Oregon Passes Privacy Law With Narrow Financial Institution Exemption
Oregon has joined 10 other states in enacting a comprehensive data privacy law [1]. On July 18, 2023, Governor Tina Kotek signed the Oregon Consumer Privacy Act (the “Oregon Privacy Law”) into law. The law imposes a range of new data privacy requirements on non-exempt controllers and processors of Oregon consumer personal data. The Oregon Privacy Law goes into effect on July 1, 2024.
Scope
Similar to recently enacted privacy laws in other states, the Oregon Privacy Law applies to entities if they meet a certain volume of personal data collection or a revenue-from-sale standard. Specifically, the Oregon Privacy Law applies to entities that conduct business in Oregon or provide products or services to Oregon residents and, during a calendar year, control or process the personal data of: (1) 100,000 or more Oregon residents, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) 25,000 or more Oregon residents, if the entity derives 25% or more of its annual gross revenue from selling personal data.
Obligations
Similar to Other State Privacy Laws
Entities doing business in Oregon that meet one of these thresholds will now be subject to data privacy requirements commonly seen under other state privacy laws, such as the requirement to give a privacy notice, honor consumer privacy rights (e.g., rights to access; correct; delete; opt-out of sale of personal data, targeted advertising and profiling; appeal; and non-discrimination), enter into contracts with processors, conduct data protection impact assessments for high-risk processing, and adhere to certain privacy principles (e.g., data minimization, purpose limitation, and data security).
A Unique Requirement
However, what is unique about Oregon’s privacy law is that it adds a privacy right not present under the other states’ comprehensive privacy laws: the right to request from a controller a list of the specific third parties, other than natural persons, to which the controller has disclosed personal data. The controller may respond by specifying the third parties to which it has disclosed either the requesting consumer’s personal data or any personal data. This new right will require companies to maintain a list of the specific names of those third parties instead of only describing, in general terms, the categories of third parties that may have received a consumer’s personal data. It underscores the need to conduct and maintain a thorough data inventory that reflects, among other things, the types of personal data you collect, why you collect them, and to which parties you disclose them.
A Narrower Exemption
In addition, the Oregon Privacy Law provides a narrower exemption for financial institutions, contrary to the other states’ privacy laws (except for California), which contain a full exemption for entities that are considered financial institutions under the federal Gramm-Leach-Bliley Act (GLBA). Therefore, financial institutions subject to the GLBA will need to consider whether they now need to comply with the Oregon Privacy Law, along with the California Privacy Rights Act.
Under the Oregon Privacy Law, only “financial institutions,” as defined under Oregon Revised Statutes (ORS) section 706.008, are subject to a full exemption. The definition of “financial institution” under this statute is narrower than that under the GLBA: it covers only Federal Deposit Insurance Corporation (FDIC)-insured institutions, banks organized under the laws of another country, Oregon-chartered credit unions, out-of-state credit unions and federal credit unions. An affiliate or subsidiary of such a financial institution is also exempt from the Oregon Privacy Law if it meets a certain threshold of “control” and is “only and directly engaged in financial activities” as described in Section 4(k) of the federal Bank Holding Company Act. In contrast, the GLBA applies to a much broader array of financial institutions, i.e., businesses significantly engaged in financial activities, which is a broad umbrella. The Oregon legislature’s choice to provide a narrower financial institution exemption means that the Oregon Privacy Law will sweep in a wide range of companies, even if those companies are “financial institutions” under the GLBA and exempt from the non-California state privacy laws. Such companies may still benefit from a data-level exemption: customer information can be exempt if it was collected, processed, sold or disclosed under and in accordance with the GLBA.
Comparison of Comprehensive State Privacy Laws
In the charts below, we compare the Oregon Privacy Law with the other state privacy laws in connection with key rights and obligations.
DATA SUBJECT RIGHTS

STATE | ACCESS | OBTAIN LIST OF SPECIFIC THIRD PARTIES | DATA PORTABILITY | DELETE | CORRECT | OPT-OUT OF SALE | OPT-OUT OF TARGETED ADVERTISING | OPT-OUT OF PROFILING | SENSITIVE DATA (OPT-IN, OPT-OUT, LIMIT USE)
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
California | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | In Progress | Limit Use
Virginia | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
Colorado | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
Connecticut | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
Utah | ✓ | X | ✓ | ✓ | X | ✓ | ✓ | X | Opt-Out
Texas | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
Florida | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
Montana | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
Iowa | ✓ | X | ✓ | ✓ | X | ✓ | ✓ | X | Opt-Out
Tennessee | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
Indiana | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
Oregon | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
Delaware | ✓ | X | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In
DATA SUBJECT RIGHTS (cont.)

