How Your Business Can Comply With the Oregon Consumer Privacy Act (OCPA)

Introduction 

The governor of Oregon signed SB 619, or the Oregon Consumer Privacy Act (OCPA) on July 18, 2023. This makes Oregon the latest state to sign a comprehensive consumer data privacy bill into law this year.

OCPA is scheduled to go into effect on July 1, 2024, giving businesses about a year to get ready for compliance.

If your business has already been preparing for the other state privacy laws that are going into effect this year and beyond, you’ve already done a lot of the work for Oregon’s privacy law. 

But, each state privacy law is unique. Businesses must take into account the different rights and regulations mandated in each state law. 

This blog post will tell you everything you need to know and do to comply for Oregon’s new privacy law. 

Does Oregon’s Privacy Law Apply to My Business?

Oregon’s privacy law applies to businesses (controllers) that operate in Oregon or target products or services to Oregon consumers. Additionally, businesses subject to OCPA must either:

1. Control or process the personal data of 100,000 or more consumers (excluding for the purpose of completing a payment transaction), or;
2. Control or process the personal data of 25,000 or more consumers, while earning 25% or more of annual gross revenue from selling personal data.

One interesting note is that OCPA shares the same applicability standards as Connecticut, Indiana, and Montana’s privacy law. Make sure your business is processing the minimum amount of Oregon consumers’ data from above to see if it’s subject to OCPA.. 

What Your Business Needs to Know About Oregon’s Privacy Law

If Oregon’s privacy law applies to you’re business, you’ll need to enable Oregon consumers to exercise their data subject rights and consent rights on your website. It’s also important to know how OCPA is enforced and the consequences of privacy violations. 

This section will go over these requirements in more detail.

Consumer Rights:

OCPA grants Oregon consumers data subject rights, or the ability to control how companies can collect, process, and disclose their personal data. These rights include:

• Right to know and access;
• Right to correction;
• Right to deletion;
• Right to data portability;
• Right to appeal.

Like in Iowa, Indiana, Montana, Tennessee, Texas, and Florida, Oregon consumers do not have a private right of action. So far, only California’s CCPA grants this right to its residents.

Consent Requirements

Oregon residents also have specific opt-out and opt-in consent rights that businesses must allow consumers to choose from. 

For opt-out consent, consumers have the right to opt out of the processing of personal data for:

• Targeted advertising.
• The sale of personal data.
• Profiling.

OCPA also requires companies to start recognizing Universal Opt-Out Signals on their websites by July 1, 2026. This gives businesses around two years to prepare for compliance. Luckily, Ethyca easily enables your website to detect Universal Opt-Out Signals, including GPC.

In terms of opt-in consent, Oregon consumers have the right to opt-into the processing of sensitive data. OCPA defines “sensitive data” as personal data revealing:

• Racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status;
• A child’s personal data (under 13 years old);
• A consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates (within a radius of 1,750 feet); or
• Genetic or biometric data.

If your business is subject to Oregon’s privacy law, you must also enable a user to revoke consent at any time. Your business would be required to explain how consumers can exercise their opt-out and opt-in rights on your website’s Privacy Notice.

Violations and Enforcement

Companies must respond to consumers’ data subject requests within 45 days. They can also extend for an additional 45 days if necessary. The Attorney General has exclusive authority to enforce OCPA and can issue notices of privacy violations or start civil investigations, 

Once notified of a privacy violation, businesses have a 30-day cure period to correct infractions. If violations are not corrected within the timeframe, businesses can incur a civil penalty of up to $7,500 per violation. Oregon’s cure period will sunset on January 1, 2026, so make sure your business’ privacy practices are in order before then to avoid fines.

What Your Business Needs to Do to Comply with Oregon’s Privacy Law

Now that you know what consumer data subject and consent rights Oregon consumers have,  as well as the consequences of privacy violations, let’s go over the additional business obligations required under OCPA.

Practice Data Minimization and Purpose Limitation

Oregon’s privacy law explicitly states that businesses must limit the collection of personal data to only “the personal data that is adequate, relevant and reasonably necessary to serve the purposes the controller specified” in its website’s Privacy Notice.

This practice is also known as data minimization. Rather than simply collecting less data, data minimization requires businesses to be more deliberate about what data they collect. Collecting only the necessary data your organization needs reduces the risk of non-compliant data processing.

OCPA also explicitly states that businesses may not process consumers’ personal data in a way that is not specified in the Privacy Notice without consent. This practice is called purpose limitation and serves a similar function as data minimization. 

To comply with OCPA, identify what data your business needs to collect and process, why, and for what business purpose. Make sure all of this information is published on your website’s Privacy Notice.

