(1)(a) A controller shall conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer.

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

(b) Processing activities that present a heightened risk of harm to a consumer include:

(A) Processing personal data for the purpose of targeted advertising;

(B) Processing sensitive data;

(C) Selling personal data; and

(D) Using the personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:

(i) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;

(ii) Financial, physical or reputational injury to consumers;

(iii) Physical or other types of intrusion upon a consumer’s solitude, seclusion or private affairs or concerns, if the intrusion would be offensive to a reasonable person; or

(iv) Other substantial injury to consumers.

(c) A single data protection assessment may address a comparable set of processing operations that present a similar heightened risk of harm.

(2) A data protection assessment shall identify and weigh how processing personal data may directly or indirectly benefit the controller, the consumer, other stakeholders and the public against potential risks to the consumer, taking into account how safeguards the controller employs can mitigate the risks. In conducting the assessment, the controller shall consider how deidentified data might reduce risks, the reasonable expectations of consumers, the context in which the data is processed and the relationship between the controller and the consumers whose personal data the controller will process.

(3) The Attorney General may require a controller to provide to the Attorney General any data protection assessments the controller has conducted if the data protection assessment is relevant to an investigation the Attorney General conducts under ORS § 646A.589. The Attorney General may evaluate a data protection assessment for the controller’s compliance with the requirements of ORS § 646A.570 to 646A.589. If a data protection assessment the Attorney General obtains under this subsection includes information that is subject to attorney-client privilege or is work product that is subject to a privilege, the controller’s provision of the data protection assessment does not waive the privilege.

(4) A data protection assessment that a controller conducts to comply with another applicable law or regulation satisfies the requirements of this section if the data protection assessment is reasonably similar in scope and effect to a data protection assessment conducted under this section.

(5) Requirements that apply to a data protection assessment under this section apply only to processing activities that occur on and after July 1, 2024, and are not retroactive.

(6) A controller shall retain for at least five years all data protection assessments the controller conducts under this section.

(7) A data protection assessment is confidential and is not subject to disclosure under ORS § 192.311 to 192.478. [2023 c.369 § 8]

646A.586 becomes operative July 1, 2024. See section 15, chapter 369, Oregon Laws 2023.

[2011 c.393 § 6; 2013 c.97 § 1; 2014 c.27 § 1; 2017 c.450 § 1; renumbered 646A.835 in 2023]