The Oregon Consumer Data Privacy Act: Oregon joins the data privacy field
Starting in July 2024, the Oregon Consumer Data Privacy Act (OCDPA) ushers in a new era of consumer data protection. Signed into law in 2023, the OCDPA aims to enhance the privacy and security of personal data for Oregon residents. This legislation aligns Oregon with other states like California, Virginia, and Connecticut, emphasizing robust consumer rights and business obligations.
Who must comply with the OCDPA?
The OCDPA applies to entities that:
Conduct business in Oregon or provide products or services to Oregon residents,
Control or process the personal data of over 100,000 consumers annually, or
Derive 25% or more of their revenue from selling personal data of at least 25,000 consumers.
Consumer rights under the OCDPA
The OCDPA grants Oregon residents several rights regarding their personal data, empowering them to control how their information is used and shared. These rights include:
Right to access: consumers can request access to their personal data held by a business, to see what information is collected and how it is used.
Right to correct: consumers can correct inaccuracies in their data, to ensure the information held by businesses is accurate and up-to-date.
Right to delete: consumers can request the deletion of their personal data, to remove information from business databases.
Right to data portability: consumers can obtain and reuse their personal data across different services, for easy data transfers and interoperability.
Right to opt-out: consumers can opt out of the sale of their data and targeted advertising, giving them control over how their data is monetized.
Business obligations under the OCDPA
To comply with the OCDPA, businesses must adhere to several key obligations:
Data minimization: limit data collection to what is necessary for specified purposes, to reduce the amount of data collected and stored.
Data security: implement measures to ensure data integrity, confidentiality, and accessibility, and protect personal data from breaches and unauthorized access.
Consent requirements: obtain explicit consent for processing sensitive data, including for targeted advertising.
Privacy notices: provide clear and accessible information about data processing activities and consumer rights, to enhance transparency and consumer awareness.
Data protection assessments: conduct assessments for activities posing a heightened risk of harm, such as targeted advertising and profiling, and identify and mitigate potential risks to consumer privacy.
How will compliance be enforced under the OCDPA?
The Oregon Attorney General (AG) is responsible for enforcing the OCDPA. To help facilitate easy compliance, the AG adopts a phased enforcement approach. Initially, businesses will receive notices to correct violations. However, beginning in July 2024, the enforcement will become more stringent, with fines reaching up to $7,500 per violation.
The Attorney General also holds the authority to conduct thorough investigations into suspected violations. This includes the power to demand pertinent documents and impose penalties, all aimed at upholding the provisions of the OCDPA.
To foster transparency and accountability, the AG will also release annual reports detailing enforcement activities and compliance trends. These mandated reports are a valuable feature of the law, as they will improve business compliance by offering clear guidance on best practices and highlighting what to avoid. These reports will also provide the public with insights into the state of compliance and the effectiveness of the enforcement efforts.
Comparing the OCDPA with other state laws
Similar to other state privacy laws, the OCDPA requires controllers to implement robust data protection measures and conduct data protection assessments for high-risk processing activities.
However, unlike most state privacy laws that apply to entities targeting state consumers, the OCDPA's scope extends to persons providing products or services to Oregon residents, potentially broadening its applicability. There is also no revenue threshold, making the Act more applicable to a wider range of businesses.
The OCDPA excludes businesses processing personal data solely for payment transactions, likely exempting many brick-and-mortar stores. The law also includes most non-profit organizations within its scope, breaking with other states that traditionally exclude this sector. However, enforcement for non-profit organizations is delayed until July 1, 2025.
Steps for compliance
Businesses can take several steps to ensure compliance with the OCDPA, namely:
Conduct data audits: document data processing activities thoroughly, to identify what data is collected, how it is used, and who it is shared with.
Develop policies: implement data minimization and security policies, to ensure that data is collected and stored responsibly.
Establish consumer request processes: handle data access, correction, and deletion requests efficiently, to provide consumers with control over their data.
Implement opt-out mechanisms: provide clear options for consumers to opt out of data sales and targeted advertising.
Adopting video redaction: ensure video footage containing personal data is properly redacted before sharing or processing to protect individual privacy.
The Oregon Consumer Data Privacy Act marks a significant step in enhancing data privacy and protection. As businesses prepare for its implementation, they must adapt to its requirements to ensure compliance and maintain consumer trust.