Publish a Clear and Accessible Privacy Notice

Businesses subject to Oregon’ privacy law must submit a clear and accessible Privacy Notice on their website. Privacy Notices should include: 

• The categories of personal data, including the categories of sensitive data that the controller processes;
  • The controller’s purposes for processing the personal data;
  • How a consumer may exercise the consumer’s rights, including how a consumer may appeal.
• All categories of personal data, including the categories of sensitive data, that the controller shares with third parties;
• All categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
• An electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors;
• Any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this state;
• A clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing;
• The method or methods the controller has established for a consumer to submit a request under.

Work with your legal team to ensure that all of the above necessary information is included in your business’ Privacy Notice.

Enter Into Data Processing Contracts 

Oregon’s privacy law also requires businesses to enter into data processing contracts between processors, or entities that “process personal data on behalf of a controller.” Examples of this include third-party SaaS vendors that process and store data for your business. 

These contracts should legally obligate the processor to follow the instructions of the controller, and help the controller comply with consumer privacy requests and demonstrate compliance through data protection assessments. 

Data processing contracts should also specify the purposes of processing, the types of data being processed, the duration of processing, and the rights and obligations of both the controller and processor.

If your business works with third-parties that process data on your behalf, be sure to enter into a legally binding data processing contract with each of them.

Process De-Identified Data Securely

Businesses that process de-identified data must:

• Take reasonable measures to ensure that the data cannot be re-identified;
• Publicly commit to maintaining and using the data in its de-identified form.
• Enter into a confidentiality contract with the recipient of the de-identified data.

If your business processes de-identified data, make sure to take appropriate measures to monitor compliance with OCPA.

Perform Data Protection Assessments (DPAs)

Like most state privacy laws, OCPA requires businesses to perform data protection assessments (DPAs). 

DPAs are meant to help businesses carefully assess the risks of processing data on the consumer, the business itself, and other stakeholders. They are also meant for businesses to examine how they can mitigate such risks. 

Businesses must document specific considerations in DPAs, such as “how deidentified data might reduce risks, the reasonable expectations of consumers, the context in which the data is processed and the relationship between the controller and the consumers whose personal data the controller will process.”

The Attorney General can request a DPA at any time to determine whether a company is compliant with OCPA or not. Businesses are also required to keep records of DPAs conducted over the past five years.

To make sure your business is ready for Oregon regulators, work with your legal team to conduct and document DPAs appropriately.

How Ethyca Can Help Your Business Comply with Oregon’s Privacy Law

Making sure your business complies with all U.S. state privacy laws can feel overwhelming. Luckily, Ethyca makes it easy with the Fides privacy intelligence platform. With Fides, your business will be able to automate privacy obligations for all U.S. state privacy laws.

Read on to learn how.

Easy Consent Management

Different U.S. state privacy laws have different consent requirements your business needs to fulfill. With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.

Your business will be able to set multiple opt-out links on your website footer, customize a Privacy Center for easy consent intake, and set single or multiple opt-in or opt-out consent preferences to comply with different state privacy laws at the same time.

Users can submit requests through a Privacy Center on your website and verify their identity via a code sent through SMS or email. With a simple and intuitive Admin UI. your business will be able to quickly process and record users’ consent preferences as proof of compliance.

Automated Data Subject Requests Fulfillment

All privacy regulations require businesses to complete user subject requests, or data subject requests (DSRs). Unfortunately, this process is often costly, labor-intensive, and causes lots of friction for legal, compliance, and engineering teams.

The Fides privacy intelligence platform streamlines these workflows. Your business will be able to automate DSR processing end-to-end with Fides. Users can submit their DSR requests via the same Privacy Center they would use to submit their consent preferences.

After DSR requests are submitted, you can approve or deny them with the same Admin UI. Users will then receive an email containing a link to the data they requested in a machine-readable format or a confirmation that their data has been deleted.

Fides will also maintain a log of the requests your business has received and processed. That way, if regulators come knocking, you can prove that your business’ privacy practices are compliant.

Real-Time Data Mapping and System Inventorying

What makes the Fides privacy intelligence platform so powerful is its ability to connect to all of your business’ internal and third-party databases and systems. Once connected, Fides will be able to produce a real-time  data map, or visualization, of all the data in your organization.

Unlike manual spreadsheets that immediately become out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is, where it goes, and where it’s stored.

In fact, connecting to all of your systems is how Fides can automate consent management and data subject requests in the first place. Using the Fides privacy intelligence platform will integrate privacy across your entire business. That’s the true power of privacy intelligence.

Conclusion

Oregon follows Iowa, Indiana, Montana, Tennessee, Texas, and Florida as the latest U.S. state privacy law to be signed in 2023. U.S. privacy is a patchwork of state-by-state laws, and more are constantly on the way. Your business will need to keep an eye out on all of the privacy regulations coming out at the state level. 

Thankfully, you don’t have to do it alone. Ethyca is here to help your business comply with privacy obligations every step of the way. If you have any questions about new or existing privacy laws, schedule a free 15-minute call to talk to one of our privacy experts today.