Privacy Law FAQs for Businesses

In June 2023, the Oregon Legislature passed Senate Bill 619, the Oregon Consumer Privacy Act or “the law”. The Oregon Consumer Privacy Act, ORS 646A.570-646A.589, was signed into law by Governor Kotek and takes effect on July 1, 2024.

The Department of Justice has put together Frequently Asked Questions (FAQs) for consumers and businesses to help prepare for the privacy law’s implementation.

A link to the Privacy Law FAQs for Consumers can be found on the Consumer Privacy page.

The FAQs address select provisions of the OCPA. FAQs do not cover all potentially applicable laws or enforcement circumstances; the Civil Enforcement Division will make case-by-case enforcement determinations. FAQs do not implement, interpret, or make specific the law enforced or administered by the Oregon Department of Justice, establish substantive policy or rights, constitute legal advice, or reflect the views of the Attorney General.

FAQs do not provide any options for alternative relief or safe harbor from potential violations. The statute controls in the event of any conflicting interpretation. These FAQs are hypothetical examples of how a business might review its practices. Businesses should consult the statute and/or an attorney before taking any action to ensure compliance with the law.

When does the law take effect?

The law goes into effect on July 1, 2024. For nonprofit entities covered by the privacy law, it is not scheduled to take effect until July 1, 2025.

Who does the privacy law apply to?

The law applies to any individual or entity that conducts business in Oregon or that provides products or services to Oregon residents if, during a calendar year, that individual or entity controls or processes the personal data of:

  • at least 100,000 consumers; or
  • 25,000 or more consumers and derives over 25% of annual gross revenue from the sale of personal data.

The individuals or entities that fit that description are called “controllers.”

How should my business calculate whether it meets the threshold to qualify under the OCPA when it has a complex hierarchy/structure?

It depends on several factors specific to your business. For example, some factors to consider include how data flows throughout the organization, including whether different entities utilize or have access to each other’s consumer personal data, and who has decision-making authority over that data. The management structure of the organization may also bear on the threshold calculation. Keep in mind that the OCPA does not make any distinction between where the data came from, i.e., whether your business collected it directly from consumers or obtained it from other sources. Depending on factors specific to your business, the number of consumers whose personal data various related entities (for example, parent companies and multiple subsidiaries) control or process may be added together for purposes of determining whether your business meets the OCPA’s threshold. The DOJ may request additional information or documentation if you claim that your business does not meet the OCPA thresholds.

Does the law apply to vendors and other service providers?

Yes, the law applies to vendors and service providers that maintain or provide services involving personal data on behalf of a controller. The individuals or entities that fit that description are called “processors.”

What is the difference between a controller and processor?

The key distinction between a controller and a processor is their decision-making authority over personal data. Under the law, a processor may only process data at the request and under the direction of a controller. The processor is contractually bound by the controller’s instructions as to what the processor must and may do with personal data. The processor is also obligated by its contract to help the controller fulfill the controller’s duties regarding personal data.

What is a “sale” of personal data?

A “sale” is the exchange of personal data for monetary or other valuable consideration between a controller and a third party. “Valuable consideration” is not limited to money. This could include a controller exchanging customer lists with a third party. There are some exceptions to the definition of “sale” stated in the law. Those exceptions can be found at ORS 646A.570(17)(b).

How does the law define personal data?

Personal data is any information that can be linked to an individual. Personal data also includes any information that can be linked to an individual’s device or a household device (like a cell phone or a smart appliance).

What types of data are considered sensitive data under the law?

Sensitive data includes:

  • Any data revealing an individual’s racial or ethnic background, national origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, citizenship or immigration status, status as transgender or nonbinary, or status as a crime victim;
  • Genetic data, or biometric data that could be used to identify an individual;
  • Personal data of a child under the age of 13; and
  • Information about an individual’s specific past or present location.

What does it mean to “process” data?

