Oregon Statutes 646A.578 – Duties of controller; prohibitions; privacy notice to consumer
(1) A controller shall:
Terms Used In Oregon Statutes 646A.578
- Appeal: A request made after a trial, asking another court (usually the court of appeals) to decide whether the trial was conducted properly. To make such a request is "to appeal" or "to take an appeal." One who appeals is called the appellant.
(a) Specify in the privacy notice described in subsection (4) of this section the express purposes for which the controller is collecting and processing personal data;
(b) Limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes the controller specified in paragraph (a) of this subsection;
(c) Establish, implement and maintain for personal data the same safeguards described in ORS § 646A.622 that are required for protecting personal information, as defined in ORS § 646A.602, such that the controller’s safeguards protect the confidentiality, integrity and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data; and
(d) Provide an effective means by which a consumer may revoke consent a consumer gave under ORS § 646A.570 to 646A.589 to the controller’s processing of the consumer’s personal data. The means must be at least as easy as the means by which the consumer provided consent. Once the consumer revokes consent, the controller shall cease processing the personal data as soon as is practicable, but not later than 15 days after receiving the revocation.
(2) A controller may not:
(a) Process personal data for purposes that are not reasonably necessary for and compatible with the purposes the controller specified in subsection (1)(a) of this section, unless the controller obtains the consumer’s consent;
(b) Process sensitive data about a consumer without first obtaining the consumer’s consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq. and the regulations, rules and guidance adopted under the Act, all as in effect on January 1, 2024;
(c) Process a consumer’s personal data for the purposes of targeted advertising, of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance or of selling the consumer’s personal data without the consumer’s consent if the controller has actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age; or
(d) Discriminate against a consumer that exercises a right provided to the consumer under ORS § 646A.570 to 646A.589 by means such as denying goods or services, charging different prices or rates for goods or services or providing a different level of quality or selection of goods or services to the consumer.
(3) Subsections (1) and (2) of this section do not:
(a) Require a controller to provide a good or service that requires personal data from a consumer that the controller does not collect or maintain; or
(b) Prohibit a controller from offering a different price, rate, level of quality or selection of goods or services to a consumer, including an offer for no fee or charge, in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discount or club card program.
(4) A controller shall provide to consumers a reasonably accessible, clear and meaningful privacy notice that:
(a) Lists the categories of personal data, including the categories of sensitive data, that the controller processes;
(b) Describes the controller’s purposes for processing the personal data;
(c) Describes how a consumer may exercise the consumer’s rights under ORS § 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS § 646A.576;
(d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties;
(e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
(f) Specifies an electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors;
(g) Identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this state;
(h) Provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing; and
(i) Describes the method or methods the controller has established for a consumer to submit a request under ORS § 646A.576 (1).
(5) The method or methods described in subsection (4)(i) of this section for submitting a consumer’s request to a controller must:
(a) Take into account:
(A) Ways in which consumers normally interact with the controller;
(B) A need for security and reliability in communications related to the request; and
(C) The controller’s ability to authenticate the identity of the consumer that makes the request; and
(b) Provide a clear and conspicuous link to a webpage where the consumer or an authorized agent may opt out from a controller’s processing of the consumer’s personal data as described in ORS § 646A.574 (1)(d) or, solely if the controller does not have a capacity needed for linking to a webpage, provide another method the consumer can use to opt out.
(6) If a consumer or authorized agent uses a method described in subsection (5) of this section to opt out of a controller’s processing of the consumer’s personal data under ORS § 646A.574 (1)(d) and the decision conflicts with a consumer’s voluntary participation in a bona fide reward, club card or loyalty program or a program that provides premium features or discounts in return for the consumer’s consent to the controller’s processing of the consumer’s personal data, the controller may either comply with the request to opt out or notify the consumer of the conflict and ask the consumer to affirm that the consumer intends to withdraw from the bona fide reward, club card or loyalty program or the program that provides premium features or discounts. If the consumer affirms that the consumer intends to withdraw, the controller shall comply with the request to opt out. [2023 c.369 § 5]
646A.578 becomes operative July 1, 2024. See section 15, chapter 369, Oregon Laws 2023.
The amendments to 646A.578 by section 12, chapter 369, Oregon Laws 2023, become operative January 1, 2026. See section 15, chapter 369, Oregon Laws 2023. The text that is operative on and after January 1, 2026, is set forth for the user’s convenience.
