Current through 2024 Regular Session legislation effective June 6, 2024
Section 646A.576 - Method for requesting personal data; persons who may request personal data on consumer's behalf; designation by consumer; duties of controller; process for appealing controller's refusal of consumer request(1) A consumer may exercise the rights described in ORS 646A.574 by submitting a request to a controller using the method that the controller specifies in the privacy notice described in ORS 646A.578.(2) A controller may not require a consumer to create an account for the purpose described in subsection (1) of this section, but the controller may require the consumer to use an account the consumer created previously.(3) A parent or legal guardian may exercise the rights described in ORS 646A.574 on behalf of the parent's child or on behalf of a child for whom the guardian has legal responsibility. A guardian or conservator may exercise the rights described in subsection (1) of this section on behalf of a consumer that is subject to a guardianship, conservatorship or other protective arrangement.(4) A consumer may designate another person to act on the consumer's behalf as the consumer's authorized agent for the purpose of opting out of a controller's processing of the consumer's personal data, as provided in ORS 646A.574 (1)(d). The consumer may designate an authorized agent by means of an internet link, browser setting, browser extension, global device setting or other technology that enables the consumer to opt out of the controller's processing of the consumer's personal data. A controller shall comply with an opt-out request the controller receives from an authorized agent if the controller can verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.(5) Except as otherwise provided in ORS 646A.570 to 646A.589, in responding to a request under subsection (1) of this section, a controller shall: (a) Respond to a request from a consumer without undue delay and not later than 45 days after receiving the request. The controller may extend the period within which the controller responds by an additional 45 days if the extension is reasonably necessary to comply with the consumer's request, taking into consideration the complexity of the request and the number of requests the consumer makes. A controller that intends to extend the period for responding shall notify the consumer within the initial 45-day response period and explain the reason for the extension.(b) Notify the consumer without undue delay and not later than 45 days after receiving the consumer's request if the controller declines to take action on the request. The controller in the notice shall explain the justification for not taking action and include instructions for appealing the controller's decision.(c) Provide information the consumer requests once during any 12-month period without charge to the consumer. A controller may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within the 12-month period, unless the purpose of the second or subsequent request is to verify that the controller corrected inaccuracies in, or deleted, the consumer's personal data in compliance with the consumer's request.(d) Notify the consumer if the controller cannot, using commercially reasonable methods, authenticate the consumer's request without additional information from the consumer. A controller that sends a notification under this paragraph does not have to comply with the request until the consumer provides the information necessary to authenticate the request.(e) Comply with a request under ORS 646A.574 (1)(d) to opt out of the controller's processing of the consumer's personal data without requiring authentication, except that: (A) A controller may ask for additional information necessary to comply with the request, such as information that is necessary to identify the consumer that requested to opt out.(B) A controller may deny a request to opt out if the controller has a good-faith, reasonable and documented belief that the request is fraudulent. If the controller denies a request under this subparagraph, the controller shall notify the consumer that the controller believes the request is fraudulent, stating in the notice that the controller will not comply with the request.(6) A controller shall establish a process by means of which a consumer may appeal the controller's refusal to take action on a request under subsection (1) of this section. The controller's process must: (a) Allow a reasonable period of time after the consumer receives the controller's refusal within which to appeal;(b) Be conspicuously available to the consumer;(c) Be similar to the manner in which a consumer must submit a request under subsection (1) of this section; and(d) Require the controller to approve or deny the appeal within 45 days after the date on which the controller received the appeal and to notify the consumer in writing of the controller's decision and the reasons for the decision. If the controller denies the appeal, the notice must provide or specify information that enables the consumer to contact the Attorney General to submit a complaint.(7) A controller that obtains personal data about a consumer from a source other than the consumer complies with the consumer's request to delete the personal data if the controller: (a) Deletes the data but retains a record of the deletion request and a minimal amount of data necessary to ensure that the personal data remains deleted and does not use the minimal data for any other purpose; or(b) Opts the consumer out of the controller's processing of the consumer's personal data for any purpose other than a purpose that is exempt under ORS 646A.572.Added by 2023 Ch. 369, § 4 646A.576 becomes operative July 1, 2024. See section 15, chapter 369, Oregon Laws 2023.