Beginning on January 1, 2024, data brokers must annually register with the Oregon Department of Consumer and Business Services (the “Department”) before collecting, selling, or licensing brokered personal data. Oregon’s data broker registration law, HB 2052, joins a growing list of similar laws requiring data broker registration, passed in Vermont, California, and Texas.
Application & Requirements
HB 2052 applies to “data brokers,” defined as a business entity or part of a business entity that collects and sells or licenses “brokered personal data” about Oregon residents. The law defines “brokered personal data” to include, generally, computerized data elements about an Oregon resident, if categorized or organized for sale or licensing to another person including, but not limited to: name, physical address, date or place of birth, mother’s maiden name, biometric information, and Social Security Number (or other government-issued identification number). The definition also includes a catch-all for other information that, alone or in combination with other information that is sold or licensed, can reasonably be associated with the resident individual. While only the catch-all includes the “can be reasonably associated with the resident individual” modifier, a reasonable interpretation of the law would extend that modifier to each of the other data elements listed.
To the extent that HB 2052 applies, data brokers must register annually with and pay a fee to be set by the Department. Among other things, a data brokers’ registration submission must include a declaration that describes whether and how Oregon residents may opt out of all or a portion of the data broker’s activities, and whether an Oregon resident may authorize an agent to exercise these rights on their behalf. HB 2052’s January 1, 2024 effective date is before Oregon’s privacy law (which goes into effect on July 1, 2024). Thus, data brokers subject to this law will need to be prepared to comply with a consumer’s opt-out request well in advance of other entities who need only comply with the privacy law.
As of the date of this blog’s publication, the Department has yet to issue any additional rules under HB 2502, including amount of the fee payment.
In addition to exempting various federally regulated businesses (e.g., entities subject to the FCRA and GLBA), the law exempts data brokers from registration under several circumstances, including when they collect or provide:
- Information about a current or former customer, employee, agent, investor, donor, or any other individual with a similar relationship;
- Publicly available information that is related to an Oregon resident’s business or profession, or otherwise as part of a service that provides alerts for health or safety purposes;
- Information that is lawfully available from federal, state, or local government records; or
- Information to develop or maintain an e-commerce service or software.
If an applicable data broker does not register or otherwise violates any other requirement, the Department may impose a civil penalty of up to $500 for each violation, with the possibility of being charged an additional $500 each day the violation continues. However, the Department’s penalties on a data broker may not exceed $10,000 during any calendar year.
Thus, companies wishing to avoid the optics of being among the first or few on what may at first be a relatively short list of registered data brokers—and willing to risk a (relatively low) penalty assessment—may decide to wait to register until the list has grown.
To evaluate compliance with the law, businesses should:
- Evaluate whether they meet HB 2052’s definition of “data broker;”
- Evaluate whether any statutory exemption applies to their data practices.
To the extent the business meets the definition of a “data broker” and its data practices do not fall within any of the statutory exemptions, it must register with the Department via fee payment and submission of the requisite information. Businesses should monitor developments regarding registration in the next two months leading up to the law’s effective date on January 1, 2024. While HB 2052 does not specify a date for future rulemaking (including for setting the registration fee), other states with similar laws published general instructions that detail the fee amount and how to complete the registration – we expect that Oregon will likely follow suit.
Further, to the extent applicable and not already completed, businesses should also ensure compliance with California, Texas, and Vermont’s data broker registration requirements.