This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Technology Law

| 3 minute read

Oregon Joins the Consumer Privacy Bill Trend

On June 22, 2023, the Oregon Legislature advanced a new consumer data privacy bill called SB 619. If Governor Tina Kotek signs the bill into law, Oregon will join the consistent trend of states passing consumer data privacy bills. Only a few days ago, on June 18, 2023, Governor Abbott signed the Texas Data Privacy and Security Act into law, placing Oregon in line to become the eleventh state (and sixth this year) to enact a broad-based consumer privacy bill. Most of the bill’s provisions go into effect on July 1, 2024, and while the bill does not stray too far from the ‘Washington Privacy Act-style,’ there are a few key differences worth considering before 2024.

Personal Data:

SB 619 explicitly defines “Personal Data” to include derived data and device data that is reasonably linkable or linked to one or more consumers in a household. “Derived Data” is typically referred to as the cross-referencing or synthesizing of different data sets to discover valuable information that may not be apparent from the original data sets. Oregon’s inclusion of derived and device data will possibly lead to a broader range of data being subject to provisions of SB 619. Oregon’s personal data definition is novel and significant because most states, such as Utah, Virginia, and Montana, define “Personal Data” as information linked or reasonably linkable to an identified or identifiable individual.

Sensitive Data: 

Personal data is not the only definition that SB 619 gives expansive treatment to; SB 619 identifies “Sensitive Data” to include new categories such as national origin, status as transgender or nonbinary, and status as a victim of a crime. None of the ten other state consumer privacy laws include these unique categories, and Oregon’s inclusion will likely lead to greater data protection for these groups. On the other hand, while all states with consumer data privacy bills include biometric data as sensitive data, Oregon further narrowly defines “Biometric Data” by overtly excluding facial mapping or facial geometry unless the facial mapping or geometry was generated to identify a specific consumer.

Covered Entities- Nonprofits: 

Before this week, Colorado was the only other state not to exempt nonprofit organizations. Now, Oregon will join Colorado in this limited group. There are still two ways that nonprofits may qualify for data or entity exemption in Oregon. First, nonprofits may qualify for data exemptions if they participate in the noncommercial activity of providing programming to radio or television networks. Secondly, a nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance is exempt. While the exclusion of nonprofits is distinctive, these organizations will have until July 1, 2025 (as opposed to July 1, 2024) to comply with SB 619.

Research Exceptions: 

Most states present an exemption for data used for research purposes in the “public interest” (a standard that varies between jurisdictions). To be exempt, the statistical or scientific research  typically must be approved, monitored, and governed by an institutional review board or independent oversight entity. But, SB 619 only requires adherence to applicable laws. There is no need for statistical or scientific research to go through a review to qualify for an exemption. Oregon’s review exemption will likely lead to more research data being excused from SB 619’s provisions than other states.

Transparency- Third Party Specification:  

Upon consumer request, covered businesses will be required to disclose to consumers a specific list of third parties to which the business has disclosed the consumer's personal data or any personal data. Additionally, in their privacy notice, covered businesses must include a description of all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, if possible, how each of these third parties process the data.

Opt-In For 13-15: 

Lastly, when it comes to children ages 13 to 15, if a business is planning on selling their data or using their data for profiling or targeted advertising, the business must first obtain consent.

Takeaways: 

July 1, 2024, is almost exactly a year away. Companies doing business in Oregon or whose products or services are consumed by Oregon residents should consider the following as part of their continuing privacy compliance efforts:

  • Consider the Data You are Processing. If you are a business that processes derived data or data linked to a device that is not lawfully available through federal, state, or local government records or widely distributed media, confirm personal data compliance with SB 619 and, if necessary, make changes to internal policies. In addition, if your business processes consumer data pertaining to national origin, status as transgender or nonbinary, and status as a victim of a crime, you must first obtain the consumer's consent before processing.
  • Nonprofits Prepare to Comply. If your business is a nonprofit, you likely are not exempt from the provisions of SB 619. Oregon's requirements are not particularly burdensome compared to other states' laws, but they are novel to nonprofits (unless Colorado's law already encompasses your nonprofit). Nonprofits should begin preparing to comply with SB 619.
  • Update Your Third Party Specification. Companies planning on disclosing personal data to third parties must be prepared to provide a specific list of these third parties to consumers upon request. Further, companies should confirm that their privacy policies include a description of said third parties.

Tags

technology law