An Overview of Oregon’s Consumer Privacy Act (Senate Bill 619)

I. Introduction

On June 22, 2023, the Oregon House of Representatives passed the Senate Bill 619, also known as Oregon Consumer Privacy Act (OCPA), following an almost unanimous passage from the Senate on June 20, 2023. The Act’s passage demonstrates wide bipartisan support for stronger privacy protections in the state of Oregon. The Attorney General's Consumer Privacy Task Force, formed in response to the request for comprehensive consumer privacy laws, prepared the bill over the past four years.

Modeled on Connecticut and Virginia data privacy laws, the OCPA must be signed by Governor Tina Kotek before it becomes law. Should it be approved, the law shall come into force on July 1, 2024.

II. Who Needs to Comply with OCPA

A. Material Scope

The law applies to any person that conducts business in Oregon, or that provides products or services to residents of Oregon, and during a calendar year, controls or processes:

• the personal data of 100,000 or more consumers, other than personal data controlled or processed solely to complete a payment transaction; or
• the personal data of 25,000 or more consumers while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

B. Exemptions

The law exempts certain types of entities, data, and activities from its application.

Exempt Entities

The law also does not have any application to the following entities:

• Public bodies/corporations;
• Financial institutions, their affiliates, or their subsidiaries that are only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k);
• An insurer, as defined in ORS 731.106;
• An insurance producer, as defined in ORS 731.104;
• An insurance consultant, as defined in ORS 744.602;
• A person that holds a third party administrator license issued under ORS 744.710; and
• A nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance.

Exempt Data

The law also does not have any application to the following types of data:

• Data covered under medical laws: Protected health information processed in accordance with HIPAA, or other federal or state medical laws;
• Personal data used for research: Identifiable private information collected, used or shared in research conducted in accordance with applicable laws;
• GLBA data: Personal data collected, processed, sold, or disclosed in compliance with the Gramm-Leach-Bliley Act.
• Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
• FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
• ADA data: Personal data collected, processed, sold, or disclosed in relation to price, route, or service under the Airline Deregulation Act (ADA), to the extent the provisions of OCPA are preempted by ADA; and
• Employment data: Personal data maintained for employment records.

Exempt Activities

The law also does not have any application to the following activities:

• Any activity that involves collecting, maintaining, disclosing, selling, communicating or using information if done strictly in accordance with the provisions of the federal Fair Credit Report Act (FCRA) by:
  • A consumer reporting agency;
  • A person who furnishes information to a consumer reporting agency; or
  • A person who uses a consumer report.
• Non-commercial activity of:
  • A publisher, editor, reporter or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report or other publication in general circulation;
  • A radio or television station that holds a license issued by the Federal Communications Commission;
  • A nonprofit organization that provides programming to radio or television networks; or
  • An entity that provides an information service, including a press association or wire service.

III. Definitions of Key Terms

A. Biometric Data

Personal data that is generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voiceprint, retinal pattern, iris pattern, gait, or other unique biological characteristics that allow or confirm the unique identification of the consumer. Biometric data does not include the following:

1. A photograph recorded digitally or otherwise;
2. An audio or video recording;
3. Data from a photograph or from an audio or video recording, unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer;
4. Facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.

B. Consent

An affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed, and unambiguous assent to another person’s act or practice under the following conditions:

1. The user interface by means of which the consumer performs the act does not have any mechanism that has the purpose or substantial effect of obtaining consent by obscuring, subverting, or impairing the consumer’s autonomy, decision-making, or choice; and
2. The consumer’s inaction does not constitute consent.

C. Child

An individual under the age of 13.

D. Controller

A person that, alone or jointly with another person, determines the purposes and means for processing personal data.

E. Personal Data

Data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household. Personal data does not include de-identified data or data that:

1. Is lawfully available through federal, state, or local government records or through widely distributed media; or
2. A controller reasonably has understood to have been lawfully made available to the public by a consumer.

F. Processor

A person that processes personal data on behalf of a controller.

G. Sensitive Data

Sensitive data is any personal data that:

1. Reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status;
2. Is a child’s personal data;
3. Accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or
4. Is genetic or biometric data.

IV. Obligations for Organizations Under OCPA

A. Data Minimization and Purpose Limitation

Controllers must ensure transparency regarding their data collection activities and limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as initially disclosed to the consumer.

