Portland, Ore. (August 9, 2023) – The Oregon Consumer Privacy Act (OCPA) is the 11th comprehensive privacy law passed in the United States that gives individuals – in this case, Oregonians – significant control over their personal information. The OCPA, which goes into effect on July 1, 2024, applies to businesses that provide services and products to Oregonians and either control (i.e., collect) or process personal information from at least 100,000 Oregon consumers, or control or process personal information from 25,000 Oregon consumers where 25% of the business's gross annual revenue comes from selling personal information.

The OCPA gives Oregonians the following rights:

  • Right to Know - Consumers have the right to request information from businesses about how their personal information is being collected, used, and shared. This includes information about the categories of personal information that are collected, the purposes for which the information is collected, the third parties with whom the information is shared, and the business' data retention policies.
  • Right to Correct - Consumers have the right to correct any inaccurate or incomplete personal information that a business has about them.
  • Right to Delete - Consumers have the right to request that a business delete their personal information.
  • Right to Opt Out - Consumers have the right to opt out of the sale of their personal information and the processing of personal information when the purpose is for targeted advertising or automated decision-making.
  • Right to Data Portability - Consumers have the right to request that a business provide them with a copy of their personal information in a portable format.

The OCPA is of the same flavor as the Colorado and Connecticut laws – leaning heavily in favor of consumer rights. Similar to Colorado, the OCPA requires businesses to treat sensitive information with heightened security and to create an "opt-in" mechanism (meaning obtaining affirmative consent). Sensitive information under the OCPA includes personal data revealing racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, gender identity, crime victim status, citizenship or immigration status, genetic or biometric data, and precise geolocation data. The OCPA also includes non-profit organizations in its scope.

What is Unique about OCPA?

  • Under the OCPA, data processed about children (under the age of 13) should receive the same protections afforded under the Children's Online Privacy Protection Act (COPPA). In addition, the OCPA requires businesses to obtain affirmative consent from individuals between the ages of 13 and 15 before processing any data.
  • The definition of sensitive data expands to include status as transgender or non-binary and crime victim status.
  • The definition of biometric data includes data generated from a photograph, audio or video recording, facial mapping, or facial geometry for the purpose of identifying a specific consumer.
  • The definition of personal data includes derived data such as data obtained from devices.

What Does This Mean for Businesses?

Businesses that collect or process personal information from Oregon consumers and meet the threshold requirements described above should consider taking the following steps to comply with the OCPA:

  • Review your privacy practices. Make sure that your privacy policy is clear, transparent, and easy to understand. Your privacy policy should explain how you collect, use, and share personal information, and it should provide consumers with information about their rights under the OCPA. Additionally, your privacy notice should include the categories of data processed, the purposes for processing the data, the categories of data shared with third parties, and the categories of third parties that are receiving data.
  • Create a process for responding to consumer requests. You will need to have a process in place for responding to consumer requests for information, correction, deletion, opt-out, and data portability.
  • Implement security measures. You will need to implement reasonable security measures to protect the confidentiality, integrity, and availability of personal information.
  • Train your employees. Your employees should be aware of the OCPA and how to comply with the law. You should train your employees on the OCPA and on your company's privacy policies and procedures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.