August 01, 2023

Oregon Passes Privacy Law With Narrow Financial Institution Exemption

Share

Oregon has joined 10 other states in enacting a comprehensive data privacy law.1 On July 18, 2023, Governor Tina Kotek signed the Oregon Consumer Privacy Act (the “Oregon Privacy Law”) into law. The law imposes a range of new data privacy requirements on non-exempt controllers and processors of Oregon consumer personal data. The Oregon Privacy Law goes into effect on July 1, 2024.

Scope

Similar to recently enacted privacy laws in other states, the Oregon Privacy Law applies to entities if they meet a certain volume of personal data collection or a revenue-from-sale standard. Specifically, the Oregon Privacy Law applies to entities that conduct business in Oregon or provide products or services to Oregon residents and, during a calendar year, control or process the personal data of: (1) 100,000 or more Oregon residents, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) 25,000 or more Oregon residents, if the entity derives 25% or more of its annual gross revenue from selling personal data.

Obligations

Similar to Other State Privacy Laws

Entities doing business in Oregon that meet one of these thresholds will now be subject to data privacy requirements commonly seen under other state privacy laws, such as the requirement to give a privacy notice, honor consumer privacy rights (e.g., rights to access; correct; delete; opt-out of sale of personal data, targeted advertising and profiling; appeal; and non-discrimination), enter into contracts with processors, conduct data protection impact assessments for high-risk processing, and adhere to certain privacy principles (e.g., data minimization, purpose limitation, and data security).

A Unique Requirement

However, what is particularly unique about Oregon’s privacy law is that it adds a new privacy right not present under the other state comprehensive privacy laws: the right to request from a controller a list of specific third parties, other than natural persons, to which the controller has disclosed personal data. The controller may respond by specifying the third parties to which it has disclosed either the requesting consumer’s personal data or any personal data. This new right will require companies to maintain a list of the specific names of the third parties instead of just generally describing the categories of third parties that may have received a consumer’s personal data. This new right underscores the need to conduct and maintain a thorough data inventory that reflects, among other things, the type of personal data you collect, why you collect it, and to which parties you disclose it.

A Narrower Exemption

In addition, the Oregon Privacy Law provides a narrower exemption for financial institutions, contrary to the other states’ privacy laws (except for California), which contain a full exemption for entities that are considered financial institutions under the federal Gramm-Leach-Bliley Act (GLBA). Therefore, financial institutions subject to the GLBA will need to consider whether they now need to comply with the Oregon Privacy Law, along with the California Privacy Rights Act.

Under the Oregon Privacy Law, only “financial institutions,” as defined under Oregon Revised Statutes (ORS) section 706.008, are subject to a full exemption. The definition of “financial institution” under this statute is narrower than that under the GLBA. It only applies to Federal Deposit Insurance Corporation (FDIC)-insured institutions, banks organized under the laws of another country, Oregon-chartered credit unions, out-of-state credit unions or federal credit unions. An affiliate or subsidiary of such financial institutions is also exempt from the Oregon Privacy Law if it meets a certain threshold of “control” and is “only and directly engaged in financial activities” as described in Section 4(k) of the federal Bank Holding Company Act. In contrast, the GLBA applies to a much broader array of financial institutions, i.e., businesses significantly engaged in financial activities—a broad umbrella. The Oregon legislature’s choice to provide a narrower financial institution exemption means that the Oregon Privacy Law will sweep in a wide range of companies, even if those companies are “financial institutions” under the GLBA and exempt from the non-California state privacy laws. The customer information could be exempt if the information was collected, processed, sold or disclosed under and in accordance with the GLBA.

Comparison of Comprehensive State Privacy Laws

In the charts below, we compare the Oregon Privacy Law with the other state privacy laws in connection with key rights and obligations.

DATA SUBJECT RIGHTS

STATE

ACCESS

OBTAIN LIST OF SPECIFIC THIRD PARTIES

DATA PORTABILITY

DELETE

CORRECT

OPT-OUT OF SALE

OPT-OUT OF TARGETED ADVERTISING

OPT-OUT OF PROFILING

SENSITIVE DATA (OPT-IN, OPT-OUT, LIMIT USE)

California

X

In Progress

Limit Use

Virginia

X

Opt-In

Colorado

X

Opt-In

Connecticut

X

Opt-In

Utah

X

X

X

Opt-Out

Texas

X

Opt-In

Florida

X

Opt-In

Montana

X

Opt-In

Iowa

X

X

X

Opt-Out

Tennessee

X

Opt-In

Indiana

X

Opt-In

Oregon

Opt-In

Delaware

X

Opt-In


DATA SUBJECT RIGHTS (cont.)

