Authors: Sean Clancy, Shareholder; Leticia Maskell, Law Clerk
Introduction
The Oregon Consumer Privacy Act (“OCPA”) is a recent state-level privacy law designed to give Oregon consumers greater control over their personal information. The OCPA became legally effective July 1, 2024, except that 501(c)(3) nonprofits have until July 1, 2025 to comply. The OCPA requires certain businesses and individuals to implement measures to ensure compliance, which include updating privacy notices, establishing processes for handling consumer data requests, and enhancing data security practices.
Key Provisions of the OCPA include Oregon consumers’ right to:
- Access information regarding what personal data businesses collect, the purpose of the collection, and with whom this data is shared;
- Request deletion of stored personal data (subject to certain exceptions);
- Opt-Out of the sale of personal data to third parties;
- Request corrections to inaccurate personal data; and
- Non-Discrimination against consumers who exercise their privacy rights under the OCPA.
Note that a “sale” under the OCPA includes the exchange of personal data for anything of value, not just money. So, for example, a data controller is still selling data if they exchange personal data they collected for personal data from another entity.
Does the OCPA apply to my business?
The OCPA applies to any enterprise or person conducting business in Oregon, or providing products or services to residents of Oregon who, over the course of a calendar year, either:
- Controls or processes the personal data of 100,000+ consumers (unless solely for the purpose of a payment transaction); or
- Controls or processes the personal data of 25,000+ consumers and derives 25% or more of their annual gross revenue from “sales” of personal data.
Compliance under the OCPA
Anyone subject to the OCPA must adhere to several key obligations, including but not limited to:
- Maintaining a comprehensive inventory of personal data that is collected, processed, and shared;
- Updating privacy notices to include detailed information about consumer rights under the OCPA;
- Establishing and maintaining procedures for consumers to make OCPA related requests (for example, an OCPA request inbox or dedicated customer service number); and
- Implementing appropriate security measures to protect personal data from unauthorized access and breaches.
OCPA challenges
While the OCPA marks a significant step towards better privacy protection, the Act is not without its challenges. Many express a reasonable worry that compliance will be costly and complex, particularly for small and medium-sized businesses. There are also concerns about the potential for overlapping regulations as other states implement their own privacy laws, leading to a fragmented regulatory landscape.
Conclusion
While compliance with the OCPA will require a period of updates and adaptation for many businesses, the Act overall represents a critical advancement in consumer privacy rights and aligns with broader trends towards enhanced data protection in an increasingly digital world.
The OCPA’s complete language may be viewed here. If you have any questions or concerns about how the Oregon Consumer Privacy Act may affect your business, please contact our office to speak to one of our attorneys. Our team looks forward to helping you navigate the new privacy landscape more easily and effectively.
Subscribe to more legal news and updates here.