Oregon's privacy law: How does it compare to others
Posted: February 28, 2024
The Oregon Consumer Privacy Act (OCPA) is due to take effect on 1 July 2024. The law looks a lot like many of the other US comprehensive state privacy laws that have been passed since 2021. But there are subtle differences between all these laws, and Oregon’s law has some interesting features.
This article looks at how the OCPA compares to comprehensive privacy laws enacted in 12 other states: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Tennessee, Texas, Utah, and Virginia.
Territorial application
Oregon’s law applies to a company that:
- Either:
  - Conducts business in Oregon, or
  - Provides products or services to consumers in Oregon, and
- Meets one of the two thresholds described below.
Note that most states aim their privacy laws at companies that “produce products or services targeting consumers” in their jurisdictions. The OCPA narrows this provision to cover only companies providing products or services directly to Oregonian consumers.
Application thresholds
The OCPA applies to companies that, in the preceding calendar year, either:
- Controlled or processed the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction, or
- Both:
  - Controlled or processed the personal data of 25,000 or more consumers, and
  - Derived 25% or more of its annual gross revenue from selling personal data
There are a couple of noteworthy elements about the OCPA’s application compared to other states:
The first arm of the population threshold (100,000 or more consumers) covers around 2.35% of Oregon’s 4.2 million population. This is around average in terms of the threshold at which the law applies.
For example, California’s threshold is the same (at 100,000) but applies across a far larger population (39 million). Montana’s is just 50,000, but the state’s small population (1.1 million) makes the threshold proportionally higher.
As in a couple of other states, such as Texas and New Jersey, the first application threshold excludes personal data processed solely for payment transactions. This should take a number of retailers out of scope—unless, for example, they expose Oregonians to targeted advertising.
As with all other states except California, Tennessee, and Utah, there’s no monetary threshold in Oregon’s privacy law.
Exemptions
As in most states, the OCPA includes a complicated list of exemptions, but pitches these at the “data level” rather than the “entity level”.
So, for example, there’s an exemption for “protected health information” under the Health Insurance Portability and Accountability Act (HIPAA), but not for HIPAA-covered entities or business associates per se.
As in Colorado, Delaware, and New Jersey, nonprofits are not exempt from the OCPA by default—only nonprofits operating in specific sectors, such as insurance fraud and media programming.
However, like in every state bar California, Oregon excludes residents acting in employment and business-to-business (B2B) contexts from its “consumer” definition.
Consumer rights
The OCPA provides a full suite of consumer privacy rights, including rights to:
- Know
- Access
- Obtain a list of third parties to which personal data was disclosed
- Data portability
- Delete
- Correct
- Non-discrimination
- Opt-out of:
  - The sale of personal data
  - Targeted advertising
  - Certain forms of profiling
- Use of universal opt-out mechanisms
This list of consumer rights is more comprehensive than that of any other state, with Delaware—where consumers can obtain a list of the categories of third parties to which their personal data was disclosed—coming a very close second.
As in all other states except California, Iowa, and Utah, Oregon’s law requires opt-in consent before processing sensitive data.
Sensitive data
Oregon’s law considers personal data to be “sensitive data” if it:
- Reveals a consumer’s:
  - Racial or ethnic background,
  - National origin,
  - Religious beliefs,
  - Mental or physical condition or diagnosis,
  - Sexual orientation,
  - Status as transgender or nonbinary,
  - Status as a victim of crime, or
  - Citizenship or immigration status
- Is a child’s personal data
- Accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a GPS that provides latitude and longitude coordinates; or
- Is genetic or biometric data
Besides the highly specific “precise geolocation data” equivalent, Oregon’s list of sensitive data categories is relatively broad. For example:
- “National origin” is unique to Oregon
- “Status as victim of crime” is shared only with Connecticut
- “Status as transgender or nonbinary” is shared only with New Jersey, Delaware, and Connecticut
The inclusion of “biometric data” with no qualifier (such as “processed for the purposes of identifying a consumer”) also helps make Oregon’s “sensitive data” definition particularly broad.
Other provisions
Finally, here’s a roundup of the other rules and obligations under the OCPA.
- There’s no private right of action in Oregon’s law, aligning the state with every other on our list besides California (but note that Washington’s My Health My Data Act also includes one).
- Data protection assessments are required in Oregon under certain conditions, like in all states except Iowa and Utah.
- A “sale” of personal data need not involve any money changing hands—Oregon recognizes any “valuable consideration”—as do all other states bar Iowa, Indiana, Utah, and Virginia.
- There’s a “notice and cure” provision, but it’s only 30 days and will sunset in January 2026.
- And, just like in every other state on our list, the OCPA includes the following obligations:
  - Publishing a privacy notice
  - Implementing reasonable security measures
  - Putting data processing agreements in place with processors