Oregon’s Senate Bill 619, a new privacy law effective July 1, 2024, applies to businesses handling personal data of 100,000+ Oregon residents. It guarantees data rights, mandates Privacy Policies, and enables the Attorney General to impose $7,500 fines per violation. Businesses must adapt their practices to ensure compliance.
As small business owners, decision-makers at companies, and fellow web designers, it’s essential to stay informed about changes in legislation that affect our operations. A recent significant development is Oregon’s new privacy law, Senate Bill 619 (SB619). Signed into law on July 18, 2023, this adds Oregon to the growing patchwork of state privacy laws in the United States.
Questions and Answers
Let’s start with a Q&A section that quickly addresses the heavy-hitting questions about this new legislation:
Q: Who does the new law apply to?
A: Oregon’s privacy law applies to anyone conducting business in Oregon or providing products or services to Oregon residents who either process or control the personal data of 100,000 or more Oregon residents, or process or control the personal data of 25,000 or more residents and derive 25% or more of their annual gross revenue from selling personal data. This law even applies to businesses that are not located in Oregon but meet the criteria.
Q: How does the law define personal data?
A: Personal data refers to any unique identifier linked or reasonably linkable to a consumer or a device identifying one or more consumers in a household. This would include information like names, email addresses, phone numbers, IP addresses, or device identifiers.
Q: What rights are provided to Oregon residents?
A: The law provides numerous rights including the right to:
- confirm whether their data is being processed
- obtain a list of third parties to which their data has been disclosed
- receive a copy of all their personal data that has been processed
- correct inaccuracies
- delete personal data
- opt out of targeted advertising, the sale of personal data, and profiling

among other rights.
Q: What are the penalties for non-compliance?
A: Oregon’s Attorney General will enforce SB619, seeking a civil penalty of up to $7,500 per violation. A violation is likely counted per website visitor whose privacy rights were infringed upon. That could add up to hefty fines quickly.
Q: When does this law go into effect?
A: The law will go into effect on July 1, 2024.
Now, let’s delve into the details of these points and how they may affect you and your business.
Who Needs to Comply
If you operate in Oregon or provide services or products to Oregon residents, you may need to comply with this new law, depending on your processing and control of personal data. Importantly, the law can apply to businesses that don’t meet these criteria but have signed a contract for data processing with a company that does.
Defining Personal Data
Personal data includes any unique identifier reasonably linkable to a consumer or a device that identifies one or more consumers in a household. This includes commonly collected data through websites like names, email addresses, phone numbers, IP addresses, or device identifiers.
Privacy Rights for Oregon Residents
The new law gives Oregon residents extensive privacy rights. They can confirm if their personal data is being processed, obtain a list of specific third parties to which their data has been disclosed, receive a copy of all their processed personal data, correct inaccuracies in their data, and delete their personal data. They also have the right to opt out of targeted advertising, the sale of their data, and profiling. Furthermore, they can request their data in a portable and, where technically feasible, readily usable format.
Penalties for Non-Compliance
The Attorney General of Oregon will enforce SB619, and violations of the law can result in a civil penalty of up to $7,500 per violation. This could mean per website visitor whose privacy rights were violated, leading to potentially large fines.
The Need for Privacy Policies
Furthermore, it’s important to note that the Act requires businesses to recognize and process Global Privacy Control (GPC) signals effective from July 1, 2026.
The Role of Web Designers and Legal Counsel
In light of these new requirements, businesses should consult with web designers to ensure their websites comply with the new law. Larger companies should consider conferring with legal counsel. Understanding the full implications of the law on their operations can avoid potential penalties.
- Donata Stroink-Skillrud, “Oregon SB619 Compliance Guide.”
- Sarah L. Bruno, Hubert J. Zanczak, Casey H. Yang, “Oregon passes comprehensive privacy law.”