LEGAL UPDATE: Oregon Consumer Privacy Act

February 12, 2024

What Is The OCPA?

On July 18, 2023, Oregon joined the growing number of states in signing into law comprehensive data privacy legislation. Effective July 1, 2024, the Oregon Consumer Privacy Act (the OCPA or the Act) will create meaningful privacy protections for Oregon consumers and new data protection obligations for businesses operating in Oregon.

What Does The OCPA Do?

The OCPA will provide Oregonians rights over personal information and impose specific obligations on businesses that collect, use, store, disclose, analyze, delete, or modify consumers’ data.

Under the new law, Oregonians will now have the right to:

  1. Know whether and how their data is being used
  2. Correct inaccuracies in their data
  3. Require a business to delete their data
  4. Opt out of the processing of their data for targeted advertising, sale, or profiling in a way that produces legal effects
  5. Obtain a copy of their data in a portable and usable format

The OCPA also requires opt-in consent for any processing of “sensitive data” that is broadly defined to include information on race and ethnicity, religious beliefs, sexual orientation, health data, gender identity, crime victim status, immigration status, precise geolocation, and more.

The OCPA also expands the rights of children. When processing data of children under the age of 13, businesses must follow the requirements of the federal Children’s Online Privacy Protection Act (COPPA). Furthermore, for children between the ages of 13 and 15, businesses must obtain “opt-in” consent for targeted advertising or sale of personal data.

Scope Of Applicability: Who Does The OCPA Apply To?

The OCPA applies to any person that conducts business in Oregon, or that provides products or services to residents of Oregon, and that during a calendar year controls or processes:

  1. The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or
  2. The personal data of 25,000 or more consumers while deriving 25% or more of the person’s annual gross revenue from selling personal data.

Exemptions to the Act include business-to-business data, employee data, de-identified data, and certain groups such as financial institutions, insurers, and public entities. The Act also does not apply to data collected and processed through other federal privacy laws, including HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and more.

What Kind Of Liability Does Your Company Need To Worry About?

Of particular importance, the Act does not include a private right of action. The Oregon Attorney General has the sole right to enforce the OCPA and can bring an action to seek a civil penalty of up to $7,500 per violation.

The OCPA has expanded obligations for businesses. These obligations include limiting the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes set out in the controller’s privacy notice; obtaining consent to process data beyond the specified purposes set out in the privacy notice; maintaining reasonable data security practices; not discriminating against consumers for exercising their rights under the Act; ensuring that de-identified data stays de-identified; and conducting data privacy assessments for activities that present a heightened risk of harm to a consumer, including targeted advertising, sale of data, profiling that presents a risk of unfair treatment, disparate impact or injury, and processing of sensitive data.

What Should Your Business Do Next?

To set your business up for success, it is best to prepare for compliance by July 1, 2024. To ensure you’re ready, it’s important that you perform a data audit to determine what data is being collected, from whom, and for what purpose. Next, you must understand how stored data moves throughout your company, from consumers and employees to relevant departments and vendors. Last, implement regular monitoring systems to ensure the protection of consumer data rights. 

As state data privacy regulations continue to expand, we’re here to help you understand which states’ laws apply to your business and how to ensure you’re in compliance. 

Schedule a complimentary checkup with our team, or take a self-guided Business Health Assessment to see where your business stands.