October 17, 2023
Oregon has joined the ranks of states to pass a comprehensive consumer privacy act. Senate Bill 619 (SB 619), also known as the Oregon Consumer Privacy Act or OCPA, is the culmination of four years of work by the Oregon Attorney General’s Consumer Privacy Task Force.
We’ll outline the law’s provisions, notable differences between the OCPA and other state laws, and considerations if you’re a company trying to navigate the complex and piecemeal data privacy landscape in the U.S.
Without a federal privacy law in place, the OCPA serves as Oregon’s approach to addressing consumer privacy for its more than 4.2 million residents. The law establishes responsibilities for entities that do business in the state and penalties for violations.
Oregon modeled the OCPA after other similar laws, including the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, and the California Consumer Privacy Act. The regulation applies to consumers acting in individual or household contexts, but not as employees.
Signed by Governor Tina Kotek in July 2023, the OCPA takes effect July 1, 2024, the same day as Texas's privacy law. Notably, nonprofit organizations are not exempt from the law, but they have until July 1, 2025, to comply.
Like a number of other data privacy laws, the OCPA applies to companies based on how much data they control and process or how much revenue they generate from the sale of personal data.
Oregon’s law applies to any person who conducts business in Oregon or who provides products or services to residents of the state and controls or processes:
Oregon’s privacy law carves out some exemptions both for certain types of data and certain entities.
The act does not apply to public corporations or public bodies (including state, local, and special government bodies). It also does not apply to protected health information processed in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to information used only for public health activities, or to certain other health- and medical-research-related uses.
An important distinction: the OCPA's HIPAA and Gramm-Leach-Bliley Act (GLBA) exemptions are data-level, not entity-level. Most other states exempt both the entities and the data subject to HIPAA or the GLBA, so those entities usually don't have to worry about state privacy law compliance at all. Under the OCPA, an organization subject to HIPAA or the GLBA must still comply for any personal data it processes that is not itself covered by HIPAA or the GLBA.
Data collected or processed in accordance with the following federal regulations is exempt, including:
As is common with many state privacy laws, the act excludes de-identified data and publicly available data from its definition of personal data.
Lastly, there are a number of additional exemptions for entities, including various entities defined or regulated at the state level, radio and TV stations that hold an FCC license, and more.
The OCPA gives consumers the right to obtain:
They also may:
Controllers have 45 days to respond to a consumer's request and may extend that period by another 45 days when reasonably necessary given the complexity and number of the consumer's requests. The controller must notify the consumer of the extension and the reason for it. If the controller declines to act on a request, it must explain the justification and tell the consumer how to appeal the decision.
Under the law, controllers—which are defined as a person who acts alone or in concert with another person to determine purposes and means for processing personal data—must specify in their privacy notice the purposes for which they are collecting and processing personal data. Furthermore, the collection should be limited to personal data that is “adequate, relevant, and reasonably necessary to serve the purposes the controller specified.”
In addition to limiting the collection of data as defined above, controllers also must:
If your organization is a processor rather than a controller (i.e., an organization that processes personal data on behalf of a controller), then you must help controllers meet their obligations and enter into a contract that governs how you process personal data on the controller’s behalf.
Businesses and nonprofit organizations subject to the OCPA should review the law with their legal team. Consider who your customers are and whether your processing activities fall within the legal framework of the OCPA.
Understand the law and put procedures in place that comply with it: create and publish the required privacy notices, develop a process for handling consumer requests, review any data transfers to third parties, and obtain informed consent before collecting sensitive personal data.
If this all seems overwhelming, it may be time to consider a data privacy platform like Osano. With Osano, you can manage the spectrum of data privacy tasks required by laws like the OCPA, such as automated subject rights requests, consent management, data mapping to track down personal information, and more.
The state attorney general has exclusive authority to enforce the OCPA. At the attorney general's discretion, a violator may be given a 30-day right to cure, that is, a grace period in which to fix the violation before an action is brought. Note, however, that this right-to-cure provision sunsets on January 1, 2026.
As in other states, violations can be penalized with fines of up to $7,500 per violation.
Unlike other state laws, though, Oregon’s privacy law includes a statute of limitations of five years after the date of the last violation. It also states that the court can award reasonable attorney fees, expert witness fees, and costs of investigation to the attorney general on top of the regular fines if the attorney general prevails in an action.
A parent or legal guardian can exercise rights on behalf of their child, which the OCPA defines as an individual under the age of 13. Additionally, sensitive data of a child must be processed in accordance with the Children’s Online Privacy Protection Act of 1998 (COPPA). For children ages 13 to 15, opt-in consent is required to process personal data for targeted advertising or sale.
In most circumstances, the OCPA follows an opt-out model: explicit consent is not required before personal data is collected, but consumers must be given the option to opt out. Sensitive data is the exception; it may be collected only with the consumer's opt-in consent.
A Global Privacy Control (GPC) signal, sent automatically by a consumer's browser or browser extension, serves as a request to opt out of certain collection and use of their personal information without the consumer having to submit a request to each site. Starting January 1, 2026, controllers must recognize these universal opt-out mechanisms.
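As an added example (not code from the article or from Osano), the block below shows how a web backend can detect and honor the GPC signal. Browsers that support GPC send the request header `Sec-GPC: 1` and expose `navigator.globalPrivacyControl === true` to page scripts; those two facts come from the GPC specification. The function names, the `consentRecord` shape, and the sample requests are assumptions made for illustration.

```javascript
// Added example, not code from the article or from Osano: a minimal,
// self-contained handler for the Global Privacy Control (GPC) signal.
// Supporting browsers send the request header "Sec-GPC: 1" and expose
// navigator.globalPrivacyControl === true to page scripts. The function
// and field names below (hasGpcSignal, resolveOptOut, consentRecord) are
// hypothetical names chosen for this example.

// True only when the request carries a valid GPC signal. The spec defines a
// single valid value, "1"; anything else ("0", "true", "") is not a signal.
// Header names are matched case-insensitively because HTTP header names are
// case-insensitive and frameworks normalise them differently.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client-side counterpart: check the preference exposed to page scripts.
// Takes a navigator-like object so it can be exercised outside a browser.
function browserSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether this request may be used for the sale of personal data or
// targeted advertising. `consentRecord` is a hypothetical stored preference
// for a known consumer ({ optedOut: boolean }) or null when none exists.
// Rules: a recorded opt-out always blocks; a GPC signal is honoured as an
// opt-out request and flagged for persistence so the choice survives requests
// that lack the header; otherwise processing is allowed under the opt-out model.
function resolveOptOut({ headers, consentRecord }) {
  if (consentRecord && consentRecord.optedOut) {
    return { allowSaleOrTargeting: false, source: 'stored-preference', persist: false };
  }
  if (hasGpcSignal(headers)) {
    // persist: true tells the caller to record the opt-out against the consumer.
    return { allowSaleOrTargeting: false, source: 'gpc', persist: true };
  }
  return { allowSaleOrTargeting: true, source: 'none', persist: false };
}

// Constructed sample requests (not real traffic) covering the three outcomes.
const SAMPLE_REQUESTS = [
  { headers: { 'Sec-GPC': '1', 'User-Agent': 'example' }, consentRecord: null },
  { headers: { 'sec-gpc': '0' }, consentRecord: { optedOut: true } },
  { headers: { 'Sec-GPC': 'true' }, consentRecord: null }, // not a valid signal
];

for (const req of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(resolveOptOut(req)));
}
```

Two design points matter in practice: treat only the exact value `1` as a signal, since a permissive check would turn malformed or spoofed headers into silent opt-outs, and record a GPC-triggered opt-out against the consumer's profile, because the header arrives only on requests from that browser and the opt-out should not quietly lapse when the consumer logs in from elsewhere.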
No, there is no private right of action granted by the OCPA. The state attorney general is the enforcement authority.
The attorney general may bring an action to seek a civil penalty of not more than $7,500 for each violation. A court may award reasonable attorney fees, expert witness fees, and costs of investigation to the attorney general if the attorney general prevails in an action.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.