Exploring the New Oregon Privacy Law

It’s known for its picturesque forests, its stunning coastlines — and now its new privacy act. Oregon recently joined the ranks of the 14 US states that have enacted crucial data privacy legislation. Passed in July 2023, the Oregon Consumer Privacy Act solidifies consumer data privacy rights and imposes new obligations on data controllers.

In this blog post, we’ll explore the OCPA, examining its implications for individuals and businesses, its timeline for implementation and enforcement, and how it compares to data privacy laws in other states. We’ll also provide suggestions for organizations to enhance their data privacy practices in light of this new legislation.

What are the key elements of the Oregon privacy law?

The Oregon Consumer Privacy Act is one of seven state-level data privacy laws passed in 2023; other states include Iowa, Indiana, Tennessee, Montana, Delaware, and Texas. While the OCPA shares many core features with these laws, the details do vary. Below, we’ll explore the exact requirements of Oregon’s law.

Consumer rights under the OCPA

The Oregon Consumer Privacy Act enshrines new consumer rights into law, offering individuals more control over and insight into how their personal data is processed. These rights include the ability for consumers to:

Confirm whether their data is being processed
Obtain a copy of their data
Correct inaccuracies in their data
Delete their data
Gain a list of the third parties that their personal data has been disclosed to
Opt out of the processing of their data for sale, profiling, or targeted advertising

These rights are generally in keeping with the consumer rights established under most of the other state data privacy laws in the United States. Additionally, like Delaware’s privacy law, Oregon’s allows consumers to designate an “authorized agent,” e.g. a browser setting or privacy software, that can opt out of the processing of their personal data on their behalf.

Covered data under the OCPA

The OCPA does not apply to all types of data. Rather, it only governs personal data, which it defines as certain types of information that are reasonably linkable to a consumer or a household.

The Oregon privacy law also offers special protections for sensitive data, which includes information about a person’s race or ethnic background, religious beliefs, national origin, citizenship or immigration status, sexual orientation, status as transgender or nonbinary, status as victim of a crime, mental or physical diagnosis, precise geolocation data, and genetic and biometric data.

Under the Oregon law, the sensitive data category also includes the personal data of a known child under the age of 13, which must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA).

New business obligations under the OCPA

Luckily, many organizations with existing data privacy programs will find that their programs can be easily adapted to the Oregon privacy law’s requirements. Those business requirements include:

Providing a clear privacy notice that discloses — among other things — the purposes for the processing of personal data, the ways that consumers can exercise their rights and appeal decisions, and the categories of third parties that consumer data will be shared with.
Obtaining clear and informed consumer consent to process sensitive data.
Data minimization, i.e. limiting data processing to only what is essential.
Establishing a way for consumers to exercise their privacy rights.
Conducting data protection assessments (DPAs) before engaging in types of data processing that present a heightened risk of harm.
Responding to consumer requests to exercise their rights within 45 days.

One unique obligation under the OCPA is the requirement that data controllers implement data protection safeguards that comply with Oregon’s ORS 646A.602, the state’s trade regulations. We’ll discuss this data security requirement in more detail below.

Logistics of the Oregon privacy law

The Oregon Consumer Privacy Act, formerly Senate Bill 619, was signed into law by Oregon Governor Tina Kotek in July 2023 with an effective date of July 1, 2024.

Once the OCPA takes effect, it will be enforced by the Oregon Attorney General. When violations are identified, businesses will have a 30-day cure period to address the issue — after which point the attorney general’s office may subject each violation to a civil penalty of up to $7,500. This cure period will only exist through the end of 2025 and will not be granted starting in 2026.

As is the case with most state data protection laws, Oregon’s does not contain a private right of action. This means that individual consumers cannot file lawsuits against organizations for violating their OCPA rights.

Who must comply with the OCPA, and who is exempt?

Like Tennessee, Oregon defines data controllers as entities that determine the purpose and means of processing personal data, while it defines data processors as entities that actually process personal data on behalf of the controller. Based on these definitions, certain organizations that process and/or control data will be subject to the OCPA.

Specifically, Oregon’s privacy law applies to organizations that either conduct business in Oregon or that provide products or services for Oregon residents, and that control or process the personal data of: 1) 100,000+ consumers or 2) 25,000+ consumers, while deriving at least 25% of their annual gross revenue in a calendar year from selling personal data. (Data processing activities for the sole purpose of completing a payment transaction are excluded.)

