The following law(s) specifically govern personal data / information:
Oregon has laws specifically dealing with data protection, which are set out in more detail below.
The key data protection principles in this jurisdiction are:
- Maintaining administrative, technical and physical safeguards to protect Personal Information (defined below).
The supervisory authority / regulator in charge of data protection is:
- The Department of Consumer and Business Services
- Oregon Department of Justice
- Oregon Attorney General
Is there a requirement to register with a supervisory authority / regulator?
Is there a requirement to notify the supervisory authority / regulator?
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
- ORS 646A.604: Data Breach Notification Law: Right to be informed if their Personal Information was accessed during a data breach, if the incident meets the statutory requirements.
- ORS 646A.600: OR Consumer Information Protection Act: The right to the safeguarding and proper disposal of their Personal Information.
- ORS 646.607: Unlawful Trade Practice: Information provided by a consumer will not be used, disclosed, collected, maintained, deleted or disposed of in a manner that is materially inconsistent with the way represented to a consumer.
- ORS 336.184: Oregon Student Information Protection Act (OSIPA): The OSIPA prohibits online education sites, services, and applications from compiling, sharing, or disclosing K-12 student information for any purpose other than educational purposes.
- ORS 746.607: Use and Disclosure of Personal Information: Health insurers may only disclose Personal Information in a manner that is consistent with an authorization provided by the individual or a personal representative of the individual (there are exceptions to this rule).
Is there a requirement to appoint a data protection officer (or equivalent)?
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
ORS 646A.622: Oregon Consumer Information Protection Act: businesses must develop, implement and maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of Personal Information, including safeguards that protect the Personal Information when the covered entity or vendor disposes of the Personal Information. This will likely require businesses to complete a data impact assessment. There is a small business exception.
A Covered Entity must implement an information security program that includes:
- Administrative safeguards such as:
- Designating one or more employees to coordinate the security program;
- Identifying reasonably foreseeable internal and external risks with reasonable regularity;
- Assessing whether existing safeguards adequately control the identified risks;
- Training and managing employees in security program practices and procedures with reasonable regularity;
- Selecting service providers that are capable of maintaining appropriate safeguards and practices, and requiring the service providers by contract to maintain the safeguards and practices;
- Adjusting the security program in light of business changes, potential threats or new circumstances; and
- Reviewing user access privileges with reasonable regularity;
- Technical safeguards such as:
- Assessing risks and vulnerabilities in network and software design and taking reasonably timely action to address the risks and vulnerabilities;
- Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;
- Monitoring, detecting, preventing and responding to attacks or system failures; and
- Regularly testing, monitoring and taking action to address the effectiveness of key controls, systems and procedures; and
- Physical safeguards such as:
- Assessing, in light of current technology, risks of information collection, storage, usage, retention, access and disposal and implementing reasonable methods to remedy or mitigate identified risks;
- Monitoring, detecting, preventing, isolating and responding to intrusions timely and with reasonable regularity;
- Protecting against unauthorized access to or use of Personal Information during or after collecting, using, storing, transporting, retaining, destroying or disposing of the personal information; and
- Disposing of Personal Information, whether the covered entity or vendor disposes of the Personal Information on or off the covered entity’s or vendor’s premises or property, after the covered entity or vendor no longer needs the Personal Information for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.
*Small businesses are deemed to be in compliance if the information security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the Personal Information the small business collects from or about consumers. ORS 646A.622(5).
Does this jurisdiction have any specific data breach notification requirements?
ORS 646A.604: Requires that if there is an “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of Personal Information maintained or possessed by the Entity,” affected consumers must be notified “in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notice of the breach.”
Personal Information is defined as:
(1) An Oregon resident’s first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction or other methods have not rendered the data unusable or if the data elements are encrypted and the encryption key has also been acquired:
- Social Security Number
- Driver license number or state identification card number issued by the Department of Transportation
- Passport number or other identification number issued by the United States
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an Oregon resident’s financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account
- Biometric data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial or other transaction
- A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer
- Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer
(2) A user name or other means of identifying a consumer for the purpose of permitting access to the consumer's account, together with any other method necessary to authenticate the user name or means of identification.
Personal Information also includes any Personal Information data element or any combination of the Personal Information data elements without the consumer's user name, or the consumer's first name or first initial and last name if encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable and the data element or combination of data elements would enable an individual to commit identity theft.
If the number of residents affected exceeds 250, the Oregon Attorney General must be informed.
The following restrictions apply to the international transfer of personal data / information:
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
ORS 646A.604: Data Breach Notification Law: whether you are in Oregon or not, if an Oregon resident’s Personal Information has been involved in a Security Breach, as that term is defined under the statute, notification must be provided to the affected Oregon residents in line with the Oregon notification statute.
The following rules specifically deal with marketing:
ORS 97.946: Advertising and Marketing Prohibitions: A person may not engage in unsolicited door to door or telephone advertising and marketing of prearrangement sales contracts or preconstruction sales contracts.
ORS 646.607: Prohibits the use of “unconscionable tactic[s] in connection with selling, renting or disposing of real estate, goods or services, or collecting or enforcing an obligation.”
ORS 646.608: No false or misleading advertising.
Do different rules apply to business-to-business and business-to-consumer marketing?
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
Oregon has rules dealing with electronic marketing, but these rules are specifically directed to real estate brokers (see OAR 863-015-0125).
The following rules specifically deal with cookies:
The consequences of non compliance with data protections laws (including marketing laws) are:
ORS 646A.604: Data Breach Notification Law: any person who violates or who procures, aids, or abets in the violation of 646A.600-646A.628 shall be subject to a penalty of not more than $1,000 for every violation. See ORS 646A.624.
ORS 646A.600: OR Consumer Information Protection Act: any person who violates or who procures, aids, or abets in the violation of 646A.600-646A.628 shall be subject to a penalty of not more than $1,000 for every violation. See ORS 646A.624.
ORS 646.607 Unlawful Trade Practice: a willful violation gives rise to a private right of action under ORS 646.638:
- An individual can bring an action in an appropriate court to recover actual damages or statutory damages of $200, whichever is greater.
- The court or the jury may award punitive damages and the court may provide any equitable relief the court considers necessary or proper.
- The court may award reasonable attorney fees and costs at trial and on appeal to a prevailing plaintiff in an action under this section (not applicable if the action is maintained as a class action).
See ORS 646.638.
ORS 336.184: Oregon Student Information Protection Act (OSIPA): any person who violates or who procures, aids, or abets in the violation of ORS 336.184 shall be subject to a penalty of not more than $1,000 for every violation. See ORS 646A.624.
ORS 746.607: Use and Disclosure of Personal Information: Individuals are entitled to recover damages sustained as a result of the disclosure; however, such damages cannot exceed the actual damages sustained by the individual. See ORS 746.680.
ORS 97.946: Advertising and Marketing Prohibitions: The Director of the Department of Consumer and Business Services (Director) may take any disciplinary action that the director finds proper, including assessment of the costs of the investigation and disciplinary proceedings and assessment of a civil penalty not to exceed $10,000 per violation. See ORS 97.948.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Multinational organisations should be aware of the following upcoming data protection developments: