The Oregon Consumer Privacy Act: Does It Apply to Your Organization?

If you’re like a lot of people, you only have so much time to spend reading about new privacy laws. The cadence of state bills and laws this year has been highly aggressive, even for those of us that live and drink data protection for our day jobs.

For those of you, however, that want to “cut to the chase” because you have your own day jobs, this article is designed for you, starting out high-level, and getting progressively deeper the further you read. If you only make it halfway through, that’s okay; you’ll get the big picture by reading sections one, two and three. The data protection gurus can keep reading past that point for deeper details.

Section 1: An Introduction to the Oregon Consumer Privacy Act (OCPA)

Privacy regulations are becoming an increasingly significant area of concern and scrutiny. An embodiment of this trend is the recent introduction of the Oregon Consumer Privacy Act (OCPA), a landmark piece of legislation that significantly bolsters privacy protections for Oregon residents. Enacted on July 18, 2023, the OCPA represents a significant leap forward in terms of state-led consumer privacy protections, setting a high standard for data privacy rights.

The OCPA, which goes into effect on July 1, 2024, operates as a comprehensive data privacy law, placing rigorous obligations on companies handling the personal data of Oregon residents. A delayed effective date of July 1, 2025, has been set for non-profit organizations, which, unlike in most other states, are not exempt under the OCPA.

Section 2: Does the OCPA Apply to My Organization? An Applicability Exercise.

The following exercise can help your organization determine if the law is applicable.

Step 1: Does your organization collect and process personal data?

• If No, then the OCPA does not apply.
• If Yes, proceed to Step 2.

Step 2: Does your organization conduct business in Oregon or provide products or services to Oregon residents?

• If No, then the OCPA does not apply.
• If Yes, proceed to Step 3.

Step 3: Does your organization control or process the personal data of 100,000 or more Oregon residents in a calendar year (except for data processed solely for completing a payment transaction)? OR control or process the personal data of 25,000 or more consumers, deriving 25 percent or more of annual gross revenue from selling personal data?

• If No, then the OCPA does not apply.
• If Yes, proceed to Step 4.

Step 4: Does your organization fall into any of the exempt entity categories under the OCPA, such as public corporations, state government bodies, certain financial institutions, certain insurers, or certain non-profits?

• If Yes, then the OCPA does not apply.
• If No, proceed to Step 5.

Step 5: Does the personal data your organization processes fall into any of the exempt data categories under the OCPA, such as data governed by HIPAA or GLBA, data processed for a purely personal or household activity, or employment-related data?

• If Yes, then the law does not apply as your organization should have implemented a data protection program to comply with these requirements.
• If No, proceed to Step 6.

Step 6: Is the personal data your organization processes exempted due to certain non-commercial activities of a publisher, editor, reporter, or others, or certain non-profit organizations that provide programming to radio or television networks?

• If Yes, then those specific processing activities are not subject to the OCPA, but any other data processing you do may still be.
• If No, then the OCPA applies to your organization.

Please note that this decision tree is a simplified guide and may not cover all scenarios.

Section 3: An At-a-Glance Compliance Checklist for the OCPA

Cutting to the chase, what must a business do to comply with the OCPA? Here are many of the obligations that controllers and processors must do to comply with the OCPA.

• Assess Applicability: Confirm if your organization falls under the applicability criteria of the OCPA (i.e., conducting business in Oregon or providing products or services to Oregon residents, and meeting certain data processing or revenue thresholds).
• Data Inventory and Mapping: Perform a detailed inventory of all personal data that your organization collects, processes, and shares. Understand how this data is used, where it is stored, and with whom it is shared. [1]
• Consumer Rights Response Process: Establish clear processes and mechanisms to respond to consumer requests (access, deletion, correction, portability, etc.) within the specified time frames. [2]
• Sensitive Data Management: Understand how your organization collects, processes, and shares sensitive data as defined by the OCPA. Ensure proper consumer consent is obtained for processing this data. [3]
• Sales of Personal Data: If your organization sells personal data, implement a clear process for consumers to opt-out of the sale of their data. [4]
• Review Exemptions: Evaluate if any exemptions apply to your organization and ensure these are properly accounted for in your privacy operations. [5]
• Privacy Notices: Review and update privacy notices to meet the requirements of the OCPA, including all necessary information about data processing and consumer rights. [6]
• Data Protection Assessments: Perform data protection assessments for processing activities that present a "heightened risk of harm to a consumer." Document these assessments and ensure they are updated regularly and upon significant changes in processing activities. [7] The Attorney General may require a controller to provide any data protection assessments the controller has conducted if the data protection assessment is relevant to an investigation the Attorney General conducts under section 9 of this 2023 Act.
• Processor Contracts: Review contracts with data processors to ensure they include all necessary provisions as mandated by the OCPA. [8]
• Training and Awareness: Ensure all relevant employees and contractors are aware of the requirements of the OCPA and are trained in handling personal data and responding to consumer requests in compliance with the law. [9]
• Data Breach Response Plan: Have a data breach response plan in place that aligns with the OCPA's requirements. Ensure all relevant parties are aware of and trained in this plan. [10]

Please note that this is a high-level checklist and does not cover all aspects of the OCPA. For further details, keep reading below.

