Keypoint: Oregon is the eleventh state to pass consumer data privacy legislation with a bill that is one of the strongest passed to date.
On June 22, 2023, the Oregon legislature passed the Oregon Consumer Privacy Act (OCPA) (SB 619). Subject to the procedural formalities, the bill will move to Oregon Governor Tina Kotek for consideration.
Assuming the bill becomes law, Oregon will become the eleventh state – and sixth this year – to pass a consumer data privacy bill. It is the first Democrat-controlled state to pass a consumer data privacy bill in 2023.
The OCPA – which is the product of a work group led by the Oregon Attorney General’s office – is based on the Washington Privacy Act model that has been used by all of the non-California states. However, the bill contains some notable and unique provisions discussed in the below article.
Click here if you would like to see a more detailed comparison of the OCPA against the ten other state laws enacted to date.
As noted, the OCPA is the product of a work group coordinated by the Oregon Attorney General’s office. In broad strokes, the OCPA is perhaps best understood as taking provisions from the Connecticut Data Privacy Act, the Colorado Privacy Act and its Rules, and adding some unique provisions as discussed below.
On the spectrum of state consumer privacy laws, it is difficult to say what is the “strongest” law. That is particularly true given that Colorado engaged in rulemaking and Connecticut recently added health and children’s data privacy provisions to its law. It is perhaps better to characterize state consumer data privacy laws into tiers, such as Keir Lamont from the Future of Privacy Forum recently proposed. In that regard, Oregon no doubt fits into the same tier as Colorado and Connecticut (with California not included because it is not based on the same model). Further, Oregon certainly can argue that it has passed a more consumer-friendly law on several issues.
The OCPA follows the consumer threshold standard that has become common with the Washington Privacy Act variants. Specifically, it applies to persons that conduct business in Oregon or that provide products or services to Oregon residents and that, during a calendar year, control or process the personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the purpose of completing a payment transaction) or the personal data of 25,000 or more consumers while deriving 25% or more of the person’s annual gross revenue from selling personal data.
The OCPA defines “consumer” as state residents acting in any capacity other than in a commercial or employment context. It also contains an exemption for employment-related data.
With a population of around 4.24 million people, the 100,000 threshold is approximately 2.35% of the state’s population. For reference, the 100,000 threshold is approximately 1.72% and 2.78% of Colorado and Connecticut’s populations, respectively.
One important aspect of the OCPA is that it does not contain the same exemptions found in other state privacy laws. For example, as the bill was originally introduced it contained both data-level and entity-level exemptions for GLBA-regulated financial institutions. However, as the bill progressed the entity-level exemption language was removed, and the final exemption reads as follows:
(2) Sections 1 to 9 of this 2023 Act do not apply to:
. . . .
(k) Information collected, processed, sold or disclosed under and in accordance with the following federal laws, all as in effect on the effective date of this 2023 Act:
(A) The Gramm-Leach-Bliley Act, P.L. 106-102, and regulations adopted to implement that Act;
. . . .
(L) A financial institution, as defined in ORS 706.008, or a financial institution’s affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k), as in effect on the effective date of this 2023 Act;
(m) Information that originates from, or is intermingled so as to be indistinguishable from, information described in paragraph (k)(A) of this subsection and that a licensee, as defined in ORS 725.010, collects, processes, uses or maintains in the same manner as is required under the laws and regulations specified in paragraph (k)(A) of this subsection;
In its drafting comments, the Office explained that the change was the Office’s “proposed compromise to address concerns raised at the last task force meeting about the breadth of an entity-level GLBA exemption. For example, exempting ‘financial institutions’ and their affiliates as defined in the GLBA would lead to the exemption of businesses like payday lenders and car dealerships. Note that there is already a data-level exemption above, so this would supplement that exemption by fully exempting . . . banks, credit unions and other entities defined as a financial institution under state law.”
The OCPA also does not contain a HIPAA covered entity exemption but does contain several data level exemptions – similar to Colorado. The Office argued that the “problem with [an entity-level exemption] is that there are many HIPAA-covered entities that are covered only for a small portion of the data they process. Including an entity-level exemption would create a huge loophole for any entity that engages in any amount of HIPAA covered activities, no matter how much data they process that is not covered by HIPAA.”
Finally, like Colorado, Oregon does not exempt non-profits although it does contain limited non-profit exemptions for organizations established to detect and prevent fraudulent acts in connection with insurance and organizations that provide programming to radio or television networks.
Definition of Personal Data
The OCPA defines “personal data” as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” In comparison, Connecticut defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual.”
It its drafting comments, the Office explained that “[n]ot covering data that is linked/linkable to a device that is itself linked/linkable to a consumer could create a significant loophole, considering how much data our personal devices are collecting these days (and this will only increase as technology advances).”
