State Privacy Law Tracker: Oregon

Oregon Passed the OCPA

The Oregon Consumer Privacy Act (OCPA) (SB 619) was passed in Oregon on June 22, 2023. Tina Kotek, the governor of Oregon, will now receive the bill for a final signature.

With the passage of this legislation, Oregon will become the eleventh state to pass a comprehensive state privacy law, and the sixth in the flurry of comprehensive state privacy laws in the 2023 calendar year. Interestingly, it is the first state controlled by Democrats to approve a comprehensive law protecting consumer privacy.

SB 619 emerged this year from a privacy working group led by the attorney general with input from a variety of consumer and business participants. The bill was a high priority, and the legislative process included lengthy discussions on whether to keep the private right of action. In the end, the private right to action was eliminated.

The statute is modeled after other previously passed comprehensive privacy laws but does have a few noteworthy and original provisions.

The OCPA goes into effect July 1, 2024.

Notable Provisions of the OCPA

Exemptions

The OCPA differs from other state privacy laws in that it does not provide the same exemptions.  For instance, the bill eliminated entity-level exemptions for healthcare entities covered by HIPAA and financial entities covered by the GLBA.

The reasoning behind the elimination of an exemption for entity-level exemptions is as follows. The “problem with [an entity-level exemption] is that there are many HIPAA-covered entities that are covered only for a small portion of the data they process. Including an entity-level exemption would create a huge loophole for any entity that engages in any amount of HIPAA-covered activities, no matter how much data they process that is not covered by HIPAA.”

In addition, the OCPA does not exempt non-profit organizations, unlike Colorado, but it does grant limited non-profit exemptions for groups created to identify and stop insurance fraud as well as those that provide programs for radio and television networks.

Biometric Data

The OCPA has a unique take on biometric data. To quote the act:

“Biometric data” means personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer.”

“Biometric data” does not include:

1. A photograph recorded digitally or otherwise;
2. An audio or video recording;
3. Data from a photograph or from an audio or video recording, unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer; or
4. Facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.”

Notably, the provisions for the laws regarding biometric data do not require controllers to use biometric data to identify an individual, as required by other privacy rules.

In addition to SB 619, 3 other narrower privacy-related bills were introduced. We’ll outline them all below.

Oregon Privacy Bills Proposed In 2023

In addition, 3 other narrower privacy-related bills were introduced. We’ll outline them all below.

HB 2052: Relates to Information Brokers

• specifies that a data broker must register with the Department of Consumer and Business Services before collecting, selling, or licensing brokered personal data inside the state
• defines the application’s form, process, and contents
• defines exclusions and exemptions
• provides a civil penalty of up to $500 for each act violation or, in the case of a persistent violation, for each day that the violation continues
• limits the civil penalty to a maximum of $10,000 per year

HB 2370: Requires Attorney General to Study Privacy

• establishes a study group for the attorney general to study privacy
• instructs the attorney general to submit findings to said committees of the legislative assembly related to consumer protection no later than Sept. 2024

SB 196: Relates to Children’s Online Privacy

• requires a company to identify, assess, and reduce risks to children from online products and services if it offers them and knows that children are fairly likely to use them
• limits the ways in which a company may gather or utilize a child’s personal data
• requires a company to perform and keep a data protection impact assessment if it offers an online service, feature, or product that a child is likely to access
• enables the attorney general to sue a company for violations and seek injunctive remedy, civil penalties, attorney fees, and enforcement costs and disbursements
• establishes a task team on the subject of age-appropriate design

SB 619: Proposes an Oregon Consumer Privacy Act

• gives consumers the right to request from a controller a confirmation of whether the controller is processing their personal data, a list of the categories of personal data the controller is processing, a list of the specific third parties to whom the controller has disclosed their personal data, and a copy of all of their personal data that the controller has processed or is processing
• allows a consumer to request that a controller correct inaccurate personal data about them
• allows a consumer to request that the controller erases personal information about them
• in some situations, gives consumers the right to request that the controller stop processing their personal information 
• requires a controller to give consumers a privacy notice that is easily accessible, and understandable, and outlines the categories of personal data being collected

Centraleyes brings you the latest updates on state privacy laws across the map of the U.S. If you’re interested in learning if your business is mandated by the deluge of new privacy laws emerging from all corners of the U.S, you can now easily refer to updated material on our state privacy tracker.