Oregon: Consumer Privacy Act - a comprehensive consumer state privacy law
On July 18, 2023, Oregon became the latest US State to adopt a comprehensive consumer privacy law when the Governor of Oregon, Tina Kotek, signed into law Senate Bill 619 relating to the protections for the personal data of consumers.
OneTrust DataGuidance Research brings you up to speed, by providing an overview of the Oregon Consumer Privacy Act (OCPA), prior to the entry into force of most of its provisions on July 1, 2024.
The OCPA includes definitions for terms, such as 'consent,' 'child,' 'processing,' 'controller,' 'profiling,' 'sale,' and 'targeted advertising.'
Under the OCPA, most of the key terms replicate those of other US State consumer privacy laws. Specifically:
- 'consumer' means a natural person who resides in Oregon and acts in any capacity other than in a commercial or employment context;
- 'controller' means a person that, alone or jointly with another person, determines the purposes and means of processing personal data;
- 'processor' means a person that processes personal data on behalf of a controller; and
- 'personal data' denotes data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer, or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household, with the exclusion of deidentified data.
Regarding 'sensitive data,' the definition provided by the OCPA is broader than in other US State consumer privacy laws, in that the term comprises personal data that:
- reveals a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime, or citizenship or immigration status;
- is a child's personal data;
- accurately identifies, within a radius of 1,750 feet, a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer, by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates, subject to certain exceptions; or
- is genetic or biometric data.
Importantly, with regard to genetic and biometric data, all other US State consumer privacy laws include genetic and biometric data within the category of 'sensitive data' only when it is processed for the purpose of uniquely identifying a consumer or individual; the OCPA does not impose such a purpose requirement, so genetic and biometric data is sensitive data regardless of the purpose of processing.
Scope of application
The OCPA applies to any person that conducts business in Oregon or provides products or services to residents of Oregon and that, during a calendar year, controls or processes:
- the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
- the personal data of 25,000 or more consumers, while deriving 25% or more of the person's annual gross revenue from selling personal data.
On the other hand, the OCPA expressly specifies certain organizations or data that fall outside its scope of application. Notably, the OCPA does not provide an entity-level exemption for Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) covered entities, but rather a data-level exemption, as indicated below.
Specifically, the OCPA does not apply to, among others:
- public corporations or bodies;
- protected health information that a covered entity, or business associate, processes in accordance with, or documents that a covered entity or business associate creates for the purpose of complying with, HIPAA and its regulations;
- information that identifies a consumer in connection with certain research activities;
- patients' information under certain circumstances;
- information processed or maintained solely in connection with, and for the purpose of enabling:
  - an individual's employment or application for employment;
  - an individual's ownership of, or function as a director or officer of, a business entity;
  - an individual's contractual relationship with a business entity;
  - an individual's receipt of benefits from an employer, including benefits for the individual's dependents or beneficiaries; or
  - notice of an emergency to persons that an individual specifies;
- any activity that involves collecting, maintaining, disclosing, selling, communicating, or using information for the purpose of evaluating a consumer's creditworthiness and credit status, if done strictly in accordance with the provisions of the Fair Credit Reporting Act (FCRA);
- consumer reporting agencies and persons that provide information to them;
- information collected, processed, sold, or disclosed under, and in accordance with, certain federal laws, including the GLBA; and
- financial institutions, insurers, insurance producers, and insurance consultants in certain circumstances.
Notably, unlike other US State consumer privacy laws, the OCPA does not provide for a general exemption for non-profit organizations, and instead, only non-profit organizations established to detect and prevent fraudulent acts in connection with insurance and non-profit organizations that provide programming to radio or television networks are outside the OCPA's scope. Likewise, non-commercial activities of certain actors in the editorial and media sectors are also exempt.
The OCPA provides consumers with certain rights and lays down procedures for their exercise.
Right of access
The consumer has the right to obtain from the controller confirmation as to whether the controller is processing or has processed their personal data, and the categories of personal data the controller is processing or has processed. Similarly, the consumer may obtain a list of the specific third parties, other than natural persons, to which the controller has disclosed either the consumer's personal data or, at the controller's option, any personal data.
The consumer may also exercise the right to obtain a copy of the data processed by the controller (in this regard, please see also the subsection on the right to data portability below).
Right to correction
The consumer may require the controller to correct inaccuracies, taking into account the nature of the personal data and the controller's purpose for processing it.
Right to deletion
The consumer may require a controller to delete personal data about them, including personal data the consumer provided to the controller or personal data the controller obtained indirectly, as well as derived data.
Further to the above, a controller that obtains personal data about a consumer from a source other than the consumer complies with the consumer's request to delete the personal data if the controller:
- deletes the data but retains a record of the deletion request and a minimal amount of data necessary to ensure that the personal data remains deleted and does not use the minimal data for any other purpose; or
- opts the consumer out of the controller's processing of the consumer's personal data for any purpose other than a purpose that is exempt under Section 2 of the OCPA.
