Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • New laws are effective on January 1, 2016
  • Comprehensive information requirements for notifications
  • Limited methods of notification delivery
  • State attorney general, consumer reporting agencies and credit bureaus may need to be notified
  • Data owners are responsible for reporting and notifications. Vendors must report to Data Owners
  • Comprehensive data protection and disposal laws with information security program requirement
  • Violations can add up to $500,000

Who Me?


Oregon breach and notification laws may apply if you are a person that:

  • Owns or licenses personal information that the person uses in the course of the person's business, vocation, occupation or volunteer activities;
  • Maintains or otherwise possesses personal information on behalf of, or under license of, another person.

There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?


PII relevant to a breach in Oregon includes a consumer's name in combination with one or more of the following:

  • The consumer's:
    • Social security, driver’s license or state identification card number;
    • Passport or other United States issued identification number;
    • Account number or credit or debit card number, together with any required security code or similar credential that permits access to a consumer's account;
  • Data from automatic measurements of the consumer’s physical characteristics;
  • A consumer’s medical history, mental or physical condition, or medical diagnosis.



An applicable statute includes, but is not limited to:

  • Volume: 14 - Trade Practices, Labor and Employment - Chapters 645-669 / Chapter 646A Trade Regulation / Identity Theft Protection Act: 646A.600 to 646A.604, and 646A.624


A few of these laws include, but are not limited to:

  • Data protection and data disposal / Volume: 14 - Trade Practices, Labor and Employment - Chapters 645-669 / Chapter 646A Trade Regulation:
    • 646A.620 Prohibition on printing, displaying or posting Social Security numbers; exemptions.
    • 646A.622 Requirement to develop safeguards for personal information; conduct deemed to comply with requirement.
    • 646A.624 Powers of director; penalties.



The Director of the Department of Consumer and Business Services may investigate and enforce violations. Violators may be subject to a $1,000 fine for every offense. In the case of a continuing violation, each day may be treated as a separate offense, up to a maximum penalty of $500,000.



Factors to consider when determining whether reporting is required include, but are not limited to:

  • The combination of personal information breached;
  • Whether the data was rendered unusable;
  • Whether the data was encrypted;
  • Whether the data included any kind of key or password;
  • Whether there is a reasonable likelihood of harm.

There are documentation requirements related to the decision.


In Oregon, the notification may be delayed if law enforcement advises the person in writing that notification will impede a criminal investigation and requests a delay; otherwise, the notification must be made in the most expeditious manner possible, without unreasonable delay.


Notification requires detailed information and may involve the provision of services.

Notification may be required for all consumer reporting agencies and credit bureaus. (From 1/1/16, the state attorney general may also need to be notified.)

Disclosure may be made by written notice or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $250,000, if the number of persons to be notified exceeds 350,000, or if sufficient contact information is not available.

Contact the Privacy Experts at CSR