Effective July 1, 2024: Any person that conducts business in Oregon or provides products or services to Oregon residents and who, during a calendar year, controls or processes either: the personal data of at least 100,000 consumers or the personal data of at least 25,000 consumers, if they derive more than 25% of their annual gross revenue from the sale of personal data must:

• Respond to data subject requests without undue delay, within 45 days of receiving the request (this period may be extended by an additional 45 days if such extension is reasonably necessary).
• Must provide consumers with a reasonably accessible, clear, and meaningful privacy notice, and obtain a consumer’s affirmative consent to process a consumer’s sensitive data.
• Perform data protection assessments under certain circumstances and enter into valid contracts with processors that set forth instructions for the processing of personal data.
• Limit collection of personal data to that which is adequate, relevant, and reasonably necessary for the stated purpose and maintain information security safeguards to protect the confidentiality, integrity, and accessibility of personal data.

Notably, there are no revenue requirements for those subject to this law.

The law also provides certain consumer rights. Specifically, consumers who are Oregon residents will have the right to:

• Confirm whether their personal data is processed.
• Obtain a list of third parties to whom the controller discloses personal data.
• Correct inaccuracies in their personal data.
• Deletion of their personal data.
• Portability of their personal data.
• Opt-out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

There are several exemptions under the new law, including:

• Public corporations (defined under existing Oregon law as entities created by the state to carry out public missions and services),
• Public bodies (state government bodies, local government bodies and special government bodies) or insurers,
• Activities subject to the Fair Credit Reporting Act’s privacy requirements,
• Organizations who process data compliant with the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and the Family Educational Rights and Privacy Act (FERPA)
• Noncommercial activities of newspapers, magazines, periodicals, radio and television stations, press association and wire services
• Nonprofit organizations that provide programming to radio or television networks.

While nonprofits have blanket exemptions under many other states’ privacy laws, there is no such general exemption here. However, they have an extra year for compliance through July 1, 2025.

Click here for more information.

As Hire Image predicted in our Top Ten Background Screening Predictions for 2023, we will likely see similar privacy laws being passed this year, and these laws will undoubtedly impact background screening. Hire Image is committed to keeping you updated as to the passage of additional privacy laws in other states.

Contact us if you have any questions about how this law may affect you or about your background screening processes in general.