Oregon Consumer Privacy Act
The new Oregon Consumer Privacy Act (OCPA) most closely resembles the newly effective Colorado CPA and Connecticut CTDPA, with some notable differences. The OCPA goes into effect July 1, 2024; for non-profit organizations, the effective date is July 1, 2025.
What is essential to know about OCPA, and what are its key requirements?
What You Need to Know About OCPA
OCPA applies to you if your business:
- conducts business or provides products or services to residents in Oregon, and
- processes or controls:
  - personal data about at least 100,000 Oregon consumers annually, other than personal data processed solely for the purpose of completing a payment transaction; or
  - personal data about at least 25,000 Oregon consumers while deriving 25% or more of its gross revenue from the sale of personal data.
- Exempt entities: OCPA grants far fewer entity-level exemptions than most other state laws. The exempt entities are (a) public bodies (including public corporations); (b) certain financial institutions as defined under Oregon law; (c) insurers; (d) nonprofit organizations established to detect and prevent insurance fraud; (e) the non-commercial activities of a publisher, editor, reporter or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report or other publication in general circulation; (f) the non-commercial activities of radio or TV stations; (g) nonprofit radio or TV stations, and nonprofits that provide programming to them; and (h) the non-commercial activities of an entity that provides an information service, including a press association or wire service. By drawing the list this narrowly, Oregon acknowledges that broad entity-level exemptions create loopholes: data processed by an exempt entity but not protected by the federal law that justifies the exemption (for example, non-PHI processed by HIPAA covered entities or business associates) would otherwise escape the law entirely. Notably, OCPA converts several exemptions that are entity-level elsewhere into data-level exemptions (see below).
- Context: Like most other state privacy laws (California being the notable exception), OCPA does not apply to individuals acting in a commercial or employment context.
- Exempt data: data protected by or processed under (a) HIPAA, when processed by a covered entity or business associate; (b) the Common Rule; (c) other specified health and health-related laws; (d) GLBA; (e) the Driver's Privacy Protection Act; (f) FERPA; (g) the Airline Deregulation Act; and (h) the Fair Credit Reporting Act; as well as (i) data processed or maintained solely in connection with employment or another commercial context, and (j) emergency contact information.
If OCPA applies to your business, the practical to-do list is:
- Know which third parties (by name) receive personal data from your company.
- Review and update your Privacy Notice to specify the purposes for which personal data is collected.
- Review whether you process sensitive personal data, including status as transgender or nonbinary or status as a victim of a crime, and be sure you have appropriate consent.
- Implement or update your process for receiving and responding to Individual Rights Requests (including appeals), and be prepared to list the specific third parties that have received personal data.
- Create or update Data Protection Assessments (or Privacy Impact Assessments, if completed for GDPR).
- Ensure that your vendor contracts include appropriate privacy protections.
- Update your technology so that you can recognize universal opt-out mechanisms as of January 1, 2026.
Key Components of OCPA
Oregon expands the definition of personal data found in many other state laws by adding identifiability via one's device. Specifically, personal data is "data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household." The clause covering devices is the Oregon addition.
Like many of the recently enacted state privacy laws, Oregon expands the familiar definition of sensitive data. In addition to the usual elements, such as:
- racial or ethnic background and national origin (note the addition of national origin),
- religious beliefs,
- mental or physical condition or diagnosis,
- sexual orientation,
- citizenship or immigration status (introduced by several state laws passed earlier this year),
- personal data about a child,
- geolocation data that accurately identifies a consumer's present or prior location to within 1,750 feet, or the past or present location of a device linkable to a consumer by means of technology such as GPS (note that Oregon specifies both the language and the distance that define geolocation data), and
- genetic or biometric data.
OCPA adds:
- status as transgender or nonbinary, and
- status as a victim of a crime.
Does OCPA treat children's data specially? In a word: yes.
Parental consent is required to process personal data about a known child (under 13) in accordance with COPPA, and the consumer's consent is required to sell the personal data of a person between the ages of 13 and 15 or to use it for targeted advertising.
Under the new Oregon privacy law, a Privacy Notice must:
- list the categories of personal data, including categories of sensitive data, that are processed;
- describe how a consumer may exercise their rights (see below) and appeal a decision to not fulfill a request;
- list all categories of personal data and sensitive data that are shared with third parties;
- describe the categories of third parties with which personal data is shared;
- include an email address or other online way for a consumer to contact the company;
- describe any targeted advertising and profiling activities and provide a procedure for opting out of the processing for these purposes;
- provide the method(s) by which a consumer can submit a request to exercise their individual rights, including via a webpage/web form.
