The recent enactment of SB 19 (the Oregon Consumer Privacy Act or “OCPA”) will have varying impacts on a large portion of businesses (including nonprofits) operating within Oregon – especially those with websites. For those businesses required to follow the OCPA, understanding how it applies, its exemptions, and its key consumer rights, will be crucial to ensure compliance and avoid penalties.
Effective July 1, 2024, the OCPA introduces a framework outlining the responsibilities of covered businesses and entities in safeguarding consumer data and upholding individual privacy rights. The OCPA emphasizes data protection measures, data processing limitations, and the necessity of obtaining explicit consent where required (such as for sensitive data or changes in the way data is used). Key requirements include implementing robust data security safeguards, responding to consumer rights requests promptly, and maintaining transparent privacy notices. The OCPA applies to any non-exempt Oregon business that meets either of the following minimum processing thresholds on an annual basis:
- Business controls or processes the personal data of 100,000 or more consumers (excluding personal data controlled or processed solely for purposes of completing a payment transaction)
- Business has 25,000 or more consumers and derives more than 25% of its annual gross revenue from selling personal data
Oregon joins a growing list of states (now at 15 and counting) that have passed comprehensive privacy bills in the last few years. Businesses should carefully assess the way that they process data to ensure compliance with the upcoming OCPA obligations. From conducting data protection assessments to ensuring compliance with exceptions to processing limitations, we strongly urge businesses to proactively review their data handling practices. The OCPA brings a new era of data privacy regulation to Oregon and businesses will need to engage in internal discussions and seek guidance on navigating the intricacies of applicable privacy laws lest they face the consequences of non-compliance.
Tonkon Torp will be hosting a webinar outlining all the key details of the OCPA – be sure to look out for that invitation. Talk to your Tonkon Torp attorney now if you have any questions.
This client alert is prepared for the general information of our clients and friends. It should not be regarded as legal advice. If you have any questions regarding this update, or for more information about this topic, please contact any of the attorneys in our Information Privacy & Security Practice Group, or the attorney with whom you normally consult.
