Update applicable to:
All employers in Oregon who meet the applicability criteria
What happened?
On June 22, 2023, the Oregon legislature passed the Oregon Consumer Privacy Act (OCPA) (SB 619). As of 7/5/2023, it is on Governor Tina Kotek’s desk, awaiting signature.
What are the details?
The bill is awaiting consideration by Governor Tina Kotek. If signed into law, Oregon will become the eleventh state and the first Democrat-controlled state in 2023 to pass a consumer data privacy bill.
The OCPA is based on the Washington Privacy Act model used by other states, but it also includes some unique provisions. Key aspects of the OCPA:
- Applicability: The OCPA applies to businesses that conduct business in Oregon or provide products/services to Oregon residents and that control or process the personal data of either 100,000 or more consumers, or 25,000 or more consumers while deriving 25% or more of their annual revenue from selling personal data.
- Exemptions: The OCPA does not include certain exemptions found in other state privacy laws, such as exemptions for GLBA-regulated financial institutions and HIPAA-covered entities. However, it does contain data-level exemptions and limited exemptions for non-profit organizations.
- Definition of Personal Data: The OCPA defines personal data as any data or unique identifier linked or reasonably linkable to a consumer or a device linked to a consumer. It also includes derived data that can reveal information about a consumer.
- Definition of Biometric Data: The OCPA defines biometric data as personal data generated by automatic measurements of a consumer’s biological characteristics. It includes various characteristics but excludes certain types of data unless used for identification purposes.
- Sensitive Data: The OCPA defines sensitive data, which includes biometric and genetic data, and adds additional categories such as the status as transgender or nonbinary and the status as a victim of crime.
- Consumer Rights: Oregon provides consumers with rights similar to those in Connecticut and Colorado. Notably, Oregon residents can request a list of specific third parties to which their personal data has been disclosed. Oregon also mandates recognition of universal opt-out mechanisms and does not exclude pseudonymous data from certain rights.
- Privacy Notices/Duty of Purpose Specification: Controllers must specify the purposes for collecting and processing personal data in their privacy notices.
- Data Protection Assessments: The OCPA requires controllers to conduct data protection assessments and maintain them for at least five years.
- Rulemaking: The OCPA does not authorize Attorney General rulemaking.
- Enforcement: The OCPA will be enforced by the Oregon Attorney General’s Office, and there is no private right of action. The Office can seek civil penalties of up to $7,500 per violation.
The OCPA will take effect on July 1, 2024, with the exception of non-profits, which will have until July 1, 2025, to comply.
What do employers need to do?
Employers should review the above details and keep checking the bill site for updates to the status. Once the Governor signs the bill, employers should consult with their employment attorney to review their privacy policy and practices to ensure that they are prepared and compliant by the effective dates.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.