Posted in on July 1, 2024
No, the Oregon Department of Justice cannot act as your attorney or give you legal advice. If you have questions or comments about the privacy law, you may email oregonprivacy@doj.oregon.gov. We may use your question to expand and/or clarify the... View Article
Posted in on June 24, 2024
Privacy notices should be written in clear, straightforward language geared towards consumers. ORS 646A.578(4) describes all topics that should be contained in a controller’s privacy notice. If a controller shares personal data with third parties, the privacy notice must list... View Article
Posted in on April 11, 2024
Entities or individuals that violate the law may face civil penalties up to $7,500 per violation. In addition to civil penalties, the Attorney General can also seek other relief, including injunctive relief, restitution, and/or disgorgement.
Posted in on
Between July 1, 2024 and January 1, 2026, if the Attorney General determines that a violation can be remedied, the Attorney General must first send a letter giving the violator 30 days to cure, or fix, the violation. If the... View Article
Posted in on
The Attorney General has sole enforcement power under the privacy law.
Posted in on
No, the privacy law does not include a private right of action.
Posted in on
A consumer can use an agent to exercise “opt-out” rights. A controller must comply with the opt-out request if the controller can verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on... View Article
Posted in on
Controllers will be required to accept opt-out requests through universal opt-out mechanisms starting on January 1, 2026. Prior to January 1, 2026, controllers may, but are not required to, allow consumers to opt-out of personal data processing through a universal... View Article
Posted in on
Controllers must provide information to consumers free of charge for the first request within a twelve-month period. Controllers may charge a reasonable fee to cover administrative costs to comply with a or subsequent requests within a twelve-month period, unless the... View Article
Posted in on
A controller must respond to a consumer’s request no later than 45 days after receipt of the request. Under certain conditions, the controller may extend the response period by 45 days but must tell the consumer that the response will... View Article