The Wave Continues: Oregon Becomes 11th State to Enact Comprehensive Privacy Law

On July 18, 2023, Oregon’s Governor, Tina Kotek, signed Senate Bill 619, enacting the Oregon Consumer Data Privacy Act (the “OCDPA”). Oregon is now the eleventh state to enact a state comprehensive privacy law, and it follows six other states that enacted similar laws in the last three months. For subject businesses (other than 501(c)(3) non-profit organizations), the OCDPA will take effect on July 1, 2024, giving them approximately a year to comply. Then, starting on July 1, 2025, the OCDPA will apply to 501(c)(3) non-profit organizations, giving them more time to comply, likely because non-profits are exempt under most of the other state comprehensive privacy laws (only the Colorado Privacy Act currently applies to non-profit entities). This staggered effective date is just one of the unique aspects of the OCDPA.

Applicability

The OCDPA will apply to persons or entities conducting business in Oregon or providing products or services to residents of Oregon and that, during a calendar year, either:

  1. control or process personal data of at least 100,000 consumers (defined below), other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
     
  2. control or process personal data of at least 25,000 consumers and derive over 25% of their annual gross revenue from the sale of personal data.

The applicability thresholds under the OCDPA are most similar to those under Connecticut’s privacy law. Notably, there is no monetary threshold as part of the applicability requirements under the OCDPA, and the initial threshold encompasses businesses merely providing Oregon residents with products or services (as opposed to targeting such residents with products or services, which is a typical threshold in the other state comprehensive privacy laws).

Additionally, like the other state comprehensive privacy laws, the OCDPA contains exemptions for certain types of entities. However, these exempt entities differ from those contained in such other state laws. For example, all the state comprehensive privacy laws enacted to date, other than the Colorado Privacy Act, wholly exempt non-profit organizations. The OCDPA only exempts non-profit organizations established to detect and prevent fraudulent acts in connection with insurance or that provide programming to radio or television networks. Any other non-profit organization that is tax exempt under 501(c)(3) will be subject to the OCDPA starting on July 1, 2025.

Further, unlike the other comprehensive privacy laws, the OCDPA does not exempt HIPAA covered entities or business associates or financial institutions governed by the Gramm-Leach-Bliley Act (“GLBA”). Rather, the OCDPA exempts protected health information under HIPAA, information that is intermingled with protected health information under HIPAA, and personal data regulated by the GLBA, in addition to other types of exempt information, such as data processed or maintained in the course of employment. Non-exempt entities will need to consider how the exempt information impacts their compliance efforts and what information will remain within the OCDPA’s scope. Ultimately, the broad scope of exempt information may effectively exempt an entity from the scope of the OCDPA.

Key Definitions

Like all of the state comprehensive privacy laws other than California’s, the OCDPA narrowly defines “consumer” to mean an individual who is an Oregon resident acting in any capacity other than in a commercial or employment context. As a result, employee personal information and business contact personal information fall outside the scope of the OCDPA.

With respect to these consumers, the OCDPA regulates their “personal data,” which it defines broadly to include both data and derived data that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household. The OCDPA also regulates a special category of personal data known as “sensitive data,” which it defines as (i) personal data revealing racial or ethnic background, national origin, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status; (ii) personal data collected from a child (i.e., an individual under thirteen); (iii) precise geolocation data; or (iv) genetic or biometric data. The OCDPA’s definitions of “personal data” and “sensitive data” are similar to the definitions used in the other state comprehensive privacy laws, but are a bit broader in scope.

Under the OCDPA, the “sale of personal data” means the exchange of personal data for monetary consideration or other valuable consideration with a third party. This is a broader definition of “sale” in comparison to the definitions used in other states that apply only to exchanges of personal data for monetary consideration. The OCDPA also provides broad exceptions to the definition of “sale” that are similar to exceptions in other state privacy laws and should cover many ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller or to a third party or affiliate for the purpose of providing a product or service requested by a consumer.

Compliance

The compliance obligations found in the OCDPA are substantially similar to those found in the other state comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data for the controller. Further, like the privacy laws in Colorado, Connecticut, Florida, Indiana, Montana, Tennessee, Texas, and Virginia, the OCDPA requires controllers to undertake data protection impact assessments of any processing activities that involve personal data used in targeted advertising, the sale of personal data, processing of sensitive data, or profiling (in certain instances). This is unlike the privacy laws in California, Iowa, and Utah, which currently do not require data protection impact assessments.

Consumer Rights and Requests

Like the other state comprehensive privacy laws, the OCDPA grants rights to consumers regarding their own personal data. Specifically, the OCDPA grants consumers the right to make requests to (1) know and access their personal data; (2) correct inaccuracies in their personal data; (3) delete their personal data; (4) obtain a copy of their personal data; and (5) opt out of the processing of their personal information for targeted advertising, the sale of personal data, or certain types of profiling. These rights align with the rights granted to consumers under the privacy laws in Colorado, Connecticut, Indiana, Montana, Texas, Tennessee, and Virginia.

When a consumer requests to exercise these rights, the OCDPA gives a controller 45 days to respond, which period may be extended once by an additional 45 days when reasonably necessary upon considering the complexity and number of the consumer’s requests. Additionally, the OCDPA requires a controller to provide consumers with an appeals process if it denies a consumer’s request, and a controller has 45 days to respond to an appeal. The privacy laws in California and Utah do not contain a right to appeal.

Enforcement

Like all of the state comprehensive privacy laws (except in limited circumstances under California’s law), the OCDPA does not allow for a private right of action. Rather, the OCDPA grants enforcement exclusively to the Oregon Attorney General, who can seek civil penalties of up to $7,500 for each violation of the law, the same amount under the comprehensive privacy laws in Iowa, Tennessee, Utah, and Virginia. If the Oregon Attorney General determines a violation is curable, then, before the Attorney General can bring an enforcement action, violators will receive an opportunity to cure such violation within 30 days of receiving notice from the Attorney General. However, this right to cure sunsets on January 1, 2026.

Conclusion

The next few years will continue to be important for businesses’ privacy compliance efforts. For most subject businesses, the OCDPA will take effect July 1, 2024, the same year as the recently enacted Montana Consumer Data Privacy Act, Florida Digital Bill of Rights, and Texas Data Privacy and Security Act. Then, in 2025, the Iowa Consumer Data Protection Act and Tennessee Information Protection Act will take effect, followed by the Indiana Consumer Data Protection Act in 2026. The privacy law movement at the state level is moving faster and faster, and more laws may be enacted to take effect in the next few years. As these laws continue to come into play, the benefits of a universal approach to privacy compliance, especially for medium to large businesses, are increasingly important. Impacted businesses should consider integrating compliance for all of the upcoming comprehensive privacy laws into their current privacy compliance plans.

If you would like assistance with, or have any questions about, complying with the OCDPA or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.