Scope, applicability, and key definitions

Who does the OCPA apply to?

The OCPA applies to any person that conducts business in the State of Oregon or provides products or services to residents of Oregon, and who, during a calendar year, controls or processes:

• the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
• the personal data of 25,000 or more consumers, while deriving 25% or more of the person's annual gross revenue from selling personal data.

Are certain data exempted from the application of the OCPA?

The OCPA provides exemptions to certain organizations and data as indicated below:

• public corporations or bodies;
• protected health information that a covered entity, or business associate, processes in accordance with, or documents that a covered entity, or business associate, creates for the purpose of complying with, the Health Insurance Portability and Accountability Act (HIPAA) and its regulations;
• information that identifies a consumer in connection with certain research activities;
• patients' information under certain circumstances;
• information processed or maintained solely in connection with, and for the purpose of enabling:
  • an individual's employment or application for employment;
  • an individual's ownership of, or function as a director or officer of, a business entity;
  • an individual's contractual relationship with a business entity;
  • an individual's receipt of benefits from an employer, including benefits for the individual's dependents or beneficiaries; or
  • notice of an emergency to persons that an individual specifies;
• any activity that involves collecting, maintaining, disclosing, selling, communicating, or using information for the purpose of evaluating a consumer's creditworthiness and credit status, if done strictly in accordance with the provisions of the Fair Credit Reporting Act (FCRA);
• consumer reporting agencies and persons that provide information to them;
• information collected, processed, sold, or disclosed under, and in accordance with, certain federal laws, including the Gramm-Leach-Bliley Act (GLBA);
• financial institutions, insurers, insurance producers, and insurance consultants in certain circumstances;
• non-profit organizations established to detect and prevent fraudulent acts in connection with insurance;
• non-profit organizations that provide programming to radio or television networks; and
• non-commercial activities of certain actors in the editorial and media sectors.

How does the OCPA define 'consumer'?

The OCPA defines a 'consumer' as a natural person who resides in Oregon and acts in any capacity other than in a commercial or employment context.

How does the OCPA define 'consent'?

'Consent,' under the OCPA, is defined as an affirmative act by means of which consumers clearly and conspicuously communicate their freely given, specific, informed, and unambiguous assent to another person's act or practice under the following conditions:

• the user interface by means of which the consumer performs the act does not have any mechanism that has the purpose or substantial effect of obtaining consent by obscuring, subverting, or impairing the consumer's autonomy, decision-making, or choice; and
• the consumer's inaction does not constitute consent.

How does the OCPA define a 'controller'?

A 'controller,' under the OCPA, means a person who, alone or jointly with another person, determines the purposes and means for processing personal data.

How does the OCPA define a 'processor'?

A person that processes personal data on behalf of a controller is known as the 'processor' under the OCPA.

How does the OCPA define 'personal data'?

'Personal data,' under the OCPA, means data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household.

However, the term does not include de-identified data or data that:

• is lawfully available through federal, state, or local government records or widely distributed media; or
• a controller reasonably has understood to have been lawfully made available to the public by a consumer.

How does the OCPA define 'sensitive data'?

The OCPA provides a comprehensive definition of 'sensitive data' to mean personal data that:

• reveals a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime, or citizenship or immigration status;
• is a child's personal data;
• accurately identifies within a radius of 1,750 feet a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or
• is genetic or biometric data.

However, sensitive data does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

How does the OCPA define 'processing'?

The OCPA defines 'process' or 'processing' as an action, operation, or set of actions or operations that are performed, automatically or otherwise, on personal data or on sets of personal data, such as collecting, using, storing, disclosing, analyzing, deleting, or modifying the personal data.

How does the OCPA define 'sale' of personal data?