With respect to including derived data the Office explained: “Derived data can reveal many things about a consumer that they may wish to keep private. If we exclude data, when a consumer exercises their deletion rights, a controller could still retain significant amounts of derived data they hold about that consumer based on inferences they made from the consumer’s data. This would frustrate the ability of consumers to truly exercise their rights under the bill.”
Definition of Biometric Data
The OCPA’s definition of “biometric data” also is unique:
“Biometric data” means personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer.
“Biometric data” does not include:
(A) A photograph recorded digitally or otherwise;
(B) An audio or video recording;
(C) Data from a photograph or from an audio or video recording, unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer; or
(D) Facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.
Oregon’s definition does not require controllers to use biometric data to identify an individual, which is required by Connecticut and the Colorado Rules. The drafting comments explain that this distinction is intentional because biometric data is “extremely sensitive and something many consumers wish to keep private, regardless of whether it is used for identification purposes.” However, with respect to photographs and audio and video recordings, the OCPA requires those to be used for identification purposes “[b]ecause of the pervasiveness of photos, audio and video on the Internet.”
Part (D) also is a new provision as compared to other laws. There, the Office explained “This was added to address the concern that ‘photograph’ and ‘video’ don’t include websites that use real-time facial mapping to apply filters, try on glasses, etc. We are adding this language to exclude those specific uses of technology, as long as the data isn’t generated for the purpose of identifying someone or being used to identify a person (for the same reason explained above).”
The OCPA’s definition of sensitive data largely tracks the definitions in other laws; however, it includes “status as transgender or nonbinary” and “status as a victim of crime.” For reference, Connecticut’s law was amended this year through SB 3 to add status as a victim of crime as sensitive data (as well as adding consumer health data). Colorado also now covers sensitive data inferences through rulemaking. As with other laws, Oregon’s definition of sensitive data includes biometric and genetic data but, for the reasons discussed above, it does not require such data to be used to identify an individual.
Oregon largely tracks the consumer rights provided in Connecticut and Colorado with some notable distinctions. Perhaps the most significant distinction is that Oregon residents will be able to obtain, at the controller’s option, “a list of specific third parties, other than natural persons, to which the controller has disclosed: (i) The consumer’s personal data; or (ii) Any personal data.” No other law requires the identification of specific third parties as opposed to categories of third parties. Explaining the reason for this addition, the Office stated: “We think it is very important for consumers to have the right to know specific third parties so that they can track their data downstream and effectively exercise their rights under the bill.”
Oregon also will require controllers to recognize universal opt-out mechanisms as of January 1, 2026. Oregon joins California, Colorado, Connecticut, Montana and, in some instances, Texas as mandating this requirement. Oregon also tracks Connecticut and California in not requiring controllers to authenticate opt-out requests.
Another important distinction is that Oregon does not exclude pseudonymous data from certain rights. For example, Colorado states that the rights to access, correct, delete and port do not “apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.” Oregon does not contain this exemption.
Explaining its unwillingness to add this exemption, the Office stated: “We were asked to exclude pseudonymous data from the scope of this bill with respect to access, deletion, correction, and portability rights. We are deeply concerned that pseudonymous data does not afford consumers adequate protection, as it can be easily made personally identifiable. While this may be a good topic to explore for future legislation, we are not satisfied that a framework for adequately protecting consumers with respect to this data has been proposed.”
With respect to children’s rights, Oregon tracks Connecticut by requiring children between the ages of 13 and 15 to consent to targeted advertising and the sale of personal data. Oregon takes this one step further by also requiring such individuals to consent to profiling. That said, Connecticut recently added profiling through this year’s SB3 in addition to many other children’s privacy provisions and extending the age range to include children ages 16 and 17.
Privacy Notices / Duty of Purpose Specification
The OCPA borrows from Colorado by stating that controllers must specify in their “privacy notice . . . the express purposes for which the controller is collecting and processing personal data.” The Colorado Attorney General’s Office recently used similar language found in the Colorado Privacy Act as the basis for its purpose specification rulemaking found in Rules 6.03 and 6.06.
The OCPA’s privacy notice requirements are more detailed than those found in Connecticut and Colorado; however, for the most part, the Colorado Privacy Act Rules contain similar (and additional) requirements. One difference is that the OCPA requires the privacy notice to identify “the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this state.”
Data Protection Assessments
The OCPA’s data protection assessment requirements are consistent with those in Connecticut and Colorado – although the Colorado Privacy Act Rules go much further. The OCPA does contain a requirement for controllers to maintain data protection assessments for at least five years. The Colorado Privacy Act Rules added a three-year retention requirement.
The OCPA does not authorize Attorney General rulemaking.
The OCPA will be enforced by the Oregon Attorney General’s Office. As originally introduced, the OCPA contained a private right of action, but that was removed. The OCPA contains a thirty-day right to cure that sunsets January 1, 2026. The Office can seek a civil penalty of not more than $7,500 for each violation.
The OCPA goes into effect July 1, 2024, with the exception that the effective date for non-profits is July 1, 2025.