Oregon’s law applies to any entity (“controller”) that conducts business in the state of Oregon, or that provides products or services to Oregon residents, and that, during a calendar year, controls or processes the personal data of
- 100,000 or more consumers, not including personal data controlled or processed solely for the purpose of completing a payment transaction; or
- 25,000 or more consumers, while deriving 25 percent or more of its annual gross revenue from the sale of personal data.
“Consumer” is defined by the OCPA as a person residing in Oregon and “acting in any capacity other than in a commercial or employment context.” Similar to the other laws passed this year, Oregon’s definition excludes employment-related data.
Oregon’s privacy law is similar to Washington State’s Privacy Act; however, the Oregon law does include some unique provisions. Below are some of the highlights from the OCPA:
Unlike some state privacy laws, the OCPA lacks some of the relatively common entity-level exemptions. For example, the OCPA does not exempt covered entities within the meaning of the Health Insurance Portability and Accountability Act or entities covered by the Gramm-Leach-Bliley Act. However, it does permit numerous data-level exemptions for data covered by federal law.
Like Colorado’s law, the OCPA does not generally exempt non-profits. However, there is a limited non-profit exemption for organizations that (1) are established to detect and prevent fraudulent acts associated with insurance, or (2) provide programming to radio or television networks. Moreover, the OCPA has a one-year exemption for all non-profits until July 1, 2025.
“Personal data” definition
Under the OCPA, “personal data” is defined as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” The definition excludes de-identified data. Covered entities will need to review their data collection and processing procedures, as well as public-facing disclosures related to data collection, use, and disclosure.
The OCPA provides consumers with a right of access to obtain from a controller the following:
- Confirmation that the controller is processing or has processed the consumer’s personal data, and the categories of personal data that have been or are being processed.
- A list of the specific third parties, other than natural persons, to which the controller has disclosed the consumer’s personal data.
- A copy of the personal data that the controller has processed or is processing.
Additionally, out of concerns that doing so would not afford consumers adequate protection, the Oregon legislature does not exclude pseudonymous data from the scope of the OCPA. As a result, controllers must include pseudonymous data when assessing and complying with consumer requests to exercise their access, deletion, correction, or portability rights.
The OCPA also provides the following consumer rights, similar to legislation in other states:
- Correction: to require the controller to correct inaccuracies in personal data about the consumer.
- Deletion: to delete personal data about the consumer.
- Opt out: to opt out of personal data processing for purposes of
  - targeted advertising,
  - the sale of personal data, or
  - profiling in furtherance of decisions producing legal effects or similar effects.
- Data Portability: to provide a copy of personal data in a portable and readily usable format.
Similar to California, Colorado, Connecticut, and Montana, Oregon will require data controllers to recognize universal opt-out mechanisms beginning on January 1, 2026.
Data protection assessments
Joining a number of other states, Oregon will require a controller to conduct a data protection assessment for all processing activities that present a heightened risk of harm to consumers, including processing of the following:
- Sensitive personal data.
- Personal data for targeted advertising, selling, or profiling, where certain foreseeable risks exist.
These data protection assessments must be retained by controllers for at least five years.
The OCPA provides authority to the Oregon Attorney General to enforce the OCPA and to levy civil penalties of up to $7,500 for each violation, or to enjoin the business from certain activities, or to seek other equitable relief. The OCPA has a five-year statute of limitations.
Right to cure
The Oregon Attorney General must provide controllers with a 30-day period to cure violations of the OCPA. However, this right to cure will sunset on January 1, 2026.
Private right of action
Although the initial drafts of the OCPA contained a private right of action for consumers, that provision was ultimately removed. Thus, California is still the only state whose privacy law includes a private right of action for consumers.