Oregon § 646A.583 Controller’s use of deidentified data; exclusions

Oregon Statutes

§ 646A.583 — Controller’s use of deidentified data; exclusions

Oregon § 646A.583

Vol.16

Title 50Trade Regulations and Practices

Ch. 646ATrade Regulation

This text of Oregon § 646A.583 (Controller’s use of deidentified data; exclusions) is published on Counsel Stack Legal Research, covering Oregon primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Or. Rev. Stat. § 646A.583 (2026).

Text

(1)(a) A controller that possesses deidentified data shall:

(A)Take reasonable measures to ensure that the deidentified data cannot be associated with an individual;

(B)Publicly commit to maintaining and using deidentified data without attempting to reidentify the deidentified data; and

(C)Enter into a contract with a recipient of the deidentified data and provide in the contract that the recipient must comply with the controller’s obligations under ORS 646A.570 to 646A.589.

(b)A controller that discloses deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and shall take appropriate steps to address any breaches of the contractual commitments.

(c)This section does not prohibit a controll

Free access — add to your briefcase to read the full text and ask questions with AI

(1)(a) A controller that possesses deidentified data shall:
(A) Take reasonable measures to ensure that the deidentified data cannot be associated with an individual;
(B) Publicly commit to maintaining and using deidentified data without attempting to reidentify the deidentified data; and
(C) Enter into a contract with a recipient of the deidentified data and provide in the contract that the recipient must comply with the controller’s obligations under ORS 646A.570 to 646A.589.
(b) A controller that discloses deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and shall take appropriate steps to address any breaches of the contractual commitments.
(c) This section does not prohibit a controller from attempting to reidentify deidentified data solely for the purpose of testing the controller’s methods for deidentifying data.
(2) ORS 646A.570 to 646A.589 do not:
(a) Require a controller or processor to:
(A) Reidentify deidentified data; or
(B) Associate a consumer with personal data in order to authenticate the consumer’s request under ORS 646A.576 by:
(i) Maintaining data in identifiable form; or
(ii) Collecting, retaining or accessing any particular data or technology.
(b) Require a controller or processor to comply with a consumer’s request under ORS 646A.576 if the controller:
(A) Cannot reasonably associate the request with personal data or if the controller’s attempt to associate the request with personal data would be unreasonably burdensome;
(B) Does not use personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with any other personal data about the specific consumer; and
(C) Does not sell or otherwise voluntarily disclose personal data to a third party, except as otherwise provided in this section.