Oregon Consumer Privacy Act (OCPA)

Who is excluded from compliance with the Oregon Consumer Privacy Act? 

The Oregon Consumer Privacy Act (OCPA) exempts several entities and types of data as follows: 

• state government bodies;
• financial institutions and their affiliates;
• specific types of nonprofit organizations “established to detect and prevent fraudulent acts in
• connection with insurance;”
• noncommercial activities of “a publisher, editor, reporter or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report or other publication in general circulation;”
• noncommercial activities of “a radio or television station that holds a license issued by the Federal Communications Commission;”
• noncommercial activities of “a nonprofit organization that provides programming to radio or television networks;
• noncommercial activities of “an entity that provides an information service, including a press association or wire service;”
• insurers (producers, consultants, third party administrators);
• protected health information processed in compliance with HIPAA;
• information collected, processed, sold or disclosed under and in accordance with the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act of 1994, the Family Educational Rights and Privacy Act, or the Airline Deregulation Act;
• information related to human research;
• patient identifying information and patient safety work processed in accordance with federal laws; 
• information and documents created for the purposes of the HealthCare Quality Improvement Act of 1986;
• information related to an individual’s employment, employment benefits, or employment benefits offered to the individual’s dependents or beneficiaries;
• activities related to the evaluation of an individual’s creditworthiness or personal data processed in accordance with the provisions of Fair Credit Reporting Act.
  
  
  

How can I keep my organization compliant with the Oregon Consumer Privacy Act? 

Under the Oregon Consumer Privacy Act, same as with other US privacy laws, both controllers and processors have a series of obligations. As a controller you have to do the following: 

• provide a “reasonably accessible, clear and meaningful privacy notice” in which you must specify the express purposes for which you are collecting and processing personal data that has to include the following: 
  • the categories of personal data, including the categories of sensitive data, that you process;
  • your purposes for processing the personal data;
  • how a consumer may exercise their consumer rights, including how they can appeal your denial of a consumer request;
  • all categories of personal data, including the categories of sensitive data, that you share with third parties;
  • all categories of third parties with which you share personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
  • an electronic mail address or other online method by which a consumer can contact you that you actively monitor;
  • your details that identify you, including any business name under which you registered with the Secretary of State and any assumed business name that you use in the state of Oregon; 
  • a clear and conspicuous description of any processing of personal data in which you engage for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing; 
  • the method/methods you have established for a consumer to submit a request, which must take into account ways in which consumers normally interact with you; a need for security and reliability in communications related to the request; and your ability to authenticate the identity of the consumer that makes the request, and has to provide a clear and conspicuous link to a webpage where the consumer or an authorized agent may opt out from your processing of the personal data or, if you do not have a capacity needed for linking to a webpage, provide another method the consumer can use to opt out.
• limit your collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes specified in the privacy notice; 
• establish, implement and maintain for personal data safeguards required for protecting personal information, in order to protect the confidentiality, integrity and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data; 
• provide an effective means by which a consumer may revoke their consent to your processing of their personal data. The means must be at least as easy as the means by which the consumer provided consent. Once a consumer revokes consent, you have to stop processing the personal data as soon as is practicable, but not later than 15 days after receiving the revocation;
• you are not allowed to process personal data for purposes that are not reasonably necessary for and compatible with the purposes you specified in your privacy notice, unless you obtain the consumer’s consent;
• you cannot process sensitive data about a consumer without first obtaining their consent or, if you know the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998;
• you are not permitted to process a consumer’s personal data for the purposes of targeted advertising, of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance or of selling the consumer’s personal data without the consumer’s consent if you have actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age; 
• you cannot discriminate against a consumer that exercises their consumer right provided to them by this law “by means such as denying goods or services, charging different prices or rates for goods or services or providing a different level of quality or selection of goods or services to the consumer;”
• as regards the opt out from the processing of personal data, Oregon’s law recognizes universal opt out mechanisms, which means you have to comply with an opt out request submitted via an authorized agent designated “by means of an internet link, browser setting, browser ex- tension, global device setting or other technology;”
• if a consumer or authorized agent uses a method described in this law to opt out of your processing of a consumer’s personal data and the decision conflicts with a consumer’s voluntary participation in a bona fide reward, club card or loyalty program or a program that provides premium features or discounts in return for their consent to the processing of personal data, you can may either comply with the request to opt out or notify the consumer of the conflict and ask them to affirm that they intend to withdraw from the bona fide reward, club card or loyalty program or the program that provides premium features or discounts. If the consumer affirms that the consumer intends to withdraw, you have to comply with the request to opt out;
• you have an obligation to conduct and document a data protection assessment for each of your processing activities that presents a heightened risk of harm to a consumer, understood as any of the following: 
• “processing personal data for the purpose of targeted advertising;
• processing sensitive data;
• selling personal data; and
• using the personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • financial, physical or reputational injury to consumers;
  • physical or other types of intrusion upon a consumer’s solitude, seclusion or private
  • affairs or concerns, if the intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers.”