Right to opt-out
The consumer may opt-out from a controller's processing of personal data if the controller processes it for:
- targeted advertising;
- selling the personal data; or
- profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance.
Right to data portability
When the consumer obtains a copy of their personal data, in the exercise of their right of access, they also have the right to receive the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance.
Procedures for the exercise of consumer's rights
Consumers may exercise the above rights by submitting a request to a controller, and the method or methods for submitting a consumer's request to a controller must be identified in the controller's privacy notice. The methods adopted must be decided by the controller taking into account:
- the ways in which consumers normally interact with it (and in this sense, the method chosen by the controller may consist of using an account the consumer created previously with the controller);
- a need for security and reliability in communications related to the request; and
- the controller's ability to authenticate the identity of the consumer that makes the request.
Regarding the right to opt-out, the controller must provide a clear and conspicuous link to a webpage where the consumer or an authorized agent (please see below under this subsection for further information) may opt out from a controller's data processing. Only if the controller does not have the capacity needed for linking to a webpage can another method be provided to the consumer to opt-out.
Importantly, starting from January 1, 2026, controllers must recognize and process universal opt-out preference signals as a method for submitting a request. Accordingly, from that date, controllers must honor signals received from a consumer or authorized agent that indicate the consumer's preference to opt out of the sale of personal data or targeted advertising by means of a platform, technology, or mechanism that:
- does not unfairly disadvantage another controller;
- does not use a default setting but instead requires the consumer or authorized agent to make an affirmative, voluntary, and unambiguous choice to opt out;
- is consumer friendly and easy for an average consumer to use;
- is as consistent as possible with similar platforms, technologies, or mechanisms required under federal or state laws or regulations; and
- enables the controller to accurately determine whether the consumer is a resident of Oregon and has made a legitimate request to opt-out.
Once the controller receives a request, it must respond without undue delay and in any case within 45 days of receipt; the deadline may be extended by an additional 45 days where reasonably necessary. Whether the controller extends the deadline or declines to take action on the request, it must notify the consumer of the outcome within the initial 45-day period. Where the controller declines to take action, the notice must explain the justification for not taking action and include instructions for appealing the controller's decision.
As a general rule, the controller may only fulfill a request that it can authenticate, including by means of further information provided by the consumer. As an exception to this general rule, requests to opt out must be carried out without requiring authentication, although the controller may still ask the consumer for additional information necessary to comply with the request, such as to ascertain the identity of the requestor.
The controller must provide the information the consumer requests free of charge once during any 12-month period. Thereafter, the controller may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within the same 12-month period, unless the purpose of the second or subsequent request is to verify that the controller complied with a previously exercised correction or deletion request.
The consumer may also exercise their rights by designating another person to act on their behalf as an authorized agent. Similarly, a parent, legal guardian, or conservator may exercise the rights discussed above on behalf of the child, the child's parent, or the consumer under a protective arrangement, respectively.
Controllers are subject to various obligations under the OCPA. Specifically, controllers must:
- specify in the privacy notice the express purposes for which the controller is collecting and processing personal data;
- limit the collection of personal data to only the personal data that is adequate, relevant, and reasonably necessary to serve the purposes the controller specified in the privacy notice;
- establish, implement, and maintain for personal data the same safeguards that are required for protecting personal information, such that the controller's safeguards protect the confidentiality, integrity, and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data; and
- provide an effective means by which a consumer may revoke consent a consumer gave to the controller's processing of the consumer's personal data. The means must be at least as easy as how the consumer provided consent. Once the consumer revokes consent, the controller must cease processing the personal data.
Conversely, a controller is prohibited from undertaking certain actions, including:
- processing personal data for purposes that are not reasonably necessary for, and compatible with, the purposes the controller specified in the privacy notice unless the controller obtains the consumer's consent;
- processing sensitive data about a consumer without first obtaining the consumer's consent, or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children's Online Privacy Protection Act (COPPA) and the regulations, rules, and guidance adopted under the same;
- processing a consumer's personal data for the purposes of targeted advertising, profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, or selling the consumer's personal data without the consumer's consent if the controller has actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age; or
- discriminating against a consumer that exercises a right, by means such as denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality or selection of goods or services to the consumer.
In more detail, controllers must maintain a reasonably accessible, clear, and meaningful privacy notice that specifies the express purposes for which the controller is collecting and processing personal data. Specifically, the privacy notice must:
- list the categories of personal data, including the categories of sensitive data, that the controller processes;
- describe the controller's purposes for processing the personal data;
- describe how a consumer may exercise their rights and the method or methods the controller has established for a consumer to submit a request to exercise their rights;
- list all categories of personal data, including the categories of sensitive data, that the controller shares with third parties;
- describe all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
- specify an electronic mail address or other online methods by which a consumer can contact the controller that the controller actively monitors;
- identify the controller; and
- provide a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance and a procedure by which the consumer may opt out of this type of processing.
