Can I ignore consumer requests for information or deletion in Oregon? What are the requirements?

Consumer Requests for Information or Deletion in Oregon

Under Oregon law, businesses cannot ignore consumer requests for information or deletion of their personal information held by the business. The requirements for responding to such requests depend on the type of business and the type of personal information involved.

Requests for Personal Information by a Legitimate Business

If a legitimate business requests personal information from the Oregon Department of Motor Vehicles (DMV), the business must provide evidence to the DMV that it is legitimate under ORS 802.179(3) ^[1.1]. The evidence required includes a current and valid business license, a Certificate of Existence or Authorization issued by the Secretary of State, or other documentation demonstrating that the business is authorized to transact business in Oregon or is formed in accordance with the laws of the jurisdiction in which it is incorporated or organized.

Personal information obtained from the DMV by a legitimate business may only be used for the purposes specified in ORS 802.179(3), and only an employee or owner of the business may obtain personal information from the DMV ^[1.1].

Disclosure to Department of Human Services or Oregon Health Authority

Financial institutions in Oregon must disclose account information to the Department of Human Services or the Oregon Health Authority upon request, but only if the department or authority provides certification that the person on whom the account information is sought is an applicant for or recipient of public or medical assistance, and that the department or authority has authorization from the person for release of the account information ^[3.3].

Electric Company Transfer of Data

Electric companies in Oregon may transfer certain proprietary customer information to the Administrator, but only for customers with usage less than one average megawatt (aMW) and those customers who elect to opt-in as described in Section (11) of ORAR 860-086-0030 ^[5.1]. The information that may be transferred includes customer name, service address, mailing address, in-service or activation date, building type, business type, historical usage data, meter number, rate schedule identifier, and information about energy efficiency program participation. However, certain types of personal information may not be transferred, including social security numbers, billing and payment history, credit information, tax identification numbers, driver license numbers, life support information, medical information, and proprietary customer information for customers who have requested that their information not be shared with third parties ^[5.1].

Public Records Requests

Under ORS 192.314, every person has the right to inspect the public records of a public body in Oregon, including personal information held by the public body ^[2.1]. However, certain personal information may be redacted before disclosure, including residential address and telephone numbers, personal electronic mail addresses and personal cellular telephone numbers, social security numbers and employer-issued identification card numbers, and emergency contact information ^[3.2].

Protected Health Information

Under ORS 192.553, individuals have the right to have their protected health information safeguarded from unlawful use or disclosure, and the right to access and review their protected health information ^[3.1]. The federal Health Insurance Portability and Accountability Act privacy regulations, 45 C.F.R. parts 160 and 164, also establish additional rights and obligations regarding the use and disclosure of protected health information and the rights of individuals regarding their protected health information.

Client Privacy Rights

Under ORAR 943-014-0030, clients have the right to access, inspect, and receive a copy of their information held by a program covered by chapter 411 of the Oregon Administrative Rules ^[6.1]. The Department must make information in a client case record or record of service available to the client or anyone authorized by the client, and information that was obtained from a third party becomes part of the case record of the client and is available to the client ^[4.1].

Conclusion

In Oregon, businesses must comply with various requirements when responding to consumer requests for information or deletion, depending on the type of business and the type of personal information involved. It is important for businesses to understand these requirements and ensure that they are in compliance with applicable laws and regulations. Therefore, businesses cannot ignore consumer requests for information or deletion of their personal information held by the business.

Source(s):

• [1.1] Requests for Personal Information by a Legitimate Business
• [2.1] Public Records Requests: Purpose and Scope
• [3.1] Policy for protected health information.
• [3.2] Required redaction of certain personal information.
• [4.1] Disclosure of Information to the Client or Third Party
• [3.3] Disclosure to Department of Human Services or Oregon Health Authority; procedure; limitations.
• [5.1] Electric Company Transfer of Data
• [6.1] Client Privacy Rights

Jurisdiction

Oregon

• Privacy