'Sale' or 'sell' under the OCPA means the exchange of personal data for monetary or other valuable consideration by the controller with a third party. But the sale of personal data does not include:

• a disclosure of personal data to a processor;
• a disclosure of personal data to an affiliate of a controller or to a third party for the purpose of enabling the controller to provide a product or service to a consumer that requested the product or service;
• a disclosure or transfer of personal data from a controller to a third party as part of a proposed or completed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets, including the personal data; or
• a disclosure of personal data that occurs because a consumer:
  • directs a controller to disclose the personal data;
  • intentionally discloses personal data in the course of directing a controller to interact with a third party; or
  • intentionally discloses personal data to the public by means of mass media, if the disclosure is not restricted to a specific audience.

Key provisions and requirements

Does the OCPA provide for consumer rights?

The OCPA provides for consumer rights as well as lays down the procedure for the exercise of these rights. These rights include the right to:

• confirm whether or not the controller is processing or has processed the consumer's personal data, the categories of personal data processed;
• obtain from a controller, at the controller's option, a list of specific third parties, other than natural persons, to which the controller has disclosed the consumer's personal data or any personal data;
• delete and correct inaccuracies in their personal data;
• obtain a copy of their personal data, in a portable and, to the extent technically feasible, in a readily usable format that allows the data to be transmitted to another person; and
• opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects or effects of similar significance.

Importantly, the controller is not required to disclose any trade secrets when complying with consumer rights requests.

Are there obligations in relation to sensitive data?

In terms of processing sensitive data, the controllers are required to:

• obtain the data subject's consent prior to the processing;
• provide consumers with an accessible and clear privacy notice that lists the categories of any sensitive data processed by the controller and the categories of sensitive data the controller shares with third parties; and
• conduct and document a Data Protection Impact Assessment (DPIA) for processing activities involving sensitive data; and
• process the sensitive data of a consumer who is known to be a child in accordance with the Children's Online Privacy Protection Act of 1998 (COPPA), if the child is below the age of 13 years.

What are the main obligations for data controllers?

Under the OCPA, the controller has various obligations including:

• maintaining a reasonably accessible, clear, and meaningful privacy notice that specifies, among other things, the express purposes for which the controller is collecting and processing personal data;
• limit the collection of personal data to only the personal data that is adequate, relevant, and reasonably necessary to serve the purpose;
• establish, implement, and maintain safeguards to protect the confidentiality, integrity, and accessibility of the personal data;
• provide an effective means by which a consumer may revoke their consent to the processing of their personal data and the means for revoking the consent must be at least as easy as how the consumer provided consent;
• once the consumer revokes consent, cease processing the personal data as soon practicable, but not later than 15 days after receiving the revocation; and
• conduct DPIA for processing activity that presents a 'heightened risk of harm' to a consumer.

Additionally, even though de-identified data is excluded from the definition of personal data, controllers must, among other things:

• take reasonable measures to ensure that the de-identified data cannot be associated with an individual;
• publicly commit to maintaining and using de-identified data without attempting to reidentify the deidentified data;
• enter into a contract with a recipient of the de-identified data and provide in the contract that the recipient must comply with the controller's obligations under the OCPA; and
• in case of disclosure of de-identified data, exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and must take appropriate steps to address any breaches of the contractual commitments.

The OCPA further prohibits the controller from undertaking certain actions, including:

• processing personal data for purposes that are not reasonably necessary for, and compatible with, the purposes the controller specified in the privacy notice unless the controller obtains the consumer's consent;
• processing sensitive data about a consumer without first obtaining the consumer's consent, or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with COPPA and the regulations, rules, and guidance adopted under the same;
• processing a consumer's personal data for the purposes of targeted advertising, profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, or selling the consumer's personal data without the consumer's consent if the controller has actual knowledge that, or wilfully disregards whether the consumer is at least 13 years of age and not older than 15 years of age; and
• discriminate against a consumer that exercises a right by means such as denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality or selection of goods or services to the consumer.

What are the main obligations for data processors?

