What does Oregon’s new privacy law do?

The law protects the personal data of Oregon residents when they are doing things like browsing the Internet or making a purchase at a store, and it gives Oregonians new rights related to their data. It also imposes specific obligations on entities, including non-profits.

I’m an Oregon resident. What rights do I have under the new privacy law?

You have the following rights:

  • The right to access personal data that has been collected about you.
  • The right to know a list of the specific entities that have received your personal data or any personal data from a business.
  • The right to correct inaccuracies in your personal data.
  • The right to have your personal data deleted.
  • The right to obtain a copy of your personal data.
  • The right to say “no” to (opt-out of) a business selling your personal data or using your personal data for targeted advertising and some types of profiling.

What is personal data?

The law defines personal data as any information that (1) can be linked to you, or (2) can be linked to your household devices (like cell phones or smart appliances). Some examples of personal data include: a home address, a driver’s license or state identification number, passport information, a financial account number, login credentials, and browsing history on a smart TV.

What is profiling and what does it mean to opt-out of profiling?

Profiling is the automated processing of personal data for the purpose of evaluating, analyzing or predicting a consumer’s economic circumstances, health, personal preferences, interests, reliability, behavior, location or movements. Oregon’s privacy law gives you the right to say “no” to an entity profiling you to make decisions that may result in you being given or denied financial or lending services, housing, insurance, educational enrollment or opportunities, criminal justice, employment opportunities, health care services or access to essential goods and services.

When do businesses have to obey the privacy law?

The law applies to for-profit businesses starting on July 1, 2024. The law applies to non-profit entities like charities starting on July 1, 2025.

Who has to follow Oregon’s privacy law?

The law applies to businesses that are physically located in Oregon and to businesses outside Oregon that direct their products or services to Oregon residents, if the businesses collect, use, or otherwise process personal data of (1) 100,000 or more Oregonians or (2) 25,000 or more Oregonians and at least 25 percent of the business’s annual gross revenue comes from selling personal data.

Oregon’s privacy law does not apply to some businesses such as banks, credit unions, and insurance companies even if they meet the requirements above.

Does Oregon’s privacy law apply to the government?

No. The law does not apply to federal, state, or local governments.

Do businesses have to get my permission to collect or use my personal data?

Oregon’s privacy law requires covered businesses to get your permission before collecting or using personal data that the law considers “sensitive data.”

What types of data are sensitive data?

Sensitive data includes:

  • Any data revealing your racial or ethnic background, national origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, citizenship or immigration status, status as transgender or nonbinary, or status as a crime victim;
  • Genetic data or biometric data that could be used to identify you;
  • Personal data of a child under the age of 13; and
  • Information about your specific past or present location.

Does Oregon’s privacy law have protections for children’s data?

Yes. Before collecting, using, or otherwise processing personal data about someone the business knows is under 13 years old, the business must get consent from that child’s parent or legal guardian.

How can I find out if a business has my personal data?

If a business is covered by Oregon’s privacy law, it must provide consumers with a privacy notice that is reasonably accessible and explains how you can contact the business to request confirmation about whether the business collects, uses, or stores your personal data.

Where can I find a business’s privacy notice?

Most businesses post their privacy notice on their websites. A link can usually be found at the bottom of the homepage and other webpages. The link’s title may include the word “Privacy” or “Privacy Rights.” For mobile apps, a link to the privacy notice should be available on the download page for the app or in the app’s settings menu.

If a business does not have a website or an app, they must make the privacy notice available to you through other means. For example, if a business interacts with consumers offline, in person, then a paper copy of the privacy notice should be accessible to you.

How can I exercise my rights under Oregon’s privacy law?

Businesses must explain in their privacy notice how you can exercise your privacy rights. The notice must explain how you can request that your data be deleted or corrected, how to request a copy of your data, and how to request information about who the business has shared your (or any) personal data with. A business will have to include a link on its website where you can opt-out of targeted advertising, some types of profiling, or the sale of your personal data.

I have a teenager. Does Oregon’s privacy law protect their data?

In addition to the rights that apply to all personal data, the law has special requirements for personal data of teenagers who are at least 13 years old and under 16 years old. Businesses must get permission from the teenager or their parent/guardian to sell their personal data or to use their personal data for targeted advertising or some types of profiling.

Can I designate someone to exercise my privacy rights?

Any individual can designate an agent to exercise their rights to opt out of (say “no” to) the sale of their data or use of their personal data for targeted advertising or profiling. You cannot designate an agent to exercise your other privacy rights.

I’m a designated agent. How do I exercise a consumer’s opt-out rights?

The law requires agents to opt-out in the same manner as consumers. That means agents must use the method a business specifies in its privacy notice.

How long can a business take to respond to my rights request?

A business must respond to your rights requests within 45 days of receiving the request. Under certain conditions, the business may have an additional 45 days, but the business must tell you if it needs that extra time to respond.

Can someone else exercise privacy rights on my behalf?

Yes, a parent or legal guardian can exercise the privacy rights of a child under age 13, and a guardian or conservator can exercise the privacy rights of the person under their protection.

I requested and received a list of the third parties that received my data from a business and it includes data brokers. Is there some way for me to contact those data brokers?

Data brokers are required to register with the Oregon Department of Business and Consumer Services (DCBS). DCBS has a registry that includes contact information for all data brokers registered in the state of Oregon, along with information about whether a consumer can “opt out” of the data broker’s collection and sale of their personal information, and a method for requesting an opt out.

What can I do if a business denies my privacy law rights request?

You have the right to appeal a decision denying your rights request.

Can a business deny my privacy rights request?

Yes, but only for specified reasons. For example, a business may deny your request if it would restrict the business’s ability to:

  • Provide a product or service specifically requested by you.
  • Issue a product recall or repair technical errors.
  • Respond to and prevent security incidents, identity theft, and fraud.
  • Comply with federal, state, or local law.

I submitted an appeal – now what?

A business must respond to you within 45 days of receiving your appeal. The business must respond in writing and explain any actions it has taken and reasons for refusing your request. If the business rejects your appeal, it must provide you with information about how to contact the Oregon Attorney General’s office if you wish to file a complaint.

How often can I request information about my personal data from a business? Do I have to pay for that information?

You can request information from a business free of charge once every 12 months. If you make additional requests during that time period, the business may charge you a reasonable fee to cover the administrative costs of responding to your request, unless the purpose of your request is to confirm that the business corrected inaccuracies in or deleted your personal data in response to an earlier request.

What can I do if I think a business is violating Oregon’s privacy law?

After July 1, 2024, if you believe a business is violating the law, you can let us know by submitting a complaint on our website.

Can I sue a business for violating my rights under Oregon’s privacy law?

No. Private individuals cannot file lawsuits against companies for violating the law. Only the Oregon Attorney General can enforce this law.

Does Oregon’s privacy law apply to data I give my employer or that I put on a job application?

No, the law does not protect personal data collected or used in connection with your employment, such as when you apply for a job or fill out benefits paperwork.

Where can I find information about how to appeal a decision denying my rights request?

Information about how to appeal should be in the business’s privacy notice. That information should include where to send your appeal.