How Does Oregon Define a Data Broker?

Under Oregon SB 619, a “data broker” is generally defined as a business entity that collects and sells or otherwise makes available personal data about consumers with whom the business does not have a direct relationship.

The definition focuses on two primary elements:

• No direct relationship with the consumer whose data is collected

• Commercial availability or sale of that personal data to third parties

A “direct relationship” typically means the consumer intentionally interacts with the business — for example, by purchasing a product, creating an account, subscribing to services, or otherwise knowingly engaging with the company.

Organizations that obtain personal data from third-party sources and then license, sell, enrich, or otherwise make that information commercially available may fall within the scope of Oregon’s definition.

Oregon’s statute also includes specific exclusions and clarifications. Because definitions vary from state to state, organizations should document a formal applicability analysis rather than relying on assumptions based on other jurisdictions.

For detailed compliance tools, governance templates, and audit-readiness materials, visit the CLIClaw Data Broker Compliance Library.