Oregon recently joined Vermont and California as the third state requiring data broker registration before collecting, selling, or licensing “brokered personal data.” Several types of entities are exempt from the law. These include those collecting information from their customers, subscribers or users or those in a “similar” relationship or an entity acting as those companies’ agents. Also exempt are consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions subject to GLBA. The new law takes effect on January 1, 2024.
Provided an exception does not apply, companies will need to figure out if they sell or license information as that term is defined by the law and thus might be viewed as a “data broker.” Unfortunately, the law is silent on what constitutes a “sale” of brokered personal data. Licensing means granting access or distributing brokered data to another person for consideration.
Information covered under the law (“brokered personal data”) includes, inter alia, name, data or place of birth, maiden name of an individual’s mother, biometric information, social security or other government-issued identification number. It also includes information that can “reasonably be associated” with the individual.
To the extent that the law applies, the “data broker” must register with the Department of Consumer and Business Services. In addition to paying a fee, they will need to include a declaration that describes whether consumers can opt-out of all or a portion of the data activities, how the consumer can exercise their opt-out choices, and whether an authorized agent can do so on the consumer’s behalf. The DCBS will maintain a list of registered brokers on its website. Companies who do not register as required face penalties up to $500 for each day it fails to register. Penalties are capped at $10,000 per calendar year.
Putting it into practice: This new law suggests that legislators may be renewing their focus on companies that sell or license personal information to third parties. While there are many exceptions under the law, this law serves as a reminder to examine information sharing practices.
Listen to this post