OP-ED: Take Note of New Privacy and Security Protections

March 2016

Kristen G. Hilton, CIPP/US

Published in the Daily Journal of Commerce

Businesses operating in Oregon should be aware of three changes to the state's privacy and security laws. Employees' personal social media accounts now have increased protections, state authorities now must be notified of data breaches, and prohibitions against collecting and sharing student data will soon take effect.

Protections for employees' personal social media accounts

Since 2014, Oregon employers have been prohibited from requesting an employee's or applicant's social media username or password, requiring an employee or applicant to add the employer to his or her social media contacts, compelling an employee or applicant to access a personal social media account in front of the employer, or retaliating against an employee or applicant for refusing to do so. As of Jan. 1, employers must comply with additional restrictions when it comes to their employees' social media accounts.

The new provisions, aimed at protecting an employee's right not to engage in social media, prohibit employers from requiring or requesting an employee or applicant to establish or maintain a personal social media account. An employer also cannot require an employee or applicant to authorize the employer to advertise on the employee or applicant's personal social media account.

A "personal" social media account refers to one that is used by an employee or applicant exclusively for personal purposes unrelated to any business purpose of the employer or prospective employer, and that is not provided by or paid for by the employer or prospective employer.

While several states have laws concerning employee privacy in social media, Oregon is the first to adopt these protections.

Expanded data breach law

An updated data breach law took effect on Jan. 1. The amendments to Oregon's Consumer Identity Theft Protection Act expand the definition of "personal information," mandate notification of a data breach to Oregon's Attorney General, and permit civil enforcement actions by state and local law enforcement personnel.

The CITP Act, originally passed in 2007, requires a person who owns, maintains or otherwise possesses data that includes a consumer's "personal information" used in the course of the person's business to implement reasonable safeguards to protect the security, confidentiality and integrity of such personal information. As of Jan. 1, the "personal information" covered by the CITP Act includes biometric, health insurance and medical information.

In the event of a breach that materially compromises the security, confidentiality or integrity of such personal information, the impacted business must notify every affected consumer (individual Oregon residents). For breaches that occur on or after Jan. 1, notice must also be sent in writing or electronically to Oregon's attorney general if the number of Oregon residents to whom notice is sent exceeds 250. All notices must be given in the most expeditious manner possible, without unreasonable delay, unless law enforcement requests a delay.

The amendments also add a new provision that makes a violation of the CITP Act an unlawful practice under Oregon's Unlawful Trade Practices Act. This means that businesses that fail to properly safeguard personal information or comply with the mandatory notification requirements could be subject to civil actions by either the attorney general or local district attorneys. While private individuals do not have a right to sue directly for violation of these laws, they could seek recovery based on other legal theories (such as breach of contract).

New privacy safeguards for student information

Effective July 1, 2016, businesses in the "Ed Tech" industry – education-focused technology service providers – will be subject to a new privacy law governing K-12 student data. The Oregon Student Information Protection Act, modeled after a California law, prohibits Ed Tech providers from selling student data and using such information to target advertising to students or to "amass a profile" on any particular student for non-educational purposes. The law also requires Ed Tech providers to maintain adequate security procedures and to delete student information at the request of a school or district. The type of information covered by the law includes the student's name, address, phone number, email address and information contained in their emails, discipline records and test results.

Ed Tech providers are still permitted to use covered information to develop and improve their own products and services, and may disclose anonymous student data for marketing and other enumerated purposes. Violators may be prosecuted by the Oregon attorney general for unfair business practices relating to data created, provided or gathered after July 1, 2016.

Washington passed a similar student privacy law that goes into effect the same day as Oregon's law. Ed Tech providers that operate in both states should educate themselves on key differences between the statutes. For example, Washington does not make exceptions for "de-identified" or anonymous student data. In addition, Washington prohibits some targeted advertising to students that Oregon expressly permits. Schools and school districts should also be cognizant of the new requirements and ensure that their vendors' policies and procedures are compliant.