Processing refers to any action a controller may take with respect to personal data, including collecting, using, storing, selling, sharing, analyzing, or modifying the data.

What entities are excluded from the law?

The privacy law excludes some types of entities from complying with its requirements, even if those entities meet the threshold requirements. These entities include:

  • State, local, and tribal governments;
  • Financial institutions as defined in ORS 706.008; and
  • Certain insurers as well as insurance producers and insurance consultants defined in Oregon laws.

A person or entity that contracts with an exempt entity may still be subject to the law if they process personal data on behalf of any non-exempt controllers and/or if that person or entity meets the law’s definition of controller.

Does the law impose any obligations on employee data?

The law does not apply to data maintained for employment records purposes. Furthermore, the term "consumer" means an individual Oregon resident acting only in an individual or household context and does not include an individual acting as an employee or job applicant.

What rights do Oregon consumers have under the privacy law?

Generally, Oregon consumers have the following rights:

  • The right to access personal data that has been collected about them.
  • The right to obtain a list of the specific third parties to which the controller has disclosed their personal data or any personal data.
  • The right to correct inaccuracies in their personal data.
  • The right to have their personal data deleted.
  • The right to obtain a copy of their personal data.
  • The right to say “no” to (opt-out of) a controller doing certain things with their personal data.

What obligations do controllers have under the law?

Among other obligations, controllers must:

  • Provide a privacy notice regarding the types of personal data the controller processes, the specific purpose(s) for processing data, whether and why the controller shares personal data with third parties, and information about how consumers can exercise their various rights (e.g. access, deletion) over their personal data.
  • Provide a way for consumers to directly contact the controller about privacy-related issues and rights.
  • Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose(s) for which the data is collected and processed (also known as “data minimization”).
  • Respond to requests to exercise consumer rights granted under the law within the 45-day response window.
  • Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers (called “Data Protection Assessments”). This includes processing personal data for the purposes of targeted advertising, sale, or profiling, and any processing of sensitive data. There is additional guidance on Data Protection Assessments on the DOJ website. For a more in-depth definition of profiling, see ORS 646A.570.
  • Use reasonable safeguards to secure personal data.

The OCPA says my business can use a “commercially reasonable” method to authenticate consumers when they make a rights request. What does that mean?

Your method(s) of authentication should consider a number of factors: which data right a consumer is exercising; the type, sensitivity, value, and volume of personal data involved; the level of possible harm that improper access or use could cause to the consumer; and the cost of authentication to your business. You must avoid methods that place an unreasonable burden on the consumer submitting a data rights request.

For instance, it should be easy to authenticate a consumer for a deletion request, because the likelihood of harm to a consumer from an improper deletion request is relatively low. In contrast, requests for a copy of personal or sensitive data should be subject to a more rigorous authentication process, given the higher potential for harm to a consumer if your business gave a copy of the consumer’s data to an unauthorized person.

Is consent required to process personal data under the law?

Yes, for certain types of data and under certain circumstances. Consent is required to collect, store, or otherwise process all categories of “sensitive data”, as defined in the law (see the question above for more detail). If the controller knows (or willfully disregards) that a consumer is at least 13 years old and less than 16 years old, the controller also must obtain consent to process the consumer’s personal data for the purposes of sale, targeted advertising, or profiling.

In addition, a controller must obtain a consumer’s consent to process personal data for any “secondary purpose” – a purpose that is not reasonably necessary for and compatible with the purposes the controller has specified in its privacy notice. For instance, if a restaurant’s website states that it collects personal data only for the purpose of completing online orders, the restaurant cannot sell that personal data to data brokers or other advertisers without obtaining the consumer’s consent. If a controller wants to use collected data in a different way than what was outlined in the original privacy notice, they may need to get consent for existing personal data and should change their privacy notice moving forward.

Does the OCPA address the use of “dark patterns”?