In turn, processors must adhere to a controller's instructions and assist the same in meeting its obligations under the OCPA, by, among other things:

• enabling the controller to respond to a consumer's requests;
• adopting administrative, technical, and physical safeguards that are reasonably designed to protect the security and confidentiality of the personal data processed, taking into account how the processor processes the personal data and the information available to the processor; and
• providing information reasonably necessary for the controller to conduct and document a DPIA.

Are vendor privacy relationships regulated under the OCPA?

The OCPA requires controllers and processors to enter into a contract to govern their relationship. The contract must be binding on both parties and must lay down clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing, and the duration of the processing. It must also specify the rights and obligations of both parties with respect to the subject matter of the contract.

In addition, among other things, the OCPA mandates that a contract includes an obligation for a processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller's behalf and in the subcontract, require the subcontractor to meet the processor's obligations under the processor's contract with the controller.

Importantly, the processor must allow the controller, the controller's designee, or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework, or procedure, to assess the processor's policies and technical and organizational measures for complying with the processor's obligations under the OCPA. The processor must also cooperate with the assessment and, at the controller's request, report the results of the assessment to the controller.

The OCPA also specifies that the assessment as to whether an entity operates in practice as a controller or a processor is a fact-based determination that must take into account the context in which a set of personal data is processed.

Are DPIAs regulated under the OCPA?

The OCPA requires controllers to undertake a DPIA for processing activity that presents a heightened risk of harm to a consumer, which includes:

• processing personal data for the purpose of targeted advertising;
• processing sensitive data;
• selling personal data; and
• using the personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • financial, physical, or reputational injury to consumers;
  • physical or other types of intrusion upon a consumer's solitude, seclusion, or private affairs or concerns, if the intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers.

Through the DPIA, a controller must identify and weigh how processing personal data may directly or indirectly benefit the controller, the consumer, other stakeholders, and the public, against potential risks to the consumer taking into account how de-identified data might reduce risks.

However, a single DPIA may be conducted that addresses a comparable set of processing operations that present a similar heightened risk of harm. Further, DPIAs conducted for compliance with another law or regulation may be used to satisfy the requirements under the OCPA if the scope and effects are reasonably similar.

Furthermore, the OCPA provides that DPIAs are confidential and are not subject to disclosure. Nevertheless, the Oregon Attorney General (AG) may require a controller to provide the DPIA the controller has conducted, if relevant to an investigation of the AG under the OCPA. The retention period for the DPIA is five years.

Who is empowered to enforce violations of the OCPA?

The AG has exclusive authority to enforce the OCPA. The OCPA does not provide for a private right of action.

What penalties are controllers and processors facing under the OCPA?

The AG may bring an action to seek a civil penalty of not more than $7,500 for each violation of Sections 1 to 9 of the OCPA, to enjoin a violation, or obtain other equitable relief. The OCPA also establishes a statute of limitations of five years for the AG to seek relief. The five-year period is counted from the date of the last act of a controller that constituted the violation for which the AG seeks relief.

The OCPA establishes a 30-day cure period for controllers and processors found in breach of the OCPA. If the controller fails to cure the violation within 30 days after receiving the notice of the violation by the AG, the latter may bring the action without further notice. This cure period will sunset on January 1, 2026.

Next stages

What is the legislative status of the OCPA?

The OCPA was signed into law by the Governor on July 18, 2023.

When will the OCPA come into force?

OCPA will enter into effect over time, as follows:

• Sections 1 to 9 of the OCPA will come into effect on July 1, 2024, for most organizations, and on July 1, 2025, for charitable organizations;
• the provision that would allow consumers to send opt-out signals to the controller will come into force on January 1, 2026;
• the provision allowing controllers to cure a violation within 30 days after receiving the notice of the violation by the AG will sunset on January 1, 2026; and
• the requirements that apply to a DPIA under the OCPA will apply only to processing activities that occur on and after July 1, 2024, and are not retroactive.

Madhura Sakharam Bhandarkar Privacy Analyst
[email protected]