Oregon Consumer Privacy Act
The Oregon Consumer Privacy Act (OCPA), originally known as Oregon Bill 619, is a landmark law passed in the state of Oregon on July 18, 2023. In the absence of a federal privacy law, the OCPA serves as Oregon’s approach to consumer privacy for its more than 4.2 million residents. This legislation establishes responsibilities for companies doing business in the state and imposes penalties for violations. enters into force in July 2024.
Which businesses need to comply with OCPA?
The OCPA applies to businesses that either conduct business in Oregon or provide products or services to Oregon residents and meet certain thresholds, such as processing personal data of at least 100,000 Oregon consumers or deriving more than 25% of their annual gross revenues from the sale of personal data while processing personal data of at least 25,000 Oregon consumers.
What is the OCPA about?
- Consumer Rights: The Act grants consumers the right to access, correct, and delete their data, and to opt out of the sale of their data, targeted advertising, or profiling.
- Sensitive data: Certain categories of sensitive information, such as racial or ethnic origin and biometric data, cannot be processed without the consumer’s explicit consent.
- Data processing and security obligations: Companies are required to limit data processing to what is necessary for the purposes disclosed in their privacy notices and to implement reasonable security measures to protect personal data.
- Contractual obligations: Controllers and processors must enter into legal contracts that outline processing policies and ensure compliance with the OCPA.
Impact on Businesses
- Increased costs: In order to comply with the OCPA, companies may need to revise internal processes or conduct employee training programs, increasing operating expenses.
- Potential legal liability: Non-compliant companies could face legal consequences, including fines and class-action lawsuits from aggrieved consumers, resulting in potentially significant monetary damages.
- Reputation management: Companies that prioritize user privacy through transparent communication and robust compliance measures will enhance their reputations with environmentally conscious consumers. Conversely, those that fail to meet expectations risk losing customer loyalty and tarnishing their brand image.