STATE | NO DISCRIMINATION | RIGHT TO APPEAL DENIAL | AUTHORIZED AGENTS | OPT-OUT SIGNALS | DAYS TO RESPOND TO REQUESTS | VERIFY/AUTHENTICATE IDENTITY OF REQUESTING CONSUMER
--- | --- | --- | --- | --- | --- | ---
California | ✓ | X | ✓ | ✓ | 15 business days for requests to opt-out and limit use; 45 calendar days for other requests | ✓
Virginia | ✓ | ✓ | X | X | 45 calendar days | ✓
Colorado | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓
Connecticut | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓
Utah | ✓ | X | X | X | 45 calendar days | ✓
Texas | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓
Florida | ✓ | ✓ | X | X | 45 calendar days | ✓
Montana | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓
Iowa | ✓ | ✓ | X | X | 90 calendar days | ✓
Tennessee | ✓ | ✓ | X | X | 45 calendar days | ✓
Indiana | ✓ | ✓ | X | X | 45 calendar days | ✓
Oregon | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓
Delaware | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓
DATA CONTROLLER OBLIGATIONS

STATE | DPIA | DATA MINIMIZATION | PURPOSE LIMITATION | PRIVACY POLICY | FINANCIAL INCENTIVE NOTICE | DATA SECURITY | PROCESSOR/SERVICE PROVIDER/CONTRACTOR CONTRACT REQUIREMENT | THIRD PARTY CONTRACT REQUIREMENT
--- | --- | --- | --- | --- | --- | --- | --- | ---
California | In Progress | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Virginia | ✓ | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Colorado | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | X
Connecticut | ✓ | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Utah | X | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Texas | ✓ | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Florida | ✓ | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Montana | ✓ | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Iowa | X | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Tennessee | ✓ | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Indiana | ✓ | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Oregon | ✓ | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
Delaware | ✓ | ✓ | ✓ | ✓ | X | ✓ | ✓ | X
EXEMPTIONS [2]

STATE | GENERALLY APPLIES TO NON-PROFITS | APPLIES TO CONSUMERS ENGAGED IN COMMERCIAL OR EMPLOYMENT CONTEXT (B2B AND HR) | GLBA EXEMPTION | HIPAA EXEMPTION
--- | --- | --- | --- | ---
California | X | ✓ | Data only | Data only
Virginia | X | X | Financial Institution | Covered Entity and Business Associate
Colorado | ✓ | X | Financial Institution | Data only
Connecticut | X | X | Financial Institution | Covered Entity and Business Associate
Utah | X | X | Financial Institution | Covered Entity and Business Associate
Texas | X | X | Financial Institution | Covered Entity and Business Associate
Florida | X | X | Financial Institution | Covered Entity and Business Associate
Montana | X | X | Financial Institution | Covered Entity and Business Associate
Iowa | X | X | Financial Institution | Covered Entity and Business Associate
Tennessee | X | X | Financial Institution | Covered Entity and Business Associate
Indiana | X | X | Financial Institution | Covered Entity and Business Associate
Oregon | ✓ | X | Data and Certain Financial Institutions | Data only
Delaware | ✓ | X | Financial Institution | Data only
THE LEGISLATION

STATE | ENACTMENT | EFFECTIVE DATE
--- | --- | ---
California | California Privacy Rights Act | January 1, 2023
Virginia | Virginia’s Consumer Data Protection Act | January 1, 2023
Colorado | Colorado Privacy Act | July 1, 2023
Connecticut | Connecticut Data Privacy Act | July 1, 2023
Utah | Utah Consumer Privacy Act | December 31, 2023
Texas | Texas Data Privacy and Security Act | July 1, 2024
Florida* | Florida Digital Bill of Rights | July 1, 2024
Oregon | Oregon Consumer Privacy Act | July 1, 2024
Montana | Montana Consumer Data Privacy Act | October 1, 2024
Iowa | Iowa Consumer Data Protection Act | January 1, 2025
Delaware | Delaware Personal Data Privacy Act | January 1, 2025 (pending signature)
Tennessee | Tennessee Information Protection Act | July 1, 2025
Indiana | Indiana Consumer Data Protection Act | January 1, 2026
* The Florida Digital Bill of Rights is arguably a comprehensive privacy law, but it applies under narrow circumstances (e.g., among other things, companies that have over $1 billion in global gross annual revenues).
[1] Oregon will arguably be joining 11 other states that have enacted comprehensive privacy laws, but the Florida Digital Bill of Rights has limited applicability.
[2] These reflect some of the common exemptions under these laws, but there are others available under the comprehensive privacy laws. Companies should consult with counsel to learn more.