The Weekly Breach Breakdown Podcast by ITRC - It's The Law - S6E10

Show Transcript

Welcome back to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown, supported by Sentilink. I’m James E. Lee, the ITRC’s President, and this is the episode for April 4, 2025. Today, we will provide updates on the Oregon Consumer Privacy Act and the California Consumer Privacy Protection Agency.

Soon, it will be seven years since California’s landmark Consumer Privacy Act (CCPA) was signed into law. Since that time, 19 other states have adopted their own versions of the CCPA and its companion Privacy Rights Act, known by its own set of letters (CPRA).

Oregon’s state privacy law, the Oregon Consumer Privacy Act, has been in effect since last summer, and the Beaver State’s Attorney General has issued a report card of sorts on how consumers and businesses are interacting with the Oregon privacy law. Like all of the state privacy and security laws, the Oregon Consumer Privacy Act gives individuals whose data is collected, processed and stored by organizations certain rights. It also imposes certain obligations on businesses.

In the first six months of the Oregon Consumer Privacy Act, consumers tended to complain most about three areas covered under the statute:

• Data brokers, particularly background check websites that sell personal information;
• social media and technology companies, which collect and share user data; and
• denials of consumer rights requests, with the right to delete personal data being the most frequently requested and denied right.

Likewise, state enforcement officials tended to issue failure to comply notices in three areas:

• Lack of required disclosures
• Confusing or incomplete privacy notices
• Difficult or hidden opt-out mechanisms

Oregon has a unique feature in the Oregon Consumer Privacy Act that will expire in January 2026 – a 30-day right to fix a violation. The Oregon privacy law will also expand in July of this year to include nonprofit organizations that are often exempt in other states.

Meanwhile, just across Oregon’s southern border, California’s Consumer Privacy Protection Agency or CPPA (so many letters!) has also been busy addressing similar complaints about failure to follow the law. The Agency just reached a settlement with Honda for failing to comply with some key consumer rights granted under the state’s privacy law.

As part of the settlement, Honda agreed to pay a $632,500 fine, implement a new and simpler process for consumers to submit privacy rights requests, consult a user experience designer to improve the way privacy requests are submitted, train employees on CCPA compliance and change its contracting process to ensure compliance with the CCPA.

Nine other states, including several where previous privacy legislation had failed, are currently considering comprehensive data privacy and security laws. To learn more, click here.

If you want to learn how to secure your personal or business information, you can speak with an expert ITRC expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for supporting this podcast and the ITRC. Please hit the like button for this episode and subscribe wherever you listen to podcasts. Check out our sister podcast, the Fraudian Slip, and tune in next week for another episode of the Weekly Breach Breakdown. Thanks for listening.