Add Oregon to the list of states passing consumer privacy laws this year. On June 22, 2023, the Oregon House of Representatives passed SB 619, the proposed Oregon Consumer Privacy Act (OCPA), following the Senate’s passage on June 20. Assuming Governor Tina Kotek signs the bill into law, as is expected, the OCPA is set to become effective on July 1, 2024. We have updated our state privacy map to reflect this latest development.
Below we provide an overview of some of the key aspects of this potential new consumer privacy law in Oregon.
WHAT BUSINESSES ARE SUBJECT TO THE OCPA?
Modeled off the Connecticut and Virginia templates, the OCPA applies to any person that conducts business in Oregon or provides products/services to Oregon residents, and:
Control or process personal data of 100,000 or more Oregon consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
Control or process personal data of 25,000 or more Oregon consumers and derive over 25% of gross revenue from the sale of that data.
WHO IS A “CONSUMER”?
A “consumer” is a natural person who is a resident of Oregon acting in any capacity other than in a commercial or employment context. Like most other state privacy laws, this means that employees and business-to-business contacts are expressly excluded from the definition of “consumer.”
WHAT IS “PERSONAL DATA”?
“Personal data” is any “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” The term excludes deidentified data and publicly available information or, if not truly publicly available, information the controller reasonably understood to have been lawfully made available to the public by a consumer.
The OCPA does not define what “derived data” means. However, a plain reading of derived data would mean any data extrapolated from derived data and that remains linked or reasonably linkable to one or more consumers or households.
WHO CAN ENFORCE?
The Oregon Attorney General has exclusive enforcement authority. There is no private right of action. Before initiating any enforcement proceeding, the attorney general must give 30 days’ written notice and an opportunity to cure. If an enforcement action follows, violations of the OCPA are subject to fines of up to $7,500 per violation. The OCPA contains a five-year state of limitations.
Of interest for businesses, the OCPA allows a defendant to recover attorneys’ fees where the attorney general “had no objectively reasonable basis for asserting” the claim or appealing an adverse decision.
WHO IS EXEMPT?
Many of the data and entity-level exemptions under OCPA mirror other state consumer privacy laws. For example, personal information covered by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act, and a litany of other federal laws is exempt.
The OCPA also exempts public corporations and governmental bodies, insurers (including insurance producers and consultants as defined by Oregon law), as well as noncommercial activities performed by a publisher, editor, reporter, or similar role in journalism and a radio or TV station licensed by the Federal Communications Commission (FCC).
The OCPA only applies to nonprofits to the extent that the nonprofit is (i) an organization established to detect and prevent fraudulent acts in connection with insurance or (ii) providing programming to radio or TV networks. Under these circumstances, the nonprofit’s noncommercial activity is excluded.
The OCPA also exempts the use of personal data for certain specific purposes, such as compliance with the law, preventing fraud or injury to others and defending legal claims (just as in various other state consumer privacy laws).
WHAT OBLIGATIONS ARE IMPOSED?
The OCPA imposes what have become “standard” obligations on data controllers under state consumer privacy laws, with a few twists. Specifically, controllers must:
Limit the processing of personal data to that which is reasonably adequate, relevant and necessary for the purposes of the processing as disclosed to the consumer;
Take steps to implement reasonable safeguards to protect the personal data within their control;
The OCPA specifically requires controllers to comply with the safeguards described in ORS 646A.602, which makes the OCPA more proscriptive than other state consumer privacy laws.
Provide an effective means for consumers to revoke consent. If the consumer revokes consent, the controller shall cease processing within 15 days;
Refrain from discriminating against consumers for exercising their rights, and refrain from processing personal data in violation of federal laws that prohibit discrimination;
Obtain freely given, specific, informed and unambiguous consent prior to processing sensitive data;
Obtain freely given, specific, informed and unambiguous consent prior to processing personal data for the purposes of targeted advertising, profiling (where profiling is being used to produce a legal or similarly significant effect) or selling the personal data of an individual the controller either (i) knows is at least 13 years old but not older than 15 years old or (ii) the controller has willfully disregarded whether the individual is between 13-15 years old;
Provide a privacy notice that is reasonably accessible, clear and meaningful; and
Notably, such privacy policies must identify the controller, including other business name(s) under which the controller registered with the Secretary of State and any assumed business name(s) that the controller uses” in Oregon.
Ensure that contracts control relationships with their processors (the law itself includes the minimum necessary provisions of these contracts) and that processors are adhering to the OCPA.
WHAT CONSUMER RIGHTS ARE CREATED BY THE OCPA?
Controllers must provide the following rights to Oregon consumers:
Access rights, including a right to confirm if the controller is processing their data at all and a right to obtain, at the controller’s option, a list of specific parties, other than natural persons, to which the controller disclosed personal data;
Correction rights, considering the nature of the personal data and the purposes for processing the personal data;
Deletion rights, with respect to the data provided by or about the consumer, including from “derived data” (a term not yet defined in OCPA);
Opt-out rights related to the sale of personal data, targeted advertising and profiling, where profiling is being used to produce a legal or similarly significant effect;
Appeal rights; and
Data portability rights.
Under the OCPA, the definition of “sensitive data” is broader than in other state consumer privacy laws due to the inclusion of an individual’s status as a victim of a crime, or transgender or nonbinary status. In full, “sensitive data” in the OCPA includes the following:
Racial or ethnic origin;
Mental or physical condition or diagnosis;
Status as transgender or nonbinary;
Status as a victim of a crime;
Citizenship or immigration status;
Personal data about a child (under the age of 13);
Genetic or biometric data; and
Precise geolocation, past or present (location within a radius of 1,750 feet).
Under the OCPA, controllers may not process sensitive data without first obtaining the consumer’s freely given, specific, informed and unambiguous consent or, in the case of a child, complying with the Children’s Online Privacy Protection Act.
RESPONSE TO CONSUMER INQUIRIES
Controllers must respond to a consumer personal data request within 45 days of receipt of the request, with a 45-day extension available. If a consumer appeals a controller’s decision to deny the consumer’s request, the appeal response must be delivered within 45 days of the controller receiving the appeal. Similar to the new Texas law, if the appeal is denied, controllers must provide the consumer with a method for contacting the attorney general.
DATA PROTECTION ASSESSMENTS
The OCPA requires controllers to document data protection assessments before engaging in processing activities that present a heightened risk of harm to a consumer. These processing activities include:
Processing for targeted marketing;
Sale of personal data;
Processing of personal data for profiling if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, and unlawful disparate impact on consumers, as well as financial, reputational or physical harms, physical or other types of intrusion upon a consumer’s solitude, seclusion of private affairs or concerns (assuming intrusion is offensive to a reasonable person), or other substantial injury to consumers;
Processing sensitive data; and
A catch-all category of “any processing activities involving personal data that present a heightened risk of harm to consumers.”
As with other state consumer privacy laws, these impact assessments must analyze the benefits of the processing to the company, consumer and public, while weighing the harms and potential mitigants. The OCPA allows for the use of impact assessments done under other state laws to count towards its own requirement, and it does not require retroactive impact assessments for processing activities occurring prior to the effective date of the law.
WHEN DOES THE OCPA TAKE EFFECT?
The OCPA comes into effect on July 1, 2024.
Creating a successful, effective, and comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal data subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.
If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David Saunders or Allison M. Tassel.
Check out our additional coverage on new state consumer privacy laws: