Oregon Consumer Privacy Act
The Oregon Consumer Privacy Act (OCPA) most closely follows the stalled Washington Privacy Act model and resembles both the Colorado Privacy Act and Connecticut Data Privacy Act in ways, but includes an onerous obligation tied to access rights. The OCPA’s effective date is July 1, 2024, with obligations for non-profit organizations effective July 1, 2025.
What you need to know about the OCPA:
OCPA applies to entities that:
- Conduct business or provide products or services to residents of Oregon (consumers), and
- Annually control or process the PI of either:
  - 100,000 unique residents, excluding personal information used solely for completing payment transactions; or
  - 25,000 unique residents, and derive more than 25% of gross revenue from the sale of PI.
Exempt entities: OCPA has fewer entity-level exemptions than many U.S. state privacy laws. Exempt entities include:
- Public bodies (public corporations);
- Certain financial institutions as defined under Oregon law;
- Insurers;
- Nonprofit organizations that focus on detecting and preventing insurance fraud; and
- Nonprofit radio or TV, or nonprofits that provide programming.
With these limited entity exemptions, Oregon acknowledges that broad entity-level exemptions create a gap in protections for personal information processed by regulated entities but not protected under existing laws (for example, information that is not protected health information (PHI) but is processed by HIPAA Covered Entities and/or Business Associates).
Exempt data: Oregon exempts a long list of personal information, including but not limited to:
- PHI under HIPAA;
- Data covered by the Gramm-Leach-Bliley Act;
- Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
- Various forms of credit data regulated by the Fair Credit Reporting Act; and
- Data covered by a wide variety of other federal laws including the Family Educational Rights and Privacy Act, Farm Credit Act, and Driver’s Privacy Protection Act.
Exempt Use Cases: The OCPA is not applicable in some circumstances, such as:
- Processing PI in an employment or commercial (B2B) context;
- Noncommercial activity of an entity that provides an information service, including a press association or wire service;
- Non-commercial activities of a publisher, editor, reporter, etc.; and
- Non-commercial activity of radio or TV stations.
In addition, OCPA specifies that it isn’t meant to restrict a business’s collection, use, or retention of PI for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- Product recalls;
- Identifying and repairing technical errors that impair existing or intended functionality;
- Performing internal operations;
- Internal activities related to security incidents, identity theft, fraud, and other malicious or illegal activity;
- Protecting health and safety; and
- Activities related to fulfilling a contract with a consumer.
Key Components of OCPA
The OCPA covers “personal data,” or PI, which Oregon has defined more broadly than many other states to include identifiability via one’s device. Specifically, the definition of PI is “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”
The definition exempts de-identified information and information made publicly available by government records, the media, or the consumer.
Oregon’s definition of sensitive PI includes the following information where that information is not connected to utility metering systems and equipment:
- Racial or ethnic background and national origin;
- Religious beliefs;
- Mental or physical condition or diagnosis;
- Sexual orientation;
- Transgender or nonbinary status;
- Status as a crime victim;
- Citizenship or immigration status;
- PI about a child;
- Precise geolocation data; and
- Genetic or biometric data.
Where a controller processes de-identified data, OCPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without attempting to re-identify it; and contractually obligate any recipients of the data to comply with Oregon’s law. In addition, organizations do not need to comply with privacy rights obligations in relation to de-identified data.
In a word, YES!
Consent is needed before processing PI about a known child (under 13) in accordance with COPPA, and before processing PI of a minor ages 13 through 15 for the purposes of targeted advertising, profiling, or sale.
Consent is also required prior to processing PI for purposes that are not reasonably necessary to or compatible with the business purpose for which the information was collected and notified to the consumer.
Under OCPA, a privacy notice must include:
- Categories of PI, including categories of sensitive PI, processed;
- Business purpose for processing PI;
- Privacy rights;
- Methods for a consumer to exercise their privacy rights (see below) and appeal a rights decision;
- Categories of PI shared with third parties;
- Categories of third parties with which PI is shared;
- Description of targeted advertising and profiling activities including a procedure for opting out of the processing for these purposes; and
- Name of the organization and an electronic method of contact.
Oregon defines “sale” as an exchange of PI for monetary or other valuable consideration.
There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, a disclosure of PI at the direction of the consumer, and the disclosure of PI that the consumer intentionally made available to the public.
The Oregon Attorney General (AG) has sole enforcement authority of OCPA. Under the law, the AG may bring an enforcement action after providing 30 days’ notice and an opportunity for the business to cure the alleged violation(s); the cure period allowance will end January 1, 2026. Penalties may include injunctive relief (the company must immediately stop certain behaviors) and/or fines of up to $7,500 per violation, plus attorney’s fees, investigative costs, and any other relief the court determines appropriate.
There is no private right of action under OCPA.
Privacy Rights
The privacy rights created under OCPA generally align with those provided under other state laws. Notably, the right to access in OCPA includes a consumer’s right to know the specific third parties with which the organization shares their PI, or with which it shares PI in general.
If OCPA applies to your business, you must provide the following privacy rights to consumers:
- Right to know whether a business is processing their PI;
- Right to access PI;
- Right to correct inaccuracies in PI;
- Right to delete PI about them;
- Right to obtain a copy of PI (data portability); and
- Right to opt out of the sale of PI, processing for targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Oregon requires that businesses respond to privacy rights requests within 45 days of receipt, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge at least once a year. If the business cannot authenticate a request or declines to take a requested action for another reason, the business must notify the consumer in writing, including the reason for the declination and instructions for appeal.
The appeals process must be conspicuously available to consumers and similar to the process for submitting an initial privacy rights request. In Oregon, businesses must respond to appeals within 45 days of receipt and, if denying an appeal, must provide or specify information that enables the consumer to contact the AG to submit a complaint.
Universal Opt Out
Oregon requires that controllers recognize universal opt-out signals. Universal opt-out, or global privacy control, is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their PI, to websites through their web browser or other technologies.
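The universal opt-out signal described above reaches a website as an HTTP request header. The following Python is an added example, not code from the article or from any Oregon guidance: it assumes each request is represented as a dict of headers, that consumer preferences are stored as a purpose-to-flag dict, and that the signal maps to the sale and targeted-advertising opt-outs (the purposes Oregon's universal opt-out is assumed here to cover).

```python
"""Added example (not from the article): honoring a Global Privacy Control
(GPC) signal on the server side, as the OCPA universal opt-out duty requires.

Assumptions (not stated in the article): requests arrive as a dict of HTTP
headers; consumer preferences are a dict of purpose -> opted_out flag.
The header name "Sec-GPC" and the value "1" come from the GPC specification.
"""

# Purposes the signal is assumed to cover under OCPA. Profiling opt-outs are
# not carried by GPC and are therefore left to an explicit consumer choice.
GPC_PURPOSES = ("sale", "targeted_advertising")


def gpc_opt_out(headers: dict) -> bool:
    """Return True only when the request carries a valid GPC opt-out signal.

    The GPC spec defines exactly one valid value, "1"; anything else ("0",
    "true", an empty string) is treated as no signal, so the opt-out is
    never applied on a malformed header. Header names are matched
    case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out(prefs: dict, headers: dict) -> dict:
    """Merge a GPC signal into stored preferences without losing explicit choices.

    A signal can only turn an opt-out ON. A request without the header never
    reverses an earlier opt-out (the consumer may be on a different browser),
    and purposes outside GPC's scope are left untouched. The input dict is
    not mutated; a new dict is returned.
    """
    updated = dict(prefs)
    if gpc_opt_out(headers):
        for purpose in GPC_PURPOSES:
            updated[purpose] = True
    return updated


# Constructed sample requests for illustration.
SAMPLE_REQUESTS = [
    {"Sec-GPC": "1", "User-Agent": "example-browser"},  # valid signal
    {"sec-gpc": "0"},                                    # explicit non-signal
    {"Sec-GPC": "true"},                                 # malformed: ignored
    {"User-Agent": "example-browser"},                   # no header at all
]

if __name__ == "__main__":
    prefs = {"sale": False, "targeted_advertising": False, "profiling": False}
    for req in SAMPLE_REQUESTS:
        print(gpc_opt_out(req), apply_opt_out(prefs, req))
```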
Privacy Impact Assessments
OCPA requires that covered organizations conduct data protection impact assessments, or privacy impact assessments (PIAs), for certain high-risk processing.
OCPA requires assessments for activities created or generated after July 1, 2024, that present a heightened risk of harm, specifically including:
- Processing for targeted advertising;
- Processing sensitive PI;
- Selling PI; and
- Profiling that presents a ‘reasonably foreseeable risk’ of:
  - Unfair or deceptive treatment or unlawful disparate impact on consumers;
  - Financial, physical, or reputational injury to consumers;
  - Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
  - Other substantial injury.
Vendor Contracts
OCPA requires that organizations have a contract in place with vendors that dictates obligations with respect to processing PI. Contracts must include:
- Instructions for processing PI;
- The nature and purpose of processing;
- Type of data that is subject to processing;
- The duration of processing;
- A duty of confidentiality for individuals who process the PI;
- Obligation to delete or return all PI at the controller’s direction or when it has completed the services, unless retention of the PI is required by law;
- Obligation to make available all information necessary to demonstrate the vendor’s compliance with its obligations;
- Compliance with audits by the controller or independent auditor and to provide a report of the assessment to the controller; and
- Obligation to pass along these obligations to any subcontractor in a written contract.
Data Minimization
Oregon requires covered organizations to limit their collection of PI “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed.” Where processing is not necessary or compatible with the purpose for collection, organizations must obtain consumers’ consent for the processing.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean that it’s impossible to handle.
You don’t have to go it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate and trust.