In addition, OCPA requires that the Privacy Notice “specify … the express purposes for which the controller is collecting and processing personal data.” Finally, Oregon adds a requirement that the company identify itself, including any business name under which the company is registered with the Secretary of State and any assumed business name that the company uses in the state of Oregon.
Oregon follows the lead of California in defining ‘sale’ to include exchange for monetary or other valuable consideration.
As in most states, including Utah, Virginia, Colorado, Connecticut, Montana, Iowa, Tennessee, and Indiana, the Attorney General has sole enforcement authority under OCPA. The Attorney General may bring an enforcement action after providing 30 days' notice and an opportunity for the business to cure the alleged violation(s); this cure period expires on January 1, 2026. Actions may seek injunctive relief (the company must immediately stop certain behaviors) and/or civil penalties of up to $7,500 per violation.
Individual Rights
The Individual Rights created under OCPA generally align with those provided under other state laws. If OCPA applies to your business, you must allow consumers to:
- Confirm whether your business is processing any of their personal data;
- Obtain a list of the specific third parties to which you have disclosed the consumer's personal data or any personal data (this right is unique to Oregon);
- Correct inaccuracies in personal data they provided;
- Delete personal data, including derived data;
- Get a copy of certain personal data (data portability);
- Opt out of the sale of personal data and of processing for profiling or targeted advertising.
Oregon requires that businesses respond to individual rights requests within 45 days of receipt (unless the business has been unable to authenticate a request), with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge at least once a year. If the business declines to take a requested action, the business must notify the consumer in writing, along with instructions for appeal.
As we have seen with other recent state privacy laws, including Montana, Iowa, and Tennessee, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. In Oregon, businesses must respond to appeals within 45 days of receipt and, if denying an appeal, must provide the consumer with the information needed to contact the Oregon Attorney General to submit a complaint. In practice, communicate through the channel you have already been using with the consumer; do not correspond by email and then send the Attorney General's contact information by postal mail.
Unlike Virginia, Montana, Iowa, Tennessee, and Indiana, OCPA does not address pseudonymous data. It does, however, exempt de-identified data from the consumer rights.
Privacy Impact Assessments
Like many of the recent state privacy laws, including Virginia, Connecticut, Montana, Tennessee, and Indiana, OCPA requires that regulated businesses conduct Data Protection or Privacy Impact Assessments. The circumstances under which businesses must complete assessments align with these other laws. Like its predecessors, OCPA also allows assessments conducted for compliance with other laws to satisfy its requirements if they are "reasonably similar in scope and effect."
OCPA requires assessments for processing activities created or generated after July 1, 2024 that present a heightened risk of harm, specifically:
- Processing for targeted advertising;
- Processing sensitive data;
- Selling personal data;
- Processing for the purpose of profiling, if it presents a "reasonably foreseeable risk" of:
  - Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - Financial, physical, or reputational injury to consumers;
  - Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
  - Other substantial injury to consumers.
Vendor Contracts
Like Iowa, Montana, Tennessee, Indiana, and many other state laws, OCPA requires a contract that dictates what vendors must do with respect to processing personal data. Contracts must “set forth clear instructions for processing data, the nature and purpose of processing, the type of data that is subject to processing and the duration of processing” and specify the rights and obligations of both parties. In addition, the contract must require that the processor:
- ensure that each person who processes personal data is subject to a duty of confidentiality;
- delete or return all personal data at the controller’s direction or when it has completed the services, unless retention of the personal data is required by law;
- make available all information necessary to demonstrate the processor’s compliance with its obligations;
- make itself available for audits by the controller, or arrange for an independent auditor to review its policies and practices, and provide a report of the assessment to the controller; and
- pass along the same obligations to any subcontractor in a written contract.
Business Friendly Exceptions
Like the most recent state laws, including the laws in Colorado, Connecticut, Montana, Iowa, Tennessee, and Indiana, OCPA specifies that it should not be construed to restrict a business’s collection, use, or retention of personal data for:
- conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- product recalls;
- identifying and repairing technical errors that impair existing or intended functionality; and
- performing internal operations.
Oregon further expands on this list by adding:
- preventing, detecting, protecting against or responding to, and investigating, reporting, or prosecuting persons responsible for security incidents, identity theft, fraud, and other malicious or illegal activity;
- protecting any person’s health and safety; and
- negotiating, entering into, or performing a contract with a consumer, including to fulfill a warranty.
Data Privacy is Just Good Business
Managing privacy compliance with all the new state privacy laws popping up in the U.S. might seem like a daunting task. But a daunting task is not an impossible one.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.