Oregon Consumer Privacy Act

Saul Ewing LLP

On June 22, 2023, the Oregon legislature passed the Oregon Consumer Privacy Act (OCPA), SB 619, with a nearly unanimous vote in the Senate. The bill was developed over the last four years by the Attorney General's Consumer Privacy Task Force, created to answer the call for comprehensive consumer privacy legislation. Oregon became the eleventh state to join the most recent trend in state legislation when Governor Kotek signed the OCPA into law on July 18, 2023.

What You Need to Know About Oregon's Consumer Privacy Law (OCPA):

  • The OCPA contains standards to safeguard personal information, shield Social Security numbers, and notify consumers in case of a security breach. The law covers entities that control or process personal data on 100,000 consumers or derive 50 percent of revenue from selling the data of more than 25,000 consumers.
  • The OCPA does not contain a general exemption for entities subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). Instead, the law exempts only the data governed by these acts, meaning entities must still ensure compliance for any personal information collected that is not covered by HIPAA and GLBA.
  • The OCPA's definition of "sensitive data" is broader than other state laws, covering "national origin," "status as transgender or nonbinary," and "status as a victim of crime." It also contains a comparatively broad definition of "biometric data" including information that may allow the unique identification of an individual, not just data collected or used for the purpose of such identification. 

Oregon follows other states that have recently enacted comprehensive privacy legislation, starting with California's Privacy Rights Act (CPRA), which went into effect on January 1, 2023, and swiftly followed by Colorado, Connecticut, Utah, Virginia, Iowa, Indiana, Montana, Tennessee, Florida and now Oregon. This flurry of legislation is the result of lawmakers establishing individual state data privacy laws in the absence of a comprehensive data privacy law at the federal level.

Scope of OCPA

The OCPA will affirmatively provide Oregonians with a number of important rights over their personal information, and imposes specific obligations on businesses that collect, use, store, disclose, analyze, delete or modify consumers' personal data, and on entities that process personal data on behalf of controllers. To exclude small businesses, the Act has a threshold that must be met before it applies. To be subject to the Act, a business must annually control or process the personal data of 100,000 or more consumers and/or devices linked to consumers; or of 25,000 or more consumers while deriving 25 percent of its gross revenue from personal data sales. This would include 501(c)(3) nonprofits as of July 1, 2025; such nonprofits are currently exempt from all the other state privacy laws except the one that recently took effect in Colorado.

Consumer rights

Under the OCPA, consumers are granted the following rights:

  • Right to Know: Consumers will have the right to know whether controllers are processing their data, as well as the categories of data being processed and third parties the data has been disclosed to. 
  • Consumers will also have a right to obtain a copy of the consumer's personal data that a controller has or is processing.
  • Right to Correction: Consumers will have the right to correct inaccuracies in their data.
  • Right to Deletion: Consumers will have the right to require a controller to delete their personal data held by a controller.
  • Right to Opt Out: Consumers will have the right to opt out of the processing of their personal data for targeted advertising, sale or profiling of the consumer in a way that produces legal effects.
  • Right to Data Portability: When consumers exercise their right to obtain a copy of their personal data held by a controller, it must be provided in a portable and useable format.
  • The Act contains heightened protections (a requirement that data may not be processed without a consumer's affirmative "opt in" consent) for "sensitive data", which includes: personal data revealing racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, gender identity, crime victim status, or citizenship or immigration status; genetic or biometric data; and precise geolocation data.

Children and youth are also given heightened protections under the Act. Specifically:

  • Controllers must follow the requirements of the federal Children's Online Privacy Protection Act (COPPA) when processing the data of children under 13 years old. Further, "opt in" consent is required for targeted advertising or sale of the personal data of a youth 13 to 15 years old.
  • The Act requires controllers to provide a comprehensive privacy notice, including:
    • Categories of data processed;
    • Purposes for processing data;
    • How to exercise consumer rights;
    • Categories of data shared with third parties and categories of third parties receiving data; and
    • Contact information.

