Oregon Passes Privacy Law to Strengthen Data Protection
Oregon has become the latest state to pass comprehensive privacy legislation, with both houses of the Oregon State Legislature approving Senate Bill 619. The Act, which follows the template of other state privacy laws, aims to enhance data protection and privacy rights within the state.
The Act applies to businesses operating in Oregon that control or process the personal information of a significant number of Oregon residents or derive a substantial portion of their revenue from the sale of personal information. Exemptions are provided for personal information collected in the context of employment or business-to-business relationships.
While the Act does not include entity-level exemptions for organizations subject to HIPAA or GLBA, it provides data-level exemptions for these organizations, as well as exemptions for certain research and credit reporting purposes in compliance with applicable laws. The Act also grants consumers the right to know, access, transfer, correct, and delete their personal information. Oregon residents have the right to opt out of the sale of their personal information, targeted advertising, and certain profiling activities.
Businesses operating in Oregon need to comply with the Act if they meet the specified criteria related to the personal information of Oregon residents. Organizations should review their data processing practices, privacy policies, and data protection measures to ensure compliance with the new requirements. Implementing mechanisms to address consumer rights, such as data access and deletion requests, is crucial for organizations to fulfill their obligations under the Act.
Implications for Compliance Officers & Data Privacy Professionals
- Compliance officers need to familiarize themselves with the provisions of the Act to ensure their organizations adhere to the new privacy requirements.
- They should work closely with relevant stakeholders to develop and implement policies, procedures, and controls that align with the Act's standards.
- Compliance officers should oversee regular assessments, audits, and documentation of data processing activities to demonstrate adherence to privacy obligations.
- Data privacy professionals should stay updated on the Act's specific requirements and guidance provided by regulatory authorities.
- They should assist organizations in developing privacy policies, consent mechanisms, and processes for managing consumer rights.
- Data privacy professionals play a crucial role in ensuring ongoing compliance, providing training and awareness programs, and advising on privacy best practices to mitigate potential risks.
The Act is awaiting the governor's signature and, if enacted, will go into effect on July 1, 2024. Organizations operating in Oregon should prepare for compliance with the new privacy obligations to protect personal information and uphold consumer rights in line with the state's comprehensive privacy framework.