Oregon’s Consumer Privacy Act (OCPA): What to Know
Privacy & Compliance | August 22, 2023
On July 18th, 2023, Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act (OCPA) into law, making Oregon the 11th state to pass a comprehensive consumer data privacy law and the sixth to do so in 2023.
The OCPA largely mirrors the slate of VCDPA-inspired laws passed in 2023 and shares their key definitions, business obligations, and core consumer rights: consent is required before sensitive personal data is processed, and consumers can opt out of data sales, targeted advertising, and profiling that drives legally significant decisions.
There are, however, aspects unique to the OCPA that organizations must watch for, including broader definitions of personal and sensitive data and a new consumer right to obtain from a controller a list of the specific third parties to which it has disclosed the consumer’s personal data (or, at the controller’s option, any personal data). The law takes effect on July 1st, 2024.
In this blog, we’ll cover the scope of the Oregon Consumer Privacy Act (OCPA), the rights it grants to Oregon citizens, regulatory requirements for businesses, and how the law will be enforced.
For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.
Who does the Oregon Consumer Privacy Act Apply to?
The OCPA applies to persons who conduct business in Oregon or persons who produce products or services that are targeted to residents of Oregon and control or process the personal data of:
- At least 100,000 consumers, not counting personal data controlled or processed solely to complete a payment transaction, or
- At least 25,000 consumers, where the person also derives at least 25 percent of its annual gross revenue from selling personal data.
Unlike many other state privacy laws, the OCPA sets no minimum revenue threshold for applicability. It also applies to nonprofit organizations, although for nonprofits the law takes effect a year later, on July 1st, 2025.
There are, however, significant exemptions. The OCPA does not apply to government bodies, to financial institutions and their affiliates that are subject to the Gramm-Leach-Bliley Act, to nonprofits established to detect and prevent insurance fraud, or to noncommercial activities related to journalism.
What Rights does the Oregon Consumer Privacy Act provide for Oregon citizens?
Oregon’s privacy law grants residents of the state several new rights, modeled primarily on the rights in the VCDPA, which in turn modeled its consumer rights on the EU’s General Data Protection Regulation (GDPR). Below, we examine the rights common among US data privacy laws, whether Oregon’s law provides them, and the specific requirements for each.
Right to Access
Oregon consumers have the right to confirm whether a controller is processing or has processed their personal data, and to learn the categories of personal data the controller is processing or has processed.
Oregon consumers also have the right to obtain a list of the specific third parties (other than natural persons) to which the controller has disclosed either, at the controller’s option, (a) the consumer’s personal data or (b) any personal data.
This contrasts with the majority of state privacy laws, which merely require controllers to make available the categories of third parties with which they share data. Producing a list of named recipients means marketing and compliance teams must actually track every vendor, ad partner, and data broker that receives personal data, a considerably more complex task than publishing categories.
Right to Correction
Consumers have the right to require a controller to correct inaccuracies in personal data about the consumer, taking into account the nature of the personal data and the controller’s purpose for processing the personal data.
Right to Deletion
Oregon consumers may require a controller to delete personal data about the consumer, including personal data the consumer provided to the controller, personal data the controller obtained from another source, and derived data.
Right to Data Portability
Consumers have the right to a copy of their personal information in a portable and readily usable format.
Right to Opt-Out of Data Processing
Under the OCPA, consumers have the right to opt out of the processing of the consumer’s personal data for purposes of (a) targeted advertising, (b) the sale of the consumer’s personal data, and (c) profiling in furtherance of decisions that produce legal or similarly significant effects.
Controllers may not process a consumer’s sensitive data without first obtaining the consumer’s consent or, if they know the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act (COPPA). Oregon’s definition of sensitive data is broader than most states’ and includes an individual’s status as transgender or non-binary and status as the victim of a crime.
Controllers also may not, without the consumer’s consent, process the personal data of a consumer they know (or willfully disregard) to be between 13 and 15 years old for targeted advertising, the sale of that data, or profiling that drives legally significant decisions.
Data controllers must also provide an effective means for consumers to revoke consent to the processing of their personal data, and beginning January 1, 2026 they must honor consumer-enabled universal opt-out mechanisms (browser- or device-level signals that express the consumer’s opt-out choice to every site they visit).
Right to Opt-Out of Automated Decision Making
Consumers have the right to opt out of the processing of their personal data for profiling in furtherance of decisions that produce legal or similarly significant effects.
What are the Regulatory Requirements for Businesses?
Privacy Notice Requirements
Controllers must provide a “reasonably accessible, clear and meaningful” privacy notice that, among other requirements, lists the categories of personal data (including the categories of sensitive data) the controller processes, describes the controller’s purposes for processing personal data, explains how a consumer may exercise their rights, and lists all categories of personal data (including the categories of sensitive data) that the controller shares with third parties.
Consent Management Requirements
As the opt-out rights above demonstrate, Oregon’s law follows the opt-out consent model common to US state laws. For sensitive personal data, however, it switches to an opt-in model: processing may not begin until the consumer has affirmatively consented.
Data Security Requirements
Controllers must establish, implement, and maintain reasonable data security measures for personal data, and a processor may process personal data on a controller’s behalf only under a contract with that controller that sets out the processing instructions and the processor’s obligations.
Data Protection Assessment Requirements
The OCPA requires that data controllers conduct and document data protection assessments before engaging in processing activities that present a heightened risk of harm (e.g., processing personal data for the purpose of targeted advertising, processing of sensitive data, sale of personal data, and using personal data for certain types of profiling).
Data Collection and Purpose Limitation Requirements
Data controllers must limit the processing of personal data to what is reasonably adequate, relevant, and necessary for the purposes of the processing.
Explicit consent is required for any new purpose beyond those previously disclosed.
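The consent model described above (opt-out for targeted advertising, sale and significant profiling; opt-in for sensitive data; revocation; universal opt-out signals; and explicit consent for any undisclosed purpose) collapses into a single request-time policy decision. The following is an added example written for this post; it is neither CHEQ’s code nor anything from the statute. It assumes that the universal opt-out signal is the Global Privacy Control request header `Sec-GPC: 1`, that the consent-record shape, the sample record and the case list are constructed for the example, and that the sensitive categories beyond the two statuses named on this page are illustrative.

```javascript
// Added example (not CHEQ's code, not statutory text): one policy function that
// decides whether a given processing purpose is currently permitted for a consumer.
// Assumptions: the universal opt-out signal is the GPC header "Sec-GPC: 1"; the
// consent-record shape and sample data are constructed for this example.

const OPT_OUT_PURPOSES = new Set(["targeted_advertising", "sale", "profiling"]);

const SENSITIVE_CATEGORIES = new Set([
  "transgender_or_nonbinary_status", // named on this page
  "crime_victim_status",             // named on this page
  "health",                          // illustrative
  "precise_geolocation",             // illustrative
]);

// True when the request carries a universal opt-out signal. Header names are
// matched case-insensitively; GPC is asserted only by the exact value "1".
function hasUniversalOptOut(headers = {}) {
  return Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === "sec-gpc" && String(value).trim() === "1"
  );
}

// request: { purpose, dataCategory }
// consent: {
//   disclosedPurposes: purposes listed in the privacy notice
//   newPurposeConsent: purposes the consumer explicitly agreed to beyond the notice
//   optedOut:          opt-out purposes the consumer has opted out of
//   sensitiveOptIn:    sensitive categories the consumer affirmatively consented to
//   revoked:           true once the consumer revoked consent (clears every opt-in)
//   knownChild:        true when the controller knows the consumer is a child
// }
function mayProcess(request, consent, headers = {}) {
  const { purpose, dataCategory } = request;
  const revoked = Boolean(consent.revoked);
  const sensitiveOptIn = new Set(revoked ? [] : consent.sensitiveOptIn);
  const newPurposeConsent = new Set(revoked ? [] : consent.newPurposeConsent);

  // 1. Purpose limitation: an undisclosed purpose needs explicit consent for that purpose.
  const disclosed = consent.disclosedPurposes.includes(purpose);
  if (!disclosed && !newPurposeConsent.has(purpose)) {
    return { allowed: false, reason: "undisclosed_purpose_without_consent" };
  }

  // 2. Sensitive data is opt-in; a known child is routed to COPPA handling instead.
  if (SENSITIVE_CATEGORIES.has(dataCategory)) {
    if (consent.knownChild) return { allowed: false, reason: "child_requires_coppa_consent" };
    if (!sensitiveOptIn.has(dataCategory)) return { allowed: false, reason: "no_sensitive_opt_in" };
  }

  // 3. Targeted advertising, sale and significant profiling are opt-out: permitted
  //    unless the consumer opted out, explicitly or through the universal signal.
  if (OPT_OUT_PURPOSES.has(purpose)) {
    if (consent.optedOut.includes(purpose)) return { allowed: false, reason: "consumer_opted_out" };
    if (hasUniversalOptOut(headers)) return { allowed: false, reason: "universal_opt_out_signal" };
  }

  return { allowed: true, reason: disclosed ? "disclosed_purpose" : "consented_new_purpose" };
}

// Constructed sample consent record for one consumer.
const SAMPLE_CONSENT = {
  disclosedPurposes: ["order_fulfillment", "targeted_advertising", "sale"],
  newPurposeConsent: ["loyalty_program"],
  optedOut: ["sale"],
  sensitiveOptIn: ["health"],
  revoked: false,
  knownChild: false,
};

// Runs a list of { request, headers } cases against a consent record and
// returns the decision reason for each, in order.
function decide(cases, consent = SAMPLE_CONSENT) {
  return cases.map(({ request, headers }) => mayProcess(request, consent, headers).reason);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(decide([
    { request: { purpose: "targeted_advertising", dataCategory: "email" } },
    { request: { purpose: "targeted_advertising", dataCategory: "email" }, headers: { "Sec-GPC": "1" } },
    { request: { purpose: "sale", dataCategory: "email" } },
    { request: { purpose: "profiling", dataCategory: "email" } },
    { request: { purpose: "order_fulfillment", dataCategory: "crime_victim_status" } },
  ]));
}
```

The ordering of the checks matters: purpose limitation is evaluated first so that an undisclosed purpose is refused even when the consumer has opted in to the data category, and revocation is applied by emptying the opt-in sets rather than by a separate branch, so a revoked consumer falls through to the same refusal paths as one who never consented. The universal signal is read from the request on every call instead of being cached in the consent record, because the consumer can enable or disable it in the browser at any time.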
How will the law be enforced?
The Oregon Attorney General has exclusive authority to enforce the OCPA, and noncompliance can result in civil penalties of up to $7,500 per violation.
Upon notice of a violation, a controller has 30 days to cure it. This right to cure is temporary: it expires on January 1, 2026. There is no private right of action under the OCPA.
Get Compliant with CHEQ Privacy
State privacy laws like this one are pressing new responsibilities—and penalties—on businesses and marketers. CHEQ Privacy offers organizations a solution to help build a fully compliant website and simplify compliance with Oregon’s law, as well as the UCPA, CTCDPA, VCDPA, CCPA, CPA, GDPR, and any future privacy laws.
Request a demo to see how CHEQ can help your organization meet its compliance and consent management needs.