Section 4: More Details about Applicability and Exemptions

The Oregon Consumer Privacy Act is applicable to a broad range of entities, but it notably outlines specific thresholds that must be met for businesses to be subject to its provisions. These thresholds align with those under the Colorado Privacy Act and, unlike some other state privacy laws, are not predicated on an entity's annual revenue.

The OCPA applies to any person conducting business in Oregon or providing products or services to Oregon residents and that, during a calendar year:

• Controls or processes the personal data of 100,000 or more Oregon residents (excluding data controlled or processed solely for completing a payment transaction), or
• Controls or processes the personal data of 25,000 or more consumers while deriving 25 percent or more of their annual gross revenue from selling personal data.

One distinguishing feature of the OCPA is its treatment of non-profit organizations. Unlike most other state privacy laws that exempt these entities, the OCPA mandates compliance for non-profits, with an extended implementation deadline of July 1, 2025. This provision underscores Oregon's commitment to comprehensive privacy protections that span across sectors.

Beyond these general applicability provisions, the OCPA includes several unique exemptions that differ from other state privacy laws. For example, it does not contain a general exemption for entities subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), a feature common to most state privacy laws. Instead, the OCPA exempts only the data governed by these acts, meaning entities must still ensure compliance for any personal information collected that is not covered by HIPAA and GLBA.

Furthermore, the OCPA carves out specific exemptions for certain non-commercial activities of publishers, editors, reporters, radio or television stations, non-profit organizations providing programming to networks, and entities providing an information service, including a press association or wire service. It also recognizes unique exemptions for processing-related activities, such as complying with federal, state, or local laws, investigating legal claims, conducting internal research, and more.

The OCPA, in its applicability and unique provisions, underscores the evolution of consumer privacy law, pushing the boundaries and setting new precedents for data privacy regulation.

Section Five: Consumer Rights Under OCPA

Under the Oregon Consumer Privacy Act (OCPA), Oregon residents (operating in any capacity other than commercial or employment contexts) are provided with a number of rights to control their personal data. One of the significant features of the OCPA is the extension of the scope of consumer rights compared to other state privacy laws.

Consumers are granted the right to request specifics about third parties (excluding natural persons) to which a controller has disclosed their personal data. This right is more extensive than in other state privacy laws, which only mandate controllers to identify categories of third parties, not specific entities.

Furthermore, consumers have the right to confirm whether a controller is processing their personal data and the categories of personal data being processed. They are entitled to obtain a portable and readily usable copy of their personal data, correct inaccuracies in their personal data, have their personal data deleted, and opt out of a controller's processing of their personal data for sales, targeted advertising, or profiling that results in "legal effects or effects of similar significance."

Unlike most other state privacy laws, the OCPA does not define pseudonymous data or exclude it from a consumer's rights to confirm, correct, delete, and port their personal data. This lack of exemption could pose a more substantial compliance burden for Oregon businesses, as a larger dataset may be subject to consumer rights requests.

Another unique feature of the OCPA is its requirement for recognizing universal opt-out mechanisms, which will become effective from January 1, 2026. This aligns with the privacy laws of several other states including California, Colorado, Connecticut, Montana, and Texas, which all require recognition of such mechanisms. This provision emphasizes the OCPA's commitment to simplifying the process for consumers to exercise their privacy rights.

Through these provisions, the OCPA underscores its mission to enhance consumer control over personal data, providing Oregon residents with comprehensive tools to manage their privacy.

Section Six: Enforcement and Penalties

The enforcement of the Oregon Consumer Privacy Act (OCPA) falls within the purview of the Oregon Department of Justice, under the state's office of attorney general. The attorney general is given exclusive authority to enforce the provisions of the OCPA, which includes levying civil penalties for non-compliance.

The penalties associated with the breach of the OCPA can be substantial, with the law stipulating a fine of "not more than $7,500 per violation." Besides monetary penalties, the attorney general can also bring an action to enjoin a violation of the OCPA or obtain other forms of equitable relief.

However, the OCPA includes a unique statute of limitations for enforcement actions by the attorney general. Specifically, the attorney general must initiate an action "within five years after the date of the last act of a controller that constituted the violation for which the [attorney general] seeks relief."

One notable provision in the OCPA is the "No Private Right of Action" clause. According to this provision, no private right of action is available to consumers. This means that individual consumers do not have the right to bring a lawsuit to enforce a violation of the OCPA. The law explicitly states that its provisions, along with any other state laws, do not create a private right of action for enforcement of an OCPA violation.

This places the full responsibility of OCPA enforcement on the Oregon Department of Justice, highlighting the crucial role that this body will play in ensuring businesses adhere to this new consumer privacy law.

Section Seven: Other Compliance Requirements

The Oregon Consumer Privacy Act (OCPA) puts forth a set of compliance requirements that organizations must adhere to. One such requirement is a 30-day cure period, which provides businesses with a window of time to rectify violations upon receiving notice from the attorney general. However, this cure period includes a "sunset provision," which means that it will cease to be in effect after a specific period, with the OCPA's cure period scheduled to sunset on January 1, 2026.

