We’re On to Oregon: Sixth State Privacy Law of 2023 Creates New Consumer Rights and Protections

On June 22nd, lawmakers in Salem passed SB 619, the Oregon Consumer Privacy Act (“OCPA”). If enacted by Governor Kotek, Oregon will become the eleventh U.S. state (and sixth in 2023) to adopt broad-based data privacy legislation governing the collection, use, and transfer of consumer data. The bulk of OCPA’s requirements will take effect on July 1, 2024 (with a July 1, 2025 effective date for nonprofit organizations).

OCPA is the product of a multi-year stakeholder task force held under the auspices of Attorney General Rosenblum’s office.* The bill shares a common underlying framework, rooted in the proposed Washington Privacy Act, with every non-California state to enact comprehensive privacy legislation. Nevertheless, stakeholders should pay particular attention to OCPA as it would join the Texas Data Privacy and Security Act as the only two comprehensive state privacy laws enacted so far in 2023 that extend privacy rights and protections beyond the existing high-water marks established by states such as Colorado and Connecticut in modest but meaningful ways.

Below, we identify the key provisions that distinguish OCPA from comparable state privacy laws:

1. Broad Scope

State privacy laws typically exclude entities that are subject to existing federal privacy laws from coverage; however, OCPA carves out only specific data held by organizations that is subject to laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Furthermore, OCPA does not include an entity-level exception for non-profit organizations, joining only the Colorado Privacy Act in applying to such organizations. Notably, Oregon’s bill does carve out nonprofits “established to detect and prevent fraudulent acts in connection with insurance” as well as organizations designated as “financial institutions” under state law.

2. Expansive Definitions of Covered Data

Consistent with the ten existing state privacy laws, OCPA applies to “personal data” and creates a subcategory of “sensitive data” that is subject to heightened protections. However, OCPA’s definition of “personal data” is unique in explicitly including “derived data” (presumably covering inferences about a customer) and data associated with a “device” that is reasonably linkable to one or more consumers in a “household.” Furthermore, contrary to other Washington Privacy Act-style laws, OCPA lacks a definition of and dedicated exemptions for personal data that is maintained in a “pseudonymous” format.

The Oregon bill’s definition of “sensitive data” is also broader than other state laws, covering “national origin,” “status as transgender or nonbinary,” and “status as a victim of crime.” OCPA also contains a comparatively broad definition of “biometric data” (a category of sensitive data), including information that may allow the unique identification of an individual, not just data collected or used for the purpose of such identification. However, the scope of “biometric information” is also limited by a novel exception providing that “facial mapping or facial geometry” only qualifies as biometric data if collected for or used for the purpose of uniquely identifying an individual, likely carving out technologies used solely for facial detection and characterization.

3. Novel Consumer Rights

OCPA provides for now-routine individual rights to obtain confirmation of data processing, to access, correct, delete, receive personal information in a portable format, and to opt-out of targeted advertising, data sales, and significant profiling decisions. However, Oregon’s bill also allows individuals to obtain a list of the “specific third parties” to whom a controller discloses personal data. This may be the most operationally complicated novel aspect of the Act and mirrors similar requirements included in recently enacted health privacy laws in Washington State and Nevada. OCPA would also be the first comprehensive state privacy law to explicitly provide that individuals have a right to request the deletion of “derived data.”

4. Slightly Stricter Controller Obligations

Oregon’s bill includes a number of routine obligations for covered organizations including maintaining reasonable data security, contractual requirements for processors, posting privacy notices, and obtaining consent for the processing of sensitive data. However, OCPA does establish slightly stricter data controller obligations than comparable state laws. First, controllers are required to obtain affirmative consent in order to profile adolescent data (individuals from 13-15 years of age), for significant decisions. Second, while OCPA does not explicitly use the term “dark patterns,” it does provide that design mechanisms deployed with a purpose to frustrate consumer choice, not just those that have “substantial effect” of doing so, will invalidate consumer consent under the law. Finally the Act requires that data protection impact assessments must be retained for a period of five years, joining only Colorado which established a similar retention period through its implementing regulations.

5. Enabling Data Use and Sharing for Research

Finally, OCPA includes a familiar list of uses of personal data that are exempt from that Act’s consumer rights and obligations, including processing for the purposes of internal operations reasonably aligned with consumer expectations, complying with law enforcement inquiries, and maintaining data security. However, unlike other state privacy laws providing that the use of data for research must be governed by an IRB-like entity and conducted in the “public interest” (a subjective term that may be applied differently across jurisdictions), SB 619 exempts identifying data used for research so long as it is consistent with applicable law.

*The Future of Privacy Forum submitted written feedback to the Oregon task force in early 2022.