In 2023, Oregon enacted the Oregon Consumer Data Privacy Act (“OCDPA”). The OCDPA is similar to other consumer data protection acts that have been enacted in the U.S. In Part One of this series, the Consumer Data Privacy and Compliance Lawyers at Revision Legal discussed many of the obligations imposed by the OCDPA on businesses and individuals that collect, control, and process personal consumer data. In Part Two, we answer some frequently asked questions for consumers.
Q. What rights are granted to consumers by the OCDPA?
A. These consumer data protection statutes are becoming somewhat standardized. Thus, under the OCDPA, consumers are granted rights similar to those granted in other consumer data protection statutes. The OCDPA grants the following rights:
- Right to a privacy notice that is conspicuous, meaningful, and accessible
- Right to access data — that is, to know what data is being held by a data controller
- Right to know if data is being processed
- Right to correct and delete data — even data that has been received from some source other than the consumer; this is a pro-consumer provision since other statutes only mandate deletion of data provided by the consumer (see, for example, Kentucky statute, section 3(2)(b))
- Right to obtain a copy of the personal data
- Right to not be discriminated against or retaliated against for exercising rights under the OCDPA
- Right to an appeal process if the controller of data refuses or fails to take action requested
- Right to notice and to give consent — or to opt out AND to revoke consent — for processing of personal data for (i) targeted advertising, (ii) profiling in furtherance of decisions that produce legal effects, and/or (iii) the selling of the personal data
- Right to notice and to give consent — or to opt out AND to revoke consent — for any processing of sensitive data — data that, for example, identifies the consumer’s race, gender, biometric data, geolocation, etc.
Q. Can I sue a company or person who violates my rights under the OCDPA?
A. No. The OCDPA does not grant a private right of action. Where a violation occurs, consumers must contact the Oregon Attorney General’s Office to file a complaint. The Oregon Attorney General’s Office can then open an investigation. If violations are found, civil fines of $7,500 per violation can be imposed.
Q. Is all my personal data covered?
A. No, only your consumer personal data is covered. Data obtained when you are acting in an employment or commercial capacity can be freely collected, processed, and shared. In addition, there are numerous exceptions for data covered by other statutes, such as federal health laws. There are also a large number of exceptions for entities like government agencies, insurance companies, credit reporting agencies, etc. Such entities are exempt from coverage of the OCDPA.
Q. Is the OCDPA more pro-consumer than similar statutes?
A. In some ways, yes. The OCDPA has a few provisions that could be deemed more “pro-consumer” than what is contained in similar statutes. For example, “consent” under the OCDPA is explicitly forbidden to be any sort of non-action. In other states, a consumer might be deemed to have consented to data processing by failing to click on a button or failing to click “No.” See, for example, the recent Kentucky statute, section 1(6). Under the OCDPA, non-action is not the same as consent. As another example, nonprofit entities are NOT exempt from coverage under the OCDPA. This is a large expansion of consumer data privacy protection since some nonprofits are very large and collect/process a lot of data. As another example, unlike other statutes, the OCDPA will require that controllers accept universal or global privacy settings and choices. These are becoming available through apps, software, and browser settings. Obviously, this will enhance the convenience and effectiveness of consumer choices.
When Does the OCDPA Apply to a Business?
The Oregon Consumer Data Privacy Act applies to any person or entity that conducts business in Oregon or provides products or services to Oregon residents AND either: (1) controls or processes personal data of 100,000 or more consumers during a calendar year; or (2) controls or processes personal data of 25,000 or more consumers and derives 25% or more of annual gross revenue from the sale of personal data. Unlike some other state statutes, Oregon’s threshold includes an explicit revenue-from-sale trigger at the lower 25,000-consumer threshold, making it applicable to data broker businesses that might otherwise fall below larger consumer-count thresholds.
The OCDPA became effective July 1, 2024 for most covered entities. Notably, Oregon included nonprofit organizations within the OCDPA’s scope — a departure from the majority of other state consumer privacy statutes, which typically exempt nonprofits. Large nonprofits such as healthcare systems, universities, charities, and advocacy organizations that collect substantial consumer personal data must evaluate their OCDPA compliance obligations just as for-profit businesses do.
Q. What Happens If a Business Ignores My Request?
A. If a covered business fails to respond to a verifiable consumer request within the required 45-day period, or provides an inadequate response, you should first use the business’s internal appeal mechanism — which the OCDPA requires all covered controllers to establish. If the appeal is denied or ignored, your next step is filing a complaint with the Oregon Attorney General’s Consumer Protection Division at oregonlawhelp.org or by calling 503-229-5576.
The Oregon AG can investigate OCDPA complaints and bring civil enforcement actions. Civil penalties under the OCDPA can reach $7,500 per violation. The AG also has authority to seek injunctive relief requiring the business to cease non-compliant practices. While the OCDPA does not give individual consumers the right to sue directly, the AG’s enforcement authority is meaningful, and documented patterns of non-compliance can lead to substantial penalties, particularly given that each consumer request denied constitutes a separate “violation.”
Q. What Does “Consent” Mean Under the OCDPA?
A. This is one area where Oregon’s statute is notably more protective than most similar laws. Under the OCDPA, “consent” must be a clear, affirmative act that signals a freely given, specific, informed, and unambiguous indication of the consumer’s agreement to the processing of their personal data. Critically, the OCDPA explicitly states that “consent does not include” pre-checked boxes, inactivity, or silence. If a website presents a consent pop-up and you simply ignore it or navigate away without taking action, that is NOT consent under Oregon law.
You also have the right to revoke consent at any time. Upon revocation, the business must stop processing the personal data for which consent was given within a reasonable time. Revocation of consent does not affect the lawfulness of processing that occurred before the revocation. If you believe a business has treated your silence or inaction as consent, you have grounds to file a complaint with the Oregon AG’s office.
Q. How Does the OCDPA Protect Me From Discrimination?
A. The OCDPA prohibits covered businesses from discriminating against you for exercising your consumer rights under the Act. This means a business cannot deny you goods or services, charge you a higher price, provide you with a lower quality of service, or otherwise penalize you simply because you exercised your right to access, correct, delete, or opt out of the processing of your personal data. This anti-discrimination protection is important for consumers who worry that opting out of data sharing will result in worse service or higher prices — the OCDPA makes that retaliation unlawful.
There is a limited exception for loyalty or financial incentive programs where a business offers enhanced benefits in exchange for participation in data collection — but participation in such programs must be voluntary, clearly explained in advance, and the benefits must reasonably relate to the value of the data being shared. If you believe you have been discriminated against for exercising OCDPA rights, document the adverse treatment and file a complaint with the Oregon AG.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.