By enacting the Oregon Consumer Privacy Act (OCPA) or Senate Bill 619 (SB619), Oregon has become the 11th US state with a data privacy law. It aims to protect consumers’ personal data by guaranteeing consumer rights and imposing duties upon businesses.  

Effective date: July 1, 2024

Official text: Senate Bill 619

What is the Oregon Consumer Privacy Act?

Oregon Consumer Privacy Act (OCPA) is the data privacy law of Oregon. The Oregon governor signed it in July 2023 and it will come into force in July 2024. The law confers rights to the residents of Oregon and imposes duties on businesses that provide products to them. It also requires businesses to get affirmative consent for the sale, profiling and targeted advertisement of children between 13 to 15 years of age.

OCPA requires businesses to disclose in their privacy notice the categories of third parties involved in processing personal data along with how these third parties process the data.

The Attorney General of Oregon is the enforcement authority of OCPA. The penalty for each violation can be up to $7500.

Who does OCPA apply to?

OCPA applies to businesses in Oregon or elsewhere that provide their products or services to residents of Oregon and meet the following requirements:

  • Controls/processes personal data of 100,000 or more consumers for any purpose other than for completing a payment transaction.
  • Controls/processes personal data of 25,000 or more consumers and generates 25% or more of its gross revenue from the sale of personal data.

A consumer is a resident of Oregon who acts in any capacity other than in an employment/commercial context.

The law provides some notable exemptions compared to other privacy laws. For example, it exempts the information but not the entity covered by the HIPAA, Gramm-Leach-Bliley Act, The Driver’s Privacy Protection Act, etc

The law also provides an exception for non-commercial activities of many entities like radio or television, entities in the information service sector, non-profit organizations delivering programming to information services, or non-commercial activities of publishers, editors, reporters, or other persons related to newspapers, magazines, and similar publications. In contrast to other US privacy laws like CCPA, OCPA does not exempt all non-profit organizations from its scope. 

What is personal data under OCPA? 

Any data, derived data, or a unique identifier that is:

  • linked or reasonably linkable to a consumer 
  • linked or reasonably linkable to a device that identifies or is linked to or is reasonably linkable to one or more consumers in a household.

The following information is not personal data:

  • De-identified data
  • Lawfully available data through government records or widely distributed media
  • Data published by the consumer to a public audience.

What is sensitive data under OCPA?

OCPA provides special protection for sensitive data and requires businesses to provide opt-in mechanisms to consumers. Here is the list of data that comes under the category of sensitive data.

  • Personal data that discloses consumer’s
    •  racial/ethnic background
    •  national origin
    •  religious beliefs 
    •  mental/physical condition or diagnosis 
    •  sexual orientation 
    •  status as a transgender/non-binary 
    •  status as a victim of a crime
    •  citizenship and immigration status.
  • Genetic/biometric data
  • Child’s personal data
  • Precisely identifies the present or past location within a radius of 1750 ft of a consumer or of a device that links to such consumer using any technology including GPS.   

What are the obligations of businesses under OCPA?

Let’s look at the various obligations businesses have under OCPA:

Privacy notice

Businesses are obliged to provide a privacy notice to consumers that contains the categories of personal data collected along with the specific purposes for which it is collected. We will discuss the privacy notice requirements in detail in the subsequent section.

Data minimization and purpose limitation

Only collect personal data that is relevant and necessary for the specific purpose disclosed to the consumer. Also, limit the processing of such personal data to what is essential for the specific purpose. Additional consent must be obtained if you want to process the data for other purposes.

Implement security safeguards 

Businesses should take necessary steps to protect the data from unauthorized access or other security breaches. The safeguards should be proportionate to the nature and volume of data stored. Take steps towards training your employees in security program practices.

 Consent

Obtain consent from the consumer for the processing of sensitive data. To process the personal data of a child, consent should be obtained from a parent/ legal guardian. The law also requires businesses (if they are aware of the age) to get affirmative consent for targeted advertising, profiling, and sale of personal data of children between the ages of 13 and 15 years.

Effectual mechanism to withdraw consent

Provide a convenient and effective method for the revocation of consent by the consumers. Businesses must stop processing the personal data of the consumer who withdrew the consent within 15 days.

Non-discrimination

Do not discriminate against consumers who exercise their rights guaranteed under OCPA. This means that you cannot deny products, increase prices, or reduce the quality of the product solely based on the exercise of consumer rights. Nevertheless, you do not have to provide goods/services that require the processing of personal data that you do not collect or maintain. 

Contractual obligation

Have a contractual obligation with the processors and determine the rights and duties of each party. Require the processor to maintain the confidentiality of the data, delete the data at your direction, and clarify the nature and other aspects of the processing.

Data protection assessments 

Businesses should conduct data protection assessments concerning each processing activity that poses a risk of harm to the consumers like that of sensitive data, targeted advertising, sale of personal data, and profiling. Data protection assessments should be documented and kept confidential. Furthermore, each assessment should be retained for at least 5 years. 

Opt-outs

Businesses should provide mechanisms to opt out of targeted advertising, profiling, and sale of personal data. The act also enables consumers to designate another person including a global device setting to act on their behalf to exercise the right to opt-out. Therefore, businesses are required to recognize global opt-out mechanisms as well.

If there is a conflict between an opt-out made by an authorized agent and the voluntary participation by the consumer in a loyalty or club-card program, the controller can either deliver the request or ask the consumer to affirm his withdrawal from such program. If the consumer withdraws, comply with the opt-out request.

