Posted in on April 11, 2024
Controllers will be required to accept opt-out requests through universal opt-out mechanisms starting on January 1, 2026. Prior to January 1, 2026, controllers may, but are not required to, allow consumers to opt-out of personal data processing through a universal... View Article
Posted in on
Controllers must provide information to consumers free of charge for the first request within a twelve-month period. Controllers may charge a reasonable fee to cover administrative costs to comply with a or subsequent requests within a twelve-month period, unless the... View Article
Posted in on
A controller must respond to a consumer’s request no later than 45 days after receipt of the request. Under certain conditions, the controller may extend the response period by 45 days but must tell the consumer that the response will... View Article
Posted in on
Yes, for certain types of data and under certain circumstances. Consent is required to collect, store, or otherwise process all categories of “sensitive data”, as defined in the law (see question above for more detail about this). If the controller... View Article
Posted in on
Among other obligations, controllers must: Provide a privacy notice regarding the types of personal data the controller processes, the specific purpose(s) for processing data, whether and why the controller shares personal data with third parties, and information about how consumers... View Article
Posted in on
Generally, Oregon consumers have the following rights: The right to access personal data that has been collected about them. The right to know a list of the specific third parties that have received their personal data or any personal data... View Article
Posted in on
The law does not apply to data maintained for employment records purposes. Furthermore, the term “consumer” means an individual Oregon resident acting only in an individual or household context and does not include an individual acting as an employee or... View Article
Posted in on
The privacy law excludes some types of entities from complying with its requirements, even if those entities meet the threshold requirements. These entities include: State, local, and tribal governments; Financial institutions as defined in ORS 706.008; and Certain insurers as... View Article
Posted in on
Yes, publicly available data and deidentified data are not “personal data” under the law. In addition, the law does not apply to certain types of personal data maintained in compliance with specific federal privacy laws, such as the Health Insurance... View Article
Posted in on
Sensitive data includes: Any data revealing an individual’s racial or ethnic background, national origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, citizenship or immigration status, status as transgender or nonbinary, or status as a crime victim;... View Article
