Oregon Enacts Data Broker Registration Law | Practical Law

Oregon Enacts Data Broker Registration Law | Practical Law

Oregon has enacted HB 2052, which requires data brokers to register with the Department of Consumer and Business Services before collecting, selling, or licensing brokered personal data in the state.

Oregon Enacts Data Broker Registration Law

Practical Law Legal Update w-040-3346 (Approx. 4 pages)

Oregon Enacts Data Broker Registration Law

by Practical Law Data Privacy & Cybersecurity
Published on 28 Jul 2023Oregon
Oregon has enacted HB 2052, which requires data brokers to register with the Department of Consumer and Business Services before collecting, selling, or licensing brokered personal data in the state.
On July 27, 2023, Oregon governor Tina Kotek signed HB 2052, which creates registration requirements for data brokers before they can collect, sell, or license brokered personal data in the state.
HB 2052 applies to data brokers, defined as a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person. A business entity includes individuals engaged in commercial activities, corporations and non-profit corporations, limited liability companies, business trusts, financial institutions, joint ventures, and other forms of business organizations.
The definition of a data broker does not include:
  • If subject to regulation under the Fair Credit Reporting Act:
  • A financial institution, affiliate, or nonaffiliated third party subject to regulation under the Gramm-Leach-Bliley Act.
  • A business entity that collects information about an Oregon resident who is or was:
    • a customer, subscriber, or user of the business entity's good or services;
    • the business entity's employee or agency, or in a contractual relationship with the business entity;
    • the business entity's investor or donor, or in another similar relationship; or
    • a business entity that performs services for, acts on behalf of, or as an agent of another business entity.
HB 2052 defines brokered personal data as any of the following computerized data elements about a resident, if categorized or organized for sale or licensing to another person:
  • Name, or the name of the resident's immediate family or household member.
  • Address, or the address the resident's immediate family or household member.
  • Date or place of birth.
  • Mother's maiden name.
  • Biometric information.
  • Social Security number or any other government-issued identification number.
  • Other information that, alone or in combination with other licensed or sold information, can reasonably be associated with the resident.
Data brokers must pay a fee and submit the following information to the Department of Consumer and Business Services (Department), on a form and in a format it specifies:
  • The name of the data broker.
  • The street address and telephone number of the data broker.
  • The data broker's primary website and email address.
Data brokers must submit the application form with a declaration that:
  • States whether a resident may opt out of all or part of the data broker's collection, sale, or licensing of the resident's brokered personal data.
  • Identifies which of the data broker's activities or what portion of the resident's personal data the resident can opt out of providing or permitting the data broker to collect, sell, or license.
  • Describes the method by which a resident may opt out of the data broker's activities.
  • States whether a resident can authorize another person to exercise their opt-out rights and how to do so.
Data brokers do not need to register with the Department if their personal data collection, sale, and licensing only involves:
  • Providing publicly available information:
    • related to a resident's business or profession; or
    • as part of a service that provides alerts for health or safety purposes.
  • Providing information that is lawfully available from federal, state, or local government records.
  • Publishing, selling, reselling, distributing, or providing digital access to journals, books, periodicals, newspapers, magazines, news media, or educational, academic, or instructional works.
  • Developing or maintaining an electronic commerce service or software.
  • Providing directory assistance or directory information services as a telecommunications carrier or on behalf of one.
  • Selling all or part of a business entity's assets a single time, or only occasionally, as part of a transfer of control over the assets that is not part of the ordinary conduct of the business entity or a part of the business entity.
For violations of the law, the Department may impose a civil penalty of up to:
  • $500 for each violation.
  • $500 a day, for each day the violation continues.
The Department may impose up to $10,000 in penalties on a data broker in a calendar year.
HB 2052 takes effect on January 1, 2024, and the director of the Department may adopt rules and take any other necessary action before this date.