Comprehensive consumer privacy laws continue to hit the desks of governors in states across the country, with nineteen state laws now on the books. Since we wrote our 2023 Round-Up on State Consumer Data Privacy Laws article detailing the various privacy statutes enacted at the end of last year, 7 more states have passed these laws, and 5 statutes passed before 2024 became effective during that time. What started only a few years ago as a patchwork of state laws is quickly turning into a dense web of similar but varying requirements across the country. It is becoming increasingly complex for companies collecting personal data from consumers to assess if and where consumer privacy laws apply to their business operations.
To help our readers with this effort, we will be rolling out a series of articles over the next two months providing in-depth summaries of privacy laws we have not covered on the blog in the past, including laws passed in Oregon; Nebraska, Delaware, Iowa, Minnesota, and Kentucky. At the end of this article, we are including an index with hyperlinks to our articles covering all other states that have put a consumer privacy law on the books.
Please also keep your eye out for our 2024 round-up article that will be published in December as it will be a helpful overview of the full landscape of consumer privacy laws across the U.S.
Oregon Consumer Privacy Law
Oregon is first up in our series. Oregon’s consumer privacy law took effect in July of 2024, a year after Oregon governor Tina Kotek (D) signed the Oregon Consumer Data Privacy Act (OCDPA). Oregon Attorney General Ellen Rosenblum asserted that the OCDPA establishes “the gold standard in consumer privacy protections nationwide.” The law aligns with other robust state privacy laws, such as those enacted by California, Connecticut, and Virginia. However, Oregon’s statute imposes even more stringent requirements and features, notably by declining to exempt non-profit organizations, and it takes a more sweeping approach to applicability as described below to cover a broader range of businesses.
To Whom Does the Oregon Consumer Data Privacy Act Apply?
The OCDPA applies to any individual or entity that conducts business in Oregon, or that provides products or services to Oregon residents, if, during a calendar year, that individual or entity controls or processes the personal data of:
At least 100,000 consumers; or 25,000 or more consumers and derives over 25% of annual gross revenue from the sale of personal data. Unlike most other states’ data privacy laws, Oregon’s law is broader, as it applies to entities that ‘provide’ products or services to Oregon residents, as opposed to specifically ‘target’ Oregon residents.
The OCDPA defines consumer as a natural person who resides in Oregon and acts in any capacity other than in a commercial or employment context.
Oregon Consumer Data Privacy Act Exemptions
The OCDPA does not apply to persons that process personal data of consumers exclusively for the purpose of completing a payment transaction; thus, generally excluding businesses that only collect payment information from their consumers.
Similar to other state privacy laws, the OCDPA exempts government entities, state public corporations or organizations, and information regulated by privacy laws such as HIPAA and the Gramm-Leach-Bliley Act. Additionally, the OCDPA exempts specific types of data such as consumer credit-reporting data, health records, scientific research data, employment-related information, business-to-business personal data, and information regulated under the Family Educational Rights and Privacy Act. Notably, and unlike many other state privacy laws, the OCDPA does not exempt non-profit organizations. Non-profits that otherwise satisfy the applicability thresholds above are still subject to the OCDPA, although, applicability and enforcement for non-profit entities is deferred until July 1, 2025.
Oregon Consumer Data Privacy Act Consumer Rights
Consumers have the following rights under the OCDPA:
- Right to confirm whether or not their personal data is processed;
- Right to access their personal data;
- Right to correct inaccuracies in their personal data;
- Right to deletion of their personal data;
- Right to obtain a copy of their personal data;
- Right to portability of their personal data;
- Right to opt-out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer;
- Right to opt in for sensitive data processing, such as the collection of precise geolocation data or voice recognition features;
- Right to revoke previously given consent to process the consumer’s personal data; and
- Right to know identity of specific third parties such as service providers that have received their personal data.
Business Obligations to Consumers
The OCDPA requires covered entities to:
- Respond to consumer requests under the OCDPA without undue delay, but not later than 45 days of receipt of such request (may be extended an additional 45 days when reasonably necessary, so long as the business notifies the consumer of their intent to extend within the initial 45-day response period and explain the reason for the extension).
- If the business declines to take action to the consumer’s request, inform the consumer within 45 days of receipt of the consumer’s request of the justification for declining to take action and provide instructions on how to appeal the decision.
- Provide required information to consumers free of charge, once per twelve-month period.
- Notify the consumer if the business cannot, using commercially reasonable methods. authenticate the consumer’s request without additional information from the consumer.
- Establish a process for consumers to appeal any refusal to take action on a consumer request.
- Provide a decision as to any appeal in writing within 45 days of receipt of such appeal, and if denied, respond to the consumer with information on how to submit a complaint with the attorney general.
