In mid-summer 2023, Oregon joined the list of U.S. states that have enacted consumer data protection statutes. The Oregon version is called the Oregon Consumer Data Privacy Act (“OCDPA”). The OCDPA is similar to every other consumer data protection act that has been enacted in the U.S.
The basic framework identifies “controllers” and “processors” of consumer data and requires them to provide notices to consumers and, under some circumstances, to obtain consent from consumers for the processing of their personal data. Consumers are given certain “rights” vis-a-vis the controllers — such as the right to know what data is possessed by the controller. Enforcement powers are given to the Oregon Attorney General’s Office and punishments are in line with punishments set forth in similar statutes — a $7,500 civil fine per violation.
Like the most recent versions of these statutes, the OCDPA is narrow in scope, covering consumer data and specifically excluding data collected and processed when a person is acting in an employment or commercial capacity. Further, there are dozens of excluded types of organizations — such as government entities, insurance companies, and more — and dozens of excluded types of data. One significant difference between the OCDPA and other data protection statutes is that the OCDPA does NOT exempt nonprofit organizations from coverage. It seems that the OCDPA is the first consumer privacy statute to apply to nonprofit entities. Presumably, consumer privacy advocates are pleased with this development and will push for the trend to continue.
Which businesses are covered by the OCDPA?
As with similar statutes, the OCDPA has certain thresholds so that coverage applies to large businesses that collect and process consumer personal data. The OCDPA applies to businesses (or persons) that:
- Conduct business in Oregon OR provide products/services to residents of Oregon AND
- that control or process personal data of at least 100,000 Oregon consumers OR
- that control or process personal data of at least 25,000 Oregon consumers and derive over twenty-five percent (25%) of their annual gross revenue from the sale of personal data
Note that this definition excludes data that is “controlled or processed solely for the purpose of completing a payment transaction.” Note also that the OCDPA specifically applies to businesses/persons providing goods and services to Oregon consumers. Other data protection statutes use the word “target” instead of “provide.” See, for example, the recent Kentucky statute, section 2(1).
What obligations are imposed by the OCDPA?
The OCDPA imposes many of the same obligations that are imposed by similar statutes. There are, however, some nuances. For example, all of these statutes require controllers to identify the business purpose or purposes for which the data is being collected. However, the OCDPA adds the word “express.” Thus, under the OCDPA, a business must disclose the “express purpose” for which data is being collected (emphasis added). The OCDPA imposes the following obligations:
- Provide a privacy notice that is “reasonably accessible, clear and meaningful”
- Limit collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes specified
- Obtain consumer consent before processing sensitive data about a consumer
- Obtain consumer consent before processing personal data for the purposes of (i) targeted advertising, (ii) profiling the consumer in furtherance of decisions that produce legal effects, or (iii) selling the consumer’s personal data
- Provide an easy and accessible online means for consumers to revoke consent
- Provide an easy online method for consumers to exercise their rights under the OCDPA including an appeal process
- Honor a consumer’s global or universal opt-out choices made through apps or software (effective in 2025)
- Provide consumers with an easily located online email address or another method of contact
- Use written contracts with processors and third parties; those contracts must include provisions and safeguards obligating the contracting parties to comply with the OCDPA and to assist the controller in complying with the OCDPA
- Conduct and document data protection assessments when certain data is processed for certain purposes
- For deidentified data, take reasonable measures to ensure that such data cannot be associated with an individual, contractually obligate any recipients of deidentified data to comply with the OCDPA, and “publicly commit” not to re-identify deidentified data
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.