Privacy & Information Security Law Blog

On June 22, 2023, the Oregon House of Representatives passed the Oregon Consumer Privacy Act (S.B. 619) (the “OCPA”), which was previously passed by the Oregon Senate on June 20, 2023. The OCPA has been sent to the Oregon governor’s desk for signature. If signed, the OCPA would make Oregon the 12th state to have enacted comprehensive privacy legislation.

Applicability

The OCPA applies to any person that conducts business in Oregon, or that provides products or services to residents of Oregon, and that during a calendar year, controls or processes: (a) the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) the personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data. “Consumer” means a natural person who resides in Oregon and acts in any capacity other than in a commercial or employment context. Thus, like most other comprehensive state privacy laws, employee data and business-to-business data are excluded from the scope of the OCPA.

The OCPA provides an exemption to personal data subject to the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and a number of other federal laws.  Notably, unlike many of the recently passed comprehensive privacy laws, the OCPA does not provide a general exemption for non-profit organizations. Instead, the OCPA provides exemptions to specific types of non-profits. The OCPA does not apply to non-profit organizations that are established to detect and prevent fraudulent acts in connection with insurance and does not apply to non-commercial activities of non-profit organizations that provide programming to radio or television networks.  

Controller Obligations

Controllers subject to the OCPA are required to, among other obligations, (1) provide a privacy notice with certain specified content; (2) limit the processing of personal data to that which is reasonably adequate, relevant and necessary for the purposes of the processing; (3) establish a secure and reliable means for consumers to exercise their privacy rights under the law; (4) obtain a consumer’s consent to process sensitive data; (5) enter into contracts with its processors; and (6) conduct and document data protection assessments before engaging in processing activities that present a heightened risk of harm (e.g., processing personal data for purpose of targeted advertising, processing of sensitive data, sale of personal data, and using personal data for certain types of profiling). Similar to the Colorado Privacy Act and its implementing regulations, the OCPA requires a controller’s privacy notice to describe “all categories of third parties with which the controller shares at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data.”

Further, the OCPA expressly requires controllers to establish and maintain safeguards to protect personal data that complies with Oregon’s ORS 646A.602, which makes the OCPA more proscriptive than other comprehensive state privacy laws.

Consumer Rights

The OCPA provides consumers the right to (1) confirm whether a controller is processing or has processed the consumer’s personal data and the categories of personal data the controller is processing or has processed; (2) obtain, at the controller’s option, a list of specific third parties, other than natural persons, to which the controller has disclosed (a) the consumer’s personal data or (b) any personal data; (3) obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another person without hindrance; (4) require a controller to correct inaccuracies in personal data about the consumer, taking into account the nature of the personal data and the controller’s purpose for processing the personal data; (5) require a controller to delete personal data about the consumer, including personal data the consumer provided to the controller, personal data the controller obtained from another source and derived data; and (6) opt out of the processing of the consumer’s personal data for purposes of (a) targeted advertising, (b) the sale of the consumer’s personal data, and (c) profiling in furtherance of decisions that produce legal or similarly significant effects.

Enforcement

The OCPA does not contain a private right of action. The OCPA provides exclusive enforcement authority to the Oregon Attorney General. If signed the OCPA would take effect July 1, 2024; however, amendments made to certain provisions of the OCPA would go in effect January 1, 2026. In addition, activities of an organization described in Section 501(c)(3) of the Internal Revenue Code that is exempt from tax under 501(a) of the Internal Revenue Code will have until July 1, 2025, to comply.

Update: On July 18, 2023, Oregon Governor Tina Kotek signed S.B. 619 making Oregon the 12th state to enact comprehensive privacy legislation.