Earlier this month, the Oregon state legislature introduced Senate Bill (SB) 619, “relating to protections for the personal data of consumers.” The bill has since been referred to the Senate Committee on Judiciary and the Joint Committee on Ways and Means. Of course, Oregon would not be the first state to enact general, or omnibus, privacy legislation; to date, five states (California, Virginia, Colorado, Connecticut, and Utah) have done so, with the first two operative as of today. Likewise, Oregon is not the only state to introduce new omnibus privacy legislation this month. The introduction of this bill (and other general state privacy legislation) remains significant because the prospect for omnibus federal privacy legislation (in the near term) fizzled out when the 117th Congress adjourned.
No bill exists in a vacuum. Structurally, SB 619 generally follows the Virginia Consumer Data Protection Act (VCDPA), as do the laws enacted by Colorado, Connecticut, and Utah.
SB 619 is only 17 pages long, not as slim as the VCDPA (8 pages), but not as bulky as the California Consumer Privacy Act (59 pages). Unlike the CCPA, SB 619 does not reference any implementing regulations; however, implementing regulations could be added.
As with any omnibus state privacy bill, the proposed legislation raises some key questions:
Whom does the bill protect? Under SB 619, that would be Oregon consumers, i.e., residents acting in any capacity other than in a commercial activity or in their role as an employer or employee. The VCDPA has the same limitation. A similar limitation in the CCPA expired on January 1, 2023.
Who will be subject to SB 619, if enacted? SB 619 applies to any person that conducts business in Oregon, or that provides products or services to Oregon residents, and that, during a calendar year, controls or processes the personal data of either (a) at least 100,000 Oregon consumers, devices that do or can identify at least 100,000 Oregon consumers, or a combination of both; or (b) at least 25,000 Oregon consumers, with at least 25% of its gross revenue attributable to the sale of personal data.
What can a consumer request (and expect to receive) from the controller? A controller is any person who, alone or together with others, determines the purposes and means of processing personal data. A consumer may obtain from the controller confirmation of whether the controller is processing or has processed the consumer’s personal data, a list of the categories of personal data subject to processing, and a list of the specific third parties (as opposed to categories of third parties) to which the personal data has been disclosed. In addition, a consumer may require a controller to correct inaccuracies in the personal data about the consumer, to delete personal data about the consumer, and to opt the consumer out of targeted advertising, the sale of personal data, and certain profiling.
Is there an opt-in requirement for sensitive personal data? Yes. The VCDPA features the opt-in requirement as well, though SB 619 defines sensitive personal data differently. The CCPA gives the consumer the right to limit the use or disclosure of sensitive personal information (to certain enumerated purposes). Colorado and Connecticut are also opt-in, while Utah is opt-out.
Is there a broad private right of action, available both on an individual and class-wide basis? Yes, so long as the consumer suffers an ascertainable loss of money or property as a result of a controller’s violation. For example, a failure to delete a consumer’s personal data could give rise to individual or class-wide claims, provided that there is an ascertainable loss. The CCPA features a limited private right of action (on an individual and class-wide basis) for data breaches. In contrast, the Virginia, Colorado, Connecticut, and Utah laws are enforceable only by the Attorney General of each state.
Is there potential personal liability for a director, member, officer, employee, or agent of a controller in violation of SB 619? Yes. No such provision is found in any of the five existing omnibus state privacy laws.
Is there an ability to cure violations? Maybe. The Attorney General will notify the controller if the purported violation can be cured, and if curable, the controller will have 30 days to do so.
Last, but not least, when would SB 619, if enacted, become operative? There are three operative dates to note: July 1, 2024 (general, including the serving of an investigative demand by the Attorney General), January 1, 2025 (the date the Attorney General may first bring suit, subject to the possible 30-day cure period), and January 1, 2026 (private right of action). In Oregon, the effective date is the date a bill becomes law. Typically, a bill takes effect the first day of the year following passage. One or more operative dates can be used to delay operation of one or more parts of a bill, if administrative preparation is required.
Bills change, and SB 619 may be no exception. Please stay tuned for updates.