Miller Nash LLP,

 

What law(s) specifically govern personal data / information?

Oregon has laws specifically dealing with data protection, which are set out in more detail below.

 

What are the key data protection principles in this jurisdiction?

Transparency

Maintaining administrative, technical and physical safeguards to protect Personal Information

 

What is the supervisory authority / regulator in charge of data protection?

The Department of Consumer and Business Services

Oregon Department of Justice

 

Is there a requirement to register with a supervisory authority / regulator?

Yes, for data brokers.

 

Is there a requirement to notify the supervisory authority / regulator?

Yes, in the event of a data breach.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes, for data brokers and in the event of a data breach.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

ORS 646A.600 to 646A.628: Oregon Consumer Information Protection Act: Includes the data breach notification law (ORS 646A.604), the prohibition on displaying Social Security numbers (ORS 646A.620), and reasonable safeguard requirements (ORS 646A.622). Right to be informed if personal information was accessed during a breach of security, if the incident meets the statutory requirements. Prohibition on mailing or publicly posting a Social Security number, with certain exceptions. Prohibition on printing a Social Security number on a membership or other access card. Right to safeguarding and proper disposal of personal information.

ORS 646A.570 to 646A.589: Oregon Consumer Privacy Act: Processing is limited to what is adequate, relevant, reasonably necessary and proportionate in relation to the disclosed purposes. Requires reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and security of personal data and to reduce risks of harm to consumers. Provides consumer rights to access, to correction of inaccuracies, to deletion, to opt out of targeted advertising, the sale of personal data, and certain profiling, to data portability, and to no discrimination for exercising these rights. Opt-in requirement for processing sensitive data, for personal data about children under 13 years old, and for certain data about children ages 13-15 years old. Beginning January 1, 2026, prohibition against processing data of children under 16 years old for targeted advertising or certain profiling, regardless of consent. Controllers must conduct data protection assessments and enter into certain contractual terms with processors.

ORS 646.607 Unlawful Trade Practices Act: Information provided by a consumer will not be used, disclosed, collected, maintained, deleted or disposed of in a manner that is materially inconsistent with the way represented to a consumer.

ORS 336.184: Oregon Student Information Protection Act (OSIPA): The OSIPA prohibits online education sites, services, and applications from compiling, sharing, or disclosing K-12 student information for any purpose other than educational purposes.

ORS 746.607: Oregon’s mini-HIPAA: Health insurers may only disclose personal information in a manner that is consistent with an authorisation provided by the individual or a personal representative of the individual (there are exceptions to this rule).

ORS 646A.593: Data Broker Registration: Certain data brokers need to register before selling or licensing personal data to a third party.

ORS 646A.813: IoT Security: Connected devices must have reasonable security features.

ORS 659A.330: Employee Rights: An employer cannot require or request that an employee or a job applicant provide access to a personal social media account.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes:

ORS 646A.586: Requires a data protection assessment for processing activities with heightened risk of harm. Both the Oregon Consumer Privacy Act and the Oregon Consumer Information Protection Act require entities to develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personal data, including when the entity disposes of the personal data. This will likely require entities to complete a data impact assessment, if the entity is subject to one or both of these laws.

 

Does this jurisdiction have any specific data breach notification requirements?

Yes:

ORS 646A.604: Requires that if there is an “unauthorised acquisition of computerised data that materially compromises the security, confidentiality or integrity of personal information maintained or possessed by the Entity,” the individual must be notified “in the most expedient manner possible and without unreasonable delay, but not later than 45 days after discovering or receiving notice of the breach.”

Personal information is defined as:

(1) An Oregon resident’s first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction or other methods have not rendered the data unusable or if the data elements are encrypted and the encryption key has also been acquired:

  • Social Security number
  • Driver license number or state identification card number issued by the Department of Transportation
  • Passport number or other identification number issued by the United States
  • Financial account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an Oregon resident’s financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account
  • Biometric data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial or other transaction
  • A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer
  • Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer

(2) A user name or other means of identifying a consumer for the purpose of permitting access to the consumer's account, together with any other method necessary to authenticate the user name or means of identification.

Personal information also includes any personal information data element or any combination of the personal information data elements without the consumer's user name, or the consumer's first name or first initial and last name if encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable and the data element or combination of data elements would enable an individual to commit identity theft.

Personal information does not include information in a federal, state or local government record, other than a Social Security number, that is lawfully made available to the public.

If the number of residents affected exceeds 250, the Oregon Attorney General must be informed.

 

What restrictions apply to the international transfer of personal data / information?

n/a

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes:

ORS 646A.604: The Data Breach Notification Law provides that, whether or not the entity is located in Oregon, if an Oregon resident’s personal information has been involved in a breach of security, as that term is defined under the statute, notification must be provided to the affected Oregon residents in line with the Oregon notification statute.

 

What rules specifically deal with marketing?

ORS 646.607: Prohibits the use of “unconscionable tactic[s] in connection with selling, renting or disposing of real estate, goods or services, or collecting or enforcing an obligation.”

ORS 646.608: Prohibits certain unlawful advertising practices.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

The Unlawful Trade Practices Act only applies to business-to-consumer marketing.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Oregon has rules dealing with electronic marketing, but these rules are specifically directed to real estate brokers (see OAR 863-015-0125).

Oregon’s telephone solicitation laws apply to any telephonic contact, including text messaging (see ORS 646.551 to 646.559 and OAR 137-020-0200 to 137-020-0205 for registration requirements, and ORS 646.561 to 646.578 for Do Not Call and “do not call me again” requirements). Oregon has designated the federal Do Not Call list in lieu of an Oregon list.

 

What rules specifically deal with cookies?

N/A.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The Oregon Consumer Information Protection Act, OSIPA, IoT security and telephone solicitation laws are all incorporated into the UTPA through either ORS 646.607 or ORS 646.608. ORS 646.607 can only be enforced by the Attorney General. ORS 646.608 can be enforced by the Attorney General and there is a private right of action. The Attorney General may seek civil penalties of up to USD 25,000 per violation, injunctive relief, restitution for consumers, and attorney fees (ORS 646.632 and ORS 646.636). A consumer bringing a private right of action must have suffered an ascertainable loss and can bring a class action. A consumer can seek actual damages or statutory damages of USD 200, punitive damages, equitable relief, and attorney fees (ORS 646.638).

The Department of Consumer and Business Services (DCBS) also has authority to enforce the Oregon Consumer Information Protection Act. DCBS can impose civil penalties of up to USD 1,000 per violation with a cap of USD 500,000 (ORS 646A.624).

ORS 646A.570 to 646A.589: Oregon Consumer Privacy Act: The Attorney General can seek civil penalties of up to USD 7,500 per violation, injunctive relief, and equitable relief (ORS 646A.589).

ORS 746.607: Oregon’s mini-HIPAA: For some violations, individuals are entitled to recover damages sustained as a result of the disclosure; however, such damages cannot exceed the actual damages sustained by the individual. Individuals may also be able to seek equitable relief and attorney fees. See ORS 746.680.

ORS 646A.593: Data Broker Registration: DCBS can impose civil penalties of up to USD 500 per violation or per day with a cap of USD 10,000 per year.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

The Oregon Department of Justice has a privacy enforcement unit and works cooperatively with other state Attorneys General’s offices to investigate and take action on varied data protection violations.

 

What upcoming data protection developments should multinational organisations be aware of?

Bills were passed in the 2025 legislative session that amended the Oregon Consumer Privacy Act and the telephone solicitation law.

 


Eva Novick
Miller Nash 
USA - Oregon