The Oregon Consumer Privacy Act (OCPA) is the sixth U.S. state privacy law to be signed in 2023. Effective on July 1, 2024, see what your business needs to do to comply, and how Ethyca’s automated privacy solutions make it easy.
The governor of Oregon signed SB 619, or the Oregon Consumer Privacy Act (OCPA) on July 18, 2023. This makes Oregon the latest state to sign a comprehensive consumer data privacy bill into law this year.
OCPA is scheduled to go into effect on July 1, 2024, giving businesses about a year to get ready for compliance.
If your business has already been preparing for the other state privacy laws that are going into effect this year and beyond, you’ve already done a lot of the work for Oregon’s privacy law.
But, each state privacy law is unique. Businesses must take into account the different rights and regulations mandated in each state law.
This blog post will tell you everything you need to know and do to comply with Oregon’s new privacy law.
Oregon’s privacy law applies to businesses (controllers) that operate in Oregon or target products or services to Oregon consumers. Additionally, businesses subject to OCPA must either:
One interesting note is that OCPA shares the same applicability thresholds as the Connecticut, Indiana, and Montana privacy laws. Check whether your business processes the amounts of Oregon consumers’ data listed above to determine if it’s subject to OCPA.
If Oregon’s privacy law applies to your business, you’ll need to enable Oregon consumers to exercise their data subject rights and consent rights on your website. It’s also important to know how OCPA is enforced and the consequences of privacy violations.
This section will go over these requirements in more detail.
OCPA grants Oregon consumers data subject rights, or the ability to control how companies can collect, process, and disclose their personal data. These rights include:
Like in Iowa, Indiana, Montana, Tennessee, Texas, and Florida, Oregon consumers do not have a private right of action. So far, only California’s CCPA grants this right to its residents.
Oregon residents also have specific opt-out and opt-in consent rights that businesses must allow consumers to choose from.
For opt-out consent, consumers have the right to opt out of the processing of personal data for:
OCPA also requires companies to start recognizing Universal Opt-Out Signals on their websites by July 1, 2026. This gives businesses around two years to prepare for compliance. Luckily, Ethyca easily enables your website to detect Universal Opt-Out Signals, including GPC.
In terms of opt-in consent, Oregon consumers have the right to opt in to the processing of their sensitive data. OCPA defines “sensitive data” as personal data revealing:
If your business is subject to Oregon’s privacy law, you must also enable a user to revoke consent at any time. Your business would be required to explain how consumers can exercise their opt-out and opt-in rights on your website’s Privacy Notice.
Companies must respond to consumers’ data subject requests within 45 days and can extend this period by an additional 45 days. The Attorney General has exclusive authority to enforce OCPA and can issue notices of privacy violations or start civil investigations.
Once notified of a privacy violation, businesses have a 30-day cure period to correct infractions. If violations are not corrected within the timeframe, businesses can incur a civil penalty of up to $7,500 per violation. Oregon’s cure period will sunset on January 1, 2026.
Now that you know what consumer data subject and consent rights Oregon consumers have, as well as the consequences of privacy violations, let’s go over the additional business obligations required under OCPA.
Oregon’s privacy law explicitly states that businesses must limit the collection of personal data to only “the personal data that is adequate, relevant and reasonably necessary to serve the purposes the controller specified” in its website’s Privacy Notice.
This practice is also known as data minimization. Rather than simply collecting less data, data minimization requires businesses to be more deliberate about what data they collect. Collecting only the necessary data your organization needs reduces the risk of non-compliant data processing.
OCPA also explicitly states that businesses may not process consumers’ personal data in a way that is not specified in the Privacy Notice without consent. This practice is called purpose limitation and serves a similar function as data minimization.
To comply with OCPA, be sure to identify what data your business needs to collect and process, why, and for what business purpose. Make sure all of this information is published on your website’s Privacy Notice.
Businesses subject to Oregon’s privacy law must publish a clear and accessible Privacy Notice on their website. Privacy Notices should include:
Work with your legal team to ensure that all of the above necessary information is included in your business’ Privacy Notice.
Oregon’s privacy law also requires businesses to enter into data processing contracts with processors, or entities that “process personal data on behalf of a controller.” Examples of this include third-party SaaS vendors that process and store data for your business.
These contracts should legally obligate the processor to follow the instructions of the controller, and help the controller comply with consumer privacy requests and demonstrate compliance through data protection assessments.
Data processing contracts should also specify the purposes of processing, the types of data being processed, the duration of processing, and the rights and obligations of both the controller and processor.
If your business works with third parties that process data on your behalf, be sure to enter into a legally binding data processing contract with each of them.
Businesses that process de-identified data must:
If your business processes de-identified data, make sure to take appropriate measures to monitor compliance with OCPA.
Like most state privacy laws, OCPA requires businesses to perform data protection assessments (DPAs).
DPAs are meant to help businesses carefully assess the risks of processing data on the consumer, the business itself, and other stakeholders. They are also meant for businesses to examine how they can mitigate such risks.
Businesses must document specific considerations in DPAs, such as “how deidentified data might reduce risks, the reasonable expectations of consumers, the context in which the data is processed and the relationship between the controller and the consumers whose personal data the controller will process.”
The Attorney General can request a DPA at any time to determine whether a company is compliant with OCPA or not. Businesses are also required to keep records of DPAs conducted over the past five years.
To make sure your business is ready for Oregon regulators, work with your legal team to conduct and document DPAs appropriately.
Different U.S. state privacy laws have different consent requirements your business needs to fulfill. With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.
Your business will be able to set multiple opt-out links on your website footer, customize a Privacy Center for easy consent intake, and set single or multiple opt-in or opt-out consent preferences to comply with different state privacy laws at the same time.
Users can submit requests through a Privacy Center on your website and verify their identity via a code sent through SMS or email. With a simple and intuitive Admin UI, your business will be able to quickly process and record users’ consent preferences as proof of compliance.
All privacy regulations require businesses to complete user subject requests, or data subject requests (DSRs). Unfortunately, this process is often costly, labor-intensive, and causes lots of friction for legal, compliance, and engineering teams.
The Fides privacy intelligence platform streamlines these workflows. Your business will be able to automate DSR processing end-to-end with Fides. Users can submit their DSRs via the same Privacy Center they would use to submit their consent preferences.
After DSRs are submitted, you can approve or deny them with the same Admin UI. Users will then receive an email containing a link to the data they requested in a machine-readable format or a confirmation that their data has been deleted.
Fides will also maintain a log of the requests your business has received and processed. That way, if regulators come knocking, you can prove that your business’ privacy practices are compliant.
What makes the Fides privacy intelligence platform so powerful is its ability to connect to all of your business’ internal and third-party databases and systems. Once connected, Fides will be able to produce a real-time data map, or visualization, of all the data in your organization.
Unlike manual spreadsheets that immediately become out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is, where it goes, and where it’s stored.
In fact, connecting to all of your systems is how Fides can automate consent management and data subject requests in the first place. Using the Fides privacy intelligence platform will integrate privacy across your entire business. That’s the true power of privacy intelligence.
Oregon follows Iowa, Indiana, Montana, Tennessee, Texas, and Florida as the latest U.S. state to sign a privacy law in 2023. U.S. privacy is a patchwork of state-by-state laws, and more are constantly on the way. Your business will need to keep an eye on all of the privacy regulations coming out at the state level.
Thankfully, you don’t have to do it alone. Ethyca is here to help your business comply with privacy obligations every step of the way. If you have any questions about new or existing privacy laws, schedule a free 15-minute call to talk to one of our privacy experts today.