
Oregon Consumer Privacy Act: What You Need to Know
The Oregon Consumer Privacy Act (OCPA) is comprehensive privacy legislation designed to protect the personal data of Oregon residents. Effective July 1, 2024, the OCPA aims to give consumers more control over their personal information by establishing clear rights for consumers and clear obligations for businesses that handle such data. Key objectives of the OCPA include enhancing transparency, ensuring data security, and empowering consumers with rights related to their personal data.
The OCPA also provides for some exemptions for certain entities and types of data, such as government agencies, nonprofit organizations, and entities subject to federal privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA).
Who Does the OCPA Apply To?
The OCPA applies to entities that conduct business in Oregon or provide products or services to Oregon residents and meet specific thresholds related to data processing volume or revenue derived from selling personal data.
Controllers and Processors
The OCPA distinguishes between two types of entities:
- Controllers: Entities that determine the purposes and means of processing personal data
- Processors: Entities that process personal data on behalf of controllers
Applicability Thresholds
The OCPA applies to entities that meet either of the following criteria:
- Control or process personal data of 100,000 or more Oregon consumers in a calendar year (excluding data processed solely for payment transactions)
- Control or process personal data of 25,000 or more Oregon consumers while deriving 25% or more of annual gross revenue from selling personal data
Nonprofit organizations have an additional year to achieve compliance, with their obligations taking effect on July 1, 2025.
Who Is Exempt Under the OCPA?
The OCPA does not apply to:
- Public corporations and bodies including the Oregon Health and Science University and the Oregon State Bar.
- Protected health information processed in accordance with HIPAA (Health Insurance Portability and Accountability Act).
- Information used solely for public health activities as described in specific federal regulations.
- Information related to human subjects research that follows certain guidelines and regulations.
- Patient identifying information processed according to specific federal regulations.
- Patient safety work products created to improve patient safety.
- Information and documents created for the Health Care Quality Improvement Act of 1986.
- Financial institutions, their affiliates, and subsidiaries engaged directly in financial activities.
- Information collected, processed, sold, or disclosed under specific federal laws such as the Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, and Airline Deregulation Act.
- Insurers, insurance producers, consultants, and third-party administrators.
- Nonprofit organizations established to detect and prevent insurance fraud.
- Noncommercial activities of media organizations, including newspapers, magazines, radio and television stations, and nonprofit organizations providing programming to radio or television networks.
What are the Business Obligations Under the OCPA?
Businesses subject to the OCPA must comply with several obligations:
Privacy Policy Requirements
Controllers must provide a clear and comprehensive privacy policy that includes:
- Categories of personal data processed
- Purposes for processing personal data
- How consumers can exercise their rights
- Categories of personal data shared with third parties
- Categories of third parties with whom personal data is being shared
Data Minimization and Purpose Limitation
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the specified purposes of processing.
Transparency
Controllers must be transparent about their data processing activities and provide clear information to consumers about how their personal data is used.
Non-Discrimination
Controllers are prohibited from discriminating against consumers for exercising their rights under the OCPA.
Data Security
Controllers must implement and maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal data.
What Can Controllers and Processors Do?
The OCPA permits controllers and processors of personal data to:
- Comply with all relevant federal, state, or local laws, rules, or regulations.
- Address inquiries, investigations, subpoenas, or summonses from governmental bodies related to civil, criminal, or administrative matters.
- Cooperate with a law enforcement agency regarding conduct or activity that the controller reasonably and in good faith believes may violate laws or regulations.
- Investigate, establish, initiate, or defend against legal claims.
- Address security incidents, fraud, and other malicious activities.
- Identify and repair technical errors in information systems that affect their functionality.
- Deliver products or services specifically requested by the consumer or, in the case of a child, requested by their parent or guardian.
- Negotiate or perform contractual agreements with consumers, including fulfilling the terms of any written warranties.
- Take actions to protect the health and safety of individuals.
- Implement procedures for recalling products when necessary.
- Conduct internal research to develop, improve, or repair products, services, or technology.
- Conduct internal operations in a way that meets consumer expectations. This includes actions that consumers can reasonably expect based on their relationship with the business, or that are necessary for providing requested products or services or fulfilling contractual obligations.
- Assist another controller or processor with any of the above activities.
What Rights Do Consumers Have Under the OCPA?
The OCPA grants Oregon consumers several rights regarding their personal data:
- Right to Access: Consumers can request confirmation of whether a controller is processing their data and obtain a copy of their data.
- Right to Correction: Consumers can request the correction of inaccurate personal data.
- Right to Deletion: Consumers can request the deletion of their data.
- Right to Data Portability: Consumers can obtain a copy of their data in a format that allows easy transfer to another entity.
- Right to Opt-Out: Consumers can opt out of processing their personal data for purposes such as targeted advertising, sale of personal data, and certain types of profiling.
Consumers can submit a verifiable request to a controller to exercise these rights. Controllers must respond to such requests within 45 days, with the possibility of a further 45-day extension if reasonably necessary.
What are the Potential Penalties for Non-Compliance?
The Oregon Attorney General has exclusive authority to enforce the OCPA. While the law does not provide for a private right of action, non-compliant businesses may face:
- Investigations by the Attorney General’s office
- Potential civil penalties of up to $7,500 per violation
- Reputational damage and loss of consumer trust
Initially, the OCPA includes a 30-day cure period for violations; this provision will expire on January 1, 2026.
How Can Businesses Achieve OCPA Compliance?
To comply with the OCPA, businesses should consider the following steps:
- Conduct a Data Inventory: Identify and categorize the personal data your organization collects, processes, and shares.
- Perform a Risk Assessment: Evaluate your data processing activities and identify potential privacy risks.
- Update Privacy Policies: Revise your privacy policy to include all required information under the OCPA.
- Implement Consumer Rights Processes: Establish procedures for receiving and responding to consumer rights requests.
- Review and Update Data Security Measures: Ensure your organization has appropriate safeguards to protect personal data.
- Train Employees: Educate your staff on OCPA requirements and your organization’s compliance procedures.
- Monitor Compliance: Regularly assess and update your privacy practices to maintain ongoing compliance.
- Deploy a Consent Management Platform: Implement a system to manage consumer consent preferences effectively and ensure compliance with consent requirements under the OCPA.
At PrivacyPillar, we ensure that organizations collect and manage user consent effectively, enhancing transparency, trust, and compliance with regulations. Our Consent Management Platform offers a transparent and user-friendly consent experience, allowing customers to understand and control how their data is processed and to customize consent options based on specific data processing activities.