Spotlight: Privacy

Privacy is a key issue for the Oregon Department of Justice (DOJ) and Attorney General Ellen F. Rosenblum. Rapid changes in technology and information sharing have raised new privacy challenges. The sheer amount of information produced, collected and stored about Oregonians is expanding rapidly, and the data collected is more sensitive than ever. Health trackers, online banking, home security systems and even our cars are presenting new privacy and security challenges.

Consumer Privacy

Attorney General Rosenblum and the Oregon Department of Justice have led the way in making the online marketplace safer and more straightforward for Oregonians:

Google Settlement

In 2022, Attorney General Rosenblum led an historic $391.5 million settlement with Google over its location tracking practices. The settlement, which was led by Oregon AG Rosenblum and Nebraska AG Doug Peterson, is the largest attorney general-led consumer privacy settlement ever. Because of Oregon’s leadership role in the bipartisan investigation and settlement, Oregon will receive over $14 million. Google has also agreed to significantly improve its location tracking disclosures and user controls starting in 2023.

“Consumer privacy is one of my office’s top priorities,” said Attorney General Rosenblum. “That’s why it’s so important to me that Oregon played a key role in this settlement. Until we have comprehensive privacy laws, companies will continue to compile large amounts of our personal data for marketing purposes with few controls,” You can read more about the settlement here.

Oregon Consumer Privacy Task Force

In 2019, Attorney General Rosenblum formed the Oregon Consumer Privacy Task Force to answer the growing call for legislation that would give consumers more control over their online privacy and require businesses to adhere to basic standards when handling personal information. The task force now has more than 150 participants from a variety of perspectives.

The task force will introduce comprehensive consumer data privacy legislation in the 2023 Oregon legislative session. If passed, consumers will have more control over their personal data: the right to know what personal information a company is collecting, to whom or where their data was disclosed, and a copy of all the data a company has about them. Companies would also need to correct inaccuracies in personal data or delete the information, and consumers would have the right to “opt out” of the sale of personal data and targeted advertising. The bill will also include protections for sensitive data (like geolocation information, biometric data, protected class status, mental or physical health information, crime victim status, immigration status and data about children). The task force will also introduce legislation to create a state registry of data brokers, or companies that often operate under the radar but make billions selling personal consumer data.

In 2020, when the Covid-19 pandemic hit, the task force developed, and the legislature passed HB 3284. This law applies to anyone who collects, uses, or discloses personal health data or develops or operates a website, web application, or mobile application to collect, use or disclose “personal health data.” You can read the bill here ».

Oregon DOJ Privacy Cases

The Oregon DOJ’s Financial Fraud/Consumer Protection Section handles privacy cases on a wide range of subjects, including data collected from Wi-Fi networks to smart TVs.

The DOJ also conducts numerous data breach investigations against companies that have put Oregonians’ personal data at risk. If you feel a business is violating your privacy, please file a complaint with us ».

Oregon’s Unlawful Trade Practices Act

In 2017, AG Rosenblum supported a new law to hold companies accountable for their online privacy policies. The new law updates Oregon’s Unlawful Trade Practices Act to include the privacy terms consumers agree to prior to downloading an app or other online tools. You can read the bill here ».

Data Security

Oregon businesses and governments have a duty to notify any Oregon consumer whose personal information was breached. The Oregon Attorney General can enforce penalties against companies who fail to use reasonable security measures. In the event of a breach, businesses must let consumers know. If the breach involves more than 250 Oregonians, the Attorney General must also be notified.

Oregonians can search the names of companies or organizations that have reported data breaches ».

You can read the Oregon Consumer Information Protection Act here: Oregon Revised Statutes 646A.600-646A.628 »

Student Privacy

Educators and students across Oregon use online platforms everyday. Many of these services track, collect and store sensitive student information according to their own privacy policies, which may be inadequate.

In 2015, AG Rosenblum helped pass The Oregon Student Information Protection Act. The Act prohibits online educational sites, services, and applications from compiling, sharing or disclosing student information for any non-educational purpose. You can read the Oregon Student Information Protection Act here: Oregon Revised Statutes 336.184 »

Related Stories