Oregon lawmakers pushed to secure sensitive data from ICE. How does the law work?
A new law could result in state agencies severing their contracts with data brokers who obtain Oregonians’ personally identifiable information and share it with federal immigration authorities.
Senate Bill 1587, which took effect last month, was originally an attempt to dramatically limit the use of data captured by private data brokers for enforcing civil law, including immigration, family and torts claims. State law already bars state agencies from assisting federal immigration enforcement, and data brokers operating in the state since 2024 have been required to register with Oregon regulators. More than 300 data brokers have done so as of July.
The companies, such as online people-search databases or consumer behavior analysts, gather information about individuals to sell it to various stakeholders, including state, local and federal law enforcement. A 2026 report from immigrant rights and privacy advocates found that the U.S. Department of Homeland Security has increasingly funded brokers including the American data analytics platform LexisNexis, which allows users to conduct legal research and verify people’s identities and locations.
But the original bill drew alarm from some industry groups and lawmakers concerned about how it would affect the civil court system during the short legislative session, at a time when Democrats were hoping to focus on directly combatting the Trump administration’s aggressive deportation campaign. That helped push the bill’s lead author, state Sen. Wlnsvey Campos, D-Aloha, to narrow her approach.
The new state law instead focuses on restricting state agencies from giving personal information to data brokers who won’t promise not to hand that data over to the federal government for immigration enforcement. It allows Oregon agencies to reject a data broker’s promises to follow the law if it “reasonably believes” that the company has made “material misrepresentations, falsehoods or omissions.”
Campos’ office said she wasn’t available for an interview this week, insteading offering a statement in which she said she would introduce broader legislation next year.
“Any violation is subject to typical contractual terms — including cancellation of contract and losing our state’s business,” Campos said. “Recognizing that this legislation is more narrowly tailored than what we initially began with in the 2026 session, my office has made a commitment to introducing broader privacy protections in the 2027 session.”
She didn’t explain how state regulators plan to determine if the law is being violated or how individual Oregonians who find out state bodies have shared their information in violation of the law could seek recourse. Oregon’s Criminal Justice Commission, for instance, told the Capital Chronicle in January that it has never investigated any potential sanctuary law violations that it may have funded through state grants to local law enforcement agencies for controversial license plate reading technology that critics have accused of assisting federal immigration enforcement.
Data safeguards growing in Oregon
Efforts to safeguard the sensitive information of Oregonians have grown under the Trump administration’s aggressive immigration crackdown, such as a lawsuit alleging Oregon State Police are violating the state’s sanctuary protections through data sharing agreements with federal law enforcement.
In written testimony, the Portland-based nonprofit Oregon Consumer Justice noted that passing the new data privacy law would advance those protections. The group referred the Capital Chronicle to Campos’ office and immigration attorneys in response to an interview request.
“Advancing technology leaves consumers more vulnerable and less informed about when their data is collected or shared,” Chris Coughlin, the group’s federal policy director, wrote in February testimony. “Public bodies, including state agencies and local governments, are not covered by the Oregon Consumer Protection Act, and Oregonians do not have a way to opt out of public bodies selling their personal information to data brokers.”
In the meantime, support for data privacy has been spurring action in Salem for years. A 2025 state law bans the sale of precise geolocation data of minors under the age of 16. A 2023 law allowed Oregonians to participate in a universal opt-out to stop businesses and nonprofits from swelling or sharing their data on websites for targeted advertising. That can be executed through an online tool in one’s browser, as put forth by Oregon Attorney General Dan Rayfield.
Key to the enforcement of the state’s new data privacy law for state agencies, however, will likely be the Oregon Department of Administrative Services. The agency helps oversee the state’s contracts as well as competitive bidding.
A department spokesperson was not able to provide information about how many contracts would change or any new practices it would adopt by Thursday afternoon.