
An Overview of Oregon Data Privacy Law: Oregon Consumer Privacy Act (OCPA)
In July 2023, Oregon became the eleventh US state to enact a data privacy law. Like other data privacy legislation, the Oregon Consumer Privacy Act (OCPA) regulates how businesses collect, use, and disclose personal information.
Here, we’ll explore OCPA in more detail and how it might impact your business.
What is OCPA?
The Oregon Consumer Privacy Act enshrines a set of consumer rights and legal obligations for businesses that collect personal data.
According to the bill, an Oregon resident whose data has been processed is classed as a ‘consumer’. Businesses that use personal data are referred to as ‘data controllers’.
If your business falls under the scope of OCPA, you must:
- Gather consent before collecting any sensitive personal data.
- Disclose when working with third-party data processors, and explain how they process data.
- Gain consent before using children’s data for profiling or targeted advertising, or before selling data relating to a child.
- Update your privacy policies to include information about your data practices and the rights consumers have.
- Ensure that appropriate measures are in place to protect consumer data.
It should be noted that OCPA follows the EU’s definition of consent outlined in the General Data Protection Regulation (GDPR). According to the bill, consent is defined as “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice…”
In other words, consent cannot be gathered through inaction (eg, clicking neither accept nor reject on a cookie banner).

What rights do consumers have according to OCPA?
The Oregon data privacy act affords five key rights to consumers. These are:
- The right to access – Upon a request, businesses must disclose whether a consumer’s data has been processed. They must list the types of data processed and any information that has been shared with a third party. Consumers can also request access to any information held about them directly.
- The right to deletion – Consumers can request that a data controller delete any information they hold about them.
- The right to opt-out – Consumers can request that their data not be sold or used for targeted advertising or profiling.
- The right to portability – Consumers can request a copy of any data they have provided. Data must be presented in a format that consumers can access easily.
- The right to correction – Consumers can request that inaccurate data be corrected.
How does OCPA impact my business?
OCPA applies to businesses that sell products or services to consumers in Oregon and that also meet one of the following criteria. An organisation must either:
- Control or process personal data relating to 100,000 or more residents for purposes other than completing a transaction, or
- Control or process personal data of 25,000 or more residents, and generate 25% of its gross revenue from the sale of personal data.
There are some exceptions to the above. Most non-profit organisations and businesses in the information sector are exempt from OCPA.
Other exceptions are based on the types of data processed by an organisation. For example, healthcare businesses aren’t automatically exempt under the Health Insurance Portability and Accountability Act (HIPAA). Health information handled in compliance with HIPAA isn’t covered by OCPA, but other processed information could fall under the bill’s scope.
How is OCPA enforced?
The OCPA is enforced by the Oregon Attorney General’s office. Consumers can file complaints with the office, which the Attorney General then investigates. During assessment, organisations might be asked to provide a data protection assessment and other documents.
If a business is deemed non-compliant, it can be fined up to $7,500 for each violation. The Attorney General may also pursue additional actions. They might, for example, claim any profits generated from violations.
Gathering consent
The OCPA uses an ‘opt out’ model. This means that in most cases, unlike certain worldwide data privacy laws, you don’t need to collect consent before gathering data.
There are some exceptions to this, however. You’ll need to gather permission from consumers if you use data in any of the following ways:
- Processing any form of data that is considered sensitive.
- For purposes other than those specified in your privacy policy.
- Processing data from a child younger than 13 (consent must be collected from the parent or legal guardian).
- Using a child’s data for sale, profiling, or targeted advertising.
Remember, even if consent is not required, you still need to provide mechanisms for consumers to exercise their rights. The easiest way for consumers to grant or withhold consent is through a compliant consent management platform.
Displaying a privacy policy
As mentioned, transparency is central to the OCPA. A privacy policy is essential for clearly outlining your business’s data handling practices.
It’s important to note that a privacy policy designed for other data privacy laws will not be enough to comply with OCPA. While the law shares similarities with other bills, it still requires a unique approach. Your privacy policy must address the following areas, in particular.
- An explanation of why you are processing data and the purposes it will be used for.
- A full list of categories of the different forms of data processed.
- The categories of any third-party data processors you work with, and a description of how each party processes data.
- A list of the different forms of data shared with third parties.
Alongside the areas listed above, your policy should also explain how consumers can exercise their rights. This could cover:
- A description of how to submit a consumer rights request.
- A description of at least one method for customers to contact your business.
- How consumers can opt out of data processing (if their data is used for profiling or targeted advertising).
- A description of the controller, including your business name registered in Oregon.
- How consumers can appeal a denial of rights.
Ensuring OCPA compliance
If your business falls under the scope of the Oregon Consumer Privacy Act, it’s important to ensure compliance as soon as possible. Here are some of the steps you can take to stay on the right side of the law.
Collect clear consent
You need methods for registering consumer consent to ensure compliance with OCPA. The best way of registering consent is through a compliant cookie banner. This should provide a clear method for consumers to accept or reject data processing.
Choose a CMP that provides granular consent options, so that consumers can specify the sorts of information they share. It shouldn’t use manipulative tactics to influence users to act in certain ways (eg, using a bigger accept button).
Consumers should also be able to alter their consent preferences at any time by accessing a clearly labelled space on your site. The screenshot below is taken from the MeasureMinds website and shows how this might look in practice.
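To make the consent requirements above concrete, here is a small, DOM-free consent model written for this article; it is an added example, not code from the original post or from MeasureMinds. It follows the definition of consent quoted earlier (an affirmative, specific, informed act): the default state withholds every category, only a trusted click on an accept, reject or save control changes it, dismissing the banner or scrolling on records nothing, granular selections leave unticked categories withheld, withdrawal is always possible, and a consent cookie coming back from the browser is treated as untrusted input. The category names, the policy version string and the storage layout are assumptions made for illustration.

```javascript
// Added example (not the article's or MeasureMinds' code). Category names,
// POLICY_VERSION and the stored shape are assumptions for illustration.
const CATEGORIES = ['analytics', 'targeted_advertising', 'profiling', 'sale'];
const POLICY_VERSION = '2024-01'; // assumed; bump it whenever the privacy policy changes

// Starting state: no decision recorded, every category withheld.
function defaultState() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false;
  return { policyVersion: POLICY_VERSION, decided: false, choices, recordedAt: null };
}

// Only a trusted click on an accept/reject/save control counts as an affirmative act.
// Closing the banner, scrolling past it or a timeout leave the state unchanged,
// so inaction never turns into consent.
function applyAction(state, action, now = Date.now()) {
  const evidence = action.evidence || {};
  const explicit = evidence.type === 'click' && evidence.isTrusted === true;
  if (!explicit) return state;

  const choices = Object.assign({}, state.choices);
  switch (action.kind) {
    case 'accept_all':
      for (const c of CATEGORIES) choices[c] = true;
      break;
    case 'reject_all':
      for (const c of CATEGORIES) choices[c] = false;
      break;
    case 'save_selection': {
      // Granular choice: only categories the user ticked are granted; anything
      // missing from the selection stays withheld (no pre-ticked boxes).
      const selected = Array.isArray(action.selected) ? action.selected : [];
      for (const c of CATEGORIES) choices[c] = selected.includes(c);
      break;
    }
    default:
      return state; // 'dismiss', 'timeout' or unknown kinds: nothing was consented to
  }
  return { policyVersion: POLICY_VERSION, decided: true, choices, recordedAt: now };
}

// Withdrawing consent must always be possible and needs no particular evidence.
function withdraw(state, category) {
  if (!CATEGORIES.includes(category)) return state;
  const choices = Object.assign({}, state.choices, { [category]: false });
  return Object.assign({}, state, { choices });
}

// Processing is allowed only for a category explicitly granted under the current
// policy version; an answer given under an older policy was informed by different
// practices, so it is not reused.
function isAllowed(state, category) {
  return state.decided === true &&
    state.policyVersion === POLICY_VERSION &&
    state.choices[category] === true;
}

// Persist and restore. The cookie value is client-controlled input: malformed
// JSON, unknown categories or an older policy version fall back to the default
// (withheld) state instead of being trusted.
function serialize(state) {
  return JSON.stringify(state);
}

function restore(raw) {
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return defaultState(); }
  if (!parsed || parsed.policyVersion !== POLICY_VERSION || parsed.decided !== true) {
    return defaultState();
  }
  const state = defaultState();
  state.decided = true;
  state.recordedAt = Number.isFinite(parsed.recordedAt) ? parsed.recordedAt : null;
  const choices = parsed.choices || {};
  for (const c of CATEGORIES) state.choices[c] = choices[c] === true;
  return state;
}
```

In a real banner the `evidence` object would be the browser's click event for the button the user pressed; passing the event through rather than a boolean keeps the "affirmative act" check in one place, and `restore` is where a tampered or stale cookie is neutralised before any tag fires.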

If you intend to process data relating to children, you’ll need permission from parents or guardians. There are different methods you can use to gather parental consent, such as:
- Having parents/guardians fill out a downloadable form.
- Gathering verbal consent through a phone call.
- Holding a face-to-face video call.
Improve your data security
OCPA obligates businesses to have the right security in place to protect consumer data. It’s worth running an audit of your existing data protection practices to spot potential risks. Consider the following areas in particular:
- Password usage – Make sure that strong passwords are used across your organisation, particularly for accounts that handle sensitive data. A password manager can help ensure the strongest passwords possible.
- Data access management controls – It’s important that sensitive data is only accessible on a ‘need to know’ basis. Through data access management, you can make sure that only authorised personnel can access sensitive data.
- Data encryption – Make sure that end-to-end encryption is in place to prevent sensitive information from falling into the wrong hands.
- Data protection training – It’s critical that staff know how to handle sensitive data and spot any potential risks. Through regular training and boosting employee awareness, you can reduce the risk of mistakes and other threats.

Ensure clear communication channels
To ensure compliance with OCPA, consumers must be able to exercise their rights easily. This requires a dedicated channel for requests, such as a phone line or email address. These channels should be easy to access and signposted clearly. They should be monitored to ensure a prompt response to customer requests.
It’s important to identify users who submit requests. If a consumer’s identity cannot be verified, you have the power to reject requests. When doing so, you must explain why you are unable to fulfil the customer’s wishes.
Review your compliance
The Oregon Consumer Privacy Act is a detailed piece of legislation with a wide scope. Without proper care and attention, it’s easy to fall on the wrong side of the law. It’s important to assess (A) whether OCPA applies to you and (B) whether you have the appropriate measures to ensure compliance.
Of course, OCPA is just one of the many worldwide data privacy laws. If you’d like to learn about another important piece of legislation, you can read our blog about creating a GDPR compliance checklist.