
Oregon Enacts Comprehensive Consumer Data Privacy Act with Limited GLBA Exemption

Oregon Gov. Tina Kotek has signed into law Senate Bill 619, making Oregon the 11th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, and Texas. The Act will go into effect July 1, 2024.

APPLICABILITY

The Act applies to any person that conducts business in Oregon, or that provides products or services to its residents, and that during a calendar year, controls or processes:

  1. The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. The personal data of 25,000 or more consumers, while deriving 25% or more of the person’s annual gross revenue from selling personal data.

EXEMPTIONS

Exemptions include, but are not limited to:

  1. Information collected, processed, or disclosed under and in accordance with the Gramm-Leach-Bliley Act;
  2. Information that originates from, or is intermingled so as to be indistinguishable from, information described in paragraph (k)(A) [Gramm-Leach-Bliley Act] of this subsection and that a licensee, as defined in Or. Rev. Stat. Ann. § 725.010, collects, processes, uses or maintains in the same manner as is required under the laws and regulations specified in paragraph (k)(A) [Gramm-Leach-Bliley Act] of this subsection;
  3. Financial Institutions as defined in Or. Rev. Stat. Ann. § 706.008, or a financial institution’s affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k);
  4. Activities regulated by the Fair Credit Reporting Act;
  5. Protected health information under the Health Insurance Portability and Accountability Act.

Or. Rev. Stat. Ann. § 725.010 (Oregon Consumer Finance Act) defines a “licensee” as a person licensed to make consumer finance loans of $50,000 or less.

Or. Rev. Stat. Ann. § 706.008(9) (Oregon Bank Act) defines a “financial institution” as “an [FDIC] insured institution, an extranational institution, a credit union as defined in ORS 723.006, an out-of-state credit union under ORS 723.042 or a federal credit union.”

CONSUMER RIGHTS

Consumers have the right to:

  1. confirm processing of their personal data and access such data;
  2. correct inaccuracies;
  3. delete personal data;
  4. obtain personal data provided by the consumer in a portable and readily usable format, if stored digitally;
  5. opt out of processing for the purposes of targeted advertising, sale, or profiling.

SENSITIVE PERSONAL INFORMATION

Sensitive personal data may not be processed without the consumer’s consent or, in the case of a known child, pursuant to the Children’s Online Privacy Protection Act.

Sensitive data means personal data that:

  1. Reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime or citizenship or immigration status;
  2. Is a child’s personal data;
  3. Accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or
  4. Is genetic or biometric data.

CONTRACT REQUIREMENTS

A contract between a controller and processor must be valid and binding and:

  1. Set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing and the duration of the processing;
  2. Specify the rights and obligations of both parties with respect to the subject matter of the contract;
  3. Ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data;
  4. Require the processor to delete the personal data or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;
  5. Require the processor to make available to the controller, at the controller’s request, all information the controller needs to verify that the processor has complied with all obligations the processor has under the Act;
  6. Require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller’s behalf and in the subcontract require the subcontractor to meet the processor’s obligations under the processor’s contract with the controller; and
  7. Allow the controller, in accordance with an appropriate and accepted control standard, framework or procedure, to assess the processor’s policies and technical and organizational measures for complying with the processor’s obligations, and require the processor to cooperate with the assessment and, at the controller’s request, report the results of the assessment to the controller.

DATA PROTECTION ASSESSMENTS

Controllers must conduct and document a data protection assessment for processing that presents a heightened risk of harm, including:

  1. Processing personal data for the purpose of targeted advertising;
  2. Processing sensitive data;
  3. Selling personal data; and
  4. Using the personal data for purposes of profiling.

ENFORCEMENT

The Act does not create a private right of action. If a person fails to cure a violation within 30 days, the attorney general may seek injunctive relief and a civil penalty of not more than $7,500 for each violation.

IMPRESSION

While this Act is similar to other data privacy laws recently enacted, it takes a turn by limiting the GLBA exemption to information collected under the GLBA (a data-level exemption) and omitting the entity-level exemption for GLBA-regulated financial institutions that every state has included since California.

For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/
