Oregon has become one of the latest states to adopt a comprehensive data privacy law. The Oregon Consumer Privacy Act (“OCPA” or the “Act”) takes effect July 1, 2024 (nonprofit organizations have until July 1, 2025), and largely mirrors its U.S. privacy law counterparts, with a few unique distinctions. Here is what you need to know.
Scope. The OCPA applies to (i) any person or entity who conducts business in Oregon or provides products or services to residents in Oregon and (ii) during a calendar year, controls or processes:
- The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the completion of a payment transaction) or
- The personal data of 25,000 or more consumers while deriving 25 percent or more of annual revenue from selling personal data.
Processing Roles. Like the GDPR and other U.S. privacy laws (e.g., the Virginia Consumer Data Protection Act, Colorado Privacy Act), any person or entity that “alone or jointly with another person, determines the purposes and means for processing personal data” is a “controller” while any person or entity that “processes personal data on behalf of a controller” is a “processor.” Lastly, a “consumer” is “any natural person who resides in [Oregon] and acts in any capacity other than in a commercial or employment context.”
Defining Personal Data. Personal data under the OCPA mirrors the definition used in other U.S. privacy laws. Under the Act, “personal data” means “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more [Oregon residents] in a household.” Personal data also encompasses the subset of “sensitive data,” which includes personal data that:
- Reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime, or citizenship/immigration status;
- Is a child’s personal data (with “child” being defined as any individual under the age of 13);
- Accurately identifies, within a radius of 1,750 feet, a consumer’s present or past location, or the location of a device that links or is linkable to a consumer (e.g., GPS); or
- Is genetic or biometric data.
Personal data does NOT include de-identified data or data that (a) is lawfully available through federal, state, or local government records or through widely distributed media; or (b) a data controller has reasonably understood to have been lawfully made available to the public by a consumer.
Exempt Organizations/Information. Like other U.S. privacy laws, the Act does not apply to certain entities or information.
The following are just a few entities not bound by the OCPA:
- Public corporations;
- Government agencies;
- Covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but only as to the protected health information (“PHI”) they process in accordance with HIPAA (the OCPA exempts the PHI itself rather than the entity as a whole);
- Consumer reporting agencies;
- Nonprofits focused on detecting and preventing insurance fraud;
- Financial institutions.
The Act also excludes the following types of information:
- Information used for public health activities;
- Information used for research purposes;
- Employment data;
- Information provided during notice of an emergency to persons that an individual specifies;
- Information collected, processed, sold, or disclosed in accordance with the following federal laws:
  - Gramm-Leach-Bliley Act (GLBA);
  - The Driver’s Privacy Protection Act of 1994;
  - The Family Educational Rights and Privacy Act (FERPA); and
  - The Airline Deregulation Act.
- Noncommercial activity of a:
  - Publisher, editor, reporter, or other person who is connected with or employed by media or other publication in general production;
  - Radio or television station that holds a license issued by the Federal Communications Commission (FCC);
  - Nonprofit organization that provides programming to radio or television networks; or
  - Entity that provides an information service, including a press association or wire service.
Consumer Rights. The OCPA empowers Oregon residents to exercise any of the four rights outlined below with respect to their personal data.
- Right to Access: Consumers may request that data controllers confirm:
  - Whether the controller is processing or has processed their personal data and the categories of personal data that the controller is processing or has processed;
  - At the controller’s option, a list of specific third parties, other than natural persons, to which the controller has disclosed: (a) the individual’s personal data; or (b) any personal data; and
  - A copy of all the consumer’s personal data that the controller has processed or is processing.
  - Portability. Housed within this access right is a portability right requiring controllers to provide personal data requested by a consumer in a “portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance.”
- Right to Correction: Consumers can require a controller to correct inaccuracies concerning their personal data (taking into account the nature of the personal data and the controller’s purpose for processing the personal data).
- Right to Deletion: Consumers can require a controller to delete personal data about them, including personal data that the consumer provided to the controller, personal data that the controller obtained from another source, and derived data.
- Opt-Out Right: Consumers may also opt out of a controller’s processing of their data for any of the following purposes:
  - Targeted advertising;
  - Selling personal data; or
  - Profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance.
- Responding to Consumer Requests. The consumer request denial/grant process under the OCPA mirrors other U.S. privacy laws, and controllers must respond to consumer requests within 45 days of receipt of the request. Controllers may extend the period within which they respond by another 45 days if the extension is “reasonably necessary to comply with the consumer’s request, taking into consideration the complexity of the request and the number of requests the consumer makes.” For any extension, the controller must notify the consumer within the initial 45-day response period and explain the reason for the extension.
