PL Risk Blog

Oregon Becomes latest state to address Privacy concerns

Written by Drew Smith | Jul 17, 2023 4:04:54 PM

With the passage of the bill SB 619 in the legislature,  and Governor Tina Kotek's signature on July 18th, Oregon becomes the 11th state, the 6th this year alone to address the rising concerns of privacy and data collection. Come July 1st, 2024, Oregon will join the likes of Illinois and Texas in protecting collection of personal data without the consent of the individual.

Data collection and privacy have become a hot button topic in 2023. With many websites and social media pages demanding information out of consumers, it’s a treasure trove for hackers and other malicious actors. Unfortunately, many websites nowadays collect this data, and it causes headaches when they get hacked. Thus, regulations like Europe’s General Data Protection Regulation exist. The GDPR in Europe works by making company that works in Europe like Facebook must take care of their customers data, including removing their presence from their websites if they so request it. (1)

In the US, privacy laws are done state by state. One of the first laws on the books is California’s Consumer Privacy Act (CCPA). Passed in 2018 but not taking effect until 2020, the act was considered a landmark at the time of its passing. It allowed California citizens to:

This was later amended in 2020, with the amendment going into effect in 2023. The amendment added the right for a consumer to battle against false information and the right to limit how much personal information that can be disclosed.(2)

The Oregon law when it goes into effect in 2024 is comparably faster than some states implementing them, with Indiana and Tennessee which had passed their laws this year not implementing them until 2025 and 2026. Oregon’s law, dubbed the Oregon Consumer Privacy Act (OCPA) is similar in scope to other laws already in effect such as the CCPA and Colorado’s Data Privacy Act. Where Oregon differs is in what it effects.

  • Biometrics: In states like Connecticut, whose Privacy Act went into effect this past July 1st, biometrics is among the covered data that is protected under their law. Oregon does protect this, but unlike Connecticut, the data does not need to have a use in order to be considered personal data. Illinois Biometric Information Privacy Act in this regard is the gold standard when it comes to biometric security. Many cases involving this particular law stem from the data unknowingly being collected, with Six Flags reaching a settlement over this issue in 2021. (3)
  • Legal Requirements: Many privacy acts like GDPR and California’s Consumer Protection Act have a legal requirement for anyone working in their jurisdiction. GDPR for instance covers any company, international or not, that applies to the EU Members states. The OCPA in a similar fashion will apply to any person that conducts business in Oregon or that provides products or services to Oregon residents, and controls or possesses the following data during a calendar year:
    • The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or
    • The personal data of 25,000 or more consumers, while deriving at least 25% of the person’s annual gross revenue from selling personal data.
    • “Personal data”means data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household. However, “personal data” excludes deidentified data or data that: (1) is lawfully available through government records or through widely distributed media; or (2) a controller reasonably has understood to have been lawfully made available to the public by a consumer.
  • Companies that are exempt: Uniquely for Oregon, there are relatively few companies that are not exempt if they meet the consumer requirement. Even non-profits have limited ways to be exempt. (4)

Oregon’s new law is the latest in a set of laws designed to protect their citizen’s information and privacy. More laws are on the way potentially in the US and around the world. This is a great opportunity to review your company’s information handling policies and how to limit exposure.

Update July 20th 2023: Content update to reflect that Governor Tina Kotek has since signed the bill since this article was published.