Spotlight: Privacy

Privacy is a key issue for the Oregon Department of Justice (DOJ) and Attorney General Ellen F. Rosenblum. Rapid changes in technology and information sharing have raised new privacy challenges. The sheer amount of information produced, collected and stored about Oregonians is expanding rapidly, and the data collected is more sensitive than ever. Health trackers, online banking, home security systems and even our cars are presenting new privacy and security challenges.

Consumer Privacy

AG Rosenblum wants to make the online marketplace safer and more straightforward for Oregonians. In 2017, AG Rosenblum supported a new law to hold companies accountable for their online privacy policies. The new law updates Oregon’s Unlawful Trade Practices Act to include the privacy terms consumers agree to prior to downloading an app or other online tools. You can read the bill here ».

Student Privacy

Educators and students across Oregon are using online platforms to enhance both online and classroom learning. Many of these services track, collect and store sensitive student information according to their own privacy policies, which may be inadequate.

In 2015, AG Rosenblum helped pass The Oregon Student Information Protection Act. The Act prohibits online educational sites, services, and applications from compiling, sharing or disclosing student information for any non-educational purpose. The law balances protecting our students while giving companies room to develop and thrive in the digital education market. You can read the Oregon Student Information Protection Act here: Oregon Revised Statutes 336.184 »

Privacy Task Force & Covid-19

In June of 2019, the Attorney General formed the Consumer Privacy Task Force to study and recommend comprehensive state consumer privacy issues, and develop legislation to address them.

In 2020, when the Covid-19 pandemic hit, the task force turned its attention to emerging privacy issues around data collection for contact tracing and exposure notification purposes. The task force developed, and the legislature passed HB 3284. Now, only personal health data needed to provide contact tracing and exposure notification services to the consumer that can be collected, used, and disclosed. Any data must also be deleted after 65 days unless it has been “de-identified” and converted into statistics. This law applies to anyone who collects, uses, or discloses personal health data or develops or operates a website, web application, or mobile application to collect, use or disclose “personal health data.” You can read the bill here ».

The Task Force is continuing to develop privacy legislation to address Oregonians’ right to know how their data is being used, the right to correct errors in data, the right to restrict how and if data is processed by a company, special protections for children and minors, and how these laws should best be enforced

Data Security

Oregon businesses and governments have an existing duty to provide reasonable security for Oregonians’ data and to notify any Oregon consumer whose personal information was breached. In 2016 a new law went into effect, allowing the Attorney General to enforce penalties against data holders who fail to use reasonable security measures. The Attorney General also worked to update the law to cover sensitive personal information such as fingerprints, medical information and health insurance information. In the event of a breach, businesses must let consumers know. If the breach involves more than 250 Oregonians, the Attorney General must also be notified.

Oregonians can search the names of companies or organizations that have reported data breaches ».

You can read the Oregon Consumer Information Protection Act here: Oregon Revised Statutes 646A.600-646A.628 »

Oregon DOJ Privacy Cases

The Oregon DOJ’s Financial Fraud/Consumer Protection Section handles privacy cases on a wide range of subjects, including data collected from wifi networks to smart TVs. The DOJ also conducts numerous data breach investigations against companies that have put Oregonians’ personal data at risk. If you feel a business is violating your privacy, please file a complaint with us ».

Federal Trade Commission Resources

The Federal Trade Commission (FTC) » has been the chief federal agency on privacy policy and enforcement since the1970s, when it began enforcing the Fair Credit Reporting Act ». Some helpful resources:

Related Stories