A comprehensive new consumer privacy law is set to take effect in Oregon this July that will affect a wide swath of businesses, both large and small.

“We think some businesses might be surprised that they’re covered by the law,” said Laura Lemire, a privacy and security attorney at Schwabe Williamson & Wyatt. “Some people think privacy laws are just for the big tech companies.”

The Oregon Consumer Protection Act applies to businesses that are based in Oregon or that provide products and services in Oregon, and that control or process the personal data of 100,000 or more consumers in the state in a calendar year. It also applies to businesses that control or process personal data of at least 25,000 Oregonians and derive at least 25% of their gross revenue from the sale of personal data.

Oregon’s Attorney General is responsible for enforcing the law and can impose a fine of up to $7,500 per violation.

Since the new law broadly defines “personal information,” organizations can easily hit the threshold by using commonplace digital marketing practices, Lemire said.

“The law will cover small and medium businesses that have a sizable consumer base,” Lemire said. “Small businesses, if they have enough website visitors or people who provided email addresses for their newsletter, might be surprised.”

Oregon is one of 11 states that have enacted such protections, after Attorney General Ellen Rosenblum formed a task force in 2019 to study the issue.

Senate Bill 619 passed last year, not without controversy. Among the opponents was the Computer and Communications Industry Association, which argued that the bill would create “inflated liability with no associated meaningful improvement to consumer data protections.”

The Electronic Frontier Foundation was among the supporters. A representative of the digital civil liberties organization said the bill was “reasonable in its scope, more usable for everyday people and contains enforcement provisions with weight.”

The law gives Oregon consumers the right to know what information companies have collected about them, including their email addresses, to access and get a copy of it, and to request that it be corrected or deleted. The law goes into effect on July 1 for businesses and exactly a year later for nonprofits.

Lemire recommends that businesses review their privacy statements and where they’re “actually storing and processing personal information to ensure they can handle it in accordance with the law.” She also recommends that businesses make sure they have adequate security measures in place.

“If a consumer asks, ‘What information do you have for me?’ there might be some work they need to do to honor the request and respond correctly,” Lemire said. “Businesses might want to ensure they review the law and understand if they’re subject to it and the triggers for it.”

Read the full article in the Portland Business Journal

This article was republished with permission from the Portland Business Journal.

This article summarizes aspects of the law and does not constitute legal advice. For legal advice for your situation, you should contact an attorney.
