Oregon data privacy and security act (SB 619)

At least one more comprehensive privacy law could get signed before the end of an extremely active legislative session—Oregon’s “Act relating to protections for the personal data of consumers” (SB 619).

SB 619 has passed through Oregon’s legislature and just needs a governor’s signature before being enacted in Oregon’s revised statutes (ORS 180.095). Here’s a comprehensive overview of the law’s main provisions.

Application

SB 619 applies to any company conducting business in Oregon or targeting products or services at Oregon residents that meets one or more of the following thresholds:

• It controls or processes personal data about 100,000 or more Oregon consumers (other than personal data used “solely for the purpose of completing a payment transaction”)
• It both:
  • Controls or processes personal data about 25,000 or more Oregon consumers, and
  • Derives at least 25% of revenues from selling personal data.

Many exemptions apply, including to:

• State agencies.
• Financial institutions regulated by the Gramm-Leach-Bliley Act (GBLA)
• Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA)
• Non-profits in certain fields (insurance fraud detection and TV and radio programming)
• Higher education institutions.

SB 619 also exempts the processing of personal data in the context of various health-related regulations, certain non-commercial activities, and employment.

Another long list of exemptions states that the law does not apply in the context of activities including:

• Preventing, detecting, protecting against or responding to, and investigating, reporting or prosecuting persons responsible for security incidents, identity theft, fraud, harassment or malicious, deceptive or illegal activity or preserving the integrity or security of systems
• Identifying and repairing technical errors in a controller’s or processor’s information systems that impair existing or intended functionality
• Negotiating, entering into or performing a contract with a consumer, including fulfilling the terms of a written warranty
• Protecting any person’s health and safety

Definitions

Some key definitions under Oregon’s SB 619 include:

• Personal data: Data, derived data, or any unique identifier that is “linked to or is reasonably linkable to a consumer” or to “a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household”.
• Processing: Any operation performed on personal data, including its “collection, use, storage, disclosure, analysis, deletion, or modification”.
• Controller: A person or organisation that, alone or jointly with others, “determines the purposes and means” of processing personal data.
• Processor: A person or organisation that processes personal data on behalf of a controller.
• Consent: An affirmative act by means of which a consumer “clearly and conspicuously communicates” their “freely given, specific, informed and unambiguous assent to another person’s act or practice”, under the following conditions:
  • The consumer does not consent via any user interface or mechanism that “has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice” (essentially “dark patterns”).
  • “The consumer’s inaction does not constitute consent” (sic).

SB 619 also defines “sensitive data”, which includes:

• Personal data revealing:
  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Status as transgender or nonbinary
  • Citizenship or immigration status
• A child’s personal data
• Geolocation data revealing a consumer’s location (or the location of device reasonably linkable to the consumer) within a radius of 1,750 feet
• Biometric or genetic data

“Sensitive data” does not include “the content of communications” or “any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.”

Selling personal data, targeted advertising

SB 619 regulates the “sale” of personal data, which means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party”.

A “sale” does not include the disclosure of personal data:

• To a processor that processes personal data on behalf of the controller.
• To a third party for the purposes of providing a product or service requested by the consumer.
• To an affiliate of the controller.
• Where the consumer:
  • Intentionally made the personal data public via a mass media channel, and
  • Did not restrict the disclosure to a restricted audience.
• As part of an acquisition, merger, or bankruptcy.

SB 619 also regulates “targeted advertising”, defined as displaying an advertisement to a consumer when the following conditions are met:

• The advertisement is selected based on personal data.
• The personal data is obtained from the consumer’s activities over time and across nonaffiliated websites or apps.
• The personal data is used to predict the consumer’s preferences or interests.

The definition excludes “first-party” ads based on personal data collected via the controller’s own properties, contextual ads, certain engagement-measurement activities, or ads directed to the consumer based on the consumer’s response to a request for feedback.

Consumer rights

SB 619 provinces consumers with several rights over their personal data. Under the law, a consumer may:

• Obtain from the controller:
  • Confirmation of whether the controller is processing or has processed the consumer’s data, plus a list of the relevant categories of personal data.
  • At “the controller’s option”, a list of specific third parties (excluding individuals) to which the controller has disclosed either:
    • The consumer’s personal data, or
    • Any personal data
  • A copy of their personal data in “a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance”.
• Require a controller to correct inaccuracies in their personal data, taking into account the nature of the personal data of the purposes of processing the data.
• Require a controller to delete personal data and derived data provided by or obtained about the consumer.
• Opt out of:
  • The sale of their personal data.
  • Targeted advertising.
  • Profiling “in furtherance of decisions that produce legal or similarly significant effects”.

