Update: In the 2024 legislative session, a fix was made to change “employees of the Attorney General” to “persons employed by the Attorney General.” See SB 1576.
For the latest on the OCPA, read: “Countdown to Compliance: Preparing for the Oregon Consumer Privacy Act (OCPA).”
On July 18, 2023, the Oregon governor signed into law SB 619, Oregon’s Consumer Privacy Act (OCPA). OCPA is, in many ways, very similar to the other comprehensive state privacy laws [1]. However, in keeping with the state motto alis volat propriis (“She flies with her own wings”), OCPA includes some unique provisions.
As with most other comprehensive state privacy laws, OCPA applies to consumers who reside in the state, and does not cover employees. It applies to businesses that, during a calendar year, control or process (1) the personal data of 100,000 or more consumers, not counting personal data controlled or processed solely for completing a payment transaction, or (2) the personal data of 25,000 or more consumers if 25% or more of annual gross revenue comes from selling personal data. Similar to other laws, a “sale” is defined as the exchange of personal data “for monetary or other valuable consideration,” with some exceptions.
Also familiar are the consumer rights granted by OCPA:
- Right of access;
- Right to appeal;
- Right to correct inaccuracies;
- Right of data portability;
- Right of deletion;
- Right to opt-out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects; and
- Right of no discrimination for exercising a right.
However, the right of access is broader than in other laws: in addition to providing a copy of the consumer’s personal data, a business must provide either a list of the specific third parties that have received the consumer’s personal data or a list of the specific third parties with which the business shares personal data (the business chooses which). Otherwise, the rights are similar to other state laws: a consumer can designate an authorized agent to opt out; a consumer can make one free rights request every 12 months; and a business has 45 days to respond to a consumer’s request, with an option for a 45-day extension. Starting on January 1, 2026, businesses must recognize a global opt-out signal.
Similar to other comprehensive state privacy laws, OCPA contains certain consent requirements, data minimization standards, security standards, and required information in a posted privacy notice. Following in California’s footsteps, OCPA does not eliminate existing state statutes when incorporating new standards; for example, Oregon has existing law requiring reasonable administrative, technical, and physical safeguards (ORS 646A.622), security features for IoT devices (ORS 646A.813), and truthful privacy notices (ORS 646.607(12)).
Other provisions under OCPA that are similar to other comprehensive state privacy laws include:
- A controller must conduct and document a data protection assessment when there is a heightened risk of harm to a consumer. The same data protection assessment can be used to comply with Oregon and other state, federal, or international laws.
- A controller needs to enter into a contract with a processor that contains specific contractual requirements.
- A controller needs to take certain steps to protect deidentified data.
- Children 13 to 15 years old have opt-in (consent required) rather than opt-out protections for certain uses of data.
There are also some notable differences between OCPA and other comprehensive state privacy laws. These include:
- The definition of “biometric data.” In addition to the usual exclusions, it also excludes facial mapping or facial geometry unless generated or used for the purpose of identifying a specific consumer.
- The definition of “sensitive data.” In addition to the usual data, it also includes status as transgender or non-binary and status as a crime victim.
- Most exceptions apply to types of data, not to entities. For example, instead of exempting covered entities and business associates, OCPA exempts protected health information that is processed in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The entities that are exempt include governmental and quasi-governmental agencies; consumer reporting agencies, furnishers, and anyone who uses a consumer report under the Fair Credit Reporting Act (FCRA); financial institutions; and insurance companies, insurance producers, and third-party insurance administrators. Other new exemptions include information processed for the purpose of enabling “an individual’s contractual relationship with a business entity” and the non-commercial activities of written publications, radio and television stations, and other media entities. Some standard exemptions remain, such as for legal compliance, responding to security incidents, providing a product or service requested by a consumer, loyalty programs, and conducting internal research to develop products and services.
For Oregon practitioners, some of the most interesting portions may relate to the Attorney General’s investigatory and enforcement powers. Enforcement of OCPA is not under Oregon’s Unlawful Trade Practices Act (UTPA), the Oregon consumer protection law. Key differences between the enforcement mechanism provided under OCPA and the UTPA include:
- During an investigation, there is an explicit right to an attorney during an investigative interview. There is also an explicit right to refuse to answer questions under certain circumstances.
- The Attorney General is prohibited from having an expert present at the investigative interview and from sharing any documents obtained during the course of an investigation (including a data protection assessment, answers to interrogatories, or transcripts of oral testimony) with any expert who is not employed by the Attorney General.
- Civil penalties that the Attorney General can seek are limited to $7,500 per violation (as opposed to $25,000 per violation under the UTPA).
- The appropriate court to bring an action is Multnomah County or a circuit court where a violation occurred. (Under the UTPA, an action must be brought where a defendant is located, where a violation occurred, or where the Attorney General has an office but only with the defendant’s consent.)
- A court may award reasonable attorney fees to a defendant that prevails if the court finds that the Attorney General had no objectively reasonable basis for asserting the claim.
- There is a five-year statute of limitations that starts from the last date of a violation. (Note that this new statute of limitations does not apply the discovery rule.)
- Until January 1, 2026, there is a 30-day right to cure.
Additionally, OCPA does not contain a private right of action. (Under the UTPA, certain enforcement is Attorney General-only and certain enforcement can be by the Attorney General or by a private plaintiff.)
OCPA goes into effect on July 1, 2024. Non-profit organizations have until July 1, 2025 to comply with OCPA.
While there are many similarities between Oregon’s Consumer Privacy Act and other comprehensive state privacy laws, there are also a number of key distinctions. If you need assistance with determining your business’s obligations under OCPA, please contact our privacy & data security team.
[1] For purposes of comparison, the other comprehensive state privacy laws are those in California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia. Florida’s Digital Bill of Rights is not included due to its limited applicability. Washington’s My Health My Data Act and Nevada SB 370 are not included because they are limited to health data. See our separate analysis of My Health My Data for further discussion.
This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.