Oregon Consumer Privacy Act Signed Into Law

The Oregon Consumer Privacy Act (OCPA) became law on July 18, 2023. Oregon is the twelfth state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, and Texas. The OCPA goes into effect July 1, 2024 (the same date as the recently enacted privacy laws in Texas and Florida). The effective date for non-profits—which, unlike under most other state privacy laws, are not exempt under the OCPA—is delayed until July 1, 2025.

Application Thresholds

The OCPA applies to a person who conducts business in Oregon or who provides products or services to Oregon residents and that during a calendar year:

• Controls or processes the personal data of 100,000 or more Oregon residents (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or
• Controls or processes the personal data of 25,000 or more consumers while deriving 25 percent or more of the person's annual gross revenue from selling personal data.

These thresholds are the same as under the Colorado Privacy Act and, unlike some other state privacy laws, do not include an initial threshold based on an entity's annual revenue.

Notable Provisions

The OCPA is similar to other comprehensive state privacy laws, including those in Colorado, Connecticut and elsewhere, with some notable exceptions. Distinct features of the OCPA include:

• No GLBA or HIPAA Entity-Level Exemption: Most state privacy laws exempt both entities and data governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). The OCPA, however, follows the California Consumer Privacy Act (CCPA) in exempting only data governed by HIPAA and GLBA rather than the entities subject to those two laws. Entities subject to HIPAA and GLBA will be able to avail themselves of the data-level exemptions based on those laws, even though those exemptions are more limited, but will need to ensure compliance with the OCPA for personal information collected that is not covered by HIPAA and GLBA. The OCPA does exempt certain financial institutions as defined under Oregon law, including banks and credit unions and their affiliates that are only and directly engaged in financial activities.[1] However, these entity exemptions are narrower than exemptions for GLBA-covered entities found in other state privacy laws, as GLBA applies to broad categories of financial institutions, including non-bank and alternative lenders, retailers that extend credit to consumers, money transmitters, tax preparers, mortgage brokers, securities broker-dealers, investment advisors, investment companies, and others—as well as banks and credit unions.
• Expanded Consumer Rights: The OCPA provides Oregon residents (acting in any capacity other than in a commercial or employment context) the right to request the specific third parties (other than natural persons) to which the controller has disclosed personal data. Controllers may choose to respond to such a request either by providing the names of the specific third parties to which it has disclosed the consumer's personal data or the names of third parties to which it has disclosed any personal data. No other state privacy law currently requires controllers to identify specific third parties to which the controller disclosed a consumer's personal data. Other state privacy laws only require a controller to identify categories of third parties. Like other state privacy laws, the OCPA also provides residents with rights to confirm whether a controller is processing their personal data and the categories of personal data that the controller is processing, to obtain a portable and readily usable copy of their personal data, to correct inaccuracies in their personal data, to have their personal data deleted,[2] and to opt out of a controller's processing of the consumer's personal data for sales, targeted advertising, or profiling in furtherance of decisions that produce "legal effects or effects of similar significance."[3] The OCPA also does not define pseudonymous data or expressly exclude it from a consumer's right to confirm processing of, correct, delete and/or port their personal data. The majority of state privacy laws – including Virginia, Connecticut, and Texas (among others) – exempt pseudonymous data from consumer rights requests. For Oregon businesses subject to the OCPA, this may pose a more significant compliance burden due to the larger data set potentially subject to consumer rights requests.
• Non-Profits Not Exempt (Mostly): Like Colorado, Oregon does not exempt non-profits from its consumer privacy bill. However, the OCPA contains limited non-profit exemptions for organizations established to detect and prevent fraudulent acts and other certain activities in connection with insurance. Covered non-profits will have until July 1, 2025 – an extra year – to comply with the OCPA.
• Certain Non-commercial Activities Exempt: The OCPA contains unique exemptions for certain non-commercial activities of a publisher, editor, or reporter or other person connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report, or other publication in general circulation; of radio or television stations holding a license issued by the Federal Communications Commission; of non-profit organizations that provide programming to radio or non-commercial activities of television networks; and of entities providing an information service, including a press association or wire service.
• Recognition of Universal Opt-Out Mechanisms Required: The OCPA will require controllers to recognize universal opt-out mechanisms as of January 1, 2026. This aligns with privacy laws in California, Colorado, Connecticut, Montana, and Texas that require recognition of universal opt-out mechanisms.
• Unique Definition of Sensitive Data: The OCPA defines "sensitive data" broadly relative to other state privacy laws and includes information revealing an Oregon consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime, or citizenship or immigration status, as well as specified precise location data, children's data, and genetic and biometric data. No other state privacy law specifically includes transgender or non-binary status or crime victim status in its definition of "sensitive data."
• Protections for Children's Data: Like some other state privacy laws, the OCPA requires prior parental consent under COPPA in order to process the personal data of a child for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects.[4] A child is defined as an individual under the age of 13. Controllers must also obtain consent for selling personal data, targeted advertising, or profiling "if the controller has actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age."

