United States: Oregon Consumer Privacy Act: Time to Get Ready, But Does It Apply to My Organization?
Ready or not, the Oregon Consumer Privacy Act (OCPA) is coming your way. Oregon joins several other states in passing comprehensive data privacy legislation. In doing so, Oregon consumers will have increased control over their personal data, and entities doing business in Oregon will face new restrictions on handling such data. While the OCPA goes into effect on July 1, 2024, it is important to note that the effective date for nonprofits is delayed until July 1, 2025. Although the OCPA generally follows the majority privacy model (excluding California), certain aspects of the legislation are novel, even to those who are experienced data privacy practitioners. Nevertheless, we have you covered — this OCPA Series anticipates your burning questions and is intended to provide a digestible breakdown of the OCPA’s unique requirements. That said, the first step is to determine whether the OCPA applies to your organization, which is why we are kicking off the OCPA Series addressing exactly that!
Does the OCPA apply to my organization?
The OCPA applies if your organization: (1) conducts business in Oregon, (2) is not exempt, and (3) meets at least one of the minimum processing thresholds. Please see the explanations outlined below to determine whether your organization meets all three of these factors.
1. Does my organization conduct business in Oregon?
Your organization conducts business in Oregon if it engages in any of the following activities:
- Has a physical office or location in Oregon.
- Has an employee or employees residing or working in Oregon.
- Provides products or services to residents of Oregon (in person and/or online).
- Aims to provide its products and services to residents of Oregon through advertising, marketing, or similar means.
2. Is my organization exempt?
Your organization is exempt under the OCPA if it is categorized as one of the following:
- Nonprofit organization established to detect and prevent fraudulent acts in connection with insurance.
- Insurer, insurance producer, or insurance consultant (must satisfy certain requirements under Oregon law).
- Financial institution, as defined under Oregon’s Bank Act, or an affiliate or subsidiary of a financial institution that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k).
- State, local, or special government body.
- Public corporation.
The OCPA also exempts certain non-commercial activities, including the following:
- Certain non-commercial activities related to publishing, print, radio, television, and related activities.
- Non-commercial activities of a nonprofit organization that provides programming to radio or television networks.
- Any activity related to the processing of information for the purpose of evaluating a consumer’s creditworthiness if done strictly in accordance with the Fair Credit Reporting Act by a consumer reporting agency, a person who furnishes information to a consumer reporting agency, or a person who uses a consumer report.
If your organization engages in any of the foregoing non-commercial activities, the OCPA’s exemption is limited to those activities and does not extend to the organization as a whole. The OCPA does not grant broad exemptions for entire organizations, except for what is listed above. For this reason, the exemptions listed do not include entities regulated by federal statutes such as FERPA, HIPAA, and GLBA. Although the OCPA has an exemption related to these laws, it only applies to the processing of information subject to those laws. Therefore, entities that are exempt under other privacy statutes may find themselves subject to the OCPA. Stay tuned for upcoming articles in this OCPA Series, where we take a closer look at the specific information subject to and exempt from the OCPA, and more!
3. Does my organization meet the minimum processing thresholds?
The OCPA applies only to organizations that process a certain amount of personal data. Personal data includes data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household. Note that the OCPA exempts information collected from an individual acting in a commercial or employment context and should not be considered when determining whether your organization meets the minimum processing threshold.
Your organization meets the minimum processing threshold if, on an annual basis, it controls or processes the personal data of either:
- 100,000 or more consumers, excluding personal data controlled or processed solely for purposes of completing a payment transaction; or
- 25,000 or more consumers and derives more than 25% of its annual gross revenue from selling personal data.
If your organization satisfies all three (3) factors listed above, then voilà, the OCPA applies to your organization. Even if the OCPA does not apply, adopting a privacy policy that meets minimum requirements under the majority privacy model may provide a mechanism to mitigate risk and limit potential liability under laws other than the OCPA. For example, an updated privacy policy may provide protection if your organization is subject to certain common law torts or statutes aimed at unfair and deceptive acts or practices.
Have questions? Please don’t hesitate to reach out to Parisa Zarelli, Rishi Puri, or Magdalena Bragun — we are here to help you navigate the complexities of the OCPA. Special thanks to Lane Powell 2023 Summer Associate Stephanie Chavez for her assistance in authoring this Legal Update.
Sign up to recieve the next installment in this series by subscribing to the Privacy & Data Security mailing list.