
Background Brief: Oregon Consumer Privacy Act

After many years of consumer data privacy advocacy campaigns, including by several senators, Oregon joined the growing list of U.S. states to introduce comprehensive consumer data rights and protections when Oregon Governor Tina Kotek signed into law the Oregon Consumer Privacy Act (OCPA) on July 18, 2023.

Most of its provisions are similar to those introduced in other states in recent years, though Oregon has joined California in not broadly exempting all organizations considered financial institutions under the U.S. federal Gramm-Leach-Bliley Act.

Oregon Privacy Law effective dates

For-profit organizations must comply with OCPA rules by July 1, 2024, while non-profit organizations must comply a year later, on July 1, 2025. All covered entities must also honor consumers’ opt-out preferences signaled via their browsers from January 1, 2026.

Key dates: Oregon Consumer Privacy Act

  • June 2019 – Attorney General Rosenblum forms the Oregon Consumer Privacy Task Force, to address “the growing call for legislation that would give consumers more control over their online privacy and require businesses to adhere to basic standards when handling personal information”. The task force includes more than 150 participants, many from privacy and consumer rights advocacy backgrounds.
  • Mid-2020 – in response to concerns about COVID-19 contact tracing, a subcommittee of the Oregon Consumer Privacy Task Force develops rules about the handling of personal health data during the COVID crisis.
  • April 28, 2021 – Oregon House of Representatives passes a contact tracing privacy bill (HB 3284) to protect personal health data related to COVID-19. The bill does not apply to healthcare providers, the Oregon Health Authority, or public health agencies, which are already covered by separate health information privacy laws.
  • November 14, 2022 – AG Rosenblum announces a $391.5 million consumer privacy settlement with Google over its location tracking practices. The settlement was led by AG Rosenblum and Nebraska AG Doug Peterson and involved Attorneys General from 38 other states.
  • January 9, 2023 – Oregon Senate Bill 619 (titled ‘OCPA’) is introduced for a first reading, followed by public hearings in March.
  • June 20, 2023 – Oregon Senate votes 23-2 to pass the text of the Oregon Consumer Privacy Act, referring it to the House of Representatives for a vote.
  • June 22, 2023 – Oregon House of Representatives votes unanimously (54 in favor) to pass OCPA. “Passage of the bill by such wide margins demonstrates broad bipartisan support for greater privacy protections, and sends the bill to the Governor for signing,” says AG Rosenblum in a media release. “The Oregon Consumer Privacy Act defines personal and biometric data broadly, protects consumer data rights holistically, and holds companies that have access to our data to high standards. This is a huge win for Oregonians and sets a high-water mark for consumer data privacy nationwide.”
  • July 18, 2023 – Oregon Governor Tina Kotek signs the Oregon Consumer Privacy Act into law.
  • July 1, 2024 – for-profit organizations must comply with data privacy rules under OCPA.
  • July 1, 2025 – non-profit organizations must comply with OCPA rules.
  • January 1, 2026 – covered entities must recognize and honor consumers’ opt-out preference signals from their browsers.

Consumer rights under Oregon’s Data Privacy Law

The Oregon Consumer Privacy Act covers any consumer who is “a natural person who resides in this state and acts in any capacity other than in a commercial or employment context”.

The Act gives consumers rights over their personal data, which is defined in Section 1(13)(a) as meaning “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household”.

The definition excludes ‘de-identified data’ which “cannot reasonably be used to infer information about or be linked to a consumer” (or their devices), as well as other data that is legally in the public domain, data lawfully available through government records at all levels, and widely distributed media.

Note: the exclusion for de-identified data also includes anonymized patient information subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Policy for the Protection of Human Subjects.

Consumers in Oregon now have the following personal data privacy and protection rights:

  1. Right of confirmation (right to know): a consumer can obtain confirmation from a controller of whether the controller is processing (or has processed) their personal data, along with the categories of personal data involved. Consumers can also request (“at the controller’s option”) a list of specific third parties, other than natural persons, that have been given the consumer’s personal data or any personal data.
  2. Right to data portability, as part of their right to know. When a consumer requests a copy of all their personal data held by a controller for processing, the controller must give them a copy of their personal data in a “readily usable format that allows the consumer to transmit the personal data to another person without hindrance”.
  3. Right to correct inaccuracies in records of their personal data held by a controller. The text says this requirement must consider the nature of the personal data and the controller’s purpose for processing the data.
  4. Right to delete their personal data held by a controller, including data the controller was given by the consumer or personal data collected from another source and any derived data (records created by collecting and analyzing existing raw data, such as observational data).
  5. Right to opt-out from a controller’s processing of their personal data when the purposes of processing are selling the personal data, or using insights for targeted advertising or profiling. The text frames ‘profiling’ as the processing of data “in furtherance of decisions that produce legal effects or effects of similar significance”.
  6. Right not to have sensitive personal data processed without consent – or where the controller knows the consumer is a child (under 13 years of age). Children under the age of 13 also have their sensitive personal data protected by the Children’s Online Privacy Protection Act of 1998. Older children between 13 and 15 years of age are protected under OCPA – when the controller knows their age – from having their personal data processed for the purposes of targeted advertising, profiling or sale.
    Sensitive data is defined in the OCPA text as personal data that “reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status”. The definition also covers geolocation data that could be used to accurately identify the present or past location of a consumer or their device within a 1,750-foot radius, and genetic or biometric data.
  7. Right not to be discriminated against for exercising OCPA consumer rights. Prohibited discrimination activities listed in the Act include: “denying goods or services, charging different prices or rates for goods or services or providing a different level of quality or selection of goods or services to the consumer”.

