07.25.2023

Governor Tina Kotek signed the Oregon Consumer Privacy Act (OCPA or the Act) into law on July 18, 2023. The OCPA goes into effect on July 1, 2024. Oregon follows 11 other states that have enacted comprehensive consumer privacy laws. Like most of its predecessors, the OCPA is modeled on the Virginia Consumer Data Protection Act (VCDPA).

In 2019, Oregon’s attorney general formed a Consumer Privacy Task Force to address protections for Oregon consumers. The Task Force included 150 consumer privacy experts and other stakeholders who developed the OCPA for introduction in the 2023 legislative session. Attorney General Ellen F. Rosenblum—whose office is tasked with exclusive enforcement authority—touted the law as “a high-water mark for consumer data privacy nationwide.”

This Update provides an overview of the OCPA and recommendations on how companies that may be subject to the OCPA can prepare for compliance.

Scope and Applicability

The OCPA’s obligations apply to businesses (referred to as controllers) that (1) conduct business in Oregon or provide products or services to Oregon residents and (2) during a calendar year control or process the personal data of either of the following:

  • 100,000 or more consumers (and/or devices linked to consumers), other than personal data controlled or processed solely for the purpose of completing a payment transaction.
  • 25,000 or more consumers, while deriving 25% or more of the business’s annual gross revenue from selling personal data.

Unlike California, the OCPA has no revenue threshold, and unlike Texas, it has no small business carveout. Like Virginia and its progeny, the OCPA does not cover enterprise (B2B) or employee data.

OCPA Exceptions

There is no broad exemption for nonprofits under the OCPA. The statute merely delays application of the law to 501(c)(3) entities until July 1, 2025. The only nonprofits entirely exempted from the OCPA are those established to detect and prevent fraudulent acts in connection with insurance and those that provide programming to radio or television networks.

Otherwise, the OCPA exceptions will be familiar to those already implementing U.S. state privacy compliance programs. The law does not apply, for example, to consumer reporting agencies covered by the Fair Credit Reporting Act (FCRA) or financial institutions covered by the Gramm-Leach-Bliley Act (GLBA), or to protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA).

Obligations

Data Rights

Like its predecessors, the OCPA provides Oregonians a variety of rights related to their personal data. These rights include: (1) the right to know whether a controller is processing their personal data; (2) correction of inaccuracies in their personal data; (3) deletion of their personal data; (4) the ability to opt out of targeted advertising, the sale of personal data, or profiling; and (5) the ability to obtain a copy of their personal data and have it transmitted to another controller (portability). The OCPA also includes heightened protections for sensitive data (which requires consumer consent to collect or process, a data protection assessment, and a privacy notice listing all categories of sensitive data processed and/or shared with third parties), for children’s data (opt-in consent for targeted advertising directed at children ages 13 to 15), and for deidentified data (including a public commitment not to attempt reidentification and contractual obligations on third parties that receive the data).

Controllers must respond to consumer requests within 45 days of receipt. However, when a consumer revokes consent (where consent is necessary for the processing), the controller has 15 days to stop processing in response to the revocation.

Opt-Out Signals

As with other comprehensive state consumer privacy laws, such as the Texas law, the OCPA allows additional time to implement opt-out signal protocols. While the bulk of the OCPA takes effect on July 1, 2024, controllers have until January 1, 2026, to allow consumers to use a universal opt-out mechanism (subject to certain criteria) to opt out of the sale of personal data or targeted advertising.

If a consumer’s opt-out signal conflicts with the consumer’s participation in a rewards program (i.e., one that provides the consumer a premium feature or discount in return for consent to process their data, such as a customer loyalty program), the controller must either honor the opt-out signal or notify the consumer of the conflict and confirm whether the consumer intends to withdraw from the rewards program. If the consumer confirms that they intend to withdraw from the rewards program, the controller must honor the opt-out request.

Notice Obligations

Controllers subject to the OCPA must provide a privacy notice that includes the following:

  • The categories of personal data the controller processes (including sensitive data).
  • The purposes for processing personal data.
  • How a consumer may exercise the rights provided by the Act (e.g., obtain a copy of their data), including how to appeal a controller’s denial of a request.
  • All categories of personal data the controller shares with third parties.
  • All categories of third parties with which the controller shares personal data.
  • The method by which the consumer can contact the controller.
  • The identity of the controller, including any business name registered with the secretary of state.
  • A description of any processing of personal data for the purpose of targeted advertising or profiling the consumer, and the procedure by which the consumer may opt out of that processing.

Codifying the concept of “data minimization,” the OCPA also requires that affected controllers limit personal data collection to what is “adequate, relevant, and reasonably necessary for the purposes set out in the controller’s privacy notice.” If the controller intends to process data for purposes beyond those included in the notice, the controller must obtain consent. Controllers are also subject to data security and nondiscrimination obligations under the OCPA.

Data Protection Impact Assessments

Under the OCPA, controllers must conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to consumers. Such activities include processing personal data for targeted advertising, processing sensitive data, selling personal data, and using personal data for profiling, if that profiling presents a reasonably foreseeable risk of certain harms to the consumer.

The assessment must identify and weigh the benefits and risks of the processing, taking into account safeguards that may mitigate the risk. The controller should consider the mitigating effect of using deidentified data, the reasonable expectations of consumers, the context of the processing activity, and the relationship between the controller and the consumer. Controllers must retain data protection assessments for at least five years, and the attorney general may require a controller to produce them if relevant to an investigation under the Act.

What Makes the OCPA Unique?

Consumer Reports, a nonprofit consumer organization, praised the Oregon law for its more expansive definitions of certain key terms like personal data, sensitive data, and biometric data. For example, the OCPA defines personal data as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household.”

Additionally, the OCPA has a unique definition of “biometric data” that includes “personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer” and excludes any of the following:

  • Photographs recorded digitally or otherwise.
  • Audio or video recordings.
  • Data from photographs, audio, or video recordings “unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer.”
  • Facial mapping or facial geometry “unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.”

Enforcement

Investigative and enforcement powers are vested exclusively in the Oregon Office of the Attorney General, which may bring an action for an injunction or civil penalties of up to $7,500 per violation. Before commencing an enforcement proceeding, the attorney general must give the controller written notice of the violation. The OCPA provides a 30-day cure period, which will sunset in January 2026. If the controller does not cure the violation within the 30 days, the attorney general may bring an action without further notice. Any action must be brought within five years of the date of the controller’s last alleged violation.

The OCPA does not include a private right of action.

How To Prepare

Businesses should review the OCPA to determine whether it applies to them. While many of its compliance requirements overlap with those of other state privacy laws, some obligations are unique. Preparation may include creating a mechanism for intake of consumer data requests, drafting updated privacy notices, and implementing a process for responding to an investigative demand from the attorney general. Ultimately, businesses should consult with experienced privacy counsel to ensure compliance.

The authors would like to acknowledge the contributions of summer associates Emmy Edwards and Tina Acevedo to this Update.

© 2023 Perkins Coie LLP
