Oregon has joined 10 other states in enacting a comprehensive data privacy law.1 On July 18, 2023, Governor Tina Kotek signed the Oregon Consumer Privacy Act (the "Oregon Privacy Law") into law. The law imposes a range of new data privacy requirements on non-exempt controllers and processors of Oregon consumer personal data. The Oregon Privacy Law goes into effect on July 1, 2024.
Scope
Similar to recently enacted privacy laws in other states, the Oregon Privacy Law applies to entities if they meet a certain volume of personal data collection or a revenue-from-sale standard. Specifically, the Oregon Privacy Law applies to entities that conduct business in Oregon or provide products or services to Oregon residents and, during a calendar year, control or process the personal data of: (1) 100,000 or more Oregon residents, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) 25,000 or more Oregon residents, if the entity derives 25% or more of its annual gross revenue from selling personal data.
Obligations
Similar to Other State Privacy Laws
Entities doing business in Oregon that meet one of these thresholds will now be subject to data privacy requirements commonly seen under other state privacy laws, such as the requirement to give a privacy notice, honor consumer privacy rights (e.g., rights to access; correct; delete; opt-out of sale of personal data, targeted advertising and profiling; appeal; and non-discrimination), enter into contracts with processors, conduct data protection impact assessments for high-risk processing, and adhere to certain privacy principles (e.g., data minimization, purpose limitation, and data security).
A Unique Requirement
However, what is particularly unique about Oregon's privacy law is that it adds a new privacy right not present under the other state comprehensive privacy laws: the right to request from a controller a list of specific third parties, other than natural persons, to which the controller has disclosed personal data. The controller may respond by specifying the third parties to which it has disclosed either the requesting consumer's personal data or any personal data. This new right will require companies to maintain a list of the specific names of the third parties instead of just generally describing the categories of third parties that may have received a consumer's personal data. This new right underscores the need to conduct and maintain a thorough data inventory that reflects, among other things, the type of personal data you collect, why you collect it, and to which parties you disclose it.
A Narrower Exemption
In addition, the Oregon Privacy Law provides a narrower exemption for financial institutions, contrary to the other states' privacy laws (except for California), which contain a full exemption for entities that are considered financial institutions under the federal Gramm-Leach-Bliley Act (GLBA). Therefore, financial institutions subject to the GLBA will need to consider whether they now need to comply with the Oregon Privacy Law, along with the California Privacy Rights Act.
Under the Oregon Privacy Law, only "financial institutions," as defined under Oregon Revised Statutes (ORS) section 706.008, are subject to a full exemption. The definition of "financial institution" under this statute is narrower than that under the GLBA. It only applies to Federal Deposit Insurance Corporation (FDIC)-insured institutions, banks organized under the laws of another country, Oregon-chartered credit unions, out-of-state credit unions or federal credit unions. An affiliate or subsidiary of such financial institutions is also exempt from the Oregon Privacy Law if it meets a certain threshold of "control" and is "only and directly engaged in financial activities" as described in Section 4(k) of the federal Bank Holding Company Act. In contrast, the GLBA applies to a much broader array of financial institutions, i.e., businesses significantly engaged in financial activities—a broad umbrella. The Oregon legislature's choice to provide a narrower financial institution exemption means that the Oregon Privacy Law will sweep in a wide range of companies, even if those companies are "financial institutions" under the GLBA and exempt from the non-California state privacy laws. The customer information could be exempt if the information was collected, processed, sold or disclosed under and in accordance with the GLBA.
Comparison of Comprehensive State Privacy Laws
In the charts below, we compare the Oregon Privacy Law with the other state privacy laws in connection with key rights and obligations.
DATA SUBJECT RIGHTS
DATA SUBJECT RIGHTS (cont.)
DATA CONTROLLER OBLIGATIONS
EXEMPTIONS2
THE LEGISLATION
* The Florida Digital Bill of Rights is arguably a comprehensive privacy law, but it applies under narrow circumstances (e.g., among other things, companies that have over $1 billion in global gross annual revenues).
Footnotes
1. Oregon will arguably be joining 11 other states that have enacted comprehensive privacy laws, but the Florida Digital Bill of Rights has limited applicability.
2. These reflect some of the common exemptions under these laws, but there are others available under the comprehensive privacy laws. Companies should consult with counsel to learn more.
Visit us at mayerbrown.com
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2023. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