(1) A controller shall:
(a) Specify in the privacy notice described in subsection (4) of this section the express purposes for which the controller is collecting and processing personal data;
(b) Limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes the controller specified in paragraph (a) of this subsection;
(c) Establish, implement and maintain for personal data the same safeguards described in ORS § 646A.622 that are required for protecting personal information, as defined in ORS § 646A.602, such that the controller’s safeguards protect the confidentiality, integrity and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data; and
(d) Provide an effective means by which a consumer may revoke consent a consumer gave under ORS § 646A.570 to 646A.589 to the controller’s processing of the consumer’s personal data. The means must be at least as easy as the means by which the consumer provided consent. Once the consumer revokes consent, the controller shall cease processing the personal data as soon as is practicable, but not later than 15 days after receiving the revocation.
(2) A controller may not:
(a) Process personal data for purposes that are not reasonably necessary for and compatible with the purposes the controller specified in subsection (1)(a) of this section, unless the controller obtains the consumer’s consent;
(b) Process sensitive data about a consumer without first obtaining the consumer’s consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq. and the regulations, rules and guidance adopted under the Act, all as in effect on January 1, 2024;
(c) Process a consumer’s personal data for the purposes of targeted advertising, of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance or of selling the consumer’s personal data without the consumer’s consent if the controller has actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age; or
(d) Discriminate against a consumer that exercises a right provided to the consumer under ORS § 646A.570 to 646A.589 by means such as denying goods or services, charging different prices or rates for goods or services or providing a different level of quality or selection of goods or services to the consumer.
(3) Subsections (1) and (2) of this section do not:
(a) Require a controller to provide a good or service that requires personal data from a consumer that the controller does not collect or maintain; or
(b) Prohibit a controller from offering a different price, rate, level of quality or selection of goods or services to a consumer, including an offer for no fee or charge, in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discount or club card program.
(4) A controller shall provide to consumers a reasonably accessible, clear and meaningful privacy notice that:
(a) Lists the categories of personal data, including the categories of sensitive data, that the controller processes;
(b) Describes the controller’s purposes for processing the personal data;
(c) Describes how a consumer may exercise the consumer’s rights under ORS § 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS § 646A.576;
(d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties;
(e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
(f) Specifies an electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors;
(g) Identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this state;
(h) Provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing; and
(i) Describes the method or methods the controller has established for a consumer to submit a request under ORS § 646A.576 (1).
(5) The method or methods described in subsection (4)(i) of this section for submitting a consumer’s request to a controller must:
(a) Take into account:
(A) Ways in which consumers normally interact with the controller;
(B) A need for security and reliability in communications related to the request; and
(C) The controller’s ability to authenticate the identity of the consumer that makes the request;
(b) Provide a clear and conspicuous link to a webpage where the consumer or an authorized agent may opt out from a controller’s processing of the consumer’s personal data as described in ORS § 646A.574 (1)(d) or, solely if the controller does not have a capacity needed for linking to a webpage, provide another method the consumer can use to opt out; and
(c) Allow a consumer or authorized agent to send a signal to the controller that indicates the consumer’s preference to opt out of the sale of personal data or targeted advertising under ORS § 646A.574 (1)(d) by means of a platform, technology or mechanism that:
(A) Does not unfairly disadvantage another controller;
(B) Does not use a default setting but instead requires the consumer or authorized agent to make an affirmative, voluntary and unambiguous choice to opt out;
(C) Is consumer friendly and easy for an average consumer to use;
(D) Is as consistent as possible with similar platforms, technologies or mechanisms required under federal or state laws or regulations; and
(E) Enables the controller to accurately determine whether the consumer is a resident of this state and has made a legitimate request under ORS § 646A.576 to opt out as described in ORS § 646A.574 (1)(d).
(6) If a consumer or authorized agent uses a method described in subsection (5) of this section to opt out of a controller’s processing of the consumer’s personal data under ORS § 646A.574 (1)(d) and the decision conflicts with a consumer’s voluntary participation in a bona fide reward, club card or loyalty program or a program that provides premium features or discounts in return for the consumer’s consent to the controller’s processing of the consumer’s personal data, the controller may either comply with the request to opt out or notify the consumer of the conflict and ask the consumer to affirm that the consumer intends to withdraw from the bona fide reward, club card or loyalty program or the program that provides premium features or discounts. If the consumer affirms that the consumer intends to withdraw, the controller shall comply with the request to opt out.
[2011 c.393 § 3; renumbered 646A.826 in 2023]