In 2023, Oregon enacted the Oregon Consumer Data Privacy Act (“OCDPA”). The OCDPA is similar to other consumer data protection acts that have been enacted in the U.S. In Part One of this series, the Consumer Data Privacy and Compliance Lawyers at Revision Legal discussed many of the obligations imposed by the OCDPA on businesses and individuals that collect, control, and process personal consumer data. In Part Two, we answer some frequently asked questions for consumers.

Q. What rights are granted to consumers by the OCDPA?

These consumer data protection statutes are becoming somewhat standardized. Thus, under the OCDPA, consumers are granted rights similar to those granted in other consumer data protection statutes. The OCDPA grants the following rights:

• Right to a privacy notice that is conspicuous, meaningful, and assessable
• Right to access data — that is, to know what data is being held by a data controller
• Right to know if data is being processed
• Right to correct and delete data — even data that has been received from some source other than the consumer; this is a pro-consumer provision since other statutes only mandate deletion of data provided by the consumer (see, for example, Kentucky statute, section 3(2)(b)
• Right to obtain a copy of the personal data
• Right to not be discriminated against or retaliated against for exercising rights under the OCDPA
• Right to an appeal process if the controller of data refuses or fails to take action requested
• Right to notice and to give consent — or to opt-out AND to revoke consent — for processing of personal data for (i) targeted advertising, (ii) profiling in furtherance of decisions that produce legal effects, and/or (iii) the selling of the personal data
• Right to notice and to give consent — or to opt out AND to revoke consent — for any processing of sensitive data — data that, for example, identifies the consumer’s race, gender, biometric data, geolocation, etc.

Q. Can I sue a company or person who violates my rights under the OCDPA?

A. No. The OCDPA does not grant a private right of action. Where a violation occurs, consumers must contact the Oregon Attorney General’s Office to file a complaint. The Oregon Attorney General’s Office can then open an investigation. If violations are found, civil fines can be imposed of $7,500 per violation.

Q. Is all my personal data covered?

A. No, only your consumer personal data is covered. Data obtained when you are acting in an employment or commercial capacity can be freely collected, processed, and shared. In addition, there are numerous exceptions for data covered by other statutes, such as federal health laws. There are also a large number of exceptions for entities like government agencies, insurance companies, credit reporting agencies, etc. Such entities are exempt from coverage of the OCDPA.

Q. Is the OCDPA more pro-consumer than similar statutes?

A. In some way, yes, the OCDPA has a few provisions that could be deemed more “pro-consumer” than what is contained in similar statutes. For example, “consent” under the OCDPA is explicitly forbidden to be any sort of non-action. In other states, a consumer might be deemed to have consented to data processing by failing to click on a button or failing to click “No.”  See, for example, the recent Kentucky statute, section 1(6). Under the OCDPA, non-action is not the same as consent. As another example, nonprofit entities are NOT exempt from coverage under the OCDPA. This is a large expansion of consumer data privacy protection since some nonprofits are very large and collect/process a lot of data. As another example, unlike other statutes, the OCDPA will require that controllers accept universal or global privacy settings and choices. These are becoming available through apps, software, and browser settings. Obviously, this will enhance the convenience and effectiveness of consumer choices.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.