What Does Oregon’s HB 4017 Mean for Data Brokers?

Oregon is one of six US states whose legislature is considering adopting privacy legislation this session, along with Indiana, Washington, Wisconsin, and more. Here’s a look at what’s going on in Oregon — and how the state’s bill differs from others.

Oregon’s HB 4017 is unique in that it is a privacy-adjacent bill: rather than setting general consumer privacy rules, it regulates data brokers. The bill was introduced in the House Committee and referred to the House Business and Labor Committee on February 1, 2022. It was then referred to the Joint Ways and Means Committee for consideration on February 11.

Data Broker Registry

If passed, HB 4017 would require business entities that qualify as data brokers to register with Oregon’s Department of Consumer and Business Services.

The definition of “data broker” under the bill includes any business entity that collects, stores, or transfers personal data of individual Oregon residents.

Business entities that fail to register in accordance with this bill will not be permitted to collect, license, or sell brokered personal data within the state of Oregon.

HB 4017 Exemptions and Penalties

HB 4017 also exempts several types of entities from its definition of a “data broker”, including:

  • consumer reporting agencies
  • financial institutions and affiliates covered under the Gramm-Leach-Bliley Act (GLBA)
  • business entities that collect information on individual residents who are considered to be:
    • customers, subscribers, or users of the business’s goods and/or services
    • employees or agents of the business entity
    • individuals who donate to or invest in the business entity

Additionally, the bill provides civil penalties of up to $500 per violation of the act, caps the civil penalty at $10,000 in a given calendar year, and will declare such actions to be an emergency upon its passage.

Oregon’s HB 4017 Effective Date — and How to Prepare

If passed by both houses before Oregon’s legislative session ends on March 7, the bill will go into effect starting January 1, 2023.

BigID can assist data brokers in preparing for HB 4017’s potential new requirements by helping them classify and catalog the types of data they collect or license — and by automating opt-out requests from individual residents. Find out more about getting ahead of the new privacy laws coming your way with BigID.