A new privacy law signed last month is a reminder that data protection and privacy are not just issues for companies who must comply with the EU’s General Data Protection Regulation (GDPR). In the United States, regulators at the state level are turning their attention to companies who collect and use personal information – and they are putting in place their own rules about how it should be protected and managed responsibly.

A newly signed Oregon law is an example of how states are moving towards interpreting unfair competition laws to cover statements make in a privacy policy. This trend has been seen in many states. California, Connecticut, Delaware, Utah, Nebraska and Pennsylvania also have enacted various laws related to the posting of accurate privacy policies. The new Oregon law is a good reminder of the enforcement teeth that a growing number of states have with respect to regulating good data management practices.

Oregon now will hold companies liable for misrepresenting – on their websites or in their agreements with consumers – how it collects, maintains, discloses, deletes or disposes of personal information. The law states that if a company makes assertions to consumers about how it handles their information, and those statements do not reflect their actual practices, it may be found to engage in an unfair trade practice. The law provides that consumers can report violations to a hotline maintained by the Oregon Attorney General. The state can bring an action to stop the company from posting the inaccurate privacy policy, and can require companies to provide monetary compensation for damages.

This means that the accuracy of your privacy policy is more important than ever, and companies that rely on boilerplate policies place themselves at risk.

While many companies understand that they are required to post a privacy policy, many don’t understand fully what’s behind that obligation. Often, a company’s policy may be old, out of date – or, worse, copied from someone else’s website. Some organizations post privacy policies giving little or no consideration to what technologies they use and how they use and safeguard data. Posting such a policy is dangerous! Your company’s policy must be accurate and up-to-date: an honest representation of the way that your company collects, processes and protects data. And it must be written in a way that individuals can understand.

In fact, posting a privacy policy is just one step in establishing responsible data practices within a company. It’s often the final step – one that a company takes after it understands what data it collects and maintains, how it uses and shares it, and what steps it takes to protect it. Only after this work is done can a company write and post a policy that accurately reflects a company’s data practices and avoids making misrepresentations to consumers.

What the Oregon law makes clear is that privacy policies – and data protection in general – are not just a concern for companies collecting data about EU citizens and that must meet the requirements of the GDPR. State lawmakers in the U.S. understand the power of personal data and are moving to protect citizens against its misuse. Companies are wise to take steps now to address this issue, as we can expect more activity like this in the states.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact info@achievedcompliance.com.