On June 22, 2023, the Oregon House of Representatives passed Senate Bill 619, also known as the Oregon Consumer Privacy Act (OCPA), following its near-unanimous passage in the Senate on June 20, 2023. The Act's passage demonstrates broad bipartisan support for stronger privacy protections in the state of Oregon. The Attorney General's Consumer Privacy Task Force, formed in response to calls for a comprehensive consumer privacy law, prepared the bill over the past four years.
Modeled on Connecticut and Virginia data privacy laws, the OCPA must be signed by Governor Tina Kotek before it becomes law. Should it be approved, the law shall come into force on July 1, 2024.
The law applies to any person that conducts business in Oregon, or that provides products or services to residents of Oregon, and during a calendar year, controls or processes:
The law exempts certain types of entities, data, and activities from its application.
The law also does not have any application to the following entities:
The law also does not have any application to the following types of data:
The law also does not have any application to the following activities:
Biometric data is personal data that is generated by automatic measurements of a consumer's biological characteristics, such as the consumer's fingerprint, voiceprint, retinal pattern, iris pattern, gait, or other unique biological characteristics that allow or confirm the unique identification of the consumer. Biometric data does not include the following:
Consent is an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer's freely given, specific, informed, and unambiguous assent to another person's act or practice under the following conditions:
A child is an individual under the age of 13.
A controller is a person that, alone or jointly with another person, determines the purposes and means for processing personal data.
Personal data is data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer, or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household. Personal data does not include de-identified data or data that:
A processor is a person that processes personal data on behalf of a controller.
Sensitive data is any personal data that:
Controllers must ensure transparency regarding their data collection activities and limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as initially disclosed to the consumer.
Controllers must provide consumers with an effective means to withdraw their consent to the controller's processing of their personal data. The method must be at least as simple as the method used to obtain the consumer's consent. When a consumer withdraws consent, the controller must stop processing the personal data as soon as practicable and no later than 15 days after receiving the withdrawal. A controller must not:
A controller must not process a consumer's personal data for the purposes of targeted advertising, profiling the consumer to support decisions that have legal or significant consequences, or selling the consumer's personal data without the consumer's consent if the controller has actual knowledge that the consumer is at least 13 years old and not older than 15 years of age.
A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that:
To protect the confidentiality, integrity, and accessibility of personal data, the controller must establish, implement, and maintain the same safeguards described in ORS 646A.622 that are required to protect personal information, as defined in ORS 646A.602, to the extent necessary for the volume and nature of the data.
A controller that possesses de-identified data must:
A controller that discloses de-identified data must exercise reasonable oversight to ensure that any contractual obligations to which the de-identified data is subject are being followed, and it must take appropriate action to address any breaches of those obligations. This does not prohibit a controller from attempting to re-identify de-identified data solely to test the controller's methods for de-identifying data.
A data protection assessment must be carried out and documented for each of the controller's processing operations that carry a heightened risk of harming a consumer. Processing activities that put consumers at heightened risk of harm include:
A data protection assessment must identify the potential risks to consumers and weigh them against the ways in which processing the personal data may directly or indirectly benefit the controller, the consumer, other stakeholders, and the public, while also considering how effectively the controller's safeguards reduce those risks. In conducting the assessment, the controller must consider the extent to which de-identified data may help mitigate risks, consumers' reasonable expectations, the context in which the data is processed, and the relationship between the controller and the individuals whose personal data it will be processing.
Any data protection assessments that a controller has completed must be given to the Attorney General if those assessments are relevant to an investigation the Attorney General is conducting.
A controller can conduct a single data protection assessment to address a comparable set of processing operations that present a similar heightened risk of harm. Further, a data protection assessment conducted by the controller under any other law can also satisfy the requirements under the OCPA if the data protection assessment is reasonably similar in scope and effect to a data protection assessment conducted under OCPA.
Requirements for a data protection assessment are not retroactive and only apply to processing operations that start on or after July 1, 2024. A controller must retain all of its data protection assessments for at least five years. A data protection assessment is confidential and not subject to disclosure.
The controller must describe all categories of third parties (including the categories of sensitive data involved) with whom the controller shares personal data, in sufficient detail for the consumer to understand the nature of each third party and, to the extent possible, how each third party may process personal data. Personal data should not be sold or otherwise voluntarily disclosed to a third party.
A controller must not discriminate against a consumer for exercising a right granted under the OCPA, for example by refusing to provide products or services, charging a different price or rate, or offering a different level of quality or selection of goods or services.
