In July, Oregon’s governor signed into law the Oregon Consumer Privacy Act (“OCPA”), making Oregon the eleventh state to enact a comprehensive privacy law. The OCPA goes into effect on July 1, 2024. Covered businesses other than applicable non-profits must comply with the OCPA by that date. Applicable non-profits will become subject to the OCPA on July 1, 2025.
1. Covered Businesses
Consistent with the trend we have seen in most states outside of California, the OCPA’s coverage thresholds are based on consumer counts, not revenue. The OCPA applies to any person who (1) conducts business in Oregon or provides products or services to residents of Oregon and (2) during a calendar year, controls or processes: (a) the personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the purpose of completing a payment transaction) or (b) the personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data. Notably, there is no requirement that businesses target Oregon residents. The OCPA merely requires a business to provide products or services to Oregon residents for the business to be subject to the OCPA, provided the other requirements are met.
The OCPA exempts public corporations, financial institutions, insurers[1], insurance producers, insurance consultants, licensed third party administrators and nonprofits that are established to detect and prevent fraudulent acts in connection with insurance. Notably, the OCPA does not exempt covered entities or business associates that are regulated by the Health Insurance Portability and Accountability Act (“HIPAA”), but rather exempts protected health information under HIPAA (“PHI”) and information that is commingled with PHI. Additionally, as noted above, nonprofits are not exempt from the OCPA, and nonprofits become subject to the OCPA on July 1, 2025.
2. Covered Information
As with other comprehensive privacy laws, the OCPA’s definition of “personal data” is broad. The OCPA defines “personal data” to include “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” De-identified data, data that is lawfully available through public records or widely distributed media, or data that a controller reasonably has understood to have been lawfully made available to the public by a consumer is excluded.
Additionally, the OCPA has added protections for “sensitive data”, which includes (i) personal data that reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime, citizenship or immigration status; (ii) a child’s personal data; (iii) precise geolocation data; or (iv) genetic or biometric data.
3. Consumer Rights
The rights of consumers under the OCPA are similar to the rights prescribed in other state comprehensive privacy laws. Under the OCPA, a consumer has the right to (i) confirm whether a controller has processed or is processing the consumer’s personal data, (ii) obtain a copy of all personal data of the consumer that a controller has processed or is processing, (iii) require a controller to correct inaccuracies in the consumer’s personal data, (iv) require a controller to delete the consumer’s personal data and (v) opt out of a controller processing the consumer’s personal data for targeted advertising, the sale of the consumer’s personal data or certain profiling purposes (“Opt Out Request”). As with other state comprehensive privacy laws, the OCPA distinguishes between controllers and processors. A “controller” is a person that determines the purposes and the means for processing personal data, whereas a “processor” is a person that processes personal data on behalf of a controller.
4. Compliance
Like other state comprehensive privacy laws, the OCPA requires controllers to provide consumers a privacy notice that (i) lists the categories of personal data that the controller processes and all the categories of personal data that the controller shares with third parties, (ii) describes the controller’s purposes for processing the personal data, (iii) describes how a consumer may exercise their individual rights under the OCPA, (iv) describes all categories of third parties with whom the controller shares personal data, (v) specifies an online method (e.g., email) for contacting the controller, (vi) identifies the controller (including Oregon-registered business names and assumed business names used in Oregon), (vii) describes the controller’s processing of personal data for targeted advertising or profiling and the procedure for opting out of such processing and (viii) describes the method(s) the controller has established for a consumer to submit requests for exercising their rights under the OCPA.
If a consumer submits a request to a controller to exercise their rights under the OCPA in accordance with the method(s) described in the controller’s privacy notice, the controller must respond to such request within 45 days of receiving it. If an extension is reasonably necessary to comply with a consumer’s request, the controller may extend the time to respond by an additional 45 days by notifying the consumer within the initial 45-day response period and explaining the reason for the extension. A controller must also notify the consumer within 45 days of receiving a request of the controller’s decision to decline the request, explaining the justification for declining the request and providing instructions for appealing the controller’s decision. Furthermore, the controller must establish a process for consumers to appeal such decisions. A controller must comply with a consumer’s “Opt Out Request” unless the controller has a good-faith, reasonable and documented belief that such request is fraudulent.
Controllers may not process sensitive data without first obtaining consent from the consumer; if the controller knows the consumer is a child, the controller must process the data in accordance with the Children’s Online Privacy Protection Act of 1998. Controllers also must not discriminate against consumers that exercise rights arising out of the OCPA (e.g., by denying goods or services, charging different prices, etc.). Controllers are also required to conduct a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to consumers, which includes: (i) processing personal data for the purpose of targeted advertising, (ii) processing sensitive data, (iii) selling personal data and (iv) using personal data for purposes of profiling if certain foreseeable risks attach to such profiling. Controllers must retain data protection assessments for at least five years.
5. Enforcement & Penalties
There is no private right of action under the OCPA. The Oregon Attorney General has exclusive authority to enforce the OCPA, and the Attorney General may bring an action to seek a civil penalty of not more than $7,500 for each violation, enjoin a violation or obtain other equitable relief. If the Attorney General prevails, the court may award reasonable attorney fees, expert witness fees and costs of investigation to the Attorney General. If the Attorney General determines that the controller can cure the violation, the Attorney General must notify the controller prior to bringing any action under the OCPA. If the controller fails to cure the violation within 30 days of receiving such notice, then the Attorney General may bring the action without further notice. The statute of limitations for violations of the OCPA is five years after the date of the last act of a controller that constituted the violation for which the Attorney General seeks relief.
[1] Excluding persons that, alone or in combination with another person, establish and maintain a self-insurance program and that do not otherwise engage in the business of entering into policies of insurance.
About Data Points: Privacy & Data Security Blog