Skip to main content


Click here to review text of state statute (see Oregon Rev. Stat. §646A.600 et seq.)

[For 2018 updates to Oregon Rev. Stat. §646A.600 et seq – click here]

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of Oregon consumers.

Definition includes (i) a passport number or other identification number issued by the United States; (ii) data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction; (iii) a health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or (iv) information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.

[Effective January 1, 2020:  A user name of other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.

If data elements have not been encrypted, redacted or rendered unusable and the data element taken would enable a person to commit identity theft, the data element can be considered personal information.

Important definitions:

Security Breach” means an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.

Encryption” means an algorithmic process that renders data unreadable or unusable without the use of a confidential process or key.

Covered Entities* / Third Party Recipients

Subject to statute:

Any person, legal entity or public body (as defined in ORS 174.019) that owns, or licenses or otherwise possesses personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities. (Effective January 1, 2020:  Applies to entities that maintain, store, or process information on their own behalf but that they do not own)

Third party recipients:

A person that maintains or otherwise possesses personal information on behalf of, or under license of, another person shall notify the other person after discovering a breach of security as soon as practicable. [Effective January 1, 2020: Notice must be sent no later than 10 days after discovering breach of security or reason to believe that breach of security occurred.] 

Notice Procedures & Timing / Other Obligations

Written, telephonic or electronic notice must be provided to victims of a security breach in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).

  • Notice to affected residents is required to contain specific content described in statute.
  • Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 250,000 persons, or covered entity has insufficient contact information.
  • Notice not required if, after appropriate investigation or consultation with relevant law enforcement authorities, it is determined that no affected consumers are likely to suffer harm.  Written documentation of this determination is required and must be retained for 5 years.

Other obligations:

Any covered entity that must notify more than 1,000 Oregon residents at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies without delaying notice to affected Oregon residents.

Covered entities must develop, implement and maintain administrative, technical and physical safeguards to protect personal information. Note: ORS §654A.22(2)(d) contains expanded information security requirements.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted, redacted or otherwise rendered unusable by other methods. 

Safe harbor not available if a security breach involves encrypted data but the encryption key has been compromised.

Other exemptions:

Exemption for good faith and inadvertent acquisition of personal information by a covered entity or a covered entity’s employee or agent if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information.

A covered entity is deemed in compliance with the Oregon statute if it complies with notification requirements or procedures imposed by its primary or functional federal regulator that are at least as protective as Oregon’s statute.

Notification to Regulator / Waiver

Attorney General must be notified electronically or by mail if a single breach affects 250 residents. [Effective January 1, 2020:  Third parties that maintain or otherwise possess PI on behalf of another person must notify AG of breach exceeding 250, unless the owner has already notified the AG]

Attorney General must receive within a reasonable time at least one copy of any notice the person sends to consumers or to the person’s primary or functional regulator.

A determination of no likelihood of harm:

Does not require notification to Attorney General.

A covered entity that complies with other state or federal law that is at least as thorough as Oregon’s statute is exempt from Oregon’s statute.

A covered entity that is subject to GLBA or HIPAA is exempt from Oregon’s statute.


Violations are an unlawful practice under ORS 646.607.

Penalties can include $1,000 per violation. 

In the case of a continuing violation, each day’s continuance is a separate violation. Maximum penalty of $500,000.

Private Cause of Action / Enforcement

Private Cause of Action: No. 

Enforcement by the Director of the Department of Consumer and Business Services.

If the director has reason to believe that any person has engaged or is engaging in any violation of the Oregon statute, the director may issue a cease and desist order, or require the person to pay compensation to consumers injured by the violation. The director may order compensation to consumers only upon a finding that enforcement of the rights of the consumers by private civil action would be so burdensome or expensive as to be impractical.


Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive.  Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.

Click here to review text of state statute (see Oregon Rev. Stat. §646A.600 et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Subscribe To Viewpoints