Oregon Becomes 11th State to Enact a Comprehensive Data Privacy Law
On July 18, 2023, Oregon Governor Tina Kotek signed Senate Bill 619, referred to as the "Oregon Consumer Privacy Act" ("OCPA" or "the Act"), making Oregon the 11th state to enact a comprehensive data privacy law.
Notable provisions include:
- The OCPA will apply to an entity that: (i) conducts business in Oregon or that provides products or services to state residents; and that (ii) controls or processes (1) the personal data of at least 100,000 Oregon consumers or (2) the personal data of at least 25,000 Oregon consumers, while deriving 25% or more of the entity's annual gross revenue from selling personal data.
- The Act goes into effect on July 1, 2024, for subject businesses, but 501(c)(3) nonprofit companies have a one-year exemption expiring on July 1, 2025. The law, like that of many other states with comprehensive privacy legislation, does not apply to employee data and B2B data.
- There are no entity-level exemptions for financial institutions regulated by the Gramm-Leach-Bliley Act ("GLBA") or entities subject to the Health Insurance Portability and Accountability Act ("HIPAA"). However, OCPA does exempt health data covered under HIPAA and information governed by the GLBA, Family Educational Rights and Privacy Act, Airline Deregulation Act, and Driver's Privacy Protection Act.
- Oregon has expanded the definition of "personal data." Unlike other states, "personal data" is broadly defined as "data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household." (Emphasis added). "Derived data" is largely defined as information deduced from an individual consumer—meaning that businesses in Oregon can no longer deduce information about consumers despite having requested that their data be deleted.
- Additionally, OCPA is the only state privacy law enacted so far that includes transgender or nonbinary status or crime victim status in its definition of "sensitive data."
- Like privacy laws enacted in other states, the OCPA affords individuals in Oregon a wide array of privacy rights, including the right to access, right to correct, right to delete, right to opt out of sales, and right to opt in for sensitive data processing, among others.
- The OCPA has adopted California's broader definition of a "sale" of personal data to mean the "exchange of a personal data for monetary or other valuable consideration by the controller with a third party." (Emphasis added). The OCPA will require controllers to recognize universal opt-out mechanisms as of January 1, 2026.
- The Oregon State Attorney General's Office is responsible for enforcement. If businesses do not cure violations within 30 days of notice, the Attorney General can seek a civil penalty of up to $7,500 for each violation.
- There is no private right of action under the OCPA.
The Act will become effective in less than a year, alongside similar new laws in Montana, Texas, and Utah. Businesses should assess their current data collection and privacy practices, as well as monitor their privacy compliance programs in preparation for these new obligations.