The OCPA offers a number of exemptions, including:

State government organizations
Financial institutions
Insurers, including third-party insurance administrators
Nonprofits specifically focused on detecting and preventing insurance fraud
Organizations like TV and radio stations that provide information services, as long as the data processing is noncommercial
Protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Health Care Quality Improvement Act
Data subject to the Gramm-Leach-Bliley Act (GLBA)
Data subject to the Fair Credit Reporting Act (FCRA)
Data subject to the Family Educational Rights and Privacy Act (FERPA)
Research conducted in accordance with federal law

These exemptions are largely in keeping with those of other US state-level data protection laws. However, most states exempt all nonprofit organizations, not just those in the insurance fraud sector.

How does the Oregon privacy law compare to other states’ laws?

It’s increasingly challenging to compare and contrast the growing number of state data privacy laws, especially since most share a core emphasis on safeguarding consumer data and requiring transparency in data processing. However, the specifics of exemptions, qualifying thresholds, and penalties vary from state to state. Here are two key comparisons for the Oregon Consumer Privacy Act.

Nonprofit applicability. Many state privacy laws exempt nonprofits from meeting compliance. However, several are more expansive, and Oregon’s law is one. Like the Colorado Privacy Act and the Delaware Personal Data Privacy Act, the OCPA applies to all nonprofits other than those dedicated to detecting or preventing insurance fraud.

Disclosing third-party processing activities. While most state data privacy laws require that businesses disclose the categories of data shared with third parties — as well the categories of third parties — the OCPA takes things a step further. Oregon’s law additionally requires controllers to disclose, at least as much as possible, how those third parties may process a consumer’s personal data.

How to prepare for compliance with the Oregon Consumer Privacy Act

In the absence of a comprehensive privacy law at the national level, preparing for compliance with a patchwork of state-level laws can seem daunting. With 14 data privacy laws now on the books (and more likely to be passed soon), it’s important to prepare now. That’s especially true for Oregon’s privacy law, which goes into effect in just a few months.

Fortunately, there are several steps that organizations can take now to mitigate their data privacy risks and prepare for the OCPA.

Prepare privacy notices. Under the Oregon law, businesses will be required to develop written privacy notices that outline their reasons for processing personal data, the ways that consumers can assert their rights, and more. These privacy notices should include opt-out mechanisms as well as an online contact method like a working email address.

Conduct DPAs. Companies will need to conduct data protection assessments that analyze both the positive and negative impacts of their data processing on all relevant parties. These DPAs should cover the following types of data processing activities: processing sensitive data, processing personal data for the purpose of targeted advertising, processing personal data for certain kinds of profiling, and the sale of personal data.

Employ data minimization techniques. Companies should also implement a data minimization framework in order to reduce the amount of personal information collected, processed, and stored to only what is strictly necessary. By employing data minimization practices, organizations can limit the potential risks associated with handling sensitive data and enhance their overall cybersecurity posture. Taking a proactive approach here will not only ensure compliance with the Oregon privacy law but also foster greater trust and confidence among consumers.

Become familiar with data protection safeguards. Since Oregon’s privacy legislation requires that businesses follow the safeguards established in the ORS 646A.622 trade regulations, gaining familiarity with these rules is crucial. Summed up very briefly, the required safeguards must protect the confidentiality, integrity, and accessibility of consumer personal data. This may require implementing new technologies for ensuring strong data protection.

Consult the experts

Finally, to prepare for compliance with the Oregon Consumer Privacy Act, companies should remember to consult the experts. Law firms that specialize in compliance can be especially helpful for organizations just getting started with state-level data privacy legislation.

It can also be useful to consult data privacy and security experts. With the Oregon privacy law requiring more specific and advanced technical safeguards than some of its counterparts, it’s important to understand exactly what kinds of technologies are best for protecting data.

ShardSecure offers one solution. The ShardSecure platform provides agentless data protection, privacy, and resilience for data stored on-prem, in the cloud, or in hybrid-cloud architectures. Our technology safeguards sensitive data against unauthorized third-party access, including by infrastructure admins and cloud providers, reducing the risk of noncompliance in the event of a cyberattack. As a foundational part of a comprehensive cybersecurity strategy, ShardSecure’s platform enables businesses to protect not only their consumer data but also any other critical data they wish to secure.

Take a look at our resources page or check out our other compliance blog posts to learn more.