Oregon Consumer Privacy Act

On June 22, 2023, both legislative houses of Oregon passed SB619, also known as the Oregon Consumer Privacy Act. If it becomes law, Oregon will become the eleventh US state to pass a consumer privacy bill and grant consumers control over their data privacy.

This control entails obligations for businesses operating in Oregon, and if you are one of them, it is important for you to learn more about this law.

What is the Oregon Consumer Privacy Act (OCPA)?

The Oregon Consumer Privacy Act (OCPA) is designed to protect the consumer data privacy of Oregon residents. It provides specific rights to consumers and imposes obligations on businesses. Non-compliance with the OCPA may result in fines for businesses.

The OCPA aligns closely with the provisions found in other state laws addressing consumer data privacy. It primarily focuses on safeguarding consumer data privacy and excludes employment data from its scope of coverage.

The OCPA is scheduled to become effective on July 1, 2024.

Does the OCPA apply to your business?

The OCPA applies to your business if you operate in Oregon or target Oregon customers, and you meet either of the following criteria:

1. Control or process personal data of at least 100,000 Oregon residents
2. Control or process personal data of at least 25,000 Oregon residents and derive over 25% of your gross revenue from the sale of personal data

While initially achieving these numbers may seem challenging, it's important to consider that tools like Google Analytics, which process IP addresses, or Meta Pixel, which analyze browsing behavior, can effectively enable you to manage data from over 100,000 consumers and fulfill the requirements for applicability under the OCPA.

What is OCPA personal data?

According to the OCPA, personal data is defined as "data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household."

This definition encompasses a wide range of data types. In addition to the obvious categories such as personal names, email addresses, and government-issued numbers, personal data also includes health history, fitness app data, purchase behavior, and other information that has the potential to identify an individual.

It is important to note that employment data, as well as data protected by HIPAA (Health Insurance Portability and Accountability Act) and GLBA (Gramm-Leach-Bliley Act), are explicitly exempt from the scope of the OCPA.

What is OCPA sensitive data?

The OCPA explicitly lists the categories of personal information that are classified as sensitive. These categories include:

• Data revealing an individual's racial origin, ethnic origin, sexual orientation, status as transgender or non-binary, status as a victim of crime, citizenship or immigration status
• Precise geolocation data
• Child's data
• Biometric data for the purpose of identifying a person

According to the OCPA, sensitive data must not be processed without obtaining explicit consent from the user. It is crucial to obtain explicit consent from individuals before processing any sensitive personal information falling within these categories.

What are the general duties of controllers and processors under the OCPA?

Controllers that need to comply with the OCPA have several duties, including:

• Implementing sufficient technical and organizational measures to ensure data security.
• Limiting the processing of data to the purposes for which it was originally collected.
• Processing only the minimum necessary amount of data.
• Ensuring that the categories of collected data align with the intended processing purposes.
• Obtaining explicit consent before processing sensitive data.
• Conducting data protection assessments when necessary.
• Providing consumers with a transparent privacy notice that explains how their data is handled.
• Respecting and fulfilling consumer requests regarding their personal data.
• Establishing data processing contracts with processors to maintain accountability and compliance.

Processors, on the other hand, have the responsibility to:

• Implement appropriate data security measures to protect the data they handle.
• Process data solely based on the contractual agreement with the controller.
• Assist the controller in fulfilling legal compliance requirements.

What is a data processing contract?

The data processing contract serves as a crucial document that governs the relationship between the controller and the processor. It is necessary to have a valid contract in place to ensure legal compliance and avoid violating the OCPA. When drafting a data processing contract, it is essential to include provisions covering the following aspects:

• The identification of both parties involved in the agreement.
• The specific categories of personal data that will be processed.
• The nature and purposes of the data processing activities.
• The duration for which the data will be processed.
• Clearly defined rights and duties of both the controller and the processor.
• The requirement for the processor to provide proof of compliance to the controller upon request.
• The obligation to delete data upon the controller's request.
• A provision on confidentiality and protecting the security of the data.
• Provisions for hiring subcontractors, if applicable.

What is a privacy notice according to the OCPA?

Your OCPA privacy notice is actually your privacy policy. It is the document where you provide transparency about your privacy practices to consumers. Your notice should include the following minimum information:

• Identity of the controller
• Processing purposes
• Categories of processed data
• The categories of data you sell, if applicable
• The categories of third parties to whom you sell data, if applicable
• Consumer rights and instructions on how to exercise them

While not mandated by law, you can include additional information to further enhance transparency.

Is it necessary to obtain consumer consent for data processing?

Yes, explicit consumer consent is required for the processing of sensitive data. Collecting sensitive data without consent violates the law and may result in penalties. This consent must meet specific criteria, including being freely given, specific, informed, and unambiguous.

When collecting information from a known child for processing, obtaining parental consent in accordance with the standards outlined in COPPA (Children's Online Privacy Protection Act) is sufficient for compliance. This ensures that appropriate measures are taken to protect the online privacy of children.

Are we required to honor universal opt-out mechanisms?

The OCPA requires the honoring of universal opt-out mechanisms sent by consumers, such as the Global Privacy Controls (GPC). If you receive a GPC signal from a consumer's browser, you must treat it as a valid opt-out request and honor it.

This obligation will be effective from January 1, 2026.

What is a Data Protection Assessment?

A Data Protection Assessment helps the controller identify the risks associated with processing activities and determine the necessary measures to mitigate those risks. While it may not be mandatory for all businesses, conducting a Data Protection Assessment is a good and useful practice. If you are unsure whether you need to perform one, it is advisable to opt for conducting the assessment.

The law explicitly specifies that businesses must conduct and document a Data Protection Assessment in the following scenarios:

• Sale of personal data
• Processing of sensitive data
• Processing data for targeted advertising
• Processing of data for profiling
• Any other processing that presents an elevated risk to consumers

What are the OCPA consumer rights and requests?

The OCPA grants consumers specific rights regarding their personal data. To exercise these rights, consumers can submit requests to your organization. It is crucial for your organization to comply with these requests to avoid potential penalties.

Consumers have the following rights:

• Right to be informed about the processing
• Right to access their data
• Right to correct their data
• Right to delete their data
• Right to data portability
• Right to opt-out of the sale of data, targeted advertising, or profiling
• Right to opt-in for the processing of sensitive data
• Right to revoke consent
• Right to appeal

The response deadline for consumer requests is 45 days. For complex requests, you may take an additional 45 days, provided that you justify the need for the extension.

How is OCPA enforced and what are the penalties?

Unlike California, Oregon has not established a dedicated data protection agency. Instead, similar to other US states, the enforcement authority lies with the Attorney General.

In Oregon, the Attorney General has the power to investigate violations of data protection laws and can issue a notice to businesses, granting them a 30-day cure period to address the violations.

Failure to remedy the violations within the specified 30-day period can result in fines of up to $7,500 per violation. It's important to note that the cure period will expire in 2026, after which businesses will no longer be given any time to address the violations and will face penalties immediately.