Notices to Consumers
Covered entities must provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that includes at a minimum the following:
- The categories of personal data, including the categories of sensitive data, that the business processes;
- the express purposes for which the business is collecting and processing personal data;
- a list of all categories of personal data, including the categories of sensitive data, that a business shares with third parties;
- a description of the categories of third parties with which the business shares personal data;
- a clear and conspicuous description of any processing of personal data in which the business engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing;
- the manner in which consumers can exercise their rights under the OCDPA, including the process for appeals of denials of consumer requests;
- the methods for consumers to submit a request to exercise their consumer rights, which must include a clear and conspicuous link on the businesses website enabling opt-out of targeted advertising or sale of the consumers personal data; and
- an email address or other online method by which a consumer can contact the business, which should be a method that allows the business to monitor incoming communications regularly on a daily basis.
Now that the OCDPA is effective, covered entities should make sure they have set up any required opt out or opt in mechanisms based on their business activities.
Other Business Obligations:
Covered entities must (the DO’s):
- limit the collection of personal data to only the data that is “adequate, relevant, reasonably necessary, and proportionate” to serve the purposes for which the data is collected and processed;
- establish, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and security of the personal data;
- provide a conspicuous link to a webpage where the consumer or an authorized agent may from a business’ processing of the consumer’s personal data (via an opt-out preference signal);
- clearly and conspicuously disclose if the business sells consumers” personal data to third parties or engages in targeted advertising,
- provide consumers an opportunity to opt out from the sale of their personal data to third parties or engaging in targeted advertising;
- provide an effective means by which a consumer may revoke consent a consumer gave to the business’ processing of the consumer’s personal data;
- conduct and document data protection assessments for activities that present a heightened risk of harm to the consumer, such as:
- targeted advertising
- processing sensitive data
- selling personal data or
- using personal data for profiling purposes that present a reasonably foreseeable risk of
- unfair or deceptive treatment of or unlawful disparate impact to consumers,
- financial, physical, or reputational injury to consumers,
- physical or other types of intrusion upon a consumer’s private affairs if the intrusion would be offensive to a reasonable person, or
- other substantial injury to consumers;
- If in possession of deidentified data, take reasonable measures to ensure that such data cannot be associated with an individual and enter into a contract with a recipient of the deidentified data which will provide that the recipient must comply with the business’ obligations under the OCDPA.
Please note that these requirements only became effective on July 1, 2024. Requirements such as conducting and documenting data protection assessments do not apply retroactively, and are only required for activities conducted July 1, 2024 onward.
Covered entities must not (the DON’Ts):
- Process consumers’ sensitive data without obtaining the consumer’s consent; or if the consumer is a child, must process sensitive data in accordance with the federal Children’s Online Privacy Protection Act
- Sensitive data is defined to include “information revealing racial or ethnic origin, religious beliefs, sexual orientation, status as transgender or non-binary, status as victim of a crime, citizenship or immigration status, and health status; genetic or biometric data; past or present geolocation within 1,750 feet; or any personal data of a child;”
- process a consumer’s personal data for the purposes of targeted advertising, of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance or of selling the consumer’s personal data without the consumer’s consent if the controller has actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age; or
- discriminate against consumers who exercise the rights under the OCDPA;
Impact on Vendors/ Data Processors
Subprocessors such as vendors to covered entities most often will have direct obligations under the OCDPA, such as:
- adhering to instructions from the covered entity;
- assisting the covered entity with their own compliance obligations;
- assisting the covered entity with data protection impact assessments; and
- adopting administrative, technical, and physical safeguards that are reasonably designed to protect the security and confidentiality of the relevant personal data.
Sub processors must enter into a contract with the covered entity that governs how it processes personal data on the covered entity’s behalf. The OCDPA contains specific requirements that must be included in data processing agreements between the parties, including the following which are found in Section 6 of the OCDPA:
- Be valid and binding on both parties;
- Set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing and the duration of the processing;
- Specify the rights and obligations of both parties with respect to the subject matter of the contract;
- Ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data;
- Require the processor to delete the personal data or return the personal data to the covered entity at its direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;
- Require the processor to make available to the covered entity, at its request, all information the covered entity needs to verify that the processor has complied with its OCDPA obligations;
- Require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the covered entity’s behalf and in the subcontract require the subcontractor to meet the processor’s obligations under the processor’s contract with the covered entity; and
- Allow the covered entity or its designee or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework or procedure, to assess the processor’s policies and technical and organizational measures for complying with the processor’s obligations under the OCDPA, and require the processor to cooperate with the assessment and, at the covered entity’s request, report the results of the assessment to the covered entity
Enforcement
Like most state privacy laws, the OCDPA does not provide for a private right of action. The OCDPA is exclusively enforced by the Oregon Office of the Attorney General and provides for a 30-day cure period where, prior to bringing an enforcement action, the AG will notify a covered entity and grant it an opportunity to cure (if a cure is deemed possible). The cure period is not permanent and will terminate on January 1, 2026.
Fines and Penalties
The Attorney General may recover up to $7,500 in civil penalties per violation of the OCDPA.
Index
Here are links to our articles covering all other states that have enacted consumer privacy laws:
California (and additional information here)
Here you’ll find our 2023 Round-Up on State Consumer Data Privacy Laws
Paty Garza Gonzalez also contributed to this article.