Oregon enacts latest comprehensive consumer data privacy law

Oregon Governor Tina Kotek has signed into law Senate Bill 619, also known as the Oregon Consumer Privacy Act (OCPA). The law’s main provisions are set to take effect on July 1, 2024.

While similar to the comprehensive consumer data privacy laws enacted in such states as Connecticut and Colorado, the OCPA also contains several unique provisions. Among other things, it applies to nonprofits and includes expansive definitions of covered data, a narrower than usual carveout for HIPAA, and a right for Oregon residents to obtain a list of specific third parties to whom controllers disclosed their personal data.

Covered entities

The OCPA applies to any entity that conducts business in Oregon or that provides products or services to Oregon residents, and controls or processes the personal data of:

• At least 100,000 consumers, except for purposes of completing a payment transaction or
  
  
• At least 25,000 consumers, while deriving at least 25 percent of its annual gross revenue from selling the personal data.

Like the Colorado Privacy Act, the OCPA also applies to nonprofit organizations.

Exempted entities

The OCPA does not apply to:

• State government bodies
  
  
• Activities related to evaluating a consumer's creditworthiness or personal information conducted in accordance with the provisions of the Fair Credit Reporting Act (FCRA)
  
  
• Financial institutions or their affiliates
  
  
• Insurers (ie, producers, consultants, or third-party administrators)
  
  
• Nonprofit organizations focused on detecting and preventing insurance fraud
  
  
• Noncommercial activities of individuals connected to newspapers, magazines, or general circulation publications and
  
  
• Noncommercial activities of entities that provide information services (eg, radio or television stations, or nonprofits that provide programming to radio or television networks).

Covered data

The OCPA applies to “personal data,” which includes “derived data” or any unique identifier that is reasonably linkable to a consumer or to a device that identifies one or more consumers in a household.

The law also applies heightened protections to “sensitive data,” which includes:

• The personal data of a child (“an individual under the age of 13”)
  
  
• Information about a consumer’s (1) racial or ethnic background, (2) national origin, (3) religious beliefs, (4) mental or physical condition, (5) sexual orientation, (6) transgender or nonbinary status, (7) status as a victim of a crime, or (8) citizenship or immigration status
  
  
• Information that accurately identifies a consumer’s current or past location within a radius of 1,750 feet, or the location of a device connected to that consumer using technology like a GPS system
  
  
• A consumer’s “biometric data,” including information generated by automatic measurements of biological characteristics, such as fingerprints, voiceprints, retinal patterns, iris patterns, or gait that may allow or confirm the unique identification of the consumer and
  
  
• A consumer’s genetic information.

Exempted data

The OCPA’s definition of “sensitive data” excludes the content of communications or any information related to utility metering systems.

In addition, the law’s definition of “biometric data” excludes:

• Photographs, audio recordings, and video recordings – as well as data from such photographs or recordings, unless generated for the purpose of identifying a specific consumer and
  
  
• Facial mapping or facial geometry, unless generated for the purpose of identifying a specific consumer.

The OCPA also does not apply to:

• Protected health information processed in compliance with the Health Insurance Portability and Accountability Act (HIPAA)
  
  
• Information collected, processed, sold, or disclosed in accordance with the Gramm-Leach-Bliley Act (GLBA)
  
  
• Information collected, processed, sold, or disclosed in accordance with the Family Educational Rights and Privacy Act (FERPA)
  
  
• Information related to activities subject to federal regulations for the protection of human subjects
  
  
• Research conducted in accordance with applicable federal law and good clinical practice guidelines
  
  
• Patient identifying information and patient safety work product collected and processed in accordance with federal regulations regarding the confidentiality of patient substance use disorder records
  
  
• Information and documents created for the purposes of the Health Care Quality Improvement Act and
  
  
• Information that is indistinguishable from the above types of information if it is handled by covered entities or business associates.

Consumer rights

The OCPA provides consumers with the following privacy rights:

• To confirm whether and what categories of their personal data has been processed
  
  
• To obtain a copy of all of their personal data
  
  
• To correct inaccuracies in their personal data
  
  
• To delete their personal data – including both information the controller obtained from another source as well as “derived data”
  
  
• To opt out from a controller’s processing of the consumer’s personal data for (1) targeted advertising, (2) selling the personal data, or (3) profiling the consumer
  
  
• To revoke consent provided to a controller for processing their personal data
  
  
• Not to be discriminated against for exercising a consumer privacy right and
  
  
• To appeal the controller’s denial of a request to exercise one of the above rights.

In addition, like the recently enacted consumer health data privacy laws in Washington and Nevada (the My Health My Data Act and SB 370), the OCPA also allows consumers to obtain a list of the “specific third parties” – persons other than a consumer, controller, processor, or affiliates of a controller or processor – to whom a controller discloses their personal data.

Controller and processor obligations

Consistent with other comprehensive state consumer data privacy laws, the OCPA requires a controller to:

• Provide a reasonably accessible, clear, and meaningful privacy notice
  
  
• Limit collection of personal data to what is adequate, relevant and reasonably necessary to serve the purposes specified in the privacy notice (unless it obtains the consumer’s consent)
  
  
• Establish, implement and maintain safeguards to protect the confidentiality, integrity and accessibility of personal data
  
  
• Provide an effective means for consumers to revoke consent to the processing of their personal data and
  
  
• Recognize consumer-enabled universal opt-out mechanisms, starting January 1, 2026.

The law further prohibits controllers from:

• Processing sensitive data about a consumer without first obtaining the consumer’s consent – or, if they know the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act (COPPA) and
  
  
• Processing a consumer’s personal data for purposes of (1) targeted advertising, (2) profiling the consumer, or (3) selling such data without the consumer’s consent if they know or should know that the consumer is between 13 and 15 years of age.

As with other state comprehensive privacy laws, processors must enter into contracts with controllers in order to process personal data on their behalf. And, as has become increasingly common (although not universal) in such laws, controllers are required to conduct data protection assessments for processing activities that present a heightened risk of harm to consumers.

Enforcement and effective date

The Oregon Attorney General (OAG) has sole authority to enforce OCPA. There is no private right of action. Before initiating an enforcement proceeding, the OAG must provide 30 days’ written notice and an opportunity to cure. If an enforcement action follows, each violation of the OCPA is subject to a fine of up to $7,500.

Most sections of the law are set to become effective July 1, 2024.

Key takeaways

• As the OCPA shares significant similarities with Virginia’s and Colorado’s data privacy laws, many privacy programs will find incorporating OCPA’s requirements to be a relatively easy lift.
  
  
• Nevertheless, companies should be mindful of the OCPA’s expansive definitions. In addition to data linkable to an identifiable individual, “personal data” includes “derived data” as well as data linkable to a device that itself is linkable to an individual. Further, the law’s definition of “sensitive data” includes status as transgender or non-binary, and status as the victim of a crime. “Biometric data,” moreover, includes information that may allow the unique identification of an individual, not just data collected or used for the purpose of such identification.
  
  
• While it largely tracks the consumer rights afforded in Connecticut and Colorado, the OCPA also grants Oregon residents the right to obtain, at the controller’s option, a list of specific third parties (as opposed to categories of third parties) to which the controller has disclosed the consumer’s personal data or any personal data.

For more information, please contact the authors or your DLA Piper relationship attorney.