Consumer requests

Businesses are obliged to respond to consumer requests within 45 days. If it is necessary, the response time can be extended to another 45 days subject to a prompt notification to the consumer. Unlike CCPA, UCPA requires businesses to deliver the request for free only once a year. 

Notify data breaches

The Oregon data breach notification laws require businesses to inform consumers in the event of a data breach. If it affects more than 250 people, the breach should be reported to the Attorney general. Data breaches should be notified within 45 days of discovery.

What are the rights of consumers?

OCPA confers the following rights to consumers to protect their privacy in this digital era. Businesses are required to provide convenient methods to exercise these rights as well as to respond to requests without unnecessary delay.

Right to obtain

Consumers have the right to know if their personal data was processed or is being processed by any businesses and the categories of data so processed. They can also request businesses to provide them with information regarding the third parties (other than natural persons) that have access to their or any personal data. In addition, consumers have the right to obtain a copy of the personal data that was or is being processed by a business.

Right to correct 

Consumers can request businesses to correct any inaccuracies in the personal data stored and processed by them. The nature of personal data and the purpose for which it was collected may be considered to determine the inaccuracies.

Right to delete

Consumers have the right to require businesses to delete their personal data regardless of whether it was given by the consumer, collected from other sources or is derived data.

Right to opt-out

Consumers can opt out of the processing of their personal data for targeted advertising, sale of data, or profiling. Businesses must provide a convenient method for the same.

Right to portability

This right enables consumers to obtain their personal data in a portable, readily usable, and technically practicable manner.

These rights can be exercised by the consumers themselves or by a parent/legal guardian in the case of children and by guardians/conservators in the case of those consumers who are subjected to any protective arrangements like guardianship, conservatorship, etc.

Privacy notice requirements under OCPA

Businesses are obligated to provide an accessible privacy notice conspicuously with the following elements included in it:

  • Categories of personal data.
  • Specific purpose for the processing of personal data.
  • Procedure to exercise consumer rights including the process for appeal.
  • Categories of personal data shared with third parties.
  • Categories of third parties that have access to the personal data maintained by the controller/business along with a simple description of how they process the data.
  • Contact details of the controller/business (email address or any online methods).
  • Identity of the business like a registered or assumed business name.
  • Description of processing for targeted advertising, profiling, or any similar activities with a procedure to opt out of it.
  • Method to submit consumer requests.
  • Method to opt-out from the sale of personal data, targeted advertising, and profiling. It can be a link to a webpage or any other convenient method.

Generate a custom privacy policy
for your website

Create a free privacy policy

Generate instantlyNo signup required

Consent requirements under OCPA

Consent under OCPA refers to an affirmative action that indicates agreement to another person’s act. Under OCPA, opt-in consent is necessary for collecting sensitive data and children’s personal data.

For the consent to be valid, it must be given freely, be specific, informed, and unambiguous. It should not be collected by any means that limit the autonomy of the consumer’s decision-making or choice. 

Consumer’s inaction cannot be treated as consent. For example, if a consumer ignores or closes a cookie banner, it does not indicate consent.

A consumer can withdraw the consent at any time and once the consumer revokes the consent, the business should stop processing the data within 2 weeks.

Manage cookie consent
without any hassle

Add a cookie consent banner and manage cookie consent to comply with Oregon Privacy Law

Try for free

14-day free trialCancel anytime

 

What is the penalty for violating OCPA?

The law prescribes penalties for the violation of sections 1 to 9 of the act. The Attorney general is the enforcement agency of OCPA. The penalty for each violation can be up to $7500. The jurisdiction is conferred upon the circuit court of Multnomah County or a circuit court of a county where any part of the violation occurred. Businesses will get 30 days to cure the defect if the Attorney General determines that it is curable. If you can solve the issue within the prescribed time, no legal consequences might arise. If not, action can be taken without further notice.

The period of limitation is 5 years. That is, the Attorney General can only take action within 5 years of the violation, if it is a continuous violation, then 5 years from the last violation.

OCPA does not provide a private right of action to its consumers.

OCPA compliance checklist

  • Provide a clear and conspicuous privacy notice.
  • Minimize data collection to what is necessary.
  • Limit data processing to what is required for the specific purpose disclosed to the consumer.
  • Provide a convenient opt-out mechanism to consumers.
  • Implement robust security measures.
  • Obtain consent before processing sensitive data.
  • Obtain consent before processing the personal data of a child between 13 to 15 years for targeted advertising, profiling, or sale of personal data.
  • Have an efficient response plan for consumer requests.
  • Recognize global opt-out mechanisms.
  • Do not discriminate against consumers who exercise consumer rights.
  • Have a contractual relationship with processors.
  • Conduct data protection assessments.

CCPA vs OCPA [Infographic]

CCPA vs OCPA [Infographic]

FAQ on Oregon Consumer Privacy Act

Does Oregon have Privacy laws?

Yes. Oregon Consumer Privacy Act (SB619) is the data privacy law of Oregon. It was passed in 2023 and will be enforced from July 2024.

What is the summary of the Oregon Consumer Privacy Act?

OCPA guarantees rights to consumers and imposes obligations upon businesses regarding the handling of personal data. The Attorney General is the enforcement agency, and can impose a penalty of up to $7500 for a single violation.

Should my website recognize global opt-outs under the OCPA?

Yes. businesses are required to recognize global opt-outs under the Oregon Consumer Privacy Act.