On July 2, 2024, the Oregon Department of Justice published an article on the Oregon Consumer Privacy Act (OCPA), which took effect on July 1, 2024. The article explains that the OCPA defines personal and biometric data broadly, protects consumer data rights, and holds companies that have access to data to high standards.

Consumer rights

The article notes that the OCPA also gives consumers control over how businesses use their personal data. Specifically, the article outlines that under the OCPA, consumers have various rights, including the right to know, correction, deletion, opt-out, and portability.

The article points out that under the OCPA, sensitive data may not be processed without a consumer's affirmative consent. Additionally, the article explains that youth are given heightened protection under the OCPA.

Obligations for businesses

The article states that the OCPA requires covered businesses to:

• appropriately limit their collection of personal data;
• be transparent about how they use and secure that data and obtain consumer consent before collecting sensitive information - such as precise location data, biometric data, and certain health information; and
• protect the personal data of children and teens. In addition to permitting a child's parent or legal guardian to exercise privacy rights on the child's behalf, businesses must obtain consent before selling the personal data of a consumer under 16 years old or using the consumer's data for targeted ads or certain types of profiling.

However, the article notes that the OCPA has threshold requirements that not all businesses meet, and exempts certain industries and data regulated by other privacy frameworks.

You can read the article here.