The Oregon Consumer Data Privacy Act (OCDPA), scheduled to come into force from June 2024, implements specific requirements for organizations which process the data of Oregon residents.
The Oregon Consumer Data Privacy Act (OCDPA) is a state data privacy law that aims to protect the personal information of Oregon residents. The OCDPA establishes a comprehensive set of rules governing the collection, use, and disclosure of personal information by businesses that meet certain criteria. The law applies to businesses that conduct business in Oregon or intentionally target Oregon consumers with their goods or services. Businesses that collect personal information from Oregon residents and meet the threshold requirements outlined in the OCDPA must comply with the law. It’s important for businesses operating in Oregon to familiarize themselves with the requirements of the OCDPA to ensure compliance and protect consumer privacy. This law will come into force on July 1st, 2024.
The OCDPA applies to businesses that collect personal information from Oregon residents and meet the threshold requirements.
The OCDPA applies to any person who conducts business in Oregon or who provides products or services to residents of the state and controls or processes:
- The personal data of 100,000 or more consumers in a calendar year, other than personal data controlled or processed solely for the purpose of completing a payment transaction, or
- The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.
Businesses governed by the OCDPA are subject to various obligations under this law.
The OCDPA imposes a number of obligations on businesses that are subject to the law. These obligations include:
- Providing consumers with notice of their privacy rights. Businesses must provide consumers with clear and concise notice of their privacy rights, including the types of personal information that is being collected, the purposes for which it is being used, and the parties with whom it is being shared.
- Obtaining consent for the collection and use of personal information. Businesses must obtain consent from consumers before collecting or using their personal information for any purpose other than those that are necessary for the business to provide its products or services.
- Giving consumers access to their personal information. Businesses must provide consumers with access to their personal information upon request and allow them to correct or delete any inaccurate or incomplete information.
- Taking reasonable security measures to protect personal information. Businesses must take reasonable security measures to protect personal information from unauthorized access, use, or disclosure.
- Notifying consumers of data breaches. Businesses must notify consumers in the event of a data breach that results in the unauthorized access, use, or disclosure of their personal information.
Consumers in Oregon are granted specific consumer rights under the OCDPA.
The OCDPA also grants consumers a number of rights, including the right to:
- Opt out of the sale of their personal information. Consumers have the right to opt out of the sale of their personal information to third parties.
- Delete their personal information. Consumers have the right to request that businesses delete their personal information.
- File a complaint with the Oregon Attorney General. Consumers who believe that their privacy rights have been violated may file a complaint with the Oregon Attorney General.
The OCDPA considers certain types of data, as well as certain entities exempt for various reasons.
Oregon’s privacy law, the Oregon Consumer Privacy Act (OCDPA), includes several exemptions for certain types of data and specific entities. These exemptions are important to consider when determining whether the OCDPA applies to your organization and the data you process. One of the key exemptions is for public corporations or bodies, including state, local, and special government bodies. This means that personal information collected or used by government entities is not subject to the OCDPA. This exemption is in line with the general principle that government entities are subject to their own privacy laws and regulations, such as the Public Records Law and the Oregon Public Records Act.
Another important exemption is for protected health information processed in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This exemption ensures that the OCDPA does not interfere with the existing federal HIPAA framework for protecting the privacy of health information.The OCDPA also exempts information used only for public health activities, such as disease surveillance and outbreak control. This is necessary to ensure that public health officials can access and use personal information to protect the health and safety of the public. In addition to these exemptions, the OCDPA provides limited exemptions for other health-related uses, such as medical research and clinical trials.
It is important to note that the OCDPA does not provide a general exemption for entities subject to HIPAA or the Gramm-Leach-Bliley Act (GLBA). Instead, it only exempts data that is governed by those acts. This is a significant distinction from most other state privacy laws, which typically exempt both entities and data subject to HIPAA or the GLBA. As a result of this distinction, organizations subject to HIPAA or the GLBA must still comply with the OCDPA when it comes to data they process that is not covered by HIPAA or the GLBA. This means that these entities need to carefully review the OCDPA requirements and take steps to ensure compliance.
The OCDPA is enforced by the Oregon state attorney general, and temporarily provides a grace period for rectifying violations.
The state attorney general has exclusive enforcement authority of the OCDPA. Entities found to be in violation of this law can be provided a 30-day grace period to rectify their violations (at the attorney general’s discretion), until January 1, 2026. Like other states, violators of this law can be fined up to $7,500 per violation. Unlike other state laws, however, Oregon’s privacy law includes a statute of limitations of five years after the date of the last violation. The OCDPA also states that the court can award reasonable attorney fees, expert witness fees, and costs of investigation to the attorney general on top of the regular fines if the attorney general finds fault.
If you have any questions about complying with the OCDPA or other US data privacy laws, or need assistance reviewing your data privacy practices, connect with Aphaia today.