Effective June 5, 2026, Oregon Senate Bill 1587 prohibits any state government, local government and special government bodies (each a “public body”) from disclosing personally identifiable information to a data broker unless the data broker first provides a written attestation to the public body that the information will not be sold or otherwise transferred to any entity that will use the information to enforce federal immigration law.

The following key provisions are included in the law:

• Personally Identifiable Information. Personally identifiable information is defined as information that can be used to distinguish or trace an individual’s identity or, when combined with other personal or identifying information, is linked or linkable to a specific individual.
• Data Broker. A data broker is defined as a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person. “Brokered personal data” includes the following data elements about an Oregon resident if categorized or organized for sale or licensing to another person:
  • the resident individual’s name or the name of a member of the resident individual’s immediate family or household;
  • the resident individual’s address or an address for a member of the resident individual’s immediate family or household;
  • the resident individual’s date or place of birth;
  • the maiden name of the resident individual’s mother;
  • biometric information about the resident individual;
  • the resident individual’s social security number or the number of any other government-issued identification for the resident individual; or
  • other information that, alone or in combination with other information that is sold or licensed, can reasonably be associated with the resident individual.
• Rejection of Attestation. If a public body reasonably believes that a data broker’s written attestation contains material misrepresentations, falsehoods or omissions, the public body must reject the written attestation and decline to disclose personally identifiable information to the data broker.
• No Limitation on Disclosure Pursuant to Legal or Court-Ordered Requests. Notably, a public body is allowed to disclose personally identifiable information if:
  • required under Oregon law;
  • required by a court order of competent jurisdiction; or
  • the information is available to the general public and is only disclosed under the same terms and conditions under which the information is available to the general public.