Oregon has become the eleventh U.S. state to enact a comprehensive privacy law with the recent enactment of the Oregon Consumer Privacy Act (OCPA). The OCPA is among the most privacy protective of U.S. state general privacy laws, with expansive definitions of personal and sensitive data together with broad consumer rights. While the OCPA is modeled on the Virginia/ Colorado/ Connecticut framework and hews most closely to the Colorado and Connecticut statutes, it includes some notable differences, further adding to the ever-expanding patchwork of U.S. state general privacy laws.
The OCPA was signed into law on July 18, 2023, by Oregon Governor Tina Kotek and will go into effect on July 1, 2024.
Expanded Consumer Rights:
The OCPA provides consumers with a relatively robust set of rights with respect to their “personal data,” including the following rights, which, if “authenticated,” the controller must honor:
- Right to Access
- Right to Delete
- Right to Data Portability
- Right to Correct
As part of the “Right to Access,” the OCPA provides the broad right for the consumer to know the specific third parties to which the controller has disclosed the consumer’s personal data, rather than simply the “categories” of third parties. Controllers may choose to respond to such a request either by providing the names of the specific third parties to which it has disclosed the consumer’s personal data or the names of third parties to which it has disclosed any personal data. No other state privacy law currently requires controllers to identify specific third parties to which the controller disclosed a consumer’s personal data. Other state privacy laws only require a controller to identify categories of third parties.
The OCPA also provides consumers with the rights to “opt out” of:
- Targeted advertising
- Sales of personal data
- “Profiling” in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Significantly, like the California, Connecticut, and Colorado statutes, the OCPA requires controllers to comply with opt-out preference signals (sent by a platform, technology, or mechanism – such as Global Privacy Control) indicating a consumer’s intent to opt out of the sale of personal data and/or the processing of personal data for targeted advertising. Such obligation goes into effect for the OCPA on January 1, 2026.
The OCPA extends traditional deletion rights to deletion of personal data that the controller obtained from another source as well as “derived data”.
Expansive Definition of “Personal Data” and “Sensitive Data”
Companies should be mindful of the OCPA’s expansive definitions. The OCPA applies to “personal data,” which includes “derived data” or any unique identifier that is reasonably linkable to a consumer or to a device that identifies one or more consumers in a household.
The definition of “sensitive data” in the OCPA generally means a category of personal data that includes:
- personal data revealing racial or ethnic background/origin, religious beliefs, mental or physical [health] condition or diagnosis, sexual orientation, status as transgender or non-binary, or citizenship or immigration status;
- genetic or biometric data;
- personal data collected from a known child; or
- precise geolocation data.
Notably, the OCPA: (i) follows the relatively broad formulation of “condition” or “diagnosis” with respect to health data [for comparison, Virginia’s VCDPA, among other laws, includes only “diagnosis”]; and (ii) includes “status as transgender or non-binary” as a category of sensitive data, in addition to sexual orientation, the first state general privacy law to expressly do so. In addition, under the OCPA: (a) “biometric data,” includes information that may allow the unique identification of an individual, not just data collected or used for the purpose of such identification; and (b) “precise geolocation data” means 1,750 feet (approximately one-third of a mile).
The OCPA also includes “status as a victim of a crime” as a category of sensitive data. While “noncommercial activity” of media providers represents a unique exemption under the OCPA, commercial activity of journalists and other media providers will be subject to obligations with respect to such sensitive data.
Following the Virginia/Colorado/Connecticut model, the OCPA requires affirmative “opt-in” consent for the processing of “sensitive data”.
Similar to Connecticut’s CTDPA (as well as California’s CCPA), the OCPA prohibits the processing of a consumer’s personal data for targeted advertising or selling a consumer’s personal data without consent if the controller has actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age but younger than 16 years of age. The OCPA goes further than either the CTDPA or the CCPA by also prohibiting the profiling of such teenage consumers in furtherance of decisions that produce legal or similarly significant effects.
The OCPA provides that an agreement obtained through the use of a user interface that has the substantial effect of subverting or impairing a consumer’s “autonomy, decision-making, or choice” (a “dark pattern”) does not constitute valid “consent”.
Data Protection Risk Assessments
The OCPA requires controllers to conduct and document a data protection assessment for each of their “processing activities that presents a heightened risk of harm to a consumer”. Under the OCPA, “heightened risk of harm” follows a relatively customary framework by including, without limitation, targeted advertising, sale of personal data, and profiling that presents any one of a number of enumerated “reasonably foreseeable risks” to consumers.
Imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s handling of data processing activities on behalf of the controller.
Cure Periods, Enforcement, and Damages
The OCPA provides a 30-day cure period to correct violations following receipt of notice of the violation from the Oregon state attorney general, although such cure period sunsets on December 31, 2025.
The Oregon state attorney general has exclusive enforcement authority under the OCPA, meaning that California currently remains the only general state privacy law with a private right of action (albeit a limited one).
The OCPA provides for a relatively customary civil penalty of up to $7,500 per violation.
Scope of Applicability
The applicability standards framework of the OCPA directionally follows that of the Virginia/Colorado/Connecticut framework, but with a key difference with respect to the initial, “business conduct” prong.
Like Texas’s TDPSA, under the OCPA goods and services need not be “targeted” to the state’s residents; instead, an entity satisfies the “business conduct” prong if it either (i) conducts business in Oregon or (ii) provides products or services to residents of Oregon. Under the “number(s) of consumers-based” prong, the OCPA is more customary, requiring that the entity (a) “process” or control the “personal data” of at least 100,000 “consumers” or (b)(x) “process” or control the “personal data” of at least 25,000 “consumers” and (y) derive more than 25% of their gross revenue from the “sale” of “personal data”. The 25% gross revenue threshold is on the low end for such threshold.
The OCPA excludes from the definition of “consumer” individuals “acting in a commercial or employment context”, leaving California’s CCPA as the only U.S. state general privacy law that currently covers personal data with respect to such individuals.
Notably, unlike such other laws as Virginia’s VCDPA, Colorado’s CPA, and Connecticut’s CTDPA, the OCPA does not include an entity-level exemption for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Rather, the OCPA exempts (i) information collected, processed, sold, or disclosed under and in accordance with GLBA and the regulations thereunder, as well as (ii)(a) “financial institutions” (as defined in Oregon Revised Statutes 706.008) and (b) their affiliates that are “only and directly engaged” in certain financial activities.
Similarly, the OCPA does not contain an entity-level exemption for HIPAA “covered entities” or “business associates”; rather, the OCPA more narrowly provides exemptions in that area at the data level, including with respect to the HIPAA “protected health information”.
Unlike each other state privacy law other than Colorado’s CPA, the OCPA does not provide a general exemption for nonprofits, although it contains exemptions for certain enumerated categories of nonprofits.
Directionally similar to Tennessee’s TIPA (which provides an exemption for licensed insurance companies), the OCPA provides separate exemptions for insurers, insurance producers, and insurance consultants.
The first half of 2023 saw seven new general privacy laws passed by U.S. state legislatures, with Oregon’s OCPA the sixth to be signed into law. Following the enactment of the OCPA, more than one-third of the U.S. population now resides in a state with a general privacy law either currently in effect or scheduled to go into effect.
We have substantial experience helping our clients navigate complex patchworks of data protection laws and building compliance programs. Please contact us if you’d like to discuss.
For further information, please contact:
Ieuan Jolly, Partner, Linklaters