If there’s one thing you can count on in privacy, that’s change. In a surprising turn of events, Oregon crossed the legislative finish line with a remarkably rigorous privacy law set to go into effect on July 1, 2024. SB 619 has been signed by the Oregon House and Senate and is on its way to the desk of the governor of Oregon for signature (and, barring veto, is expected to become law). To summarize the latest law, the Oregon Consumer Privacy Act (OCPA) incorporates provisions from the Colorado Privacy Act and its unique rules, elements of the Connecticut Data Privacy Act, and an amalgamation of other laws while also introducing its own unique requirements.

The OCPA law does not include exemptions for organizations governed by the Health Insurance Portability and Accountability Act (HIPAA), in contrast to other comprehensive privacy measures passed this year. Additionally, unlike the Colorado Privacy Act, the Oregon statute does not grant non-profit organizations a broad exemption. Instead, it only grants certain non-profits a permanent exemption, and others a short-term exemption for one year that ends a year after the effective date on July 1, 2025.

Key Elements of the Oregon Consumer Privacy Act:

• Scope: Applies to any person that conducts business in Oregon or provides products or services to Oregon residents, and during a calendar year controls or process: (a) the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) the personal data of 25,000 or more consumers while deriving 25% or more of its annual gross revenue from selling personal data.
• Exemptions: Public corporations; state government bodies, local government bodies and special government bodies; financial institutions as defined under the Bank Holding Company Act; and insurers which meet specified definitions under Oregon state law including non-profit organizations that are established in connection with insurance activities.
• Consumer Rights: Right to know whether the controller is processing their personal information; the right to know which specific third parties the controller has disclosed their personal information to; the right to a portable, machine-readable copy of their personal information; the right to have inaccurate or incomplete personal information corrected; the right to have their personal information deleted; and the right to object to the controller’s use of their personal information.
• Privacy Notices: Consumers must receive privacy notices from controllers that outline the categories of personal data processed (including sensitive data), the reasons for said processing, the means by which consumers may exercise their rights regarding their personal data, the categories of personal data the controller shares with third parties, all categories of third parties with whom the controller shares personal data, the controller’s identity and email address, and any processing of personal data.
• Privacy by Design: Features privacy by design principles, including purpose restriction and prudent security measures.
• Sensitive Data: Places restrictions on the use of sensitive customer data by the controller without permission. Additionally, the Children’s Online Privacy Protection Act must be followed while processing children’s data.
• Opt-Out: Requires controllers to make opt-out preference signals that allows consumers to express the preference to not have their personal information sold or used for targeted advertising available to them. When preferences expressed by consumers during the consent-gathering process conflict with opt-out choices, the controller must either honor the opt-out request or tell the customer of the discrepancy and request their affirmative consent. The opt-out clause will go into effect on January 1, 2026.
• Privacy Assessments: Controllers must complete a data protection assessment for each processing activity that poses a higher risk of causing harm to a consumer, such as processing sensitive data and processing personal information for the purposes of targeted advertising, selling, or profiling where specific foreseeable risks exist.
• Cure Period: The Oregon Attorney General must provide controllers with a 30-day cure period. This will sunset on January 1, 2026.
• Enforcement: The Oregon AG may fine up to $7,500 for each violation or obtain injunctive or other equitable relief.

What to Expect for the Rest of 2023

If you had asked us a week ago, we would have said we don’t anticipate any additional laws to pass this legislative session. Truyo President Dan Clarke says, “Well, I was wrong about Oregon, so who knows what other states might follow suit? I believe the laws in New Hampshire and Delaware are technically still active, but not likely to pass. I anticipate New York and Pennsylvania will gain momentum during the next session, as they had broad support this time around, but I don’t think we will see any other states successfully pass a new law this legislative season.”

If you have any questions about how Truyo can help you in preparing for the onslaught of new laws, please reach out to hello@truyo.com or click here to schedule a demo of the full suite of Truyo privacy products.