Understanding The Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act (OCPA) was signed into law on July 18, 2023. The OCPA goes into effect July 1, 2024, the same day as the Texas law. However, non-profit organizations – which are not exempt under the OCPA – are delayed until July 1, 2025.

Thresholds for covered businesses

The OCPA applies to entities who conduct business in Oregon or who provide products or services to Oregon residents and that during a calendar year:

• Control or process the personal data of 100,000 or more Oregon residents (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or
• Controls or processes the personal data of 25,000 or more consumers while deriving 25% or more of the person’s annual gross revenue from selling personal data.

These thresholds are the same as under the Colorado Privacy Act and, unlike some other state privacy laws, do not include an initial threshold based on an entity’s annual revenue.

Recent Developments that Influenced This Law

Oregon’s OCPA was heavily influenced by other similar laws, including the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA), the Virginia Consumer Data Protection Act (VCDPA), and the Connecticut Data Privacy Act (CTDPA). The OCPA was also influenced by several key initiatives and settlements led by the Oregon DOJ:

• 2022 – Google Settlement: A historic $391.5 million settlement with Google over location tracking practices, reflecting Oregon’s leadership in consumer privacy enforcement.
• 2019 – Oregon Consumer Privacy Task Force: Established to develop comprehensive privacy legislation, the task force introduced key bills enhancing consumer rights and data protection.
• 2017 – Amendment to Include Privacy Terms of Agreement: AG Rosenblum supported updates to Oregon’s Unlawful Trade Practices Act to include the privacy terms consumers agree to prior to downloading an app or other online tools.
• 2015 – The Oregon Student Information Protection Act: More students and educators than ever attend classes through online platforms every day. AG Rosenblum helped pass an act that prohibits online educational sites, services, and applications from compiling, sharing or disclosing student information for any non-educational purpose.

For more details, request a copy of the Oregon OCPA white paper!

What is in this white paper?

• Thresholds For Covered Businesses
• Recent Developments that Influenced This Law
• Consumer Rights
• Expanded Consumer Rights
• The Penalty for Noncompliance
• Exemptions
• Cure Periods
• Response Time Frames
• Maturing your privacy program

Consumer Rights

Similar to other US states, the OCPA provides its residents with rights over their personal information, and imposes specific obligations on businesses (“controllers”) who process consumers’ personal data and those entities who process personal data on behalf of controllers (“processors”):

• Right to Know. Consumers have the right to know whether controllers are processing their data, as well as the categories of data being processed and third parties the data has been disclosed to. Consumers also have a right to obtain a copy of the consumer’s personal data that a controller has or is processing;
• Right to Correction. Consumers have the right to correct inaccuracies in their data;
• Right to Deletion. Consumers will have the right to require a controller to delete their personal data held by a controller;
• Right to Opt Out. Consumers will have the right to opt out of the processing of their personal data for targeted advertising, sale or profiling of the consumer in a way that produces legal effects;
• Right to Data Portability. When consumers exercise their right to obtain a copy of their personal data held by a controller, it must be provided in a portable and usable format; and
• Right to revoke consent. Consumers will have the right to revoke consent previously given to process the consumer’s personal data, which must be honored within 15 days of receiving the request.

The OCPA also contains heightened protections (a requirement that data may not be processed without a consumer’s affirmative “opt in” consent) for “sensitive data”, which includes:

• Personal data revealing racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, gender identity, crime victim status, or citizenship or immigration status;
• Genetic or biometric data; and
• Precise geolocation data.

To learn more about US privacy laws, check out
the Clarip US Privacy Law Tracker

Clarip’s Data Privacy Governance Platform ensures compliance with all consumer privacy regulations, including the “Do Not Sell/Do Not Share My Personal Information” solution. Allow customers to submit, revoke and update granular consent with Clarip’s Universal Consent Management. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.

Email Now:

Mike Mango, VP of Sales
mmango@clarip.com

Related Articles:

Data Privacy and the Future of Digital Marketing
US Privacy Law Tracker
Understanding US Data Privacy Law Fines
Evolution of digital consent and preferences
What Is GPC (Global Privacy Control), And why does it matter?