As noted in the section on definitions above, deidentified data does not constitute personal data under the OCPA. Nevertheless, controllers that process deidentified data are still required to abide by certain obligations. Among other things, controllers must:
- take reasonable measures to ensure that the deidentified data cannot be associated with an individual;
- publicly commit to maintaining and using deidentified data without attempting to reidentify the deidentified data; and
- enter into a contract with a recipient of the deidentified data and provide in the contract that the recipient must comply with the controller's obligations under the OCPA.
Moreover, a controller (or a processor) is not required to comply with a consumer request if it:
- cannot reasonably associate the request with personal data or if the controller's attempt to associate the request with personal data would be unreasonably burdensome;
- does not use personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with any other personal data about the specific consumer; and
- does not sell or otherwise voluntarily disclose personal data to a third party, except as otherwise provided.
A controller that discloses deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and must take appropriate steps to address any breaches of those contractual commitments.
Data protection assessment
The OCPA imposes on controllers the duty to conduct and document a data protection assessment (DPA) for each processing activity that presents a heightened risk of harm to a consumer, which is identified by the OCPA to include:
- processing personal data for the purpose of targeted advertising;
- processing sensitive data;
- selling personal data; and
- using the personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
- financial, physical, or reputational injury to consumers;
- physical or other types of intrusion upon a consumer's solitude, seclusion, or private affairs or concerns, if the intrusion would be offensive to a reasonable person; or
- other substantial injury to consumers.
However, a single DPA may address a comparable set of processing operations that present a similar heightened risk of harm. In addition, DPAs that the controller conducts for compliance with another law or regulation may satisfy the requirement to conduct a DPA under the OCPA if the scope and effects are reasonably similar.
Looking at DPA content, the controller must identify and weigh how processing personal data may directly or indirectly benefit the controller, the consumer, other stakeholders, and the public, against the potential risks to the consumer, also taking into account how the use of deidentified data might reduce those risks.
In general, under the OCPA, DPAs are confidential and are not subject to disclosure. Nevertheless, the Oregon Attorney General (AG) may require a controller to provide the DPA the controller has conducted, if relevant to an investigation of the AG under the OCPA.
The OCPA also establishes a retention period of five years for any DPAs conducted by a controller.
It should be noted that the requirements that apply to a DPA under the OCPA apply only to processing activities that occur on and after July 1, 2024, and are not retroactive.
In turn, processors must adhere to a controller's instructions and assist the controller in meeting its obligations under the OCPA, by, among other things:
- enabling the controller to respond to a consumer's requests;
- adopting administrative, technical, and physical safeguards that are reasonably designed to protect the security and confidentiality of the personal data processed, taking into account how the processor processes the personal data and the information available to the processor; and
- providing information reasonably necessary for the controller to conduct and document a DPA.
Controllers and processors must enter into a contract to govern their relationship and the processing operations that take place as a result. The contract must be binding on both parties and must lay down clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing, and the duration of the processing. It must also specify the rights and obligations of both parties with respect to the subject matter of the contract.
In addition, among other things, the OCPA mandates that the contract include an obligation for the processor, when it engages another person to assist with processing personal data on the controller's behalf, to enter into a subcontract with that person that requires the subcontractor to meet the processor's obligations under the processor's contract with the controller.
Importantly, the processor must allow the controller, the controller's designee, or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework, or procedure, to assess the processor's policies and technical and organizational measures for complying with the processor's obligations under the OCPA. The processor must also cooperate with the assessment and, at the controller's request, report the results of the assessment to the controller.
The OCPA also specifies that the assessment as to whether an entity operates in practice as a controller or a processor is a fact-based determination that must take into account the context in which a set of personal data is processed.
Enforcement and penalties
The AG has exclusive authority to enforce the OCPA, which does not create any private right of action. In exercising its authority, the AG may bring an action to seek a civil penalty of not more than $7,500 for each violation of Sections 1 to 9 of the OCPA, to enjoin a violation, or obtain other equitable relief. The OCPA also establishes a statute of limitations of five years for the AG to seek relief. The five-year period is counted from the date of the last act of a controller that constituted the violation for which the AG seeks relief.
The OCPA establishes a cure period of 30 days for controllers and processors found in breach of the OCPA. If the controller fails to cure the violation within 30 days after receiving the notice of the violation by the AG, the latter may bring the action without further notice. Importantly, under the OCPA, the right to cure will sunset on January 1, 2026.
Entry into force
The OCPA will enter into force on July 1, 2024, except for non-profit entities, to which the OCPA will not apply until July 1, 2025.
In addition, as mentioned above, the requirement to recognize and process universal opt-out preference signals will commence on January 1, 2026, which also marks the date when the 30-day cure period for violations will sunset.
Anna Baldin, Senior Privacy Analyst