On July 27, 2023, Oregon Governor Tina Kotek signed HB 2052 ("the Act") into law. The Act relates to data broker registration for entities that qualify as data broker under the Act.
Data Broker Registration Overview
The Act details that Oregon data brokers "may not collect, sell or license brokered personal data within this state unless the data broker first registers with the Department of Consumer and Business Services." The Act does not apply to publicly available data.
HB 2052 authorizes the Department to impose a civil penalty of up to $500 per violation and, in the case of a continuing violation, $500 for each day that the violation continues. However, "[t]he total amount of penalties that the [D]epartment imposes on a data broker may not exceed $10,000 during any calendar year."
Oregon's new data broker law will take effect on January 1, 2024, at which time it is extremely likely that the Department will enact additional rules and provide further clarification, including costs of registration.
State Data Broker Registration Comparison
As readers of this blog know, Oregon is now the fourth state of the Union to require data broker registration. The Act defines a data broker as "a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person." Note that the Oregon Act is stricter than its counterparts that were enacted in Texas, Vermont, and California. Specifically, HB 2052 applies to the collection, sale, or licensing of brokered data, while Vermont and California only apply to the sale of personal data.
Unlike Texas, the Act does not specifically apply to pseudonym data; however, it does provide a more definitive definition of what constitutes "brokered personal data." Brokered personal data includes, among other things, an individual's name, name of immediate family, address, date or place of birth, mother's maiden name, biometric information, social security number or any other government-issued identification number.
At this time, we are still investigating whether HB2052 contains data threshold requirements similar to those contained in the Texas statute.
Compliance with Oregon's Data Broker Registration Law
Businesses must begin the process of ensuring compliance now, as civil penalties may be imposed for each day that a violation continues. It is also extremely important for businesses that operate in multiple states to hire the right counsel, to ensure that consumer data privacy practices comply with the different requirements of each state jurisdiction.
Similar Blog Posts:
California Data Broker Registration Requirements – Klein Moynihan Turco
CCPA Amended to Require California Data Broker Registration – Klein Moynihan Turco
Vermont Data Broker Registration Due January 31, 2019 – Klein Moynihan Turco
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.