While the OCPA does not include the term “dark patterns” specifically, the OCPA contains numerous requirements regarding the accessibility and clarity of resources provided to consumers by controllers. The use of dark patterns (or deceptive design) may violate these accessibility requirements and, therefore, violate the OCPA. Additionally, the definition of consent in the OCPA prohibits the use of dark patterns. The use of dark patterns also may implicate other laws, such as the restriction on deceptive business practices under Oregon’s Unlawful Trade Practices Act.

What level of detail is required in a privacy notice? What information must be included regarding personal data shared with third parties?

Privacy notices should be written in clear, straightforward language geared towards consumers. ORS 646A.578(4) describes all topics that should be contained in a controller’s privacy notice.

If a controller shares personal data with third parties, the privacy notice must list all categories of personal data, including the categories of sensitive data, that are shared. The law also requires that the privacy notice state the categories of third parties with which data is shared. There should be enough detail to give consumers a meaningful understanding of the types of businesses, or processing expected, but not so much as to render the privacy notice unclear or unreadable. For example, categories of third parties described at a sufficiently granular level of detail include, but are not limited to: “analytics companies,” “data brokers,” “third-party advertisers,” “payment processors,” “lenders,” “other merchants,” and “government agencies.”

Are certain types of personal data excluded from the law?

Yes, publicly available data and deidentified data are not “personal data” under the law.

In addition, the law does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. A complete list of exclusions can be found at ORS 646A.572(2).

How long does a controller have to respond to a consumer's privacy rights request?

A controller must respond to a consumer’s request no later than 45 days after receipt of the request. Under certain conditions, the controller may extend the response period by 45 days but must tell the consumer that the response will be delayed and explain the reason for that delay.

Does a controller have to accept consumer requests made through a universal opt-out mechanism?

Controllers will be required to accept opt-out requests through universal opt-out mechanisms starting on January 1, 2026. Prior to January 1, 2026, controllers may, but are not required to, allow consumers to opt-out of personal data processing through a universal opt-out mechanism.

Does a controller have to accept a privacy rights request made by a consumer’s agent?

A consumer can use an agent to exercise “opt-out” rights. A controller must comply with the opt-out request if the controller can verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on their behalf. The agent must make the opt-out request through the method(s) specified in the controller’s privacy notice.

If the consumer is under 13 years old or under a protective arrangement, the consumer’s parent, guardian, or conservator may exercise all privacy rights on the consumer’s behalf.

Can a controller charge the consumer a fee to respond to a privacy rights request?

Controllers must provide information to consumers free of charge for the first request within a twelve-month period. Controllers may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within a twelve-month period, unless the request is to confirm that the controller corrected inaccuracies in, or deleted, the consumer’s personal data based on a prior request.

Can individuals sue entities for violating the privacy law?

No, the privacy law does not include a private right of action.

Are controllers provided notice of a violation before enforcement action is taken?

Between July 1, 2024 and January 1, 2026, if the Attorney General determines that a violation can be remedied, the Attorney General must first send a letter giving the violator 30 days to cure, or fix, the violation. If the Attorney General determines that no fix is possible for the violation, no such letter is required.

After January 1, 2026, the Attorney General is not required to send a cure notice under any circumstances and can proceed directly to an enforcement action.

Can the Attorney General give me legal advice about how the privacy law applies to my business?

No, the Oregon Department of Justice cannot act as your attorney or give you legal advice. If you have questions or comments about the privacy law, you may email oregonprivacy@doj.oregon.gov. We may use your question to expand and/or clarify the list of frequently asked questions (FAQs) on our website to address common concerns of consumers and businesses.

What is the Oregon Attorney General's role in enforcing this law?

The Attorney General has sole enforcement power under the privacy law.

What are the penalties for failing to comply with the law?

Entities or individuals that violate the law may face civil penalties up to $7,500 per violation. In addition to civil penalties, the Attorney General can also seek other relief, including injunctive relief, restitution, and/or disgorgement.