Following the footsteps of other states like California, Virginia, Indiana, and others, Oregon state passed its comprehensive state privacy law, coming into effect from 1st July 2024. Giving businesses and applicable entities less than a year to comply, the Oregon Consumer Data Privacy Act (OCDPA) aligns with six other state privacy laws enacted in the last three months.

Here's an overview of the law, including its scope, exemptions, rights to consumers, obligations, and enforcing authorities.

Key Definitions

Oregon's state privacy law followed non-California state privacy laws in defining the consumers. OCDPA defines the following terms linked to the law.

Consumer – With a narrow definition, a consumer is the state resident acting in individual capacity and does not include employment and commercial context.

Controller – person/entity/business obtaining or collecting personal data from consumers and determining the purpose and means of processing a consumer's personal data.

Processor – person/entity processing personal data of a consumer on behalf of a controller, based on the contract with the controller.

OCDPA defines controllers and processors like most other state privacy laws in the US.

Personal Data – The law defines personal data in broader terms, including derived data too that can be linked to or reasonably linked to a consumer or a device that identifies consumers in a household.

Sensitive Data – special categories of personal data that can reveal racial and ethnic information, national origin, religious beliefs, health diagnosis, sexual orientation, geolocation data, genetic or biometric data, and personal information collected from a child.

Sale of Personal Data – the law defines it as an exchange of personal data for monetary and other valuable considerations with a third party.

The law follows other state privacy laws in defining personal and sensitive data and the sale of personal data while giving them a broader scope.

Scope

The Oregon State Privacy Law presents a scope similar to Connecticut's privacy law. However, unlike the other state privacy laws, this law doesn't include a monetary threshold for businesses. OCDPA is applicable to entities providing products and services to the state residents when :

• The personal data of at least 100,000 consumers is controlled or processed by entities.

• The personal data of 25,000 consumers is controlled or processed to derive 25 percent of the annual revenue through the sale of personal data.

Exemptions

The law doesn't completely exclude non-profit organizations (which are excluded by all the other state privacy laws except for Colorado) and exempts specific types of non-profits. Non-profit organizations working to detect frauds associated with insurance and those providing programming to radio or television networks have an exemption from OCDPA.

Any non-profit entities with tax exemption under 501 (c) (3) will be subject to the law starting from 1st July 2025. OCDPA also applies to HIPPA-covered entities and businesses governed by the Gramm – Leach – Bliley Act. However, the law exempts health information protected under HIPPA and personal data regulated by GLBA.

The broader scope of exempt information may require non-profit entities to consider their compliance measures and understand the kind of information falling under the law's scope.

Enforcement

Like all the non-California state privacy laws, OCDPA restricts private rights to action. The Oregon Attorney General holds the authority to bring an enforcement action against the entities violating the law. Businesses have 30 days after receiving the violation notice to cure the violations if the Attorney General finds the violations curable. However, this right to cure is only valid until 1st January 2026. The Attorney General can seek a civil penalty of up to $7500 for each violation paired with an injunction or other equitable relief, like Virginia, Iowa, and others.

Consumer Rights

The Oregon state privacy law provides consumers with different rights related to their personal data, like other state privacy laws in the US. As per the law, consumers have the right to:

Access - Know and access their personal information held by any controller. Consumers can also ask for the list of third parties to whom their personal data is disclosed.

Correction – Correct any inaccuracies in their personal data.

Deletion – Delete their personal data (provided by the consumer or collected by the controller from different sources).

Portability – obtain a copy of their personal data held by the controllers in a feasible and readily usable format.

Opt-out – Opt-out of personal data processing used for targeted advertising, sale, or profiling.

OCDPA gives 45 days to the controllers to respond to consumer requests. A 45-day extension is also applicable in case of complex and bulk requests from a consumer. The law also provides the controllers with a right to appeal, and the controller has 45 days to respond to such appeals.

Compliance Obligations

The obligations defined in the Oregon State Privacy Law align with most non-California state privacy laws. Entities subject to this law are required to follow the obligations, including:

Privacy Notices – Provide consumers with clear and accessible privacy notices explaining the purpose of collecting and processing their personal information, like Colorado's privacy law.

Processor Contracts – Controllers and processors should enter written contracts requiring the processor to maintain confidentiality of personal data, adhere to the controller's instructions for processing, and return/ delete the provided data after providing the services.

DPAs – conduct data protection assessments for at least five years for every activity presenting a heightened risk of harm to consumers.

Controllers are also required to restrict the collection and processing of personal data to what is relevant and necessary. They are also required to obtain the consumer's consent before processing their sensitive information and parental consent for processing a child's sensitive data.

Moreover, controllers processing de-identified information must implement reasonable measures to prevent such data from being linked to any individual and respond to browser opt-out signals.

Conclusion

With less than a year for the Oregon State Privacy Law to become operative, businesses must review their privacy compliance programs to meet the new requirements. Though the law aligns with other state privacy laws in the US in most areas, it does include some unique aspects like narrow definitions and exemptions. Applicable entities should work to address the obligations set by the lawmakers and ensure compliance with the latest legislative developments.