On July 18, 2023, Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act (SB 619) (“OCPA”) into law, making Oregon the eleventh state to enact a comprehensive state privacy law. OCPA takes effect on July 1, 2024; for covered non-profits, the effective date is delayed until July 1, 2025. While OCPA aligns with some existing comprehensive state privacy laws, its various distinctions highlight the fracturing data privacy and protection regulatory landscape that is emerging in the United States.
OCPA applies to any entity that conducts business in Oregon, or that provides products or services to Oregon residents, and, within a calendar year, controls or processes the personal data of:
- At least 100,000 consumers, except for purposes of completing a payment transaction; or
- At least 25,000 consumers, while deriving at least 25 percent of its annual gross revenue from selling the personal data.
While other state comprehensive privacy laws generally exempt non-profit organizations, OCPA differs by providing only a limited exemption for certain non-profits, including those that detect and prevent insurance fraud, as well as non-profits that provide programming for radio or television networks. In addition, OCPA does not exempt covered entities under the Health Insurance Portability and Accountability Act (“HIPAA”), unlike all other state comprehensive privacy laws except the Delaware Personal Data Privacy Act. Further, OCPA differs from other state comprehensive privacy laws in that it may not fully exempt financial institutions covered by the Gramm-Leach-Bliley Act (“GLBA”): with respect to financial institutions, it exempts only insured institutions, extranational institutions, credit unions defined under state law, federal credit unions, and certain affiliates of financial institutions. OCPA does, however, provide a data-level exemption for protected health information under HIPAA and for information governed by GLBA, so the practical effect for such entities is that the entity itself remains in scope while that data does not.
The OCPA provides that consumers can exercise the rights to access, delete, and correct personal data held by data controllers. Unlike other state comprehensive privacy laws, OCPA permits consumers to request a list of specific third parties, other than natural persons, to which the controller has disclosed either the requesting consumer’s personal data or, at the controller’s option, any personal data (i.e., even if the data does not pertain to the requesting consumer). Additionally, OCPA permits consumers to request a “copy of all of the consumer’s personal data that the controller has processed or is processing,” which is a broader portability right than that in other state comprehensive privacy laws, such as those in Virginia, Iowa, and Indiana, which limit the portability right to personal data that the consumer provided to the controller.
Notably, OCPA differs from other state comprehensive privacy laws by expanding the definition of “sensitive data” to include information that reveals a consumer’s status as transgender, non-binary, or as a victim of a crime. This is the first time that a comprehensive state privacy law has defined “sensitive data” to include this information.
Like almost every other state comprehensive privacy law, OCPA does not include a private right of action. California continues to be the only state that provides consumers a private right of action, and that right is limited to certain security incidents. OCPA grants the Oregon Attorney General the exclusive right to bring an enforcement action, subject to a five-year statute of limitations. Before bringing an enforcement action, the Attorney General must notify the entity of the alleged violation and allow a 30-day cure period; the cure period sunsets on January 1, 2026. Remedies include civil penalties of up to $7,500 per violation and injunctive relief. The OCPA does not explicitly authorize the Attorney General to issue regulations.
Please contact our Privacy, Cyber & Data Strategy Team for questions about OCPA or other state comprehensive privacy laws.