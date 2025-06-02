"Our cars know how fast you're driving, where you're going, how long you stay there. They know where we work, they know whether we stop for a drink on the way home, whether we worship on the weekends, and what we do on our lunch hours." OR Representative David Gomberg

The Oregon Legislature recently enacted House Bill 3875, amending the Oregon Consumer Privacy Act (OCPA) effective September 28. 2025, to broaden its scope to include motor vehicle manufacturers and their affiliates that control or process personal data from a consumer's use of a vehicle or its components.

While this expansion is clear in its application to vehicle manufacturers, it raises important questions for automobile dealerships, particularly those "affiliated"—formally or informally—with manufacturers. Dealerships should consider whether they may now be subject to the full scope of Oregon's privacy law. Of course, they may be subject directly to the OCPA in their own right.

The Amendment: HB 3875

HB 3875 modifies ORS 646A.572 to extend the OCPA's privacy obligations to:

"A motor vehicle manufacturer or an affiliate of the motor vehicle manufacturer that controls or processes personal data obtained from a consumer's use of a motor vehicle or a vehicle's technologies or components."

Who Counts as an "Affiliate"?

To determine whether a dealership is subject to these new obligations, one must examine the OCPA's definition of affiliate:

"Affiliate" means a person that, directly or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person such that:

(a) The person owns or has the power to vote more than 50 percent of the outstanding shares of any voting class of the other person's securities;

(b) The person has the power to elect or influence the election of a majority of the directors, members or managers of the other person;

(c) The person has the power to direct the management of another person; or

(d) The person is subject to another person's exercise of the powers described in paragraph (a), (b) or (c) of this subsection.

This definition introduces some ambiguity for dealerships. Many dealerships operate as independent businesses, even if they sell only one manufacturer's vehicles and display that brand prominently. While they may be contractually tied to a manufacturer, they may not meet the legal standard of being controlled by or under common control with that manufacturer as described in the definition.

However, certain dealership groups—particularly those owned or operated by manufacturers or holding companies—may clearly fall within the definition of "affiliate."

Dealerships should evaluate their corporate structure and agreements with manufacturers to determine whether this definition might apply to them.

Why This Matters

Entities subject to the OCPA must comply with a range of privacy requirements, including:

Providing transparent privacy notices

Obtaining consumer consent for data collection and sharing under certain circumstances

Offering consumer rights such as access, correction, deletion, and data portability

Implementing reasonable data security measures

These obligations extend to any personal data collected through vehicle technologies, such as navigation systems, driver behavior analytics, location data, and mobile app integrations.

Federal Context: FTC Enforcement

Dealerships should also remain aware of federal obligations. Under the Gramm-Leach-Bliley Act (GLBA), auto dealers engaged in leasing or financing must follow privacy and safeguard rules enforced by the Federal Trade Commission (FTC).

The FTC has published detailed guidance for auto dealers, including:

What Dealerships Should Do Now

Even if a dealership is not legally an "affiliate" under the OCPA or subject to a similar state comprehensive privacy law, the trend toward regulating vehicle-generated data suggests it's time to proactively review data practices. Dealerships should:

Conduct a data inventory to identify what personal data is collected, especially from connected vehicle systems. Update privacy notices and practices in accordance with state and federal law. Review contracts with manufacturers and vendors for data-sharing provisions and compliance obligations. Train staff on new privacy responsibilities and how to respond to consumer data requests.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.