B. Consent Requirements

Controllers must provide consumers with an effective means to revoke their consent from having their personal information processed by the controller. The method must be at least as simple as the method used to obtain the consumer's consent. The controller must stop processing personal data as soon as possible when the consumer withdraws consent but no later than 15 days after receiving the revocation. A controller must not:

• process personal data without obtaining the consent of the data subject for purposes that are neither reasonably necessary nor compatible with those the controller specified;
• process sensitive consumer data without the consumer's consent or, if the controller is aware that the consumer is a child, without following the Children's Online Privacy Protection Act's (COPPA) guidelines.

C. Targeted Advertising

A controller must not process a consumer's personal data for the purposes of targeted advertising, profiling the consumer to support decisions that have legal or significant consequences, or selling the consumer's personal data without the consumer's consent if the controller has actual knowledge that the consumer is at least 13 years old and not older than 15 years of age.

D. Privacy Notice Requirements

A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that:

• outlines the categories of sensitive data, along with the types of personal data, that the controller processes;
• specifies the reasons why the controller is processing the personal data;
• explains how a consumer can exercise their rights, including how to appeal a controller's denial of a request made by a consumer;
• specifies a list of all sensitive data categories, as well as all other categories of personal data, that the controller discloses with third parties;
• specifies in sufficient detail each category of the third party that the controller shares personal data so that the consumer may determine the nature of each third party and, to the degree practicable, how each third party may process personal data;
• provides consumers with the controller's email address or another online contact method that the controller actively reviews;
• identifies the controller, including any assumed business name used in this state as well as any business name the controller registered with the Secretary of State;
• provides a procedure by which the consumer may opt out of this type of processing;
• describes any processing of personal data that the controller engages in for targeted advertising or to profile the consumer in support of decisions that have legal effects or effects of similar significance;
• specifies the method(s) the controller has defined for receiving customer requests.

E. Security Requirements

To protect the confidentiality, integrity, and accessibility of personal data, the controller must establish, implement, and maintain the same safeguards described in ORS 646A.622 that are required to protect personal information, as defined in ORS 646A.602, to the extent necessary for the volume and nature of the data.

F. De-identified Data Requirements

A controller that possesses de-identified data must:

• Make reasonable efforts to ensure that the deidentified data cannot be used to identify a specific person;
• Publicly commit to maintaining and using de-identified data without attempting to re-identify the deidentified data; and
• Sign a contract with the recipient of the deidentified data, specifying that the recipient is responsible for complying with the controller's obligations.

A controller that discloses de-identified data must exercise reasonable oversight to ensure that any contractual obligations to which the deidentified data is subject are being followed, and they must take the necessary action to resolve any breaches of those obligations. This does not prohibit a controller from attempting to re-identify de-identified data solely to test the controller’s methods for de-identifying data.

G. Data Protection Impact Assessment

A data protection assessment must be carried out and documented for each of the controller's processing operations that carry a heightened risk of harming a consumer. Processing activities that put consumers at heightened risk of harm include:

• Processing personal data for the purpose of targeted advertising;
• Processing sensitive data;
• Selling personal data; and
• Using the personal data for purposes of profiling if the profiling presents a reasonably foreseeable risk of:
  • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • Financial, physical, or reputational injury to consumers;
  • Physical or other types of intrusion upon a consumer’s solitude, seclusion, or private affairs or concerns if the intrusion would be offensive to a reasonable person; or
  • Other substantial injury to consumers.

A data protection assessment must identify and compare potential risks to consumers with how processing personal data may directly or indirectly benefit the controller, the consumer, other stakeholders, and the public while also considering the potential efficiency of the controller's security measures to reduce risks. The controller must conduct the assessment while considering the risks that de-identified data may help mitigate, consumers' reasonable expectations, the context in which the data is processed, and the relationship between the controller and the individuals whose personal data it will be processing.

Any data protection assessments that a controller has completed must be given to the Attorney General if those assessments are relevant to an investigation the Attorney General is conducting.

A controller can conduct a single data protection assessment to address a comparable set of processing operations that present a similar heightened risk of harm. Further, a data protection assessment conducted by the controller under any other law can also satisfy the requirements under the OCPA if the data protection assessment is reasonably similar in scope and effect to a data protection assessment conducted under OCPA.

Requirements for a data protection assessment are not retroactive and only apply to processing operations that start on or after July 1, 2024. A controller must keep all of their data protection assessments for at least five years. A data protection evaluation is private and cannot be disclosed.