Controller duties

Controllers must:

  • Limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purposes set out in the controller's privacy notice; 
  • Obtain consent to process data beyond the specified purposes set out in the privacy notice; 
  • Maintain reasonable data security practices;
  • Not discriminate against consumers for exercising their rights under the Act (note that there is an exception here for loyalty rewards programs); 
  • Ensure that deidentified data stays deidentified; and
  • Conduct data privacy assessments for activities that present a heightened risk of harm to a consumer, including targeted advertising, sale of data, profiling that presents a risk of unfair treatment, disparate impact or injury, and processing of sensitive data. 

Further, the OCPA expressly requires controllers to establish and maintain safeguards to protect personal data that comply with Oregon's Identity Theft Prevention Act, ORS 646A.602, which makes the OCPA more proscriptive than other comprehensive state privacy laws.

Enforcement

The OCPA does not contain a private right of action. The OCPA provides exclusive enforcement authority to the Oregon Attorney General, including levying civil penalties of not more than $7,500 per violation. The OCPA takes effect July 1, 2024; however, amendments made to certain provisions of the OCPA would take effect January 1, 2026. In addition, activities of an organization described in Section 501(c)(3) of the Internal Revenue Code that is exempt from tax under Section 501(a) of the Internal Revenue Code will have until July 1, 2025, to comply.

Pertinent Definitions

  • Biometric data: Personal data generated by automatic measurements of a consumer's biological characteristics, such as the consumer's fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer. "Biometric data" does not include: (A) A photograph recorded digitally or otherwise; (B) An audio or video recording; (C) Data from a photograph or from an audio or video recording, unless the data was generated for the purpose of identifying a specific consumer or was used to identify a particular consumer; or (D) Facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.
  • Consumer: A natural person who resides in this state and acts in any capacity other than in a commercial or employment context.
  • Controller: A person that, alone or jointly with another person, determines the purposes and means for processing personal data.
  • Deidentified data: Data that: (a) Cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or to a device that identifies, is linked to or is reasonably linkable to a consumer; or (b) Is: (A) Derived from patient information that was originally created, collected, transmitted or maintained by an entity subject to regulation under the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as in effect on the effective date of this 2023 Act, or the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. part 46 and in various other federal regulations, as codified in various sections of the Code of Federal Regulations and as in effect on the effective date of this 2023 Act; and (B) Deidentified as provided in 45 C.F.R. 164.514, as in effect on the effective date of this 2023 Act.
  • Personal data: Data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household. "Personal data" does not include deidentified data or data that: (A) Is lawfully available through federal, state or local government records or through widely distributed media; or (B) A controller reasonably has understood to have been lawfully made available to the public by a consumer.
  • Processor: A person that processes personal data on behalf of a controller.
  • Profiling: An automated processing of personal data for the purpose of evaluating, analyzing or predicting an identified or identifiable consumer's economic circumstances, health, personal preferences, interests, reliability, behavior, location or movements.
  • Sensitive data: Personal data that: (A) Reveals a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status; (B) Is a child's personal data; (C) Accurately identifies within a radius of 1,750 feet a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or (D) Is genetic or biometric data. "Sensitive data" as defined in paragraph (a)(C) of this subsection does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
  • Targeted advertising: Advertising that is selected for display to a consumer on the basis of personal data obtained from the consumer's activities over time and across one or more unaffiliated websites or online applications and is used to predict the consumer's preferences or interests. "Targeted advertising" does not include: (A) Advertisements that are based on activities within a controller's own websites or online applications; (B) Advertisements based on the context of a consumer's current search query, visit to a specific website or use of an online application; (C) Advertisements that are directed to a consumer in response to the consumer's request for information or feedback; or (D) A processing of personal data solely for the purpose of measuring or reporting an advertisement's frequency, performance or reach.

Exemptions

The OCPA provides an exemption for personal data governed by the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and a number of other federal laws. Entities subject to HIPAA and GLBA will be able to avail themselves of the data-level exemptions based on those laws, even though those exemptions are more limited, but will need to ensure compliance with the OCPA for personal information collected that is not covered by HIPAA and GLBA. The OCPA also provides exemptions for specific types of non-profits: it does not apply to non-profit organizations that are established to detect and prevent fraudulent acts in connection with insurance, and it does not apply to the non-commercial activities of non-profit organizations that provide programming to radio or television networks.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
