Oregon's New Data Broker Registry: What to Know
The state of Oregon just passed a new law requiring "data brokers" to register with the state. Here's what to know.
On July 27, Oregon passed a new law that requires “data brokers” to register with the state. It came into effect immediately upon signing by the governor. Here’s what to know about the law — including its definitions, its exceptions, and how it differs from other state-level data broker registries in the US. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
Oregon’s data broker registry law requires certain third-party data brokers to register with the state — and replicates many of the carve-outs and gaps in other state data broker registry laws and bills.
Defining a “Data Broker” in Oregon
The newly signed law (H.B. 2052 in bill form) requires “data brokers” to register with the state. Two definitions are key to this requirement:
The law defines “brokered personal data” as “computerized data elements about a resident individual,” categorized or organized for sale or licensing, including a person’s name, the names of their immediate family members or residents of their household, their address, their immediate family members’ addresses, their date or place of birth, their mother’s maiden name, their biometric information, their Social Security Number or other state identification, and “other information that, alone or in combination with other information that is sold or licensed, can reasonably be associated with the resident individual.”
A “data broker” is defined as “a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person” and does not include consumer reporting agencies under the Fair Credit Reporting Act, financial institutions and affiliated or nonaffiliated third parties under the Gramm-Leach-Bliley Act, and businesses gathering information about their own customers, subscribers, users, employees, agents, investors, donors, and anyone else with whom the business has a contractual relationship.
Most state laws and bills that create (or would create) data broker registries limit their scope to just third-party data brokers. Under those laws and bills, if a business sells data about its own users or customers, it is not considered a “data broker.” Thus, many first-party data collectors that sell data on their own customers (such as mobile apps selling users’ location data) are not covered under the regulations. Oregon’s exemptions from the “data broker” definition follow the same path by excluding from coverage businesses that gather information about their own users, customers, and so on. This common gap leaves many data sales outside of the law’s scope.
Imposing Registration Requirements
Covered third-party data brokers, under the new law, must register with the Oregon Department of Consumer and Business Services by submitting:
The data broker’s name, street address, telephone number, primary website, and email address.
A registration fee, to be determined by the Department in rulemaking (“an amount that is sufficient, when aggregated, to pay the costs of administering the registration program”).
A declaration of the states in which residents may opt out of the data broker’s collection, sale, or licensing of their “brokered personal data”; which data broker activities and data sales individuals can opt out of; how individuals do so; and whether someone else can opt out on their behalf.
For covered third-party data brokers that fail to comply, the state may fine up to $500 for each violation of a requirement of the law. If violations continue, the state can fine companies $500 daily, up to $10,000 each year. Considering that even smaller data brokers can make hundreds or thousands of dollars from selling or licensing access to a single dataset (and the amounts only go up from there), this limit on fines creates a scenario in which some data brokers, especially larger ones, may not be properly incentivized to register if their non-registration is commercially advantageous.
The law additionally stipulates that covered third-party data brokers cannot “collect, sell, or license brokered personal data” in Oregon before registering with the state. But there are exceptions. For example, this does not apply if a data broker is “providing information that is lawfully available from federal, state, or local government records.” Given that data brokers, particularly “people search” websites, often scrape property filings, marriage certificates, voter registries, and other government records to aggregate information about people, this provision exempts numerous data brokers from the pre-registration prohibition on data collection, sale, and licensing. It is another common gap in state-level data broker registry laws.
What Now?
Oregon’s data broker registry law is now in effect. It remains to be seen in the coming weeks and months how many third-party data brokers will register with the state.
Importantly, Oregon’s state privacy law comes into effect next year, on July 1, 2024. Among many other provisions, it provides consumers with the right to opt out of a “controller’s” processing of their “personal data” when the processing is for targeted advertising, selling personal data, or profiling the consumer “in furtherance of decisions that produce legal effects or effects of similar significance.” Put simply, consumers will have the ability to require some data brokers to stop processing some of their data. Understanding how these laws intersect is a vital part of understanding Oregon’s privacy direction within the broader US landscape, and of drawing lessons for the development of laws and regulations elsewhere.
© 2023 Global Cyber Strategies LLC.