Oregon Consumer Privacy Act – OCPA – 11th US State with Data Privacy Legislation

Recently signed by the state House and Senate, Oregon’s new privacy law is a matter of days from becoming reality. SB 619, as its formally known, will see the northwestern state become the 11th in the country to pass comprehensive consumer privacy legislation. Read below for more information about the up-and-coming Oregon Consumer Privacy Act (OCPA), and what you should know before its implementation on July 1st, 2024.

Oregon State Privacy Law (OCPA) Oregon becomes 11th US State with comprehensive data privacy law.

The State of Data Privacy In the U.S.

For context, it’s worth briefly explaining how the United States approaches data privacy law. Unlike other major jurisdictions such as the European Union, or fellow countries Canada and Singapore, the U.S. does not have a broad law in place governing data privacy. The responsibility of policing it is left up to individual states, with some having their own regional regulations and others yet to create any. Oregon recently added a little more coverage to the map by becoming the 11th state to pass comprehensive law on the matter. Those that are still developing plans – namely will definitely be watching this rollout closely to see what can be learned.

Getting Acquainted With the Oregon Consumer Privacy Act (OCPA)

Oregon was once a spectator state itself watching others design, pass, and launch local data privacy laws. Now with its turn at the table, it’s drawing inspiration from other states in establishing a set of rules that meet international standards while remaining true to lawmakers’ specific wishes. The Oregon Consumer Privacy Act (OCPA) can be thought of as an amalgamation of several already-released statutes, incorporating provisions from the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act, and largely reflecting the GDPR principles that both of those state laws were built upon.

Here’s everything we know about it so far:

Scope

Intended to protect everyday citizens and consumers, the Oregon Consumer Privacy Act will apply to anyone who does business with a minimum number of people in the state or makes a certain amount of money from their data. The threshold stands at 100,000 people for data processing activity alone and 25,000 for organizations that derive 25% or more of their yearly gross revenue from that processing.

There are some exceptions of course, including public corporations, state and local government bodies, financial institutions as defined under the Bank Holding Company Act, and insurers that meet specific definitions under Oregon state law. Unique from other statutes of its kind, the OCPA exempts organizations governed by the Health Insurance Portability and Accountability Act (HIPAA) from its rules.

Rights and Protections for Consumers

This state law, along with the 10 others that exist in the U.S. to date, all provide similar rights and protections to consumers that work towards achieving the same thing: peace of mind.

Fleshed out in writing, consumers have…

The Right to Know
The right to know what data is being collected and why, as well as who sees that data and why.

The Rights to Access and Portability
The right to access personal data stored by companies or government entities and obtain a portable, machine-readable version of that personal information for transfer elsewhere.

The Right to Delete
The right to delete personal information held by companies, either upon request or through automated processes.

The Right to Correct
Should inaccurate or incomplete data be stored by a company, the consumer has the right to request that it be corrected.

The Right to Object
Data collection is optional; Oregon citizens are in no way obliged to consent (for example cookie consent) to it and reserve every right to say ‘no’ without repercussions.

Obligations for Businesses

Businesses are in no way off the hook with regard to their responsibilities as data controllers under the OCPA. They must follow a slew of rules, standards, and best practices in order to maintain good standing with the law.

These include:

Privacy Notices
Privacy notices, like a cookie banner, must be provided to consumers in clear and plain language. They must also detail what data is being collected and how it will be used.

Data Security
Businesses are required to take reasonable measures for protecting personal information under their control from unauthorized access or disclosure. They are also expected to complete data protection assessments for every high-risk processing activity they undertake – such as processing for the purposes of targeted advertising or profiling.

Privacy by Design
A fundamental concept in the realm of data security, Privacy by Design can be found in both domestic and international law. Its principles purport that security should be “baked in” to the design phase of a product or service, so as to anticipate and mitigate any potential privacy or data protection risks. Businesses must follow this standard to comply with the OCPA.

Next Steps for the OCPA

The Oregon Consumer Privacy Act (OCPA) cannot call itself official law just yet. The legislation has one final hurdle to pass – a signature from the governor’s desk. After that, implementation will be slated for July 1st, 2024, with an initial 30-day cure period to help ease the transition for businesses until January 1st, 2026.

The world of technology is ever-changing, and so must be the laws that govern it. The Oregon Consumer Privacy Act is an important step towards a more secure and privacy-focused future where individuals can confidently use online services without fear of their data being exposed or shared without permission.