Definition of "Sale" of Personal Data

The OCPA defines "sale" of personal data as the exchange by the controller with a third party of personal data for monetary or other valuable consideration. By comparison, some states (Virginia, for example) define a "sale" as an exchange of personal information for monetary consideration only.

The definition of a "sale" under the OCPA (and other state privacy laws) is important because a "sale" is one of the processing activities for which consumers can opt out (along with targeted advertising and certain types of profiling). In practical terms, the OCPA's broader definition of "sale" may, among other things, provide consumers with the ability to opt out of third-party marketing and other disclosures of personal information that involve "valuable" non-monetary consideration.

The following activities are exempted from the definition of "sale" under the OCPA:

• Disclosure of personal data to a processor;
• Disclosure of personal data to an affiliate of a controller or to a third party for the purpose of enabling the controller to provide a product or service to a consumer who requested the product or service;
• Disclosure or transfer of personal data from a controller to a third party as part of a proposed or completed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets, including the personal data; or
• Disclosure of personal data that occurs because a consumer does the following:
  • Directs a controller to disclose the personal data;
  • Intentionally discloses their personal data in the course of directing a controller to interact with a third party; or
  • Intentionally discloses their personal data to the public by means of mass media.

  Despite the lack of a general exemption for entities subject to HIPAA or GLBA, the OCPA contains a series of entity-level, data-specific, and employment-related exemptions.

  Entity-level exemptions include:

  • Public corporations;
  • State government bodies, local government bodies and special government bodies;
  • Financial institutions as defined under Oregon law and their affiliates that are only and directly engaged in financial activities;
  • Insurers and related entities as defined under Oregon law;
  • Non-profit organizations that are established in connection with certain specified insurance activities.

  Data-specific exemptions include:

  • Protected health information governed by HIPAA;
  • Information used for public health activities and purposes described in 45 C.F.R. 164.512;
  • Patient identifying information that is collected and processed in accordance with 42 C.F.R. part 2;
  • Patient safety work product created for the purpose of improving patient safety under 42 C.F.R. part 3;
  • Information and research that identifies a consumer in connection with activities subject to the Federal Policy for the Protection of Human Subjects, set forth in 45 C.F.R. part 46 and in various other federal regulations;
  • Information that identifies a consumer in connection with research on human subjects undertaken in accordance with good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;
  • Information and documents created for the purpose of the Health Care Quality Improvement Act of 1986;
  • Information collected, processed, sold, or disclosed under and in accordance with the GLBA;
  • Personal information covered by and/or processed in accordance with the Fair Credit Reporting Act, Driver's Privacy Protection Act, Family Educational Rights and Privacy Act of 1974, the Airline Deregulation Act, among several others;
  • Personal data processed by a person in the course of a purely personal or household activity; and
  • Emergency contact information.

  Employment-related exemption:

  • Information processed or maintained solely in connection with and for the purpose of enabling:
    • An individual's employment or application for employment;
    • An individual's ownership of or function as a director or officer of a business entity;
    • An individual's contractual relationship with a business entity;
    • An individual's receipt of benefits from an employer, including benefits for the individual's dependents or beneficiaries; or
    • Notice of an emergency to persons that an individual specifies.

    Activity-related exemptions:

    • Non-commercial activities of a publisher, editor, or reporter or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report, or other publication in general circulation;
    • Non-commercial activities of a radio or television station that holds a license issued by the Federal Communications Commission;
    • Activities that are subject to the protections provided in 21 C.F.R. parts 50[5] and 56;[6] and
    • Nonprofit organizations that provide programming to radio or television networks or non-commercial activities of television networks, or an entity that provides an information service, including a press association or wire service.

