for more detail about this). If the controller knows (or willfully disregards knowing) that a consumer is at least 13 years old and less than 16 years old, the controller also must obtain consent to process the consumer’s personal data when it is for the purposes of sale, targeted advertising, or profiling.
In addition, a controller must obtain a consumer’s consent to process personal data for any “secondary purpose” – a purpose that is not reasonably necessary for and compatible with the purposes the controller has specified in its privacy notice. For instance, if a restaurant’s website states that it collects personal data only for the purpose of completing online orders, the restaurant cannot sell that personal data to data brokers or other advertisers without obtaining the consumer’s consent. If a controller wants to use collected data in a different way than what was outlined in the original privacy notice, they may need to get consent for existing personal data and should change their privacy notice moving forward.
Privacy notices should be written in clear, straightforward language geared towards consumers. ORS 646A.578(4) describes all topics that should be contained in a controller’s privacy notice.
If a controller shares personal data with third parties, the privacy notice must list all categories of personal data, including the categories of sensitive data, that are shared. The law also requires that the privacy notice state the categories of third parties with which data is shared. There should be enough detail to give consumers a meaningful understanding of the types of businesses, or the processing expected, but not so much as to render the privacy notice unclear or unreadable. For example, categories of third parties described at a sufficiently granular level of detail include, but are not limited to: “analytics companies,” “data brokers,” “third-party advertisers,” “payment processors,” “lenders,” “other merchants,” and “government agencies.”
In addition, the law does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. A complete list of exclusions can be found at ORS 646A.572(2).
A controller must respond to a consumer’s request no later than 45 days after receipt of the request. Under certain conditions, the controller may extend the response period by 45 days but must tell the consumer that the response will be delayed and explain the reason for that delay.
Controllers will be required to accept opt-out requests through universal opt-out mechanisms starting on January 1, 2026. Prior to January 1, 2026, controllers may, but are not required to, allow consumers to opt-out of personal data processing through a universal opt-out mechanism.
A consumer can use an agent to exercise “opt-out” rights. A controller must comply with the opt-out request if the controller can verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on their behalf. The agent must make the opt-out request through the method(s) specified in the controller’s privacy notice.
If the consumer is under 13 years old or under a protective arrangement, the consumer’s parent, guardian, or conservator may exercise all privacy rights on the consumer’s behalf.
Controllers must provide information to consumers free of charge for the first request within a twelve-month period. Controllers may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within a twelve-month period, unless the request is to confirm that the controller corrected inaccuracies in, or deleted, the consumer’s personal data based on a prior request.
Between July 1, 2024 and January 1, 2026, if the Attorney General determines that a violation can be remedied, the Attorney General must first send a letter giving the violator 30 days to cure, or fix, the violation. If the Attorney General determines that no fix is possible for the violation, no such letter is required.
After January 1, 2026, the Attorney General is not required to send a cure notice under any circumstances and can proceed directly to an enforcement action.
No, the Oregon Department of Justice cannot act as your attorney or give you legal advice. If you have questions or comments about the privacy law, you may email oregonprivacy@doj.oregon.gov. We may use your question to expand and/or clarify the list of frequently asked questions (FAQs) on our website to address common concerns of consumers and businesses.
Entities or individuals that violate the law may face civil penalties up to $7,500 per violation. In addition to civil penalties, the Attorney General can also seek other relief, including injunctive relief, restitution, and/or disgorgement.