Oregon Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

Oregon Governor Tina Kotek signed Senate Bill 619, the Oregon Consumer Privacy Act (OCPA), into law on July 18, 2023. The OCPA’s main provisions become effective on July 1, 2024.

The Oregon law creates obligations for “controllers” and “processors” of personal data, defined respectively as persons who, alone or jointly with another person, determine the purposes and means for processing personal data, and persons who process personal data on behalf of a controller.

Controllers and processors subject to the OCPA are any persons who conduct business in Oregon, or who produce a product or offer a service to Oregon residents, and who control or process the personal data of:

(1) 100,000 “consumers” (defined as Oregon residents operating outside of an employment or business context) or more in a calendar year; or

(2) at least 25,000 consumers, while deriving at least 25% of its annual gross revenue from selling the personal data.

Information and data exempt from the OCPA include, among other types, personal data subject to regulation under the FCRA, HIPAA, FERPA, and GLBA.

Controllers have the following obligations under the OCPA:

  • Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice which specifies the express purposes for which the controller is collecting and processing personal data.
  • Restraint: controllers shall limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the controller’s purposes specified in the privacy notice.
  • Security: controllers must establish, implement and maintain for personal data the safeguards described in O.R.S. 646A.622 that are required for protecting personal information, so that the controller’s safeguards protect the confidentiality, integrity and accessibility of the personal data.
  • Rights Request Mechanism: controllers must provide an effective means by which a consumer may revoke the consent given to the controller’s processing of the consumer’s personal data, which must be at least as easy as the means by which the consumer provided consent.

Consumer rights under the OCPA include the right to:

  • Confirm whether a controller is processing or has processed the consumer’s personal data and allow the consumer to access that personal data, and to receive a list of specific third parties to whom the controller has disclosed the consumer’s personal data or any personal data, and receive a copy of the consumer’s personal data that the controller has processed or is processing;
  • Require a controller to correct inaccuracies in personal data about the consumer;
  • Require a controller to delete personal data about the consumer, including personal data the consumer provided to the controller or personal data the controller obtained from another source; and,
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer in furtherance of decisions made by the controller that produce legal effects or effects of similar significance for the consumer, such as those that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, or access to essential goods or services.

Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.

Like the privacy laws in Utah and Iowa, the OCPA does not provide a private right of action, with violations only enforceable by the Oregon Attorney General’s office. The civil penalty associated with violations of the OCPA is $7,500 for each violation, or the Oregon Attorney General may bring a civil action to enjoin a violation or obtain other equitable relief.