STATE

NO DISCRIMINATION

RIGHT TO APPEAL DENIAL

AUTHORIZED AGENTS

OPT-OUT SIGNALS

DAYS TO RESPOND TO REQUESTS

VERIFY/AUTHENTICATE IDENTITY OF REQUESTING CONSUMER

California

X

15 business days for requests to opt-out and limit use

45 calendar days for other requests

Virginia

X

X

45 calendar days

Colorado

45 calendar days

Connecticut

45 calendar days

Utah

X

X

X

45 calendar days

Texas

45 calendar days

Florida

X

X

45 calendar days

Montana

45 calendar days

Iowa

X

X

90 calendar days

Tennessee

X

X

45 calendar days

Indiana

X

X

45 calendar days

Oregon

45 calendar days

Delaware

45 calendar days


DATA CONTROLLER OBLIGATIONS

STATE

DPIA

DATA MINIMIZATION

PURPOSE LIMITATION

PRIVACY POLICY

FINANCIAL INCENTIVE NOTICE

DATA SECURITY

PROCESSOR/SERVICE PROVIDER/CONTRACTOR CONTRACT REQUIREMENT

THIRD PARTY CONTRACT REQUIREMENT

California

In Progress

Virginia

X

X

Colorado

X

Connecticut

X

X

Utah

X

X

X

Texas

X

X

Florida

X

X

Montana

X

X

Iowa

X

X

X

Tennessee

X

X

Indiana

X

X

Oregon

X

X

Delaware

X

X


EXEMPTIONS2

STATE

GENERALLY APPLIES TO NON-PROFITS

APPLIES TO CONSUMERS ENGAGED IN COMMERCIAL OR EMPLOYMENT CONTEXT (B2B AND HR)

GLBA EXEMPTION

HIPAA EXEMPTION

California

X

Data only

Data only

Virginia

X

X

Financial Institution

Covered Entity and Business Associate

Colorado

X

Financial Institution

Data only

Connecticut

X

X

Financial Institution

Covered Entity and Business Associate

Utah

X

X

Financial Institution

Covered Entity and Business Associate

Texas

X

X

Financial Institution

Covered Entity and Business Associate

Florida

X

X

Financial Institution

Covered Entity and Business Associate

Montana

X

X

Financial Institution

Covered Entity and Business Associate

Iowa

X

X

Financial Institution

Covered Entity and Business Associate

Tennessee

X

X

Financial Institution

Covered Entity and Business Associate

Indiana

X

X

Financial Institution

Covered Entity and Business Associate

Oregon

X

Data and Certain Financial Institutions

Data only

Delaware

X

Financial Institution

Data only

 

THE LEGISLATION

STATE

ENACTMENT

EFFECTIVE DATE

LINK

California

California Privacy Rights Act

January 1, 2023

View the law

Virginia

Virginia’s Consumer Data Protection Act

January 1, 2023

View the law

Colorado

Colorado Privacy Act

July 1, 2023

View the law

Connecticut

Connecticut Data Privacy Act

July 1, 2023

View the law

Utah

Utah Consumer Privacy Act

December 31, 2023

View the law

Texas

Texas Data Privacy and Security Act

July 1, 2024

View the law

Florida*

Florida Digital Bill of Rights

July 1, 2024

View the law

Oregon

Oregon Consumer Privacy Act

July 1, 2024

View the law

Montana

Montana Consumer Data Privacy Act

October 1, 2024

View the law

Iowa

Iowa Consumer Data Protection Act

January 1, 2025

View the law

Delaware

Delaware Personal Data Privacy Act

January 1, 2025 (pending signature)

View the law

Tennessee

Tennessee Information Protection Act

July 1, 2025

View the law

Indiana

Indiana Consumer Data Protection Act

January 1, 2026

View the law

* The Florida Digital Bill of Rights is arguably a comprehensive privacy law, but it applies under narrow circumstances (e.g., among other things, companies that have over $1 billion in global gross annual revenues).

  


 

1 Oregon will arguably be joining 11 other states that have enacted comprehensive privacy laws, but the Florida Digital Bill of Rights has limited applicability.

2 These reflect some of the common exemptions under these laws, but there are others available under the comprehensive privacy laws. Companies should consult with counsel to learn more.

Related Services & Industries

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe