Joining the League: Oregon Becomes the 11th State to Pass a Comprehensive Privacy Law
27 June 2023
Oregon is set to become the 11th US state (and the 6th since the beginning of the year) to enact a comprehensive data protection law, after its legislature nearly unanimously passed Senate Bill 619 to adopt the Oregon Consumer Privacy Act (“OCPA”).
Once approved by the Governor, the OCPA will become operative on 1 July 2024.
Scope of Application
The OCPA applies to any entity that conducts business in Oregon or provides products or services to Oregon residents, and that, during a calendar year, controls or processes the personal data of either:
(a) at least 100,000 Oregon consumers (2.35% of the state’s 4.24 million population) other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
(b) at least 25,000 Oregon consumers, with at least 25% of its gross revenue attributable to the sale of personal data.
Pursuant to the OCPA, Oregon will be the second US state (after Colorado) that applies its comprehensive privacy law to nonprofits (starting 1 July 2025).
Consumer Rights and Controllers' Obligations
The OCPA grants several rights to consumers, including the ability to obtain confirmation of whether a controller is processing or has processed their personal data, a list of the categories of the personal data subject to processing, a list of the specific third parties to which personal data has been disclosed (a unique right which is not provided by the other states’ privacy laws), and a copy of all of the consumer’s personal data that the controller has processed or is processing.
Consumers can also require a controller to correct inaccuracies in their personal data, delete personal data about them, and opt out of targeted advertising, selling of personal data, and certain profiling. There is also an opt-in requirement for sensitive personal data, mirroring similar provisions in other state laws, although the OCPA provides an expanded definition of sensitive personal data which encompasses unique categories such as national origin, status as transgender or nonbinary, status as a victim of a crime, and a broadened definition of biometric data.
For your convenience, we have published a comparative guide addressing the key data subject rights in the previous 10 states to enact comprehensive privacy laws, which will soon be updated to include Oregon’s as well.
The OCPA also mandates controllers to provide a clear and meaningful privacy notice to consumers that lists categories of personal data the controller processes, describes the purpose for processing personal data, and describes how consumers may exercise their rights with respect to personal data.
Unlike several US privacy laws, such as California’s, the OCPA does not include a private right of action, and the Attorney General will have exclusive authority to enforce it, subject to a 30-day cure period (which will sunset on 1 Jan 2026).
If the violations are not cured within these 30 days, the Attorney General may impose a civil penalty of up to $7,500 for each violation.
Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Oregon and the rest of the relevant US states. Feel free to contact us if you have any questions regarding this new act and its practical implications.