H. Third-Party Processing Requirements

The controller must explain all categories of third parties—including sensitive data categories—with whom the controller shares personal data in sufficient detail for the consumer to understand the nature of each third party and, to the extent possible, how each third party may process personal data. Personal data should not be sold or otherwise voluntarily disclosed to a third party.

I. Non-Discrimination Requirements

A controller must not discriminate against a consumer who exercises a privilege provided to them by, for example, refusing to provide them with products or services, charging them a different price or rate, or offering them a different quality or variety of goods or services.

However, if a consumer voluntarily enrolls in a legitimate loyalty, rewards, premium features, discount, or club card program, the controller may make an offer to them for a different price, rate, level of quality, or selection of goods or services, including one for no fee or charge.

V. Data Processor Responsibilities

A. Assistance to Controller

A processor must comply with a controller's instructions and assist the controller in upholding its duties. In assisting the controller, the processor must:

• Enable the controller to respond to consumer requests by using methods that, to the extent reasonably practical, utilize appropriate technological and organizational measures, taking into consideration how the processor processes personal data and the information at its disposal;
• Implement reasonable administrative, technical, and physical security measures to ensure the security and privacy of the personal data the processor processes, taking into account how the processor uses the data and the information at its disposal;
• Provide the controller with information that is reasonably required to carry out and record data protection assessments.

B. Processing Under Contract

To process personal data on the controller's behalf, the processor and the controller must enter into a contract. The agreement must:

• Be valid and binding on both parties;
• Clearly state how to process data, its nature and purpose, the categories of data that will be processed, and how long the processing will take;
• Clearly state each party's obligations and rights concerning the contract’s subject;
• Ensure that each individual processing personal data is obligated to maintain the data's confidentiality;
• Require that the processor deletes the personal data or return it to the controller upon request from the controller or completion of the services unless the processor is required by law to keep the data;
• Require the processor to make available to the controller, at the controller’s request, all information the controller needs to verify that the processor has complied with all obligations of the processor;
• Require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller’s behalf and, in the subcontract, requires the subcontractor to meet the processor’s obligations under the processor’s contract with the controller; and
• Enable the controller, the controller's designee, or a qualified and independent person the processor engages in evaluating the processor's policies and organizational and technical measures for complying with its obligations in accordance with an appropriate and accepted control standard, framework, or procedure. Require the processor to cooperate with the assessment and report the assessment results to the controller upon the controller's request.

VI. Data Subject Rights

A. Right to Know

Consumers have the right to obtain confirmation as to whether a controller is processing or has processed a consumer’s personal data and the categories of personal data the controller is processing or has processed. Additionally, the controller must provide a consumer, at its option, with a list of the specific third parties—other than natural persons—to whom the controller has disclosed the consumer’s personal data or any personal data.

B. Right to Correction

Consumers have the right to require a controller to correct inaccuracies in personal data about the consumer, taking into account the nature of the personal data and the controller’s purpose for processing the personal data.

C. Right to Delete

Customers have the right to request that a controller delete any personal data about them, including data they gave to the controller directly as well as the data the controller got from another source, and derived data.

D. Right to Opt-Out

Consumers have the right to opt-out from a controller’s processing of personal data of the consumer that the controller processes for any of the following purposes:

• Targeted advertising;
• Selling the personal data; or
• Profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance.

E. Right to Data Portability

Consumers have the right to obtain a copy of their personal data processed by the controller in a portable and, to the degree technically possible, easily accessible format that enables hassle-free transmission of the personal data to another party.

How can consumers exercise their rights:

Consumers have the right to exercise their rights at any time by making a request, through a method specified by the controller in its privacy notice, to a data controller and specifically highlighting the consumer rights they want to exercise. A parent or legal guardian of the child may exercise the child's consumer rights concerning the processing of personal data belonging to a known child. Similarly, a guardian or conservator may exercise the rights on behalf of a consumer that is subject to a guardianship, conservatorship or other protective arrangement

Controller’s response to data subject rights:

A controller must respond to a consumer's request to exercise their rights without undue delay and no later than 45 days after receiving it. If the extension is considered to be reasonably necessary for meeting the consumer's request, taking into account the complexity of the request and the frequency of requests the consumer makes, the controller may extend the time frame within which the controller responds by an additional 45 days. When extending the original 45-day response window, a controller must inform the consumer and provide a justification for the extension within the first 45 days after receiving the request.

