Oregon's governor in late July signed the twelfth comprehensive consumer privacy law in the US. Along with many others that passed in the states in 2023, the law will take effect in 2024. It presents a now-familiar model with expanded consumer rights to their information, a broad definition of what is considered protected "personal" data, and limits on what companies can do with the personal data they collect.
Why It Matters
Oregon's law will not break much new ground when it takes effect, although it does have some unique twists. It follows the general model of the already-in-force California privacy law, but it adds "derived data" and data about devices linkable to a specific person to the list of covered data. It also designates transgender/nonbinary status, and crime victim status, to the list of "sensitive" information that requires an opt-in to process. Like other recent privacy laws, it will require that websites honor a universal opt-out mechanism (such as GPC), although that requirement does not take effect until 2026.
The key thing about Oregon's new law is that it caps off an extremely busy state legislative season that saw ten new comprehensive privacy laws and several other privacy-related laws passed in states across the country. This is an area where state legislatures, regardless of which party controls, are keenly interested in regulating business practices. Moreover, with twelve such laws on the books, it will become more and more difficult for any company to assume that privacy rules don't apply to its business.
/Passle/5fe0c4f453548a10fc881e09/SearchServiceImages/2025-03-31-20-40-41-549-67eafdc99050990b49b48356.jpg)
/Passle/5fe0c4f453548a10fc881e09/SearchServiceImages/2025-02-17-20-16-07-617-67b39907c56ef846c927f846.jpg)
/Passle/5fe0c4f453548a10fc881e09/MediaLibrary/Images/2025-05-05-20-53-03-372-6819252fda001553f92c4ae0.png)