In a continuing trend, the Oregon legislature has passed its own privacy law, further extending the reach of data protection rules in the United States. The new law is based closely on the Virginia model, but also deviates in some important ways. Most notably, the Oregon law applies to nonprofit organizations as well as for-profit businesses.
Here are the essential facts organizations should know about the Oregon Consumer Privacy Act (OCPA).
For businesses, the Oregon Consumer Privacy Act will go into effect on July 1, 2024.
Nonprofits are given a little more time—they must be in compliance by July 1, 2025.
The OCPA applies to any person (including nonprofit organizations) that does business in the state or offers its products or services to Oregon residents AND meets at least one of these two conditions:
Organizations covered by the OCPA must extend the following privacy rights to Oregonians:
As with other state laws, the OCPA defines “personal data” quite broadly. It means:
Data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.
An interesting addition not included in other state privacy laws so far is the language about devices; i.e., if data is linkable to a specific device (such as a cell phone or smart TV) which is itself linkable to an individual or household, it is considered personal data. Such data is likely already covered by other laws, but Oregon lawmakers appear to have intended to close any potential loopholes.
Yes, the Oregon Consumer Privacy Act does require organizations to perform data protection assessments for certain types of processing activities that are deemed to present a heightened risk of harm to consumers. An assessment is required for:
In a data protection assessment, organizations are required to provide detailed information about a particular processing activity, and weigh the benefits it provides against the risks to consumers. These assessments are internal documents that are not made public, but must be made available to the Oregon Attorney General’s Office upon request.
Courts may impose fines of up to $7,500 per violation per consumer. Additionally, the Oregon Attorney General’s Office can recover attorney fees and other costs related to the investigation.
The OCPA does not grant a private right of action to consumers, meaning they cannot sue over alleged violations. Only the state attorney general can enforce the law.
The pace of state privacy legislation is picking up, with many more states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for organizations without in-house privacy experts.
TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Designed by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.
To learn more about how TrueVault US can help your organization, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.