    Processing-related exemptions:

    The OCPA does not restrict a controller or processor from collecting, using, or retaining personal data to:

    • Comply with federal, state, or local laws, rules, or regulations;
    • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons, by federal, state, municipal, or other governmental authorities;
    • Cooperating with a law enforcement agency concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or local statutes, ordinances, rules or regulations;
    • Investigate, establish, exercise, prepare for, or defend legal claims;
    • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, and to preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security;
    • Provide a product or service specifically requested by a consumer;
    • Fulfill the terms of a written warranty;
    • Conduct internal research to develop, improve, or repair products, services, or technology;
    • Effectuate a product recall;
    • Identify and repair technical errors that impair existing or intended product functionality; or
    • Perform internal operations that are reasonable based on consumer expectations or the consumer relationship.

    Definition of Biometric Data

    The OCPA defines "biometric data" to mean personal data generated by automatic measurements of a consumer's biological characteristics, such as the consumer's fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer. Biometric data is a form of "sensitive data" for which companies must obtain consumer consent to process.

    The OCPA states the following do not fall under the definition of biometric data:

    • A photograph recorded digitally or otherwise;
    • An audio or video recording;
    • Data from a photograph or from an audio or video recording, unless the data were generated or used to identify a particular consumer; or
    • Facial mapping or facial geometry unless the facial mapping or facial geometry was generated or used to identify a specific consumer.

    Enforcement

    The OCPA gives the Oregon Department of Justice (the state's office of attorney general) exclusive authority to enforce the OCPA's provisions, including levying civil penalties of "not more than $7,500 per violation." In addition, the attorney general may bring an action to enjoin a violation of the OCPA or obtain other equitable relief.

    Unlike other state privacy laws, the OCPA contains a specific statute of limitations for attorney general enforcement actions. The OCPA states the attorney general "shall bring an action … within five years after the date of the last act of a controller that constituted the violation for which the [attorney general] seeks relief."

    An Oregon court may award reasonable attorney fees, expert witness fees, and costs of investigation to the Oregon attorney general if the attorney general prevails in an action. However, a court may also award reasonable attorney fees to a defendant that prevails in an action "if the court finds that the [attorney general] had no objectively reasonable basis for asserting the claim or for appealing an adverse decision of the trial court."

    The OCPA does not authorize any rulemaking.

    No Private Right of Action

    No private right of action is available to consumers. The OCPA states that its provisions "or any other laws of this state, do not create a private right of action to enforce a violation of [the OCPA]."

    30-Day Cure Period with Sunset Provision

    The OCPA provides businesses a 30-day right to cure violations "if the attorney general determines that the controller can cure the violation," and if the controller fails to cure, the attorney general "may bring an action without further notice." However, similar to the laws in Colorado and Connecticut, the cure period will "sunset" after a period of time. The OCPA's cure period will sunset on January 1, 2026.

    Privacy Notices

    Like other state privacy laws, the OCPA requires controllers to specify in their privacy notice the "express purposes for which the controller is collecting and processing personal data." The OCPA's privacy notice requirements are more detailed in some respects than those in other states, however. Specifically, they require that the privacy notice identify "the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in" Oregon.

    Privacy notices under the OCPA must be "reasonably accessible, clear and meaningful" and include:

    • The categories of personal data, including the categories of sensitive data, that the controller processes;
    • A description of the controller's purposes for collecting and processing the personal data;
    • A description of how a consumer may exercise their rights under the law, including how to appeal a controller's denial of a consumer's request;
    • The categories of personal data, including the categories of sensitive data, a controller shares with third parties;
    • A description of all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;[7]
    • A specific email address or other online method that the controller actively monitors by which a consumer can contact the controller;
    • A clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects or similar significance (see note 4, above), and a procedure by which the consumer may opt out of this type of processing; and
    • A description of the method or methods that the controller established for a consumer to submit a request to exercise the rights described above in "Expanded Consumer Rights."

    Processor Contracts

    Like most of the other state privacy laws, the OCPA distinguishes a "controller"—a person who "alone or jointly with another person, determines the purposes and means for processing personal data"—from a "processor"—a person who "processes personal data on behalf of a controller."[8] A processor must adhere to the processing instructions of a controller, as set forth in a written contract between the controller and processor. That contract also must require the processor to keep personal data confidential, to return or delete personal data at the end of the services provided by the processor (except where required by law), make available to the controller information needed to demonstrate the processor's compliance with the OCPA, allow and cooperate with reasonable assessments by the controller or its agent (see below), report the results to the controller as the controller requests, and engage any subcontractor to assist with processing using written contracts requiring the subcontractor to meet the same obligations as the processor regarding the personal data.

