Oregon Data Brokers
ORS § 646A.593
Title Number: 50. Trade Regulations and Practices
Chapter 646A — Trade Regulation
DATA BROKERS - 646A.593
646A.593 Definitions; requirement to register with Department of Consumer and Business Services to operate as data broker; method of registration; penalty; rules.
(1) As used in this section:
(a) “Brokered personal data” means any of the following computerized data elements about a resident individual, if categorized or organized for sale or licensing to another person:
(A) The resident individual’s name or the name of a member of the resident individual’s immediate family or household;
(B) The resident individual’s address or an address for a member of the resident individual’s immediate family or household;
(C) The resident individual’s date or place of birth;
(D) The maiden name of the resident individual’s mother;
(E) Biometric information about the resident individual;
(F) The resident individual’s Social Security number or the number of any other government-issued identification for the resident individual; or
(G) Other information that, alone or in combination with other information that is sold or licensed, can reasonably be associated with the resident individual.
(b)(A) “Business entity” means:
(i) A resident individual who regularly engages in commercial activity for the purpose of generating income;
(ii) A corporation or nonprofit corporation, limited liability company, partnership or limited liability partnership, business trust, joint venture or other form of business organization the constituent parts of which share a common economic interest;
(iii) A financial institution, as defined in ORS 706.008; or
(iv) Another person that controls, is controlled by or is under common control with a person described in sub-subparagraphs (ii) and (iii) of this subparagraph.
(B) “Business entity” does not include the state or a state agency, a local government, as defined in ORS 174.116, a public corporation or a business entity or other person during a period in which the business entity or person is acting solely on behalf of and at the direction of the state, a state agency, the local government or a public corporation.
(c)(A) “Data broker” means a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person.
(B) “Data broker” does not include:
(i) A consumer reporting agency, as defined in 15 U.S.C. 1681a(f), a person that furnishes information to a consumer reporting agency, as provided in 15 U.S.C. 1681s-2, or a user of a consumer report, as defined in 15 U.S.C. 1681a(d), to the extent that the consumer reporting agency, the person that furnishes information to a consumer reporting agency or the user of a consumer report engages in activities that are subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.;
(ii) A financial institution, an affiliate or a nonaffiliated third party, as those terms are defined in 15 U.S.C. 6809, to the extent that the financial institution, affiliate or nonaffiliated third party engages in activities that are subject to regulation under Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 to 6809, and regulations adopted under Title V of the Gramm-Leach-Bliley Act;
(iii) A business entity that collects information about a resident individual if the resident individual is or was:
(I) A customer, subscriber or user of the business entity’s goods or services;
(II) An employee or agent of the business entity or is in a contractual relationship with the business entity;
(III) An investor in the business entity;
(IV) A donor to the business entity; or
(V) In another relationship with the business entity the nature of which is similar to the relationships described in this sub-subparagraph; or
(iv) A business entity that performs services for, acts on behalf of or acts as an agent of a business entity described in sub-subparagraph (iii) of this subparagraph.
(d)(A) “License” means a grant of access to, or distribution of, data by one person to another person in exchange for consideration.
(B) “License” does not include a use of data for the sole benefit of a data provider where the data provider maintains control over the use of the data.
(e) “Resident individual” means a natural person who resides in this state.
(2)(a) Except as provided in paragraph (b) of this subsection, a data broker may not collect, sell or license brokered personal data within this state unless the data broker first registers with the Department of Consumer and Business Services as provided in subsection (3) of this section.
(b) A data broker may collect, sell or license brokered personal data without registering with the department if the collection, sale or licensing involves only:
(A) Providing publicly available information that is related to a resident individual’s business or profession;
(B) Providing publicly available information as part of a service that provides alerts for health or safety purposes;
(C) Providing information that is lawfully available from federal, state or local government records;
(D) Publishing, selling, reselling, distributing or providing digital access to journals, books, periodicals, newspapers, magazines, news media or educational, academic or instructional works;
(E) Developing or maintaining an electronic commerce service or software;
(F) Providing directory assistance or directory information services as, or on behalf of, a telecommunications carrier; or
(G) Selling the assets of a business entity or a part of a business entity a single time, or only occasionally, as part of a transfer of control over the assets that is not part of the ordinary conduct of the business entity or a part of the business entity.
(3) To register with the department, a data broker shall:
(a) Submit on a form and in a format the department specifies:
(A) The name of the data broker;
(B) The street address and telephone number of the data broker; and
(C) The data broker’s primary website and electronic mail address.
(b) Pay a fee in an amount the department specifies by rule. The department shall set the fee in an amount that is sufficient, when aggregated, to pay the costs of administering the registration program.
(c) Include with the application form a declaration in which the data broker:
(A) States whether resident individuals may opt out of all or a portion of the data broker’s collection, sale or licensing of the resident individuals’ brokered personal data;
(B) Identifies which of the data broker’s activities of collecting, selling or licensing brokered personal data a resident individual may opt out of or which portion of the resident individual’s brokered personal data the resident individual may opt out of providing or permitting the data broker to collect, sell or license;
(C) Describes the method by which a resident individual may exercise the choices described in subparagraphs (A) and (B) of this paragraph; and
(D) States whether a resident individual may authorize another person to exercise the choice described in subparagraph (A) of this paragraph on the resident individual’s behalf and, if so, how to do so.
(4) If a data broker complies with the requirements set forth in subsection (3) of this section, the department shall approve the registration. A registration under this section is valid until December 31 of the year in which the department approves the registration.
(5) The department may approve and renew a registration under this section by means of an agreement with the Nationwide Multistate Licensing System and may, by rule, conform the practices, procedures and information that the department uses to approve or renew a registration to the requirements of the Nationwide Multistate Licensing System.
(6) The department shall make the information that business entities submit for registration under this section publicly available on or by means of the department’s website.
(7)(a) The department may impose a civil penalty:
(A) In an amount that does not exceed $500 for each of a data broker’s violations of a requirement under this section or each violation of a rule the department adopted under this section; or
(B) In the case of a continuing violation, in the amount of $500 for each day in which the violation continues.
(b) The total amount of penalties that the department imposes on a data broker may not exceed $10,000 during any calendar year.
(8) The department may adopt rules that are necessary to implement the provisions of this section. [2023 c.395 §1]
For more information, see here: https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html
These materials were obtained directly from the State Legislative website and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.