Archives

Does the law impose any obligations on employee data?

Posted in on

The law does not apply to data maintained for employment records purposes. Furthermore, the term “consumer” means an individual Oregon resident acting only in an individual or household context and does not include an individual acting as an employee or... View Article

What entities are excluded from the law?

Posted in on

The privacy law excludes some types of entities from complying with its requirements, even if those entities meet the threshold requirements. These entities include: State, local, and tribal governments; Financial institutions as defined in ORS 706.008; and Certain insurers as... View Article

What types of data are considered sensitive data under the law?

Posted in on

Sensitive data includes: Any data revealing an individual’s racial or ethnic background, national origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, citizenship or immigration status, status as transgender or nonbinary, or status as a crime victim;... View Article

How does the law define personal data?

Posted in on

Personal data is any information that can be linked to an individual or to a device (like a cell phone or a smart appliance) that can be linked to an individual or someone else that they live with. Some examples... View Article

What is a “sale” of personal data?

Posted in on

Generally, a “sale” is the exchange of personal data for monetary or other valuable consideration between a controller and a third party. This could include a controller exchanging customer lists with a third party. There are some exceptions to the... View Article

What does it mean to “process” data?

Posted in on

Processing refers to any action a controller may take with respect to personal data, including collecting, using, storing, selling, sharing, analyzing, or modifying the data.

Does the law apply to vendors and other service providers?

Posted in on

Yes, the law applies to vendors and service providers that maintain or provide services involving personal data on behalf of a controller. The individuals or entities that fit that description are called “processors.”