ORS 646A.578
Duties of controller; prohibitions; privacy notice to consumer

(1)

A controller shall:

(a)

Specify in the privacy notice described in subsection (4) of this section the express purposes for which the controller is collecting and processing personal data;

(b)

Limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes the controller specified in paragraph (a) of this subsection;

(c)

Establish, implement and maintain for personal data the same safeguards described in ORS 646A.622 (Requirement to develop safeguards for personal information) that are required for protecting personal information, as defined in ORS 646A.602 (Definitions for ORS 646A.600 to 646A.628), such that the controller’s safeguards protect the confidentiality, integrity and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data; and

(d)

Provide an effective means by which a consumer may revoke consent a consumer gave under ORS 646A.570 (Definitions) to 646A.589 (Investigative demand by Attorney General) to the controller’s processing of the consumer’s personal data. The means must be at least as easy as the means by which the consumer provided consent. Once the consumer revokes consent, the controller shall cease processing the personal data as soon as is practicable, but not later than 15 days after receiving the revocation.

(2)

A controller may not:

(a)

Process personal data for purposes that are not reasonably necessary for and compatible with the purposes the controller specified in subsection (1)(a) of this section, unless the controller obtains the consumer’s consent;

(b)

Process sensitive data about a consumer without first obtaining the consumer’s consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq. and the regulations, rules and guidance adopted under the Act, all as in effect on January 1, 2024;

(c)

Process a consumer’s personal data for the purposes of targeted advertising, of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance or of selling the consumer’s personal data without the consumer’s consent if the controller has actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age; or

(d)

Discriminate against a consumer that exercises a right provided to the consumer under ORS 646A.570 (Definitions) to 646A.589 (Investigative demand by Attorney General) by means such as denying goods or services, charging different prices or rates for goods or services or providing a different level of quality or selection of goods or services to the consumer.

(3)

Subsections (1) and (2) of this section do not:

(a)

Require a controller to provide a good or service that requires personal data from a consumer that the controller does not collect or maintain; or

(b)

Prohibit a controller from offering a different price, rate, level of quality or selection of goods or services to a consumer, including an offer for no fee or charge, in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discount or club card program.

(4)

A controller shall provide to consumers a reasonably accessible, clear and meaningful privacy notice that:

(a)

Lists the categories of personal data, including the categories of sensitive data, that the controller processes;

(b)

Describes the controller’s purposes for processing the personal data;

(c)

Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 (Definitions) to 646A.589 (Investigative demand by Attorney General), including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576 (Method for requesting personal data);

(d)

Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties;

(e)

Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;

(f)

Specifies an electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors;

(g)

Identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this state;

(h)

Provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing; and

(i)

Describes the method or methods the controller has established for a consumer to submit a request under ORS 646A.576 (Method for requesting personal data) (1).

(5)

The method or methods described in subsection (4)(i) of this section for submitting a consumer’s request to a controller must:

(a)

Take into account:

(A)

Ways in which consumers normally interact with the controller;

(C)

The controller’s ability to authenticate the identity of the consumer that makes the request; and

(6)

If a consumer or authorized agent uses a method described in subsection (5) of this section to opt out of a controller’s processing of the consumer’s personal data under ORS 646A.574 (Consumer requests for personal data) (1)(d) and the decision conflicts with a consumer’s voluntary participation in a bona fide reward, club card or loyalty program or a program that provides premium features or discounts in return for the consumer’s consent to the controller’s processing of the consumer’s personal data, the controller may either comply with the request to opt out or notify the consumer of the conflict and ask the consumer to affirm that the consumer intends to withdraw from the bona fide reward, club card or loyalty program or the program that provides premium features or discounts. If the consumer affirms that the consumer intends to withdraw, the controller shall comply with the request to opt out. [2023 c.369 §5]

Note: 646A.578 (Duties of controller) becomes operative July 1, 2024. See section 15, chapter 369, Oregon Laws 2023.

Note: The amendments to 646A.578 (Duties of controller) by section 12, chapter 369, Oregon Laws 2023, become operative January 1, 2026. See section 15, chapter 369, Oregon Laws 2023. The text that is operative on and after January 1, 2026, is set forth for the user’s convenience.

646A.578 (Duties of controller).

