On June 22, the Oregon State Legislature passed a comprehensive privacy bill becoming the latest US state to pass such a law. The bill passed in Oregon follows in the footsteps of many of the existing US state privacy laws and will introduce similar provisions including application thresholds, data protection assessments, and cure periods.
The bill now awaits signature from the Governor of Oregon ahead of an expected effective date on July 1, 2024 – Which will see the Texas Data Privacy and Security Act become effective on the same day. Read on to learn more about some of the key areas of the incoming privacy law in Oregon.
Scope of application
Oregon’s privacy bill closely resembles other similar consumer data privacy acts around the US. Its scope of application is no different, offering similar language as well as similar application thresholds.
Oregon’s privacy bill will apply to “any person that conducts business in [Oregon], or that provides products or services to residents of [Oregon].”
Additionally, these businesses must either, during a calendar year, control or process:
The personal data of 100,000 or more consumers (excluding payment transaction data)
OR
The personal data of 25,000 or more consumers, while deriving 25% or more of annual gross revenue from selling personal data
While comparable to other state privacy laws, it is important to note the nuances of these application thresholds to understand whether this bill will apply to your organizations. Furthermore, there are exemptions for a range of types of information including those covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). However, unlike most US state privacy these are not entity-level exemptions, and the law will also extend to non-profit organizations.
Key requirements of Oregon’s privacy bill
Oregon’s new privacy bill includes many of the provisions you may expect from modern data privacy laws. Alongside requirements such as data protection assessments, heightened conditions for processing sensitive data, and a range of individuals’ rights, the bill also includes requirements relating to transparency, data minimization, data security, and purpose specification. Let’s take a closer look at some of these requirements below.
Individuals’ rights
Under the incoming privacy bill in Oregon, consumers will be afforded the following rights:
- Right to confirm processing, including the categories of personal data being processed
- Right to access a copy of their personal data being processed
- Right to access a copy of the third parties that their personal data has been disclosed to
- Right to correction
- Right to deletion (including derived data)
- Right to opt-out of
- Targeted advertising
- Sale of personal data
- Profiling
- Right to data portability
Although not explicitly called out as a consumer right, individuals have the right to not be discriminated against. Additionally, businesses covered by the new privacy bill will be required to honor universal opt-out signals from January 1, 2026.
Businesses must respond to consumer rights requests without undue delay and not later than 45 days after receiving the request. The bill includes an option to extend this by an additional 45 days.
Privacy notice
Businesses covered by the new privacy bill will be required to provide a reasonably accessible, clear, and meaningful privacy notice to consumers.
This notice should include details relating to:
- Categories of personal data, including the categories of sensitive data
- Purposes of processing
- How an individual may exercise their rights
- Categories of personal data, including the categories of sensitive data, shared with third parties
- Categories of third parties with whom personal data is shared
- Contact details for the business
- Information that Identifies the controller, including any business name under which the controller registered with the Secretary of State
- Processing of personal data for targeted advertising or profiling
- How an individual can opt out of this type of processing
- A method for an individual to submit a rights request
Sensitive data
There is a specific carve-out for sensitive data which includes a definition of types of information considered sensitive as well as conditions for its use.
Under the new bill, Sensitive data will mean personal data that reveals:
- Racial or ethnic background
- National origin
- Religious beliefs
- Mental or physical condition or diagnosis
- Sexual orientation
- Status as transgender or nonbinary
- Status as a victim of crime
- Citizenship or immigration status
Additionally, sensitive data will include children’s personal data, geolocation, and genetic or biometric data. Sensitive data can only be processed on an opt-in basis and businesses will need to acquire “freely given, specific, informed, and unambiguous” consent for its use.
Valid consent
Consent is necessary for lawfully performing several types of data processing activities, including the use of sensitive data. Under the new bill in Oregon consent is defined as:
“An affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice under the following conditions:
- The user interface by means of which the consumer performs the act does not have any mechanism that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice; and
- The consumer’s inaction does not constitute consent.”
Businesses should be careful to understand this definition with particular attention paid to user interface requirements as well as the individual’s inaction not constituting as valid consent.
Data protection assessments
Data protection assessments are a key feature of Oregon’s privacy bill, businesses will be required to conduct and document data protection assessments for activities that present “a heightened risk of harm to a consumer” and must balance the interests of the business with the risk posed to individuals.
The bill outlines specific activities that fall under this definition that include:
- Targeted advertising
- Processing sensitive data
- Selling personal data
- Processing personal data for profiling
As with many emerging privacy acts in the US, Oregon will allow a single data protection assessment to address comparable sets of processing activities with a similar heightened risk of harm and assessments carried out to satisfy other applicable laws and regulations can be considered valid as long as the activities are similar in scope and effect.
Documentation of data protection assessments is critical and the Oregon Attorney General may require businesses to provide assessments relevant to an investigation into non-compliance and assessments should be held for five years.
Enforcement
The Attorney General will have exclusive authority to enforce the provisions of this new privacy act. The AG may bring seek civil penalties of up to $7,500 for each violation of the act. Businesses will have a 30-day cure period – This clause will sunset on January 1, 2026. There is no private right of action.
How OneTrust helps
The OneTrust Privacy & Data Governance Cloud offers and range of automated solutions to help you prepare and comply with the latest additions to the US privacy landscape. From Privacy Notice Management to PIA & DPIA Automation, the Privacy & Data Governance Cloud has your privacy program covered with the most critical requirements that you will face come July 1, 2024.
OneTrust can also help you establish a consumer rights request process and automate to fulfillment of these requests as well as help streamline your processes so you can reallocate the time and resources to focus on other key areas of compliance.
Request a demo today and speak to one of our experts to see how the OneTrust Privacy & Data Governance Cloud can help you prepare for US privacy in 2024 and beyond.