The Oregon Attorney General will eventually promulgate rules enabling consumers to opt out of the sale of personal information and targeted advertising via a browser or device setting (or an “opt-out preference signal”).

Responding to a request

Controllers must respond to a request by a consumer to exercise these rights “without undue delay” and within 45 days, with a 45-day extension available when reasonably necessary.

Consumers can make a request once every 12 months, and controllers must not charge a fee—unless the request is manifestly unfounded, technically infeasible, excessive, or repetitive, in which case the controller can charge a fee to cover the administrative costs.

Controllers must make “commercially reasonable efforts” to verify a consumer’s identity.

If a customer is not satisfied with the response from a controller, they can appeal within a reasonable time. The controller must respond to the appeal within 45 days, stating a reason for the decision. If the customer is still not satisfied, they have the right to file a complaint with the Attorney General.

Obligations on Controllers

SB 619 sets out several positive obligations on controllers, including to:

• Limit the collection of personal data to what is “adequate, relevant and reasonably necessary in relation to a specified purpose”.
• Put in place security safeguards that comply with those set out in Oregon’s data breach notification law (ORS 646A.622).
• Provide a means for consumers to revoke consent in a manner that is “at least as easy as the means by which the consumer provided consent”.

There are also some negative obligations on controllers, including to:

• Not process personal data for reasons that are not reasonably necessary for or compatible with a specific purpose without consent.
• Not process sensitive data without consent.
• Not process children’s personal data in violation of the Children’s Online Privacy Protection Act (COPPA).
• Not process the personal data of children aged between 13 and 15 without consent.
• Not discriminate against consumers for exercising their consumer rights.

Privacy Notice

Controllers must maintain a “reasonably accessible, clear, and meaningful privacy notice“ that discloses:

• The categories of personal data and sensitive data processed by the controller.
• The purposes for processing personal data.
• An explanation of the consumer rights and appeal process.
• The categories of personal data and sensitive data the controller shares with third parties, if any.
• A description of “all categories of third parties” with which the controller shares personal data at a level of detail that enables the consumer to understand:
  • What type of entity each third party is and,
  • To the extent possible, how each third party may process personal data.
• An actively-monitored email address or other online mechanism by which the consumer may contact the controller.
• The identity of the controller, including any business name that the controller uses in Oregon.
• A clear and conspicuous description of—and an explanation of how to opt out of—any processing done by the controller for the purposes of:
  • Targeted advertising
  • Profiling “in furtherance of decisions that produce legal or similarly significant effects”
• The methods designated for consumers to exercise their consumer rights.

Data Protection Assessments

Controllers must conduct a Data Protection Assessment (DPA) before engaging in any processing that presents “a heightened risk of harm to consumers”, including the following:

• Targeted advertising.
• Processing sensitive data.
• Selling personal data.
• Other processing activities that could result in risk, injury, or intrusion upon solitude.

A DPA must identify and weigh:

• The benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public.
• The potential risks to the rights of the consumer, taking safeguards into account.

The DPA should include consideration of:

• Consumers’ reasonable expectations
• The context of the processing
• The relationship between the controller and the consumers

The Oregon Attorney General can demand access to a copy of a controller’s DPA.

Obligations on Processors

Processors must help controllers facilitate consumer rights requests and conduct data protection assessments and must notify controllers of security breaches.

A controller may only engage a processor subject to a “valid and binding” written agreement that contains:

• Clear instructions for the data processing.
• The nature and purpose of the processing.
• The types of data
• The duration of the processing.
• The rights and obligations of the controller and processor.
• A section that requires the processor to:
  • Bind anyone processing personal data to a duty of confidentiality.
  • Delete or return all personal data to the controller as requested at the end of the contract, if allowed by law.
  • Provide the controller with any necessary information to demonstrate the processor’s compliance.
  • Allow reasonable assessments (audits) by the controller, or arrange an independent audit and provide a report on request.
  • Only engage subcontractors under a written contract with the same terms as above.

Enforcement

Oregon hands enforcement of its privacy law exclusively to the Attorney General, who must provide controllers or processors suspected of violating the law with a 30-day notice period. If the controller can “cure” the violation within this period, it will not face enforcement action.

The Attorney General can pursue a civil penalty of up to $7,500 per violation, plus costs. The law does not provide a private right of action.

If signed, the law should take effect from July 1 2024, or from July 1 2025 for any “501(c)(3) organization” (an organization exempt from federal income tax).