Oregon privacy bill faces criticism over novel data minimization framework

The House Committee on Commerce and Consumer Protection convened on March 18, 2025, to discuss significant updates to Oregon's data privacy laws. The meeting focused on proposed amendments that could reshape the existing framework governing consumer data processing and privacy rights.

The first major topic addressed was the broad definition of "sale" in the proposed legislation, which overlaps with current Oregon law. This definition aims to encompass not only traditional sales but also the sharing of consumer data. Concerns were raised that the requirement for consumers to opt out of all data processing is unprecedented and disrupts the established balance of consumer rights, which currently allows for selective opt-outs related to data sales and targeted advertising.

Committee members highlighted that consumers already possess rights to delete their data and must provide affirmative consent for the collection of sensitive information, such as biometric data and children's data. The definition of a child, set at under 18 years old, was noted as inconsistent with other state laws.

The discussion also touched on data minimization standards, which Oregon currently aligns with the European GDPR model and California's regulations. The proposed amendments would introduce a new data minimization framework that lacks precedent in other states, potentially complicating compliance for businesses and confusing consumers. Critics argued that the new standards could hinder businesses' ability to provide tailored services and product recommendations.

Another point of contention was the proposed universal opt-out mechanism, which aims to simplify consumer choices regarding targeted advertising and data sales. The amendments would shift from an opt-out to an opt-in model for targeted advertising, raising concerns about the feasibility of implementation and the potential for consumer confusion.

The committee also discussed protections for children's data and reproductive health data, with a willingness expressed to collaborate on enhancing these protections without triggering constitutional challenges. The meeting concluded with an acknowledgment of the need for ongoing review and updates to the data privacy framework to ensure it remains effective and relevant.

Overall, the discussions highlighted the complexities and potential implications of the proposed amendments, emphasizing the need for clarity and balance in consumer data rights and business compliance. The committee plans to continue evaluating these issues in future sessions.