- Associated Charges with Consumer Requests. Controllers must respond to a consumer’s request without charge once during any 12-month period. A controller may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within the 12-month period, unless the purpose of the second or subsequent request is to verify that the controller corrected inaccuracies in, or deleted, the consumer’s personal data in compliance with the consumer’s earlier request.
Business Obligations. Controllers subject to the OCPA must ensure they meet the following obligations under the Act.
- Consent Revocation. Controllers must provide an effective means by which a consumer may revoke consent, and must cease processing the consumer’s data no later than 15 days after receiving the revocation.
- Maintain/Implement Personal Data Safeguards. Controllers must establish, implement, and maintain the administrative, technical, and physical safeguards described in ORS 646A.622 to protect the confidentiality, integrity, and accessibility of the personal data.
- Data Protection Assessments. Controllers are required to conduct, document, and retain for five years a data protection assessment when engaging in processing activities that present a heightened risk of harm to a consumer. Such processing includes:
  - Processing personal data for the purpose of targeted advertising;
  - Processing sensitive data;
  - Selling personal data; and
  - Using the personal data for purposes of profiling if the profiling presents a reasonably foreseeable risk of:
    - unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    - financial, physical, or reputational injury to consumers;
    - physical or other types of intrusion upon a consumer’s solitude, seclusion, or private affairs or concerns if the intrusion would be offensive to a reasonable person; or
    - other substantial injury to consumers.
- Contract Requirement. The OCPA also requires controllers and processors to enter written contracts with one another to govern the processing relationship between the parties (e.g., a data processing agreement).
Enforcement. Unlike the CCPA, there is no private right of action under the Act. Only the Oregon Attorney General has enforcement powers under the OCPA and may bring an action to (i) seek a civil penalty of not more than $7,500 per violation; (ii) enjoin a violation; or (iii) obtain other equitable relief.
- Cure period. The OCPA provides a 30-day cure period for entities found in violation of the Act. Failure to cure the violation within 30 days after receiving notice of the violation may result in the Attorney General bringing an enforcement action without further notice. This right to cure sunsets on January 1, 2026.
Looking Ahead. Following the trend of enacted state privacy legislation over the last 24 months, we anticipate eventually all 50 states will adopt their own comprehensive data privacy law. With 12 down, there are only 38 to go! To stay on top of the current enacted privacy legislation, review our previous blogs summarizing the U.S. privacy laws pending and those currently in effect. Each link in the “State” column will take you to an article written by Taft’s Privacy & Data Security team regarding the relevant state privacy law.
Comprehensive State Data Privacy Laws
| # | State | Privacy Law Name | Status (e.g., in effect/pending) | Correlating Regulations |
|---|---|---|---|---|
| 1 | California | California Consumer Privacy Act as amended by the California Privacy Rights Act | In Effect | California Privacy Protection Agency (CPPA) Regulations; In Effect |
| 2 | Colorado | Colorado Privacy Act | In Effect | Colorado Privacy Regulations; In Effect |
| 3 | Connecticut | Connecticut Personal Data and Online Monitoring Act (recently amended to include consumer health data) | In Effect | — |
| 4 | Delaware | Delaware Personal Data Privacy Act | Pending; January 1, 2025 | — |
| 5 | Indiana | Indiana Consumer Data Protection Act | Pending; January 1, 2026 | — |
| 6 | Iowa | Iowa Consumer Data Protection Act | Pending; January 1, 2025 | — |
| 7 | Montana | Montana Consumer Data Privacy Act | Pending; October 1, 2024 | — |
| 8 | Oregon | Oregon Consumer Privacy Act | Pending; July 1, 2024 | — |
| 9 | Tennessee | Tennessee Information Protection Act | Pending; July 1, 2025 | — |
| 10 | Texas | Texas Data Privacy and Security Act | Pending; July 1, 2024 | — |
| 11 | Utah | Utah Consumer Privacy Act | Pending; December 31, 2023 | — |
| 12 | Virginia | Virginia Consumer Data Protection Act | In Effect | — |
| * | Washington (consumer health data privacy law) | Washington My Health My Data Act | Pending; March 31, 2024 for regulated entities and June 30, 2024 for small businesses | — |
| * | Nevada (consumer health data privacy law) | SB 370 | Pending; March 31, 2024 | — |

*Entries marked with an asterisk (*) are not comprehensive data privacy laws, but statutes governing a specific type of personal data (e.g., consumer health data).