The Oregon Consumer Privacy Act (OCPA)
The state of Oregon has taken a significant step towards protecting its residents’ online privacy. The Oregon Consumer Privacy Act (OCPA), took effect on July 1, 2024, and is introducing a comprehensive framework for data protection and consumer rights. This landmark legislation positions Oregon at the forefront of the ongoing national dialogue on digital privacy.
Understanding the OCPA:
A New Era for Data Protection
What Is the Oregon Consumer Privacy Act?
The OCPA, signed into law by Governor Tina Kotek in July 2023, represents Oregon’s response to the growing concern over consumer data privacy. This legislation establishes a robust set of rights for Oregon residents and imposes new obligations on businesses that handle personal data.
Key Consumer Rights Under the OCPA
The OCPA empowers Oregon consumers with several crucial rights:
Data Access and Portability:
Consumers can request confirmation of data processing and obtain copies of their personal data.
Correction:
The right to correct inaccuracies in personal data.
Deletion:
Consumers can request the deletion of their personal data.
Opt-Out Rights:
Consumers can opt out of data processing for targeted advertising, sales, or certain profiling activities.
Appeal Process:
Consumers have the right to appeal a business’s decision regarding their data requests.
Who Falls Under the OCPA’s Scope?
The OCPA applies to entities that:
- Conduct business in Oregon or target products/services to Oregon residents
- Control or process personal data of:
- 100,000 or more Oregon consumers annually (excluding payment transaction data), or
- 25,000 or more Oregon consumers while deriving 25% or more of annual gross revenue from selling personal data
Notably, the OCPA does not have a minimum revenue threshold, potentially affecting a broader range of businesses compared to some other state privacy laws.
The 100,000 consumer threshold excludes data processed solely for payment transactions.
Business Obligations Under The OCPA
1. Transparency and Disclosure
Businesses must provide clear, accessible privacy notices detailing:
- Categories of personal data processed
- Purposes for processing
- Consumer rights and how to exercise them
- Categories of third parties with whom data is shared
2. Data Protection and Management
- Data Minimization: Limit data collection to what’s necessary for specified purposes.
- Security Measures: Implement reasonable safeguards to protect personal data. There’s also a requirement for controllers to establish safeguards that comply with Oregon’s ORS 646A.602, which is more prescriptive than other state laws.
- Sensitive Data Handling: Obtain explicit consent for processing sensitive information.
- Children’s Data: Special protections for data belonging to minors under 16. Opt-in consent is required for processing personal data of 13-15 year olds for targeted advertising or sale of personal data.
3. Operational Requirements
- Data Protection Assessments: Conduct assessments for high-risk processing activities.
- Processor Agreements: Establish contracts governing data processing by third parties.
- Opt-Out Mechanisms: Provide clear methods for consumers to opt out of certain data processing. Controllers must recognize universal opt-out methods, including GPC signals, starting January 1, 2026.
Unique Aspects of the OCPA
Non-Profit Inclusion
Unlike many state privacy laws, the OCPA applies to most non-profit organizations, albeit with a delayed compliance date of July 1, 2025.
Some specific types of non-profits are exempt, such as those established to detect and prevent insurance fraud and non-commercial activities of non-profits providing programming to radio or TV networks.
Broad Definition of Sensitive Data
The OCPA’s definition of sensitive data is more expansive than many other state laws, including factors like citizenship status and precise geolocation data.
Third-Party Disclosure Requirements
Controllers must provide detailed information about how third parties may process shared personal data, a requirement more stringent than in many other state laws.
“(e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;”
Enforcement and Penalties
The Oregon Attorney General has exclusive enforcement authority, with the power to impose civil penalties of up to $7,500 per violation.
Cure Period
Until January 1, 2026, businesses will have a 30-day period to cure violations before facing penalties.
Preparing for OCPA Compliance
- Data Audit: Review current data collection and processing practices.
- Privacy Policy Updates: Revise policies to meet OCPA disclosure requirements.
- Consumer Rights Processes: Implement systems to handle consumer data requests.
- Employee Training: Educate staff on new privacy obligations and procedures.
- Third-Party Assessments: Review and update agreements with data processors.
Conclusion
The OCPA represents a significant shift in the privacy landscape for Oregon businesses and consumers alike. As part of a growing trend of state-level privacy legislation, it underscores the increasing importance of data protection in our digital age.
For businesses, compliance with the OCPA may present challenges, but it also offers an opportunity to build trust with consumers through transparent and responsible data practices. As we move closer to the July 2024 implementation date, organizations should prioritize understanding and preparing for these new obligations.
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven SaaS platform for B2B trust where sellers can showcase & improve compliance and buyers can evaluate, manage and monitor them.