    Data Protection Assessments

    The OCPA's data protection assessment requirements are similar to the requirements in Connecticut and Colorado, among other states. The OCPA states that a controller must conduct and document a data protection assessment for each of the controller's processing activities that present a "heightened risk of harm to a consumer," including the following:

    • Processing personal data for the purpose of targeted advertising;
    • Processing sensitive data;
    • Selling personal data; and
    • Using the personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
      • Unfair or deceptive treatment of or unlawful disparate impact on consumers;
      • Financial, physical, or reputational injury to consumers;
      • Physical or other types of intrusion upon a consumer's solitude, seclusion or private affairs or concerns, if the intrusion would be offensive to a reasonable person; or
      • Other substantial injury to consumers.

      The OCPA states that data protection assessments apply "only to processing activities that occur on and after July 1, 2024, and are not retroactive." The attorney general may require controllers to provide relevant assessments to enable the attorney general to evaluate compliance with the OCPA. Controllers will be able to do so without waiving applicable attorney-client or work product privileges.

      The OCPA also stipulates that data protection assessments are confidential and not subject to disclosure under Oregon's open public record laws. An assessment performed under another state's laws will satisfy the OCPA if the assessment "is reasonably similar in scope and effect" to that required by the OCPA. Controllers must maintain data protection assessments for at least five years.

      Looking Ahead

      The OCPA will go into effect at the same time as the recently-enacted Florida Digital Bill of Rights and the Texas Data Privacy and Security Act (which is prior to four other state privacy laws passed earlier in 2023).

      The state privacy laws enacted so far in 2023 go into effect as follows:

      • July 1, 2024 – Oregon
      • July 1, 2024 – Florida
      • July 1, 2024 - Texas
      • October 1, 2024 – Montana
      • January 1, 2025 – Iowa
      • July 1, 2025 – Tennessee
      • January 1, 2026 – Indiana

      DWT's Privacy and Security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations.

      [1] "Financial institution" under Oregon law "means an insured institution, an extranational institution, a credit union as defined in ORS 723.006 ("Credit union" defined), an out-of-state credit union under ORS 723.042 (Interstate credit unions) or a federal credit union." ORS 706.008(9). In addition, the OCPA exempts information collected, processed, sold, or disclosed by a "financial institution, as defined in ORS 706.008, or a financial institution's affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k), as in effect on the effective date of this 2023 Act." The OCPA also exempts "information that originates from, or is intermingled so as to be indistinguishable from, information described in [the GLBA and regulations adopted to implement the GLBA] and that a licensee, as defined in ORS 725.010, collects, processes, uses or maintains in the same manner as is required under the laws and regulations specified in [the GLBA]."

      [2] This expressly includes the right to have deleted both personal data that the consumer provided to the controller and that the controller obtained from another source, and derived data.

      [3] "Decisions that produce legal effects or effects of similar significance" are defined to mean "decisions that result in providing or denying financial or lending services, housing, insurance, enrollment in education or educational opportunity, criminal justice, employment opportunities, health care services or access to essential goods and services."

      [5] Part 50 applies to all clinical investigations regulated by the Food and Drug Administration (FDA) under sections 505(i) and 520(g) of the Federal Food, Drug, and Cosmetic Act, as well as clinical investigations that support applications for research or marketing permits for products regulated by the FDA, including foods, including dietary supplements, that bear a nutrient content claim or a health claim, infant formulas, food and color additives, drugs for human use, medical devices for human use, biological products for human use, and electronic products.

      [6] Part 56 contains the general standards for the composition, operation, and responsibility of an Institutional Review Board (IRB) that reviews clinical investigations regulated by the FDA under sections 505(i) and 520(g) of the act, as well as clinical investigations that support applications for research or marketing permits for products regulated by the FDA, including foods, including dietary supplements, that bear a nutrient content claim or a health claim, infant formulas, food and color additives, drugs for human use, medical devices for human use, biological products for human use, and electronic products.

      [7] While the notice only requires the controller to list categories of third parties with which the controller shares personal data, as mentioned earlier, consumers have the right to request a list of specific third parties to which the controller has either disclosed the consumer's personal data or any personal data.

      [8] The exception is the California law, which uses terms "business," "service provider," and "third party."