Oregon: New comprehensive Consumer Privacy Act
In this Insight article, Jeffrey M. Csercsevits and Risa B. Boerner, Partners at Fisher & Phillips, examine Oregon's recent implementation of the Oregon Consumer Privacy Act (OCPA), which introduces unique provisions, reflecting the evolving nature of state-level data protection laws.
Oregon is now the 11th state, and the sixth in 2023 alone, to enact comprehensive consumer privacy legislation. The OCPA follows the passage of similar legislation in California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, and Texas. In addition to these 11 states, similar legislation was recently passed by the Delaware state legislature and is now being considered by the state's Governor.
The drive for consumer privacy legislation has gained undeniable momentum within various state legislatures across the United States. This trend is expected to persist, with more states likely to adopt consumer privacy legislation in the near future. However, states are not content with simply mirroring legislation that was previously passed elsewhere. These laws continue to expand and evolve, forcing covered entities to navigate a patchwork of state laws with varying requirements.
The OCPA is no exception as it contains numerous provisions that differ from the laws of the other 10 states. Consequently, covered entities must have a clear understanding of what their obligations are under the OCPA and make necessary operational adjustments tailored to Oregon's unique requirements.
The OCPA is designed to provide individuals in Oregon with consumer privacy rights regarding access to and control over their personal data that is collected by covered entities. The OCPA imposes requirements on certain entities that are collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.
The OCPA will come into effect on July 1, 2024, for for-profit organizations and July 1, 2025, for covered non-profit organizations.
In contrast to similar laws enacted in other states, this is a short period of time for covered entities to prepare. Notably, Tennessee and Indiana both passed similar legislation in 2023, yet the enforcement of these laws is postponed until July 1, 2025, and January 1, 2026, respectively.
The scope of the OCPA encompasses individuals or entities engaged in business activities within Oregon or that provide products or services to Oregon residents, and that control or process the following data during a calendar year:
- personal data of 100,000 or more consumers, excluding data controlled or processed solely to complete a payment transaction; or
- personal data of 25,000 or more consumers, provided that the entity generates a minimum of 25% of its yearly gross revenue from the sale of personal data.
The term 'consumer' as stipulated by the law refers to a natural person who resides in Oregon and acts in a context outside the scope of commercial or employment contexts.
The definition of 'personal data' encompasses data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer, or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers within a household. It is worth noting that 'personal data' excludes de-identified data or data that falls into either of the following categories:
- data lawfully available through government records or widely distributed media; or
- data that a controller reasonably understands has been lawfully disclosed to the public by a consumer.
Similar to the Colorado Privacy Act (CPA), the OCPA does not provide a full exemption for non-profit organizations. It only exempts:
- non-profit organizations established to detect and prevent fraudulent activities related to insurance; and
- non-commercial endeavors of non-profit organizations that furnish programming to radio or television networks.
Regarding entities subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), the OCPA does not provide entity-level exemptions. Nonetheless, it does incorporate data-level exemptions for these entities.
Consumers are granted the following rights under the OCPA:
- Access: consumers possess the right to confirm whether the controller is processing, or has previously processed, their personal data. This encompasses knowledge of the categories of personal data undergoing processing. Additionally, consumers can obtain a copy of their personal data that the controller has processed or is in the process of processing.
- Correction: consumers may require a controller to correct inaccuracies present within their personal data.
- Deletion: consumers may require a controller to delete their personal data, including personal data that the consumer provided to the controller and personal data the controller obtained from other sources.
- Opt-out: consumers may opt out from a controller's processing of their personal data for targeted advertising, sale of personal data, or profiling the consumer.
- Data portability: controllers are required to provide personal data to a consumer in a portable and, to the extent technically feasible, readily usable format that enables the consumer to transmit the personal data to another person without hindrance.
Oregon also provides its consumers with an additional access right. Under the law, consumers are granted the right to request a list of specific third parties (excluding natural persons) to whom the controller has disclosed personal data. In response, the controller has the option to indicate the precise third parties to which it has disclosed either that consumer's personal data or any personal data. To comply with this request, a covered entity would need to maintain a list of specific third parties, imposing a greater obligation compared to the upkeep of third-party categories, as required by other privacy laws.
