On July 18, 2023, Governor Tina Kotek signed the Oregon Consumer Privacy Act (OCPA) into law, making Oregon the 12th U.S. state to enact a comprehensive consumer privacy law.
While the OCPA is similar to the privacy laws of other states and adheres to the general template initially established by Virginia, Connecticut and Colorado, some key differences could present special compliance challenges for companies. For example, the law applies to nonprofit organizations and does not contain the broad exemptions for entities regulated by federal financial and health privacy laws that companies have leveraged in other states. Further differences include a more expansive definition of sensitive data that companies must have opt-in consent to process, as well as a requirement to provide Oregon consumers with a list of specific third parties to which personal data has been disclosed. Since OCPA is similar but not identical to other states’ privacy laws and there is no federal privacy law establishing a single national standard, organizations will likely need to use a “mix and match” approach to privacy compliance programs.
OCPA Implementation
Like the European Union’s General Data Protection Regulation, OCPA and the other state laws are “comprehensive” in the sense that they are not specific to certain industry sectors or types of data. Rather, the purpose of the laws is to: provide the general public with choices regarding how their personal information is collected, used and shared; require greater transparency from companies about data use practices; and impose guardrails for companies around certain activities that create heightened privacy risks.
OCPA is not as onerous as the California Consumer Privacy Act (CCPA) and does not contain a “private right of action,” meaning private litigants will not be able to sue for OCPA violations. It can only be enforced by the Oregon attorney general’s office, which is empowered to launch investigations and enforcement actions under the law and seek civil penalties of $7,500 per violation as well as force defendants to pay attorneys’ fees and other litigation costs if an action is successful.
Most of OCPA takes effect on July 1, 2024, and starting on July 1, 2025, it will apply to both nonprofit organizations and for-profit businesses. As with many data privacy laws, OCPA divides organizations that possess personal data into two categories: “controllers” that determine the purposes and means of processing personal data, and “processors” that process personal data on behalf of a controller. If certain contract language required by the statute is in place, most vendors and service providers would be processors and, therefore, not subject to some of the key obligations under OCPA, such as providing consumers with a compliant privacy notice.
In general, OCPA applies to organizations that conduct business in Oregon or provide products or services to Oregon residents. During a calendar year, organizations must also control or process either the personal data of 100,000 or more consumers (excluding personal data controlled or processed solely for completing payment transactions), or the personal data of 25,000 or more consumers, if the organization derives 25% of its annual revenues from selling personal data. OCPA defines “selling” personal data broadly as an exchange for monetary or other valuable consideration. As a result, a variety of transactions in which publishers of internet properties share data with marketers or adtech companies may be covered.
Defining Data Use and Consumer Rights
OCPA defines the “personal data” it covers as “data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” Personal data may therefore include IP addresses and other types of identifiers that do not actually reveal a consumer’s identity. However, personal data excludes thoroughly de-identified data as well as information that is lawfully available through government records or widely distributed media, such as public social media posts. The definition of “consumer” excludes individuals acting in a commercial or employment context, so employee, job applicant and B2B data are not covered by OCPA.
Like other state privacy laws, OCPA imposes a data minimization requirement. A controller must limit its collection of personal data to only the data that is adequate, relevant and reasonably necessary to serve the purposes the controller specifies in the privacy notice it provides to customers.
Under OCPA, consumers who are Oregon residents have the right to confirm whether a controller is processing their personal data and the categories of personal data processed. Additionally, consumers can obtain a list of specific third parties to which the controller has disclosed their personal data, obtain a copy of their personal data, and require the controller to correct inaccuracies or delete their personal data. They also have the opportunity to opt out of the controller’s processing of their personal data for purposes of targeted advertising, selling the personal data, or profiling to further decisions that produce legal effects or effects of similar significance, such as discrimination, unfair treatment or other harm.
In addition to honoring these opt-out rights, a controller must obtain affirmative and informed opt-in consent in order to process a consumer’s sensitive data and must provide consumers with a means of revoking this consent. As with other state privacy laws, “sensitive data” includes precise geolocation data, biometric data, data about children, and information on racial or ethnic background or religious beliefs. Unlike other states, however, Oregon also includes information that reveals citizenship or immigration status, as well as transgender or non-binary identification.
Obligations for Controllers
Controllers have 45 days to respond after receiving an authenticated request from an Oregon consumer to exercise one of their rights. A controller may extend the response period by another 45 days if reasonably necessary to comply with the consumer’s request, provided that it notifies the consumer and gives a reason for the extension. A controller must also establish a process for the consumer to appeal if it declines to take action on the consumer’s request and must notify the consumer of its decision on the appeal within 45 days.
Other controller obligations include preparing, retaining and providing the Oregon attorney general with a data processing impact assessment for processing activities that could present a heightened risk of harm to individuals. The risks of harm include targeted advertising, processing sensitive data, selling personal data, and using personal data for certain types of profiling that creates a reasonable foreseeable risk of discrimination, unfair treatment or other harm to consumers. Controllers and their processors must also have a binding written contract limiting the processor’s use of personal data to the activities instructed by the controller, and requiring the processor to allow compliance audits.
A major factor differentiating OCPA from most other state privacy laws is the lack of an “entity-level” exemption for organizations regulated by the federal Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). This exemption means an entity subject to HIPAA or GLBA does not have to comply with the particular state privacy law at issue, even when it processes personal data not covered by the federal statute. Instead, OCPA provides “data-level” exemptions for data covered by HIPAA or GLBA, but other types of personal data are still subject to the law. Although OCPA provides an entity-level exemption for certain traditional banking institutions, alternative lenders and many other financial services providers would not qualify for this.
OCPA will not represent a sea change for organizations already compliant with CCPA and other state privacy laws, since it generally recycles the requirements of many of those laws. However, OCPA’s applicability to nonprofits and the lack of entity-level exemptions for organizations regulated by HIPAA or GLBA means OCPA will reach many entities that are exempt from all or most of the other state laws. In addition, its unique definition of sensitive data that requires opt-in consent to process will require greater attention to the types of personal data controllers are collecting and how they use and share this data.
The OCPA also serves as a reminder that, in the absence of comprehensive federal privacy requirements, organizations must continue to monitor developments in the states and adjust their privacy compliance programs to an ever-growing patchwork of obligations.