New state law takes effect, giving Oregonians major new consumer privacy protections
SALEM, Ore. (KTVZ) -- Did you notice you slept better last night? As of July 1, Oregonians have a new and powerful set of consumer privacy rights and protections.
The Oregon Consumer Privacy Act (OCPA) was signed into law in July 2023, but it did not take effect until now. The new law is the result of the efforts of the Attorney General’s Consumer Privacy Task Force, a group of over 150 experts and stakeholders who met every month for 4 years, gained insights from Oregon and national business and civic leaders, and studied best-practice models from states around the country.
The OCPA defines personal and biometric data broadly, protects consumer data rights holistically, and holds companies that have access to our data to high standards. The Act also gives consumers control over how businesses use their personal data. It guarantees Oregonians affirmative rights to manage and safeguard their personal data.
“As technology advances, our consumer protection laws must keep pace. The OCPA does just that— providing the gold standard in consumer privacy protections nationwide,” said Attorney General Ellen Rosenblum. “I am most grateful to all who participated on the Consumer Privacy Task Force, to the Oregon legislature for passing this law, and to the Governor for signing it. I strongly urge all Oregonians to familiarize themselves with their new rights and protections.”
Under the OCPA, Oregonians gain important rights over their personal information. The OCPA imposes specific obligations on businesses, including nonprofits. Highlights of the bill include these consumer rights:
- Right to Know — Consumers can get a list of the specific entities that received their personal data.
- Right to Correction—Consumers can edit any inaccuracies in the data about them.
- Right to Deletion— Consumers can delete the data a business has about them.
- Right to Opt Out—Consumers can say no to a business selling, profiling or otherwise using their data for targeted advertising.
- Right to Data Portability—Consumers can get a copy of the personal and sensitive data a business has about them.
- Sensitive Data Protections — The OCPA contains heightened protections (a requirement that data may not be processed without a consumer’s affirmative “opt in” consent) for “sensitive data”, which includes personal data revealing racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, crime victim status, or citizenship or immigration status; genetic or biometric data; and precise geolocation data.
- Special Protections for Youth — Children and youth are given heightened protections under the OCPA. Controllers (handlers of consumer data) must follow the requirements of the federal Children’s Online Privacy Protection Act (COPPA) when processing data of children under 13 years old. Further, “opt in” consent is required for targeted advertising, profiling, or sale of the personal data of a youth 13 to 15 years old.
While some businesses have provided these protections voluntarily, OCPA now makes it a legal requirement. Consumers can expect clearer and more tailored privacy notices, and an easy way to contact businesses. The OCPA requires covered businesses to:
- appropriately limit their collection of personal data;
- be transparent about how they use and secure that data and obtain consumer consent before collecting sensitive information—such as precise location data, biometric data, and certain health information; and,
- protect the personal data of children and teens. In addition to permitting a child’s parent or legal guardian to exercise privacy rights on the child’s behalf, businesses must obtain consent before selling the personal data of a consumer under 16 years old or using the consumer’s data for targeted ads or certain types of profiling.
The Act has threshold requirements that not all businesses meet, and it exempts certain industries and data regulated by other privacy frameworks.
While this new law may seem complicated, the Oregon Department of Justice has attempted to simplify it and make it immediately helpful to all Oregon consumers and businesses. More details, as well as FAQ’s, handouts and compliance checklists, can be found on the OCPA website (https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/privacy/), as well as educational information for both consumers and businesses.
A special thank you to DOJ’s legislative director, Kimberly McCullough, as well as Consumer Protection Chief Counsel Kelly Harpster and Privacy Unit Chief Kristen Hilton for their outstanding work in guiding OCPA from an idea—to a bill —to a law that will make life better for every Oregon consumer. And special thanks, as well, to the Consumer Privacy Task Force’s central table members.
The Oregon Department of Justice urges anyone who has a concern about a possible violation of their consumer privacy rights to fill out a privacy complaint form on the OCPA website above. If consumers have any questions, or aren’t sure if their complaint is OCPA related, they should call the DOJ Consumer Hotline at 1-877-877-9392.