On June 22, 2023, both legislative houses of Oregon passed SB619, also known as the Oregon Consumer Privacy Act. If it becomes law, Oregon will become the eleventh US state to pass a consumer privacy bill and grant consumers control over their data privacy.
Granting consumers this control entails obligations for businesses operating in Oregon, and if yours is one of them, it is important to understand what this law requires.
The Oregon Consumer Privacy Act (OCPA) is designed to protect the consumer data privacy of Oregon residents. It provides specific rights to consumers and imposes obligations on businesses. Non-compliance with the OCPA may result in fines for businesses.
The OCPA aligns closely with the provisions found in other state laws addressing consumer data privacy. It primarily focuses on safeguarding consumer data privacy and excludes employment data from its scope of coverage.
The OCPA is scheduled to become effective on July 1, 2024.
The OCPA applies to your business if you operate in Oregon or target Oregon customers, and you meet either of the following criteria:
While these thresholds may seem hard to reach at first, keep in mind that tools like Google Analytics, which processes IP addresses, or Meta Pixel, which analyzes browsing behavior, can quickly bring you to processing the data of over 100,000 consumers and make your business subject to the OCPA.
According to the OCPA, personal data is defined as "data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household."
This definition encompasses a wide range of data types. In addition to the obvious categories such as personal names, email addresses, and government-issued numbers, personal data also includes health history, fitness app data, purchase behavior, and other information that has the potential to identify an individual.
It is important to note that employment data, as well as data protected by HIPAA (Health Insurance Portability and Accountability Act) and GLBA (Gramm-Leach-Bliley Act), are explicitly exempt from the scope of the OCPA.
The OCPA explicitly lists the categories of personal information that are classified as sensitive. These categories include:
According to the OCPA, sensitive data must not be processed without the explicit consent of the consumer; you must obtain that consent before processing any personal information falling within these categories.
Controllers that need to comply with the OCPA have several duties, including:
Processors, on the other hand, have the responsibility to:
The data processing contract serves as a crucial document that governs the relationship between the controller and the processor. It is necessary to have a valid contract in place to ensure legal compliance and avoid violating the OCPA. When drafting a data processing contract, it is essential to include provisions covering the following aspects:
Your OCPA privacy notice is actually your privacy policy. It is the document where you provide transparency about your privacy practices to consumers. Your notice should include the following minimum information:
While not mandated by law, you can include additional information to further enhance transparency.
Yes, explicit consumer consent is required for the processing of sensitive data. Collecting sensitive data without consent violates the law and may result in penalties. This consent must meet specific criteria, including being freely given, specific, informed, and unambiguous.
When collecting information from a known child for processing, obtaining parental consent in accordance with the standards outlined in COPPA (Children's Online Privacy Protection Act) is sufficient for compliance. This ensures that appropriate measures are taken to protect the online privacy of children.
The OCPA requires controllers to honor universal opt-out mechanisms sent by consumers, such as Global Privacy Control (GPC). If you receive a GPC signal from a consumer's browser, you must treat it as a valid opt-out request and honor it.
This obligation will be effective from January 1, 2026.
A Data Protection Assessment helps the controller identify the risks associated with processing activities and determine the measures needed to mitigate them. While it is not mandatory for every business, conducting a Data Protection Assessment is good practice. If you are unsure whether you need to perform one, err on the side of conducting it.
The law explicitly specifies that businesses must conduct and document a Data Protection Assessment in the following scenarios:
The OCPA grants consumers specific rights regarding their personal data. To exercise these rights, consumers can submit requests to your organization. It is crucial for your organization to comply with these requests to avoid potential penalties.
Consumers have the following rights:
The response deadline for consumer requests is 45 days. For complex requests, you may take an additional 45 days, provided that you justify the need for the extension.
Unlike California, Oregon has not established a dedicated data protection agency. Instead, similar to other US states, the enforcement authority lies with the Attorney General.
In Oregon, the Attorney General has the power to investigate violations of data protection laws and can issue a notice to businesses, granting them a 30-day cure period to address the violations.
Failure to remedy the violations within the specified 30-day period can result in fines of up to $7,500 per violation. It's important to note that the cure period will expire in 2026, after which businesses will no longer be given any time to address the violations and will face penalties immediately.