New data protection law in Oregon: What does it mean for companies?

On June 22, SB 619, the Oregon Consumer Privacy Act (OCPA), was passed by lawmakers in Salem. If signed into law by Governor Kotek, Oregon will become the eleventh state (and sixth in 2023) to enact comprehensive privacy laws governing the collection, use and transfer of consumer data. The majority of the OCPA's requirements will go into effect on July 1, 2024 (with the exception of nonprofit organizations, which will be subject to the law beginning July 1, 2025).

For Oregon businesses or businesses doing business in Oregon, the new privacy law has some important implications. Here are the key provisions that businesses should be aware of:

1. Wide scope of application

Unlike many other state privacy laws, the OCPA does not automatically exclude organizations that are already subject to federal privacy laws. The only exemptions are for certain data that is already governed by laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). In addition, non-profit organizations are not exempt under the OCPA, except for organizations that "detect and prevent insurance-related fraud" or are classified as "financial institutions" under state law.

2. Broader definitions of covered data

The OCPA refers to "personal information" and also establishes a category of "sensitive information" that receives special protection. The OCPA's definition of "personal information" is unusual in that it explicitly includes "derived information", i.e. inferences drawn about a consumer, as well as information associated with a "device" that can reasonably be linked to one or more individuals in a "household". Unlike similar laws, the OCPA contains no specific definition of, or exceptions for, pseudonymized data.

The definition of "sensitive information" in Oregon law is also broader than in other states and includes "race", "gender identity as transgender or non-binary" and "victim status of a crime", among others. In addition, the OCPA defines the term "biometric data" broadly and includes information that uniquely identifies an individual. However, there is an exception for "facial mapping or facial geometry", provided that these technologies are not used to uniquely identify an individual.

3. New consumer rights

The OCPA grants consumers a number of rights that are now widely accepted, such as the right to confirmation of data processing, access, rectification, erasure and portability of personal information, as well as the right to object to targeted advertising, data sales and significant profiling decisions. One interesting aspect of the OCPA, however, is the right of consumers to request a list of the "specific third parties" to whom a business discloses personal information. This presents an operational challenge and is similar to the requirements set forth in recently enacted healthcare privacy laws in Washington State and Nevada. In addition, the OCPA is the first comprehensive privacy law to explicitly provide for a right to erasure of "derived data".

4. Stricter obligations for data controllers

The OCPA imposes a number of obligations on affected companies that are already familiar from other data protection laws, such as maintaining adequate data security, contractual requirements for processors, publishing privacy notices and obtaining consent for the processing of sensitive data. However, the obligations in the OCPA are somewhat stricter than in comparable laws in other states. For example, data controllers must obtain explicit consent before profiling young people aged 13 to 15 for significant decisions. In addition, the OCPA notes that design mechanisms intended to interfere with consumer choice may invalidate consumer consent under the Act. Finally, the law requires that privacy impact assessments be retained for five years. Only Colorado has established a similar retention period, in its implementing regulations.

5. Data use and sharing for research purposes

The OCPA contains exceptions to consumer rights and controller obligations for certain uses of personal information, such as internal operations that meet consumer expectations, complying with law enforcement investigative requests, and maintaining data security. However, unlike other privacy laws, the OCPA sets no specific requirements for the use of data for research purposes. As long as the use of identifying data complies with applicable law, companies are exempt from the consumer rights and obligations of the Act for that use.

Oregon's new privacy law presents changes and challenges for businesses. It is important that companies, especially those in Oregon or doing business in Oregon, carefully review the provisions of the OCPA and take appropriate steps to comply with the requirements of the law and ensure the protection of consumer data.