Additionally, the OCPA mandates controllers to provide privacy notices. These privacy notices should be "reasonably accessible, clear and meaningful" and include a number of specifics, such as the categories of personal data processed, the controller's purposes for collecting and processing the data, and how consumers can exercise their rights under the law. The notice must also detail the types of personal data shared with third parties and provide a clear procedure for consumers to opt out of certain types of data processing.

In terms of managing data processing, the OCPA sets forth the requirement for written processor contracts when a controller uses a processor to manage personal data on its behalf. These contracts must stipulate that the processor adheres to the controller's instructions, maintains confidentiality of the data, and returns or deletes the data at the end of the services, among other things.

The law also establishes data protection assessment requirements. Controllers must conduct and document assessments for processing activities that present a "heightened risk of harm to a consumer." These activities can include targeted advertising, processing of sensitive data, selling personal data, and using personal data for profiling that may lead to substantial consumer harm. The OCPA requires these assessments to be maintained for at least five years and may request them to evaluate compliance, however, controllers can provide them without waiving applicable attorney-client or work product privileges.

Through these provisions, the OCPA aims to ensure organizations are transparent about their data processing activities and are held accountable for their privacy practices.

Section Eight: Conclusion

In sum, the Oregon Consumer Privacy Act introduces an array of key provisions designed to protect the personal data of Oregon residents and hold businesses accountable for their data practices. The law, which affects a range of businesses, including non-profits, sets forth distinct consumer rights, defines specific terms like 'sale' and 'sensitive data', outlines data protection assessments and privacy notice requirements, and provides a framework for enforcement and penalties.

For businesses and consumers in Oregon, the enactment of the OCPA signifies a pivotal moment in data privacy regulation. Businesses now have a clear roadmap of obligations when it comes to handling consumer data, while consumers are granted more control over their personal information than ever before. This law underlines the critical role of transparency, accountability, and consumer empowerment in today's data-driven landscape.

The enactment of the OCPA, alongside similar laws in other states, may serve as a bellwether for privacy laws in the United States. It not only reflects a growing trend of state-led data protection initiatives but also raises the question of whether a federal privacy law might be on the horizon. As more states follow suit, a unified, national approach to data privacy could become an increasingly appealing and practical solution.

Until then, the OCPA stands as a testament to Oregon's commitment to safeguarding consumer privacy in the digital age.

About the Author

Scott Allendevaux has a doctorate in law and policy from Northeastern University and is senior practice lead of law and policy at Allendevaux & Company. He can be reached at [email protected] .

Need Any Help?

Data protection specialists at Allendevaux & Company implement and maintain data protection programs for multinational organizations, helping them weave the requirements of statutory and contractual laws into their policies and procedures. They usually choose a best-practice framework to employ, such as SOC2 or NIST standards. More popular as of late is stacking ISO standards to create a superstructure of heightened controls, such as ISO 27001 as a foundation, adding ISO 27017 for added cloud security controls, ISO 27018 for PII cloud processors, and ISO 27701 for a privacy management system. NIST controls can also be integrated into this stack. When taking this stackable approach, the requirements of domestic and foreign laws as well as contractual obligations can be integrated into a holistic data protection program, resulting in a certified management system audited by internal and external auditors, producing a certified attestation of assurance that your organization can be trusted to process information responsibly and lawfully. This is a primary focus of Allendevaux & Company, along with the supporting work of its cybersecurity division that provides vulnerability management and independent penetration assessments. More information is available at www.allendevaux.com .

Footnotes

[1] This requirement is derived from page ten of Senate Bill 619. The law does not explicitly mention a requirement for data inventory and mapping, but it does require businesses to understand the personal data they are processing, including its nature and purpose. The best way to accomplish this is through a data inventory and mapping exercise.

[2] The law requires businesses to provide consumers with a way to exercise their rights, such as access, correction, deletion, and portability of their personal data (pages 7-8).

[3] The law requires businesses to obtain explicit consent from consumers before processing their sensitive data (page 4).

[4] The law requires businesses to provide consumers with a way to opt out of the sale of their personal data (page 10).

[5] The law provides several exemptions, and businesses are required to demonstrate that their processing activities qualify for these exemptions (page 6).

[6] The law does not explicitly mention a website privacy notices, but it does require businesses to provide consumers with a notice that is clear and accessible information about their data processing activities (page 8). The best way to do this is usually through a website privacy notice or one in an application of app.

[7] The law requires businesses to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers (page 12).

[8] The law requires businesses to enter into contracts with data processors that include certain provisions (page 10).

[9] The law does not explicitly mention a requirement for training and awareness, but it does require businesses to establish, implement, and maintain safeguards for personal data, which implies the need for training and awareness (page 8), for without such employees are not able to understand their obligations to follow the safeguards.

[10] The law does not explicitly mention a requirement for a data breach response plan, but it does require businesses to establish, implement, and maintain safeguards for personal data, which could imply the need for such a plan (page 8). Having an incident response plan is a best practice and likely an expectation of customer contracts.