If a controller chooses not to act on a consumer's request, the controller must inform the consumer without undue delay and no later than 45 days after receiving the request. The controller must include the justification for not taking action and also provide guidelines for appealing the controller's decision.

A controller is required to give consumers any data they want, just once for free every year. If a consumer makes a second or subsequent request within a year, the controller may do so with a reasonable fee to cover the administrative costs of doing so unless the purpose of the second or subsequent request is to confirm that the controller complied with the consumer's request to delete or correct inaccurate personal data. A controller must notify the consumer if the controller cannot, using commercially reasonable methods, authenticate the consumer’s request without additional information from the consumer.

A controller is not required to authenticate an opt-out request; however, it may ask for additional information necessary to comply with the request, such as information necessary to identify the consumer requesting to opt-out. A controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that such a request is fraudulent. In such a case, the controller must notify the person who made such a request disclosing that such controller believes such request is fraudulent and the controller shall not comply with such request.

Appeal process:

A controller shall establish a process by means of which a consumer may appeal the controller’s refusal to take action on a request. The controller’s appeal process must:

• Give the consumer a reasonable amount of time to file an appeal after receiving the controller's denial;
• Be readily accessible to consumers;
• Appear and be equivalent to how a consumer must submit a request; and
• Require the controller to inform the consumer in writing of their decision and the reasons behind it within 45 days of receiving the appeal, whether they approved it or denied it. The notice must include or define information enabling the consumer to contact the Attorney General and file a complaint if the controller denies the appeal.

VII. Limitations

The provisions of OCPA do not restrict a controller or a processor from doing the following:

• Comply with federal, state, or local laws, rules, or regulations;
• Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
• Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
• Investigate, establish, initiate, or defend legal claims;
• Prevent, detect, protect against, or respond to, and investigate, report, or prosecute persons responsible for security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity, or preserve the integrity of systems;
• Identify and repair technical errors in a controller’s or processor’s information systems that impair existing or intended functionality;
• Provide a product/service specifically requested by a consumer, or the parent or guardian of a child on the child’s behalf or as the guardian or conservator of a person subject to a guardianship, conservatorship or other protective arrangement on the person’s behalf;
• Negotiate, enter into or perform a contract with a consumer, including fulfilling the terms of a written warranty;
• Protect any person’s health and safety;
• Effectuate a product recall;
• Conduct internal research to develop, improve or repair products, services or technology;
• Perform internal operations that are reasonably aligned with a consumer’s expectations, that the consumer may reasonably anticipate based on the consumer’s existing relationship with the controller or that are otherwise compatible with processing data for the purpose of providing a product or service the consumer specifically requested or for the purpose of performing a contract to which the consumer is a party; or
• Assisting another controller or processor with any of the activities listed above.

Any obligation placed on a controller or a processor under OCPA does not apply if compliance by the controller or processor would violate an evidentiary privilege under Oregon laws.

VIII. Regulatory Authority

The Oregon Attorney General has the exclusive authority to enforce the provisions of OCPA.

IX. Penalties for Non-Compliance

For each infraction, the Attorney General could seek a civil penalty of up to $7,500. If the Attorney General determines the controller can correct the violation, the controller must be notified of the violation before the Attorney General may initiate an action. The Attorney General may file a lawsuit without additional notice if the controller doesn't correct the infraction within 30 days after receiving notice of it.

The Attorney General shall bring an action within five years after the date of the last act of a controller that constituted the violation for which the Attorney General seeks relief.

X. How an Organization Can Operationalize the Law

Organizations can operationalize Oregon Consumer Privacy Act (OCPA) by:

• Establishing policies and procedures for processing data in compliance with the requirements of the OCPA;
• Developing clear and accessible privacy notices in compliance with the requirements of the OCPA;
• Obtaining informed consent from individuals before processing their sensitive personal data;
• Developing a robust framework for receiving and processing data requests and complaints from consumers;
• Ensuring personal data security by taking appropriate security measures; and
• Training employees who handle the consumers’ data on the organization's policies and procedures, as well as the requirements of the OCPA.

XI. How Can Securiti Help

Securiti’s Unified Data Controls framework enables organizations to comply with Senate Bill 619 – Oregon Consumer Privacy Act (OCPA) by securing the organization’s data and enabling organizations to maximize data value and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.