Oregon Enacts Consumer Privacy Act with Unique Provisions: Key Insights and Implications

October 11, 2023

Oregon Governor Tina Kotek has recently signed Senate Bill 619, officially known as the Oregon Consumer Privacy Act (OCPA), into law, according to an article by DLA Piper. The legislation is slated to come into effect on July 1, 2024, introducing comprehensive consumer data privacy regulations in Oregon. While sharing similarities with privacy laws in other states such as Connecticut and Colorado, the OCPA includes distinctive features.

The OCPA applies to entities conducting business in Oregon or offering products/services to Oregon residents, with specific criteria based on consumer numbers and revenue percentages. Notably, it also covers nonprofit organizations. Exempted entities range from state government bodies to financial institutions, insurers, and certain noncommercial activities.

Covered data under the OCPA includes “personal data” and “sensitive data,” the latter encompassing information related to a consumer’s background, location, biometric data, and genetic information. Exempted data categories include the content of communications, certain biometric data types, and information processed in compliance with acts like HIPAA and GLBA.

Apart from data directly linkable to an identifiable individual, the definition of “personal data” encompasses “derived data” and data linked to a device that, in turn, can be linked to an individual. Notably, the law’s definition of “sensitive data” includes categories like transgender or non-binary status and victimhood of a crime. The scope of “biometric data” is broad, encompassing information that could enable the unique identification of an individual.

Consumers are granted various privacy rights under the OCPA, including the right to confirm, obtain, correct, and delete personal data, opt out of processing for specific purposes, and appeal denials of these rights. Controllers must adhere to obligations such as providing clear privacy notices, limiting data collection, safeguarding data, and recognizing consumer-enabled opt-out mechanisms.

Although it mirrors the consumer rights in Connecticut and Colorado, the OCPA uniquely grants Oregon residents the right to request a list of specific third parties, not just categories, to which their personal data has been disclosed by the controller.

Enforcement of the OCPA falls under the jurisdiction of the Oregon Attorney General, with fines of up to $7,500 per violation. The law lacks a private right of action. The effective date for most sections is July 1, 2024. Companies are advised to take note of the OCPA’s expansive definitions and ensure compliance with the new regulations. The law’s unique provisions, including the right for residents to obtain a list of specific third parties to whom their data has been disclosed, distinguish it from other state privacy laws.