However, if a consumer voluntarily enrolls in a legitimate loyalty, rewards, premium features, discount, or club card program, the controller may make an offer to them for a different price, rate, level of quality, or selection of goods or services, including one for no fee or charge.
A processor must comply with a controller's instructions and assist the controller in upholding its duties. In assisting the controller, the processor must:
To process personal data on the controller's behalf, the processor and the controller must enter into a contract. The agreement must:
Consumers have the right to obtain confirmation as to whether a controller is processing or has processed the consumer's personal data, and the categories of personal data the controller is processing or has processed. Additionally, the controller must provide the consumer with a list of the specific third parties (other than natural persons) to whom the controller has disclosed, at the controller's option, either the consumer's personal data or any personal data.
Consumers have the right to require a controller to correct inaccuracies in personal data about the consumer, taking into account the nature of the personal data and the controller’s purpose for processing the personal data.
Consumers have the right to request that a controller delete any personal data about them, including data they provided to the controller directly, data the controller obtained from another source, and derived data.
Consumers have the right to opt-out from a controller’s processing of personal data of the consumer that the controller processes for any of the following purposes:
Consumers have the right to obtain a copy of their personal data processed by the controller in a portable and, to the degree technically possible, easily accessible format that enables hassle-free transmission of the personal data to another party.
How can consumers exercise their rights:
Consumers may exercise their rights at any time by submitting a request to the controller, through a method the controller specifies in its privacy notice, that identifies the consumer rights they wish to exercise. A parent or legal guardian may exercise a known child's consumer rights concerning the processing of the child's personal data. Similarly, a guardian or conservator may exercise the rights on behalf of a consumer who is subject to a guardianship, conservatorship, or other protective arrangement.
Controller’s response to data subject rights:
A controller must respond to a consumer's request to exercise their rights without undue delay and no later than 45 days after receiving it. If an extension is reasonably necessary to fulfil the request, taking into account the complexity of the request and the frequency of requests the consumer makes, the controller may extend the response period by an additional 45 days. When extending the original 45-day response window, a controller must inform the consumer of the extension and the reason for it within the first 45 days after receiving the request.
If a controller chooses not to act on a consumer's request, the controller must inform the consumer without undue delay and no later than 45 days after receiving the request. The controller must include the justification for not taking action and also provide guidelines for appealing the controller's decision.
A controller must provide the information a consumer requests free of charge once every 12 months. If a consumer makes a second or subsequent request within that period, the controller may charge a reasonable fee to cover the administrative cost of responding, unless the purpose of the second or subsequent request is to confirm that the controller complied with the consumer's request to delete or correct inaccurate personal data. A controller must notify the consumer if the controller cannot, using commercially reasonable methods, authenticate the consumer's request without additional information from the consumer.
A controller is not required to authenticate an opt-out request; however, it may ask for additional information necessary to comply with the request, such as information needed to identify the consumer requesting to opt out. A controller may deny an opt-out request if it has a good-faith, reasonable, and documented belief that the request is fraudulent. In that case, the controller must notify the person who made the request that the controller believes the request is fraudulent and will not comply with it.
A controller shall establish a process by means of which a consumer may appeal the controller’s refusal to take action on a request. The controller’s appeal process must:
The provisions of OCPA do not restrict a controller or a processor from doing the following:
Any obligation placed on a controller or a processor under OCPA does not apply if compliance by the controller or processor would violate an evidentiary privilege under Oregon laws.
The Oregon Attorney General has the exclusive authority to enforce the provisions of OCPA.
For each violation, the Attorney General may seek a civil penalty of up to $7,500. If the Attorney General determines that the controller can cure the violation, the controller must be notified of the violation before the Attorney General may initiate an action. The Attorney General may file an action without further notice if the controller does not cure the violation within 30 days after receiving notice of it.
The Attorney General shall bring an action within five years after the date of the last act of a controller that constituted the violation for which the Attorney General seeks relief.
Organizations can operationalize the Oregon Consumer Privacy Act (OCPA) by:
Securiti's Unified Data Controls framework enables organizations to comply with Senate Bill 619, the Oregon Consumer Privacy Act (OCPA), by securing the organization's data, enabling it to maximize the value of that data, and helping it fulfil its obligations around data security, data privacy, data governance, and compliance.
The framework delivers unified intelligence and controls for data across public clouds, data clouds, and SaaS, helping organizations overcome the challenges of hyperscale data environments and comply swiftly with privacy, security, governance, and compliance requirements.