As a processor, you have an obligation to adhere to the controller’s instructions and to assist the controller in meeting their obligations, as outlined above. Any processing activity done by you on behalf of a controller has to be done based on a contract with the controller that governs how you process personal data on the controller’s behalf and has to meet the following requirements: 

• it has to be valid and binding on both parties;
• it has to set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing and the duration of the processing;
• it has to specify the rights and obligations of both parties with respect to the subject matter of the contract.

What data access rights does Oregon Consumer Privacy Act grant? 

Under the Oregon Consumer Privacy Act (OCPA) consumers have the following rights: 

• The Right to Know
• The Right to Correct
• The Right to Delete
• The Right to Data Portability
• The Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

How to address data subject access requests under Oregon Consumer Privacy Act?

A consumer request has to be submitted by consumers using the method that you, as a controller, specified in your privacy notice. When providing consumers with a copy of their personal data this has to be done “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance.” A parent or legal guardian can exercise the consumer rights granted by the Oregon Consumer Privacy Act “on behalf of the parent’s child or on behalf of a child for whom the guardian has legal responsibility” and “a guardian or conservator may exercise the rights [...] on behalf of a consumer that is subject to a guardianship, conservatorship or other protective arrangement.”

A consumer request has to be responded to “without undue delay and not later than 45 days after receiving the request” and an extension by an additional 45 days is permitted, “if the extension is reasonably necessary to comply with the consumer’s request, taking into consideration the complexity of the request and the number of requests the consumer makes” but this has to be notified to the consumer within the first 45 days. As a controller you cannot require a consumer to create an account to exercise their consumer rights but you may require them to use an account that they created previously.

If you decline a consumer request, you have an obligation to “notify the consumer without undue delay and not later than 45 days after receiving the consumer’s request,” including in the notification the justification for not taking action and instructions for appealing your decision.

Once during any 12-month period, you have to provide information to the consumer requests  without charge to the consumer. However, you may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within the 12-month period, unless the purpose of the second or subsequent request is to verify that you corrected inaccuracies in, or deleted, the consumer’s personal data in compliance with the consumer’s request.

If you are unable to authenticate the consumer’s request “using commercially reasonable methods,” without additional information from the consumer, you have to notify the consumer and you are under no obligation to comply with the request until the consumer provides the information necessary to authenticate the request. In the case of an opt out request, this has to be done without requiring authentication, unless the following apply: 

• you may ask for additional information necessary to comply with the request, such as information that is necessary to identify the consumer that requested to opt out;
• you may deny a request to opt out if you have a good-faith, reasonable and documented belief that the request is fraudulent. In such a case, you have to notify the consumer that you believe the request is fraudulent, stating in the notice that you will not comply with the request.

In the case of a refusal of a consumer request, you have to establish a process by means of which a consumer may appeal your refusal to take action on a request. This process has to meet the following conditions: 

• it has to allow a reasonable period of time after the consumer receives your refusal within which to appeal;
• it has to conspicuously available to the consumer;
• it has to be similar to the manner in which a consumer must submit a consumer request; 
• it has to require you to approve or deny the appeal within 45 days after the date on which you received the appeal and to notify the consumer in writing of your decision and the reasons for the decision. If you deny the appeal, the notice must provide or specify information that enables the consumer to contact the Attorney General to submit a complaint.

Enforcement and penalties

The Attorney General has enforcement powers under the Oregon Consumer Privacy Act and can conduct investigations of violations.  

Before bringing an action, the Attorney General will notify a controller of a violation if the Attorney General determines that the controller can cure the violation, and will allow for a 30 day cure period. If the controller fails to cure the violation within 30 days after receiving the notice of the violation, the Attorney General may bring the action without further notice.

Penalties under the Oregon Consumer Privacy Act consist of a civil penalty of not more than $7,500 for each violation. 

Data Subject Rights - GDPR vs. the Oregon Consumer Privacy Act 

FAQs about the Oregon Consumer Privacy Act