ORS § 646A.570

Current through 2024 Regular Session legislation
Section 646A.570 - Definitions

As used in ORS 646A.570 to 646A.589:

(1) "Affiliate" means a person that, directly or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person such that:
(a) The person owns or has the power to vote more than 50 percent of the outstanding shares of any voting class of the other person's securities;
(b) The person has the power to elect or influence the election of a majority of the directors, members or managers of the other person;
(c) The person has the power to direct the management of another person; or
(d) The person is subject to another person's exercise of the powers described in paragraph (a), (b) or (c) of this subsection.
(2) "Authenticate" means to determine, using commercially reasonable methods, whether a consumer with the rights described in ORS 646A.574, or a person acting on behalf of the consumer, is the consumer who has asked to exercise, or is a person who has authority to exercise, any of the consumer's rights.
(3)
(a) "Biometric data" means personal data generated by automatic measurements of a consumer's biological characteristics, such as the consumer's fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer.
(b) "Biometric data" does not include:
(A) A photograph recorded digitally or otherwise;
(B) An audio or video recording;
(C) Data from a photograph or from an audio or video recording, unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer; or
(D) Facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.
(4) "Business associate" has the meaning given that term in 45 C.F.R. 160.103, as in effect on January 1, 2024.
(5) "Child" means an individual under the age of 13.
(6) "Consent" means an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer's freely given, specific, informed and unambiguous assent to another person's act or practice under the following conditions:
(a) The user interface by means of which the consumer performs the act does not have any mechanism that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer's autonomy, decision-making or choice; and
(b) The consumer's inaction does not constitute consent.
(7) "Consumer" means a natural person who resides in this state and acts in any capacity other than in a commercial or employment context.
(8) "Controller" means a person that, alone or jointly with another person, determines the purposes and means for processing personal data.
(9) "Covered entity" has the meaning given that term in 45 C.F.R. 160.103, as in effect on January 1, 2024.
(10) "Decisions that produce legal effects or effects of similar significance" means decisions that result in providing or denying financial or lending services, housing, insurance, enrollment in education or educational opportunity, criminal justice, employment opportunities, health care services or access to essential goods and services.
(11) "Deidentified data" means data that:
(a) Cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or to a device that identifies, is linked to or is reasonably linkable to a consumer; or
(b) Is:
(A) Derived from patient information that was originally created, collected, transmitted or maintained by an entity subject to regulation under the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as in effect on January 1, 2024, or the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. part 46 and in various other deferral regulations, as codified in various sections of the Code of Federal Regulations and as in effect on January 1, 2024; and
(B) Deidentified as provided in 45 C.F.R. 164.514, as in effect on January 1, 2024.
(12) "Device" means electronic equipment designed for a consumer's use that can transmit or receive personal data.
(13)
(a) "Personal data" means data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.
(b) "Personal data" does not include deidentified data or data that:
(A) Is lawfully available through federal, state or local government records or through widely distributed media; or
(B) A controller reasonably has understood to have been lawfully made available to the public by a consumer.
(14) "Process" or "processing" means an action, operation or set of actions or operations that is performed, automatically or otherwise, on personal data or on sets of personal data, such as collecting, using, storing, disclosing, analyzing, deleting or modifying the personal data.
(15) "Processor" means a person that processes personal data on behalf of a controller.
(16) "Profiling" means an automated processing of personal data for the purpose of evaluating, analyzing or predicting an identified or identifiable consumer's economic circumstances, health, personal preferences, interests, reliability, behavior, location or movements.
(17)
(a) "Sale" or "sell" means the exchange of personal data for monetary or other valuable consideration by the controller with a third party.
(b) "Sale" or "sell" does not include:
(A) A disclosure of personal data to a processor;
(B) A disclosure of personal data to an affiliate of a controller or to a third party for the purpose of enabling the controller to provide a product or service to a consumer that requested the product or service;
(C) A disclosure or transfer of personal data from a controller to a third party as part of a proposed or completed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller's assets, including the personal data; or
(D) A disclosure of personal data that occurs because a consumer:
(i) Directs a controller to disclose the personal data;
(ii) Intentionally discloses the personal data in the course of directing a controller to interact with a third party; or
(iii) Intentionally discloses the personal data to the public by means of mass media, if the disclosure is not restricted to a specific audience.
(18)
(a) "Sensitive data" means personal data that:
(A) Reveals a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status;
(B) Is a child's personal data;
(C) Accurately identifies within a radius of 1,750 feet a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or
(D) Is genetic or biometric data.
(b) "Sensitive data" as defined in paragraph (a)(C) of this subsection does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(19)
(a) "Targeted advertising" means advertising that is selected for display to a consumer on the basis of personal data obtained from the consumer's activities over time and across one or more unaffiliated websites or online applications and is used to predict the consumer's preferences or interests.
(b) "Targeted advertising" does not include:
(A) Advertisements that are based on activities within a controller's own websites or online applications;
(B) Advertisements based on the context of a consumer's current search query, visit to a specific website or use of an online application;
(C) Advertisements that are directed to a consumer in response to the consumer's request for information or feedback; or
(D) A processing of personal data solely for the purpose of measuring or reporting an advertisement's frequency, performance or reach.
(20) "Third party" means a person, a public corporation, including the Oregon Health and Science University and the Oregon State Bar, or a public body, as defined in ORS 174.109, other than a consumer, a controller, a processor or an affiliate of a controller or processor.

ORS 646A.570

Added by 2023 Ch. 369, § 1

646A.570 becomes operative July 1, 2024. See section 15, chapter 369, Oregon Laws 2023.