Oregon Enacts Comprehensive Privacy Law

On July 18, 2023, Oregon Governor Tina Kotek signed Senate Bill 619 [1] (SB 619), also known as the Oregon Consumer Privacy Act (OCPA or Act), into law. The enactment of SB 619 makes Oregon the 12th state in the United States (US) to enact a comprehensive privacy law. The Act takes effect on July 1, 2024.

According to a media release by the Oregon Department of Justice (ODOJ), the OCPA was “developed over the last four years by the Attorney General’s Consumer Privacy Task Force, created to answer the call for comprehensive consumer privacy legislation.” The Act is intended to harness the “immense value” of consumer data generated in Oregon to fuel innovation while ensuring that consumers are protected from being targeted, exploited, or exposed without their consent.

The OCPA sets out how the personal data of Oregon residents may be processed, shared, and maintained. The key provisions of the Act are as follows:

Applicability

The OCPA applies to entities that:

  • Conduct business or produce products and/or services intentionally directed at Oregon residents and either:

    • Control or process the personal data of 100,000 or more consumers per calendar year, excluding “personal data controlled or processed solely for the purpose of completing a payment transaction”; or

    • Derive 25 percent or more of annual gross revenue from the sale of consumers’ personal data and process or control the personal data of more than 25,000 consumers.

The OCPA specifically provides several exemptions from applicability, including financial institutions and their affiliates, certain nonprofit organizations, and data governed by HIPAA, the Gramm-Leach-Bliley Act, and certain other federal laws.

Exclusions

Additionally, the OCPA does not apply to personal data collected in the context of employment or in the course of a business-to-business relationship.

Consumer Rights

The Act provides Oregon consumers with the following rights regarding their personal information: 

  • Right to Know – consumers have a right to:

    • Receive confirmation from a data controller as to whether the controller is processing or has processed the consumer’s personal data and, if so, a copy of that personal data and a list of the categories of personal data processed; and

    • Receive a list of specific third parties to which the data controller has disclosed the consumer’s personal data.

  • Right to Correction – consumers may require a data controller to correct any inaccuracies in their personal data;

  • Right to Deletion – consumers may instruct a data controller to delete any of the consumer’s personal data that the controller maintains, including personal data obtained or derived from a source other than the consumer. If the personal data was obtained from a source other than the consumer, the data controller may satisfy this requirement by either:

    • Deleting the data while retaining “a record of the deletion request and a minimal amount of data necessary to ensure that the personal data remains deleted,” and not using that minimal data for any other purpose; or

    • Opting the consumer “out of the controller’s processing of the consumer’s personal data for any purpose other than a purpose that is exempt under the Act.”

  • Right to Opt-Out – consumers may opt out of the sale of their personal data, the use of their personal data for targeted advertising, and profiling in furtherance of decisions that “produce legal effects or effects of similar significance” for the consumer;

  • Right to Data Portability – a data controller which provides a consumer with a copy of their personal data pursuant to a consumer request under the Act must provide the data “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance;” and

  • Sensitive Data – a data controller may not, without first obtaining the consumer’s consent, process any consumer personal data which:

    • Reveals “a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status”;

    • Belongs to a known child. If the consumer is a child, the data controller must process the child’s personal data in accordance with the Children’s Online Privacy Protection Act (COPPA);

    • Is precise geolocation data that accurately identifies the consumer’s location; or

    • Is genetic or biometric data.

Additionally, if a consumer submits a request pursuant to a right granted under the Act, the data controller must respond within 45 days after the request is received. This 45-day period can be extended by an additional 45 days if the controller deems it “reasonably necessary” and notifies the consumer of the reason for the extension. A data controller is only required to provide a consumer with information in response to a consumer request once in any 12-month period without charging the consumer.

The data controller is authorized under the Act to authenticate consumer requests through commercially reasonable methods that do not require the consumer to provide additional information. However, if the controller cannot properly authenticate a request in this manner, the controller must notify the consumer of the issue and is excused from completing the request until the consumer provides the information necessary to authenticate it. Data controllers must also establish a process by which consumers may appeal the controller’s refusal to take action in response to their request.

Among other requirements, this appeals process must:

  • Provide a reasonable time period for the appeal to be conducted;

  • Be easily available to the consumer;

  • Be similar to the process for submitting a consumer request;

  • Provide the consumer with a written response within 45 days of receiving the appeal. This 45-day period can be extended by an additional 45 days if the controller deems it “reasonably necessary” and provides the consumer with notice of the extension and the reason for it; and

  • Provide or specify information that enables the consumer to contact the Oregon Attorney General to submit a complaint alleging a violation of the Act if the controller denies the appeal.

Controller Responsibilities

Among other things, controllers covered under the Act are required to:

  • Provide a compliant response to consumer requests under the Act within 45 days after request receipt;

  • Provide consumers with clear and meaningful privacy notices which specify the “express purposes for which the controller is collecting and processing personal data”;

  • Provide consumers with a process for opting out of, or revoking previously-given consent to, the sale of their personal data to third parties or its use for targeted advertising;

  • Limit the collection of personal data to that which is “adequate, relevant, and reasonably necessary” to serve the purposes the controller specified in the privacy notice;

  • Create safeguards that protect the confidentiality, integrity, and accessibility of the personal data; and

  • Avoid unlawful discrimination.

Data Processing Agreement

The Act requires data processors to follow the instructions given to them by a data controller and to assist controllers in satisfying their obligations concerning processing personal data.

The Act places requirements on contracts between the controller and processor, which must, among other things:

  • Establish “clear instructions” for processing, identify the nature of and purpose for processing, the type of data that will be processed, and the duration of processing;

  • Hold each person processing personal data to a duty of confidentiality;

  • Require the processor to comply with obligations applicable to the controller under the Act, such as:

    • Deleting consumer personal data at the controller’s direction “or at the end of the provision of services, unless a law requires the processor to retain the personal data”; and

    • Making available all information needed by the controller to verify that the processor is complying with the obligations of the Act;

  • Require the processor to enter into subcontract agreements with any person who assists in the processing of consumers’ personal data, which mirror the processor’s obligations under the controller-processor agreement; and

  • Allow the controller, the controller’s designee, or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, “to assess the processor’s policies and technical and organizational measures for complying with the processor’s obligations . . . and require the processor to cooperate with the assessment and, at the controller’s request, report the results of the assessment to the controller.”

Additionally, processors that engage subcontractors must ensure that their subcontractors meet the obligations applicable to processors in these controller-processor contracts.

Enforcement

Unlike many of its sibling laws, the Act does not provide consumers with a private right of action. Instead, the Oregon Attorney General has sole authority to investigate alleged violations of the Act and to seek civil penalties of up to $7,500 per violation against the violating party. However, before initiating such an action, the Attorney General must give the controller or processor 30 days to cure the alleged violation; this right to cure sunsets on January 1, 2026.

Reception

According to Oregon Attorney General (AG) Ellen Rosenblum, “[t]his is a huge win for Oregonians and sets a high-water mark for consumer data privacy nationwide.” This sentiment was echoed in a statement by Matt Schwartz, a policy analyst at Consumer Reports, which said that it “commend[s] Governor Kotek for signing this bill into law, which will improve privacy protections for all Oregonians[.]”

Kennedy Sutherland will continue to outline state legislative efforts for comprehensive privacy regimes.


[1] https://olis.oregonlegislature.gov/liz/2023R1/Downloads/MeasureDocument/SB619/Enrolled
