Quick Guide to Oregon's Data Privacy Law


In a continuing trend, the Oregon legislature has passed its own privacy law, further extending the reach of data protection rules in the United States. The new law is based closely on the Virginia model, but also deviates in some important ways. Most notably, the Oregon law applies to nonprofit organizations as well as for-profit businesses.

Here are the essential facts organizations should know about the Oregon Consumer Privacy Act (OCPA).

When Does It Go into Effect?

For businesses, the Oregon Consumer Privacy Act will go into effect on July 1, 2024.

Nonprofits are given a little more time—they must be in compliance by July 1, 2025.

Who Must Comply?

The OCPA applies to any person (including nonprofit organizations) that does business in the state or offers its products or services to Oregon residents AND meets at least one of these two conditions:

  1. Controls or processes the personal data of at least 100,000 state residents in a calendar year, OR
  2. Controls or processes the personal data of 25,000 or more state residents per year and derives 25% or more of gross annual revenue from the “sale” of personal data.

Privacy Rights Under the Oregon Law

Organizations covered by the OCPA must extend the following privacy rights to Oregonians:

  • Right to Know - Consumers have the right to confirm whether an organization is processing their personal data and, if so, obtain a copy of that data.
  • Right to Correct - Consumers can request that an organization correct any inaccurate personal information it holds about a consumer.
  • Right to Delete - Upon request, organizations must delete personal data provided by or obtained about the consumer.
  • Right to Portability - Upon request, organizations must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.
  • Right to Opt Out - Consumers can opt out of:
    • The sale of their personal data
    • Targeted advertising
    • Profiling in furtherance of decisions that produce legal or similarly significant effects

What Is “Personal Data”?

As with other state laws, the OCPA defines “personal data” quite broadly. It means:

Data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.

An interesting addition not included in other state privacy laws so far is the language about devices; i.e., if data is linkable to a specific device (such as a cell phone or smart TV) which is itself linkable to an individual or household, it is considered personal data. Such data is likely already covered by other laws, but Oregon lawmakers appear to have intended to close any potential loopholes.

Are Data Protection Assessments Required?

Yes, the Oregon Consumer Privacy Act does require organizations to perform data protection assessments for certain types of processing activities that are deemed to present a heightened risk of harm to consumers. An assessment is required for:

  • Targeted advertising
  • Sale of personal data
  • Profiling of consumers, where it presents a foreseeable risk of harm
  • Processing of sensitive personal data
  • Any other processing activity that presents a heightened risk of harm to consumers

In a data protection assessment, organizations are required to provide detailed information about a particular processing activity, and weigh the benefits it provides against the risks to consumers. These assessments are internal documents that are not made public, but must be made available to the Oregon Attorney General’s Office upon request.

How Much Do Violations Cost?

Courts may impose fines of up to $7,500 per violation per consumer. Additionally, the Oregon Attorney General’s Office can recover attorney fees and other costs related to the investigation.

Can Organizations Be Sued by Consumers?

The OCPA does not grant a private right of action to consumers, meaning they cannot sue over alleged violations. Only the state attorney general can enforce the law.

Cross-Country Privacy Compliance

The pace of state privacy legislation is picking up, with many more states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for organizations without in-house privacy experts.

TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Designed by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.

To learn more about how TrueVault US can help your organization, contact our team today.
