SB619 is Oregon’s New Privacy Law: What You Need to Know and Why It Matters to You

Table Of Content


Oregon’s Senate Bill 619, a new privacy law effective July 1, 2024, applies to businesses handling personal data of 100,000+ Oregon residents. It guarantees data rights, mandates Privacy Policies, and enables the Attorney General to impose $7,500 fines per violation. Businesses must adapt their practices to ensure compliance.


As small business owners, decision-makers at companies, and fellow web designers, it’s essential to stay informed about changes in legislation that affect our operations. A recent significant development is Oregon’s new privacy law, Senate Bill 619 (SB619). Signed into law on July 18, 2023, this adds Oregon to the growing patchwork of state privacy laws in the United States.

Questions and Answers

Let’s start with a Q&A section that quickly addresses the heavy-hitting questions about this new legislation:

Q: Who does the new law apply to?

A: Oregon’s privacy law applies to anyone conducting business in Oregon or providing products or services to Oregon residents who either process or control the personal data of 100,000 or more Oregon residents, or process or control the personal data of 25,000 or more residents and derive 25% or more of their annual gross revenue from selling personal data. This law even applies to businesses that are not located in Oregon but meet the criteria.

Q2: How does the law define personal data?

A: Personal data refers to any unique identifier linked or reasonably linkable to a consumer or a device identifying one or more consumers in a household. This would include information like names, email addresses, phone numbers, IP addresses, or device identifiers.

Q: What rights are provided to Oregon residents?

A: The law provides numerous rights including the right to:

  • confirm whether their data is being processed obtain a list of third parties to which their data has been disclosed
  • receive a copy of all their personal data that has been processed
  • correct inaccuracies
  • delete personal data
  • opt-out of targeted advertising
  • the sale of personal data
  • and profiling

among other rights.

Q: What are the penalties for non-compliance?

A: Oregon’s Attorney General will enforce SB619, seeking a civil penalty of up to $7,500 per violation. A violation likely means per website visitor whose privacy rights were infringed upon. That could add up to hefty fines quickly.

Q: When does this law go into effect?

A: The law will go into effect on July 1, 2024.

Now, let’s delve into the details of these points and how they may affect you and your business.

Who Needs to Comply

If you operate in Oregon or provide services or products to Oregon residents, you may need to comply with this new law, depending on your processing and control of personal data [1]. Importantly, the law can apply to businesses that don’t meet these criteria but have signed a contract for data processing with a company that does [1].

Defining Personal Data

Personal data includes any unique identifier reasonably linkable to a consumer or a device that identifies one or more consumers in a household. This includes commonly collected data through websites like names, email addresses, phone numbers, IP addresses, or device identifiers [1].

Privacy Rights for Oregon Residents

The new law gives Oregon residents extensive privacy rights. They can confirm if their personal data is being processed, obtain a list of specific third parties to which their data has been disclosed, receive a copy of all their processed personal data, correct inaccuracies in their data, and delete their personal data [1]. They also have the right to opt out of targeted advertising, the sale of their data, and profiling. Furthermore, they can request their data in a portable and, where technically feasible, readily usable format [1].

Penalties for Non-Compliance

The Attorney General of Oregon will enforce SB619, and violations of the law can result in a civil penalty of up to $7,500 per violation [1]. This could mean per website visitor whose privacy rights were violated, leading to potentially large fines [1].

The Need for Privacy Policies

The new law highlights the need for businesses to have comprehensive and up-to-date Privacy Policies. The Privacy Policy must include categories of personal data processed, the purposes for collection and processing, a description of how consumers can exercise their rights, all categories of data shared with third parties, the categories of third parties the data is shared with, and a method for consumers to contact the controller [1].

Furthermore, it’s important to note that the Act requires businesses to recognize and process Global Privacy Control (GPC) signals effective from July 1, 2026 [2].

The Role of Web Designers and Legal Counsel

In light of these new requirements, businesses should consult with web designers to ensure their websites comply with the new law. Larger companies should consider conferring with legal counsel. Understanding the full implications of the law on their operations can avoid potential penalties.

Understanding privacy laws like Oregon’s SB619 is crucial in today’s digital world. If your current Privacy Policy needs an update or you lack a strategy to keep your Privacy Policy up-to-date with such changes, make sure to consult with a web designer or legal professional. At Thencan Designs | Bend Web Design, we utilize Termageddon. This partner always keeps our clients on maintenance plans in compliance!


  1. Donata Stroink-Skillrud, “Oregon SB619 Compliance Guide.”
  2. Sarah L. Bruno Hubert J. Zanczak Casey H. Yang, “Oregon passes comprehensive privacy law.”


Submit a Comment

Your email address will not be published. Required fields are marked *