On July 18, 2023, Oregon’s Governor Tina Kotek signed SB 619, which created the Oregon Consumer Privacy Act (“OCPA”). Oregon joins California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, and Texas, as the 12th state to enact a comprehensive consumer data privacy law.

Most provisions of the OCPA will take effect on July 1, 2024, with delayed compliance deadlines for honoring the universal mechanisms consumers will use to exercise their right to “opt out” of a platform processing their personal information for certain purposes, and for the activities of tax-exempt organizations described in Section 501(c)(3) of the Internal Revenue Code. Notably, unlike most other state privacy laws, the OCPA exempts only certain nonprofit organizations. For the activities of tax-exempt organizations described in Section 501(c)(3) of the Internal Revenue Code, the OCPA has a delayed effective date of July 1, 2025.

Who must comply with the OCPA’s requirements?

Any entity that conducts business in the State of Oregon, or that provides products or services to residents of the State of Oregon, and that, during a calendar year, controls or processes the Personal Data of:

  • At least 100,000 consumers, excluding Personal Data controlled or processed solely to complete a payment transaction; or
  • At least 25,000 consumers, where the entity derives more than 25% of its gross revenue from selling Personal Data.

What is Personal Data under the OCPA?

The OCPA broadly defines “Personal Data” as information, derived information, or any unique identifier, that is linked or reasonably linkable to an identified or identifiable individual, or a device that identifies an individual. Personal Data does not include (1) de-identified data, or (2) publicly available information.

Are there any entity level or data-level exemptions under the OCPA?

Nonprofit Organizations are generally not exempt.

The OCPA does not provide a broad exemption for nonprofit organizations, unlike almost all the other state consumer privacy laws (note that the Colorado Privacy Act does not grant a full exemption to nonprofits either). The OCPA expressly exempts only (1) nonprofit organizations that are established to detect and prevent fraudulent acts in connection with insurance, or (2) the non-commercial activity of: (i) a publisher, editor, reporter or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report or other publication in general circulation, (ii) a radio or television station that holds a license, (iii) a nonprofit organization that provides programming to radio or television networks, and (iv) an entity that provides an information service, including a press association or wire service. The OCPA also does not apply to public corporations (entities created by the state) or to state and local government bodies.

Entities subject to HIPAA or the GLBA are not exempt from compliance with the OCPA at the entity level.

Most state privacy laws exempt both entities and data governed by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”). However, the OCPA, like the California Consumer Privacy Act (“CCPA”), exempts only data governed by HIPAA and GLBA rather than the entities subject to HIPAA or GLBA.

Who gets the new rights and protections under the OCPA?

Oregon residents acting as consumers in individual or household contexts are covered; individuals acting in employment or commercial contexts are not.

Specifically, the OCPA defines “Consumer” to mean a natural person who resides in Oregon and acts in any capacity other than in a commercial or employment context. Employee data and business-to-business data are excluded from the scope of the OCPA. In fact, the OCPA goes further to specifically exclude from its application information processed or maintained solely in connection with, and for the purpose of, enabling an individual’s:

  • employment or application for employment;
  • ownership of, or function as a director or officer of, a business entity;
  • contractual relationship with a business entity; or
  • receipt of benefits from an employer, including benefits for the individual’s dependents or beneficiaries.

The OCPA establishes for consumers, and the parent or guardian of consumers under the age of 13, the following rights:

1. Right to Know

a. Know whether a controller is processing their Personal Data and the categories of Personal Data processed.

b. At the controller’s option, know the specific third parties to which the controller has disclosed their Personal Data or any Personal Data.

c. Receive a copy of the Personal Data the controller has processed or is processing.

2. Right to Correction

3. Right to Deletion

4. Right to Opt-Out, for purposes of:

a. Personal Data sales;

b. targeted advertising; or

c. profiling in furtherance of automated decisions that produce legal or similarly significant effects for the consumer.

5. Right to Data Portability

6. Sensitive Data Protections

7. Special Protections for Youth

What obligations are imposed by the OCPA?

Covered entities that, alone or jointly with another, determine the purposes and means of processing Personal Data (“controllers”) must:

  • Provide consumers with a reasonably accessible and clear privacy notice describing the express purposes for which they are collecting and processing a consumer’s Personal Data, including by setting forth:
    • the categories of Personal Data the controller processes and the processing purposes;
    • the categories of Personal Data that the controller shares with third parties and the categories of those third parties, if any;
    • how consumers may exercise their rights, including details regarding request and appeal rights;
    • an email address or other online method by which a consumer can contact the controller;
    • the controller’s business name and any assumed business name used in Oregon;
    • if the controller engages in targeted advertising or profiling that produces legal or similarly significant effects for the consumer, how consumers can opt out of that targeted advertising or profiling; and
    • the method(s) the controller has established for consumers to submit a request to exercise their rights.
  • Limit Personal Data collection to what is adequate, relevant, and reasonably necessary for the processing’s purpose.
  • Establish, implement, and maintain data security practices consistent with the Oregon Consumer Information Protection Act’s personal information safeguards requirements in Or. Rev. Stat. § 646A.622.
  • Provide consumers with an effective means to revoke consent. The means must be at least as easy as the means by which the consumer provided consent.
  • Not process consumers’ sensitive Personal Data without first obtaining their consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq.
  • Respond to consumer requests to exercise their rights without undue delay and not later than 45 days after receipt, subject to certain exclusions and extension opportunities.
  • Enter into contracts with their processors that include specified instructions and duties.
  • Only process consumers’ Personal Data for secondary uses with their consent.
  • Not deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality or selection to consumers who exercise a right provided to them under the OCPA.
  • Conduct and document data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including processing sensitive data and processing Personal Data for the purposes of targeted advertising, selling, or profiling where certain foreseeable risks exist.

Does the OCPA create a private right of action or are its obligations enforced by State enforcement agencies only?

There is no private right of action under the OCPA.

The OCPA gives the Oregon Department of Justice exclusive authority to enforce the OCPA’s provisions, including levying civil penalties of “not more than $7,500 per violation.” In addition, the attorney general may bring an action to enjoin a violation of the OCPA or obtain other equitable relief.

The OCPA does not authorize any rulemaking. Therefore, unlike with the CCPA, we are not awaiting implementing regulations or further exemptions or carve-outs. Until relevant case law arises and establishes legal precedent, a comprehensive assessment and interpretation of the implications of the OCPA will be limited to the language of the statute itself.

What are the next steps for entities doing business in and/or collecting or processing personal information in Oregon?

Entities doing business in and/or collecting or processing personal information in Oregon should review their data inventory, collection, and sharing practices to determine whether the OCPA applies to them. Such entities should integrate compliance with the OCPA into their existing data privacy compliance programs before the OCPA’s effective date.