In July, Senate Bill 619 was signed into law by Oregon Governor Tina Kotek, making Oregon the eleventh state to pass comprehensive data privacy laws.
Most of these bills are very similar, but there are a few differences in SB 619. The OCPA (Oregon Consumer Privacy Act) will apply to any entity that does business in the state and controls or processes the personal data of at least 100,000 Oregon residents OR at least 25,000 Oregon residents and deriving 25% of revenue from the sale of said personal data. Notably, the OCPA doesn't include the monetary threshold that we have seen with other similar bills.
Most other state privacy acts exempt non-profit organizations entirely, but this act only exempts non-profit entities that were/are established to detect and prevent insurance fraud or that provide programming to television and radio networks. All other non-profits have until July 1, 2025, to comply.
Rather than exempting entities covered by HIPAA, or governed by the Gramm-Leach-Bliley Act, the OCPA exempts the information covered by those acts and any information co-mingled with protected information covered by those acts. This act also does not apply to employment or B2B data or data collected and processed in accordance with several other federal laws.
Sale of personal data- "the exchange of personal data for monetary or other valuable consideration by the Controller with a third party." Meaning a "sale" is not limited to an exchange of data for money. Here are a few more exclusions from the Oregon definition of a "sale"
Data transferred to third parties in the process of a merger or acquisition, or in bankruptcy.
Personal data intentionally and/or directly shared by the consumer with the Controller or to the public
Data exchanged with third parties that allows a Controller to provide a product or service that the consumer has requested.
Biometric data-"personal data generated by automatic measurements of a consumer's biological characteristics," (excluded from this definition: Audio and video recordings, photographs, and face mapping unless it is being collected for the purpose of identifying an individual.
Profiling-"An automated processing of personal data for the purpose of evaluating, analyzing or predicting an identified or identifiable consumer's economic circumstances, health, personal preferences, interests, reliability, behavior, location or movements."
Targeted Advertising-"Advertising that is selected for display to a consumer on the basis of personal data obtained from the consumer's activities over time and across one or more unaffiliated websites or online applications and is used to predict the consumer's preferences or interests."
Personal Data-"means data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household."
Sensitive Data-"means personal data that: (A) Reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status; (B) Is a child’s personal data; (C) Accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or (D) Is genetic or biometric data"
Child-"means an individual under the age of 13"
Consent- "an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer's freely given, specific, informed and unambiguous assent to another person's act or practice."
As with other laws, there is the requirement to allow consumers to opt out of data sharing and in the case of the OCPA, a requirement to allow consumers to use GPCs (Global Privacy Control) to exercise their right to opt out by July 2026.
The Act can only be enforced by the Oregon Attorney General and can include injunctions and fines of up to $7,500 per violation. It also includes a 30 day right to cure period, which is fairly common in these privacy laws, though the OCPA's right to cure period has no expiration date at the moment.
No doubt we will continue to see more states passing their own versions of these comprehensive data privacy laws, and it will be interesting to see how things differ from state to state. Perhaps we will see an actual federal framework for this in the near future.