WILL OREGON BE THE NEXT STATE TO SIGN INTO LAW CONSUMER DATA PRIVACY: There is a Bill Currently Sitting on the Governor’s Desk.

Do you feel like we just brought you news of a new privacy bill or two? That is because we did and are back with another! These states are passing new consumer privacy laws fast than you can say, Troutman Amin! Oregon is the latest state with a bill sitting on the Governor’s desk. Once signed into law that will make ELEVEN states that have enacted consumer data privacy laws, with more in the making.

Oregon SB619 created new provisions and amends ORS 180.095. Sections 1-9 go into effect on July 1st, 2024, however, amendments to sections 5 and 9 go into effect January 1, 2026. This act applies to anyone conducting business or providing products or services to residents of the state of Oregon.

What to expect from the new law once signed, well let me tell you.

Consumers have the right to:

  • Right to know and access
  • Right to correct
  • Right to delete
  • Right to opt-out
    • Targeted advertising
    • Sale
    • Decision profiling
  • Right to data portability

Businesses will have 45 days to respond to consumer requests and may take up to an additional 45 days if reasonably necessary for complex requests. Businesses who observe the extension must notify the customer within the initial 45 days and provide the reason for the extension.

If a business declines to process a consumer request, it must notify the consumer of the denial without undue delay and within 45 days. The notification must provide the reason for the denial and instructions on how to appeal the decision.

Consumers’ requests for information must be provided for free once in a 12-month period. Businesses may charge a reasonable fee for additional requests, however, not if the request is to confirm corrections or deletion in compliance with a consumer request.

Businesses must establish a process for consumers to appeal the denial of their requests, the process shall include:

  • Reasonable time for a consumer to respond to notification of denial
  • Conspicuously provided to the consumer
  • Be similar in process to which a consumer can exercise rights
  • Must respond to appeals within 45 days and provide written notice to consumers. If the appeal is denied you must provide the consumer with information on how they can contact the Attorney General to file a complaint.

Businesses must comply with the following

  • Express purpose for which the business is collecting and processing personal data in their privacy notice
  • Limit the collection of personal data to only what is reasonably necessary to provide a product or service
  • Establish, implement, and maintain for personal data the same safeguards described in ORS 646A.622 that are required for protecting personal information, as defined in ORS 646A.602, such that the controller’s safeguards protect the confidentiality, integrity, and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data
  • Provide effective means for a consumer to revoke consent, which must be as easy as the consumer proving consent. Once consent is revoked business must stop processing personal data as soon as practicable but no later than 15 days after revocation.
  • Method(s) for which a consumer may use to exercise their rights must be provided in a way in which a consumer would normally interact with the website through a secure and reliable manner
  • Provide a clear and conspicuous link on the webpage where a consumer can opt out of personal data processing. If linking a webpage is not an option must provide an alternative method for consumers to opt-out
  • Create and conduct data protection assessment for each of the controller’s processing activities that present a heightened risk of harm to a consumer

Business cannot:

  • Process personal data for purposes that are not reasonably necessary, unless you obtain consumer consent
  • Process sensitive data unless you have consumer consent
  • Discriminate against a consumer that exercises their rights

Businesses must provide a clear and meaningful privacy policy that includes:

  • List the categories of personal data, including categories of sensitive data, that are processed
  • Describe the purpose for processing the personal data
  • Describe how consumers may exercise their rights, including how to appeal a request denial
  • List the categories of personal data, including categories of sensitive data, that are shared with third parties
  • Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data
  • Provide an email address or other online method for a consumer to contact the business
  • Identify any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this state
  • Provide a clear and conspicuous description of any processing of personal data for the purpose of targeted advertising or decision profiling and how a consumer can opt-out
  • Describe the method(s) in which the consumer can submit a request to exercise their rights

There are additional requirements for how processors of personal data shall adhere to the direction of the business and process de-identified data.

Note there is no private right of action created and the Attorney General is the enforcer of violation with each violation carrying up to a $7,500 penalty. There is a 30-day cure period provided before bringing the action from the AG’s office until December 31, 2025. Must recognize consumer opt-out signals by January 1, 20206.

Are you feeling worried about keeping up with the ever-changing landscape of state consumer data privacy?

We’ve got your back with an incredible session on all the state PRIVACY BILS coming up at the Troutman Amin, LLP Summer  Marketing/Advertising/Privacy Law conference on July 13, 2023. 

We will be breaking down everything you need to know about the pile of states who have enacted state privacy bills recently–and this is a real can’t miss session.

In-person tickets are SOLD OUT but you can still attend our virtual option!

Register now

We will keep you posted once this is signed into law, in the mean time you can ready the complete bill here.


Leave a Reply