(1)

A controller shall:

(a)

Specify in the privacy notice described in subsection (4) of this section the express purposes for which the controller is collecting and processing personal data;

(b)

Limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes the controller specified in paragraph (a) of this subsection;

(c)

Establish, implement and maintain for personal data the same safeguards described in ORS 646A.622 (Requirement to develop safeguards for personal information) that are required for protecting personal information, as defined in ORS 646A.602 (Definitions for ORS 646A.600 to 646A.628), such that the controller’s safeguards protect the confidentiality, integrity and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data; and

(d)

Provide an effective means by which a consumer may revoke consent a consumer gave under ORS 646A.570 (Definitions) to 646A.589 (Investigative demand by Attorney General) to the controller’s processing of the consumer’s personal data. The means must be at least as easy as the means by which the consumer provided consent. Once the consumer revokes consent, the controller shall cease processing the personal data as soon as is practicable, but not later than 15 days after receiving the revocation.

(2)

A controller may not:

(a)

Process personal data for purposes that are not reasonably necessary for and compatible with the purposes the controller specified in subsection (1)(a) of this section, unless the controller obtains the consumer’s consent;

(b)

Process sensitive data about a consumer without first obtaining the consumer’s consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq. and the regulations, rules and guidance adopted under the Act, all as in effect on January 1, 2024;

(c)

Process a consumer’s personal data for the purposes of targeted advertising, of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance or of selling the consumer’s personal data without the consumer’s consent if the controller has actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age; or

(d)

Discriminate against a consumer that exercises a right provided to the consumer under ORS 646A.570 (Definitions) to 646A.589 (Investigative demand by Attorney General) by means such as denying goods or services, charging different prices or rates for goods or services or providing a different level of quality or selection of goods or services to the consumer.

(3)

Subsections (1) and (2) of this section do not:

(a)

Require a controller to provide a good or service that requires personal data from a consumer that the controller does not collect or maintain; or

(b)

Prohibit a controller from offering a different price, rate, level of quality or selection of goods or services to a consumer, including an offer for no fee or charge, in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discount or club card program.

(4)

A controller shall provide to consumers a reasonably accessible, clear and meaningful privacy notice that:

(a)

Lists the categories of personal data, including the categories of sensitive data, that the controller processes;

(b)

Describes the controller’s purposes for processing the personal data;

(c)

Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 (Definitions) to 646A.589 (Investigative demand by Attorney General), including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576 (Method for requesting personal data);

(d)

Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties;

(e)

Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;

(f)

Specifies an electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors;

(g)

Identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this state;

(h)

Provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing; and

(i)

Describes the method or methods the controller has established for a consumer to submit a request under ORS 646A.576 (Method for requesting personal data) (1).

(5)

The method or methods described in subsection (4)(i) of this section for submitting a consumer’s request to a controller must:

(a)

Take into account:

(A)

Ways in which consumers normally interact with the controller;

(C)

The controller’s ability to authenticate the identity of the consumer that makes the request;

(c)

Allow a consumer or authorized agent to send a signal to the controller that indicates the consumer’s preference to opt out of the sale of personal data or targeted advertising under ORS 646A.574 (Consumer requests for personal data) (1)(d) by means of a platform, technology or mechanism that:

(A)

Does not unfairly disadvantage another controller;

(B)

Does not use a default setting but instead requires the consumer or authorized agent to make an affirmative, voluntary and unambiguous choice to opt out;

(C)

Is consumer friendly and easy for an average consumer to use;

(D)

Is as consistent as possible with similar platforms, technologies or mechanisms required under federal or state laws or regulations; and

(E)

Enables the controller to accurately determine whether the consumer is a resident of this state and has made a legitimate request under ORS 646A.576 (Method for requesting personal data) to opt out as described in ORS 646A.574 (Consumer requests for personal data) (1)(d).

(6)

If a consumer or authorized agent uses a method described in subsection (5) of this section to opt out of a controller’s processing of the consumer’s personal data under ORS 646A.574 (Consumer requests for personal data) (1)(d) and the decision conflicts with a consumer’s voluntary participation in a bona fide reward, club card or loyalty program or a program that provides premium features or discounts in return for the consumer’s consent to the controller’s processing of the consumer’s personal data, the controller may either comply with the request to opt out or notify the consumer of the conflict and ask the consumer to affirm that the consumer intends to withdraw from the bona fide reward, club card or loyalty program or the program that provides premium features or discounts. If the consumer affirms that the consumer intends to withdraw, the controller shall comply with the request to opt out.

Source: Section 646A.578 — Duties of controller; prohibitions; privacy notice to consumer, https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html.