Coming in 2026: Opt-out preference signals must be honored

Consumers who want to exercise these rights will mainly need to submit requests to each controller individually, which can be time consuming. Parents and legal guardians can exercise these rights on behalf of their children under the age of 13.

However, from January 1, 2026, the right to opt out will be easier for Oregon consumers, as from that date organizations must recognize and honor opt-out preferences sent via a universal opt-out signal.

The Oregon Consumer Privacy Act rules for opt-out signals state:

  • “A consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data.”
  • “The consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer’s intent to opt out of the processing.”

By the time enforcement of this right begins there may be other methods alongside Global Privacy Control (GPC) for consumers to signal universal opt-out preferences.


Does the Oregon Consumer Privacy Act apply to your organization?

The OCPA applies to any person and organization that:

  • Conducts business in Oregon; or
  • Provides products and/or services to residents of Oregon;

AND

During a calendar year controls or processes the personal data of either:

  • 100,000 or more consumers (excluding data controlled or processed solely for payment transactions); or
  • 25,000 or more consumers if the person or organization derives 25% or more of their annual gross revenue from selling personal data.

Note: Most nonprofit organizations operating in Oregon or serving Oregon’s citizens must comply with OCPA rules after July 1, 2025, if they meet the thresholds above. There are a few exemptions – see below.

Organizations exempt from OCPA provisions

  • Public corporations, including the Oregon Health and Science University and the Oregon State Bar.
  • Some financial institutions – Unlike most other U.S. states that have introduced comprehensive consumer privacy laws – but like California – Oregon has a narrower exemption for financial institutions, which does not cover all organizations considered financial institutions under the U.S. federal Gramm-Leach-Bliley Act. Financial institutions as defined in Oregon Revised Statute 706.008 are exempt, which mainly covers insured financial institutions, ‘extranational’ institutions (banks organized under the laws of a country other than the United States) and most types of credit unions. The exemption also covers their affiliates or subsidiaries directly engaged in financial activities.
  • Insurers and insurance consultants.
  • Nonprofit organizations established to detect and prevent insurance fraud.
  • Non-commercial activity of media organizations – publications in general circulation and FCC-licensed radio and TV stations – and their employees (e.g. editors, publishers, reporters).

Data exempted from OCPA rules

  • Protected health information processed or documented by a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), including information used only for public health activities; and data protected under the Federal Policy for the Protection of Human Subjects.
  • Employment and business relationship information about a person, when the personal information is solely processed or maintained for enabling employment or business relationships, such as employment applications, contracts with a business, receipts of benefits from an employer, business ownership or directorship.
  • Credit reporting data covered by the Fair Credit Reporting Act.
  • Data provided to comply with requests from federal, state or local law enforcement and legal authorities.

Compliance with Oregon Data Privacy Law

The Oregon Consumer Privacy Act requires controllers and processors to meet several shared obligations towards consumers’ personal information, including:

  • Responding within 45 days to consumers’ privacy requests to exercise their rights under OCPA.
  • Protecting consumers’ personal information with appropriate security measures to ensure confidentiality and integrity, and allowing access only by authorized people for acceptable purposes.
  • Conducting and documenting data protection assessments for processing activities that present a heightened risk of harm to a consumer, such as processing sensitive data or selling personal data. Documents of these assessments must be kept for at least five years.

A processor must enter a contract with a controller to follow the controller’s instructions on the processing of personal information and to assist the controller in meeting its OCPA compliance requirements.

Controllers are also required under OCPA to provide a reasonably accessible, clear and easy-to-understand Privacy Notice that describes:

  • Categories of personal information it processes, including sensitive data;
  • Express purposes for which the controller is collecting and processing personal information;
  • Consumers’ privacy rights and how they can exercise those privacy rights, including descriptions of the method/s for submitting requests;
  • The method (via a conspicuous link) by which a consumer can exercise their right to opt out from having their personal data processed for sale, targeted advertising or profiling;
  • The appeal process if the controller refuses to act on a request;
  • All categories of third parties with which the controller shares personal data, with enough detail that a consumer can understand the type of entity for each third party, and how each third party may process personal data.

From July 1, 2026, controllers must also include information in their privacy notices about universal opt-out signal methods, such as a Global Privacy Control signal.

Penalties for non-compliance with OCPA

The Oregon Attorney General has the exclusive authority to enforce OCPA compliance and can serve investigative demands on people and organizations it determines are in violation of the Act.

The AG can begin these investigations for violations up to five years after the date of the last alleged violation.

Controllers served with notices of alleged violations will be allowed a 30-day cure period during the first two years of the Act being in effect (from July 1, 2024, if they are for profit; or July 1, 2025, if they are nonprofit).

Note: The cure period is due to expire on January 1, 2026.

If a controller fails to cure a violation within 30 days, the Attorney General can then bring an action seeking a civil penalty of up to $7,500 per violation.

TrustArc U.S. State data privacy resources

TrustArc is committed to helping organizations understand and manage their compliance obligations for all existing and emerging U.S. state privacy laws.
