Oregon Statutes 646A.583 – Controllers use of deidentified data; exclusions
(1)(a) A controller that possesses deidentified data shall:
Terms Used In Oregon Statutes 646A.583
- Contract: A legal written agreement that becomes binding when signed.
- Oversight: Committee review of the activities of a Federal agency or program.
(A) Take reasonable measures to ensure that the deidentified data cannot be associated with an individual;
(B) Publicly commit to maintaining and using deidentified data without attempting to reidentify the deidentified data; and
(C) Enter into a contract with a recipient of the deidentified data and provide in the contract that the recipient must comply with the controller’s obligations under ORS § 646A.570 to 646A.589.
(b) A controller that discloses deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and shall take appropriate steps to address any breaches of the contractual commitments.
(c) This section does not prohibit a controller from attempting to reidentify deidentified data solely for the purpose of testing the controller’s methods for deidentifying data.
(2) ORS § 646A.570 to 646A.589 do not:
(a) Require a controller or processor to:
(A) Reidentify deidentified data; or
(B) Associate a consumer with personal data in order to authenticate the consumer’s request under ORS § 646A.576 by:
(i) Maintaining data in identifiable form; or
(ii) Collecting, retaining or accessing any particular data or technology.
(b) Require a controller or processor to comply with a consumer’s request under ORS § 646A.576 if the controller:
(A) Cannot reasonably associate the request with personal data or if the controller’s attempt to associate the request with personal data would be unreasonably burdensome;
(B) Does not use personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with any other personal data about the specific consumer; and
(C) Does not sell or otherwise voluntarily disclose personal data to a third party, except as otherwise provided in this section. [2023 c.369 § 7]
646A.583 becomes operative July 1, 2024. See section 15, chapter 369, Oregon Laws 2023.
[2011 c.393 § 5; renumbered 646A.832 in 2023]