Consumers will also have the right to appeal a controller's decision to decline action on a consumer's request under the OCPA. The law provides guidelines that controllers must follow in establishing an appellate process.
Under the OCPA, controllers are required to:
- precisely outline the explicit purposes for which personal data is being collected and processed in a privacy notice;
- limit the collection of personal data to only that which is adequate, relevant, and reasonably necessary to serve the purposes stipulated in the privacy notice;
- establish, implement, and maintain security safeguards for protecting personal information;
- provide an effective method for consumers to retract previously granted consent for the processing of their personal data;
- obtain consent before processing data for purposes that are not reasonably necessary for and compatible with the purposes set forth in the privacy notice; and
- not discriminate against consumers who exercise their rights under the OCPA, by means such as denying goods or services, charging different prices for goods or services, or providing a different level of services to such consumers.
Employees and employee information
The OCPA explicitly excludes employees from the definition of 'consumer'. Furthermore, the law stipulates its inapplicability to information processed or maintained solely in connection with, and for the purpose of, enabling:
- an individual's employment or application for employment;
- an individual's role or position as a director or officer within a business entity;
- an individual's contractual relationship with a business entity; or
- an individual's reception of benefits from an employer, including benefits for the individual's dependents or beneficiaries.
Information about minors
The OCPA also provides additional protections for minors. If the controller has knowledge that a consumer falls within the age range of 13 to 15 years old, the consumer must provide consent before a controller can process the consumer's personal data aimed at targeted advertising or profiling. In addition, if the controller knows that the consumer is under 13 years old, data processing must align with the stipulations outlined in the Children's Online Privacy Protection Act of 1998 (COPPA).
There is no private right of action that would permit consumers to bring claims for OCPA violations. The Oregon Attorney General has the authority to initiate legal actions in order to halt violations or pursue penalties of up to $7,500 per violation.
If the Attorney General prevails, the court may award attorneys' fees, expert witness fees, and costs of investigation. The court may also award attorneys' fees to a prevailing defendant if the court determines that the Attorney General had no objectively reasonable basis for bringing the claim or for appealing an adverse decision from the trial court.
The OCPA also includes a 30-day cure provision, which requires the Attorney General to notify a controller of an OCPA violation if the Attorney General determines that the controller can cure the violation. If the violation is not cured within 30 days, the Attorney General can proceed with an enforcement action. It is important to note, however, that the 30-day rectification provision is set to expire on January 1, 2026.
Sensitive and biometric data
The OCPA prohibits controllers from processing a consumer's sensitive data without first obtaining the consumer's consent. If the controller knows that the consumer is a child, the processing of sensitive data must adhere to the provisions outlined in COPPA. Sensitive data, as defined by the law, encompasses personal data that:
- discloses a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime, or citizenship or immigration status;
- comprises the personal data of a minor;
- accurately identifies within a radius of 1,750 feet a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or
- is genetic or biometric data.
This definition of sensitive data is broader than the definitions used by other states, given its inclusion of transgender or non-binary status and the status of a victim of a crime.
Biometric data is defined to mean 'personal data generated by automatic measurements of a consumer's biological characteristics, such as the consumer's fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer.' Notably, the OCPA does not require that the biometric data actually be used. By comparison, Connecticut's Data Privacy Act (CTDPA) contains a definition of biometric data that requires the data to be used to identify a specific individual.
Given the imminent compliance dates, entities covered by OCPA should be taking immediate steps to prepare. These steps may include:
- reviewing and assessing current data collection and privacy practices;
- conducting an inventory of historical and anticipated future data collection;
- developing internal policies and procedures for responding to consumer requests under the OCPA, along with training the staff who will respond to such requests;
- preparing the required privacy notice;
- determining what, if any, data is collected about minors; and
- working with data privacy counsel to ensure compliance with OCPA requirements.