Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Oregon - Data Protection Overview
May 2024
1. Governing Texts
1.1. Key acts, regulations, directives, bills
On July 18, 2023, the Oregon State Governor signed the Oregon Consumer Privacy Act (OCPA) into law. The OCPA will enter into force on July 1, 2024, except for non-profit entities, for which the OCPA will enter into force on July 1, 2025. In addition, the requirement to recognize and process universal opt-out preference signals will commence on January 1, 2026, which also marks the date on which the 30-day cure period for violations will sunset.
1.2. Guidelines
The Attorney General of Oregon (AG) has not yet issued any guidance. However, the Oregon Department of Justice published Privacy Laws FAQs for businesses.
1.3. Case law
Not applicable.
2. Scope of Application
2.1. Personal scope
The OCPA applies to any person who conducts business in Oregon or who provides products or services to residents of Oregon (§2(1) of the OCPA). In addition, such entities must also satisfy at least one of two outlined additional requirements, namely that during a calendar year, they control or process (§2(1) of the OCPA):
- the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
- the personal data of 25,000 or more consumers, while deriving 25% or more of the annual gross revenue from selling personal data.
In addition, the OCPA expressly lists several entities to which its provisions would not apply, namely public corporations or bodies, financial institutions or a financial institutions' affiliate or subsidiary that is only and directly engaged in financial activities, as well as an insurer other than a person that, alone or in combination with another person, establishes and maintains a self-insurance program and that does not otherwise engage in the business of entering into policies of insurance, an insurance producer, a person that holds a third party administrator license, and a non-profit organization that is established to detect and prevent fraudulent acts in connection with insurance (§2(2) of the OCPA).
2.2. Territorial scope
The OCPA applies to persons that conduct business in Oregon, or that provide products or services to residents of Oregon (§2(1) of the OCPA).
2.3. Material scope
The OCPA applies to the 'personal data' of 'consumers'. Personal data is defined as data, derived data, or any unique identifier that is linked to or is reasonably linkable to one or more consumers in a household with the exclusion of de-identified data, among other types of data; whereas consumer refers to a natural person who resides in Oregon and acts in any capacity other than in a commercial or employment context (§1(13) and (7) of the OCPA, respectively).
Additionally, the OCPA outlines what is outside of its material scope of application, including, among other things, protected health information processed in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, patient identifying information in certain circumstances, information processed or maintained solely in connection with, and for the purpose of, enabling an individual's employment or application for employment, and information collected, processed, sold, or disclosed under and in accordance with the Gramm-Leach-Bliley Act of 1999 (GLBA) and its implementing regulations, the Drivers Privacy Protection Act of 1994 (18 U.S.C. § 2721), and the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g (FERPA) (§2(2) of the OCPA).
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The AG is the regulator within Oregon.
3.2. Main powers, duties and responsibilities
The AG has exclusive authority to enforce the OCPA (§9(8) of the OCPA). In particular, the AG may serve an investigative demand upon any person that possesses, controls, or has custody of any information, document or other material that the AG determines is relevant to an investigation of a violation of §§1 to 9 of the OCPA or that could lead to a discovery of relevant information (§9(1) of the OCPA).
4. Key Definitions
Data controller: 'Controller' means a person that, alone or jointly with another person, determines the purposes and means for processing personal data (§1(8) of the OCPA).
Data processor: 'Processor' means a person that processes personal data on behalf of a controller (§1(15) of the OCPA).
Personal data: Means data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household. However, 'personal data' does not include de-identified data or data that is lawfully available through federal, state, or local government records or through widely distributed media, or that a controller reasonably has understood to have been lawfully made available to the public by a consumer (§1(13) of the OCPA).
Sensitive data: 'Sensitive data' is defined as personal data that (§1(18) of the OCPA:
- reveals a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime or citizenship or immigration status;
- is a child's personal data;
- accurately identifies within a radius of 1,750 feet a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or
- is genetic or biometric data.
However, sensitive data under the OCPA does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility (§1(18)(b) of the OCPA).
Data Subject: A 'consumer' means a natural person who resides in Oregon and acts in any capacity other than in a commercial or employment context (§1(7) of the OCPA).
Biometric data: 'Biometric data' means personal data generated by automatic measurements of a consumer's biological characteristics, such as the consumer's fingerprint, voiceprint, retinal pattern, iris pattern, gait, or other unique biological characteristics that allow or confirm the unique identification of the consumer (§1(3)(a) of the OCPA).
However, 'biometric data' does not include (§1(3)(b) of the OCPA);
- a photograph recorded digitally or otherwise;
- an audio or video recording;
- data from a photograph or from an audio or video recording, unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer; or
- facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.
Pseudonymization: Not applicable.
5. Legal Bases
A controller may process personal data in accordance with §2(3) of the OCPA only to the extent that the processing is adequate and reasonably necessary for, relevant to, proportionate in relation to, and limited to the purposes set forth. In addition, a controller that claims that their processing of personal data is exempt based on §2(3) of the OCPA has the burden of demonstrating that their processing qualifies for the exemption and complies with the applicable requirements (§2(7) of the OCPA).
5.1. Consent
The OCPA defines 'consent' as an affirmative act by means of which a consumer clearly and conspicuously communicates their freely given, specific, informed, and unambiguous assent to another person's act or practice under the following conditions (§1(6) of the OCPA):
- the user interface by means of which the consumer performing the act does not have any mechanism that has the purpose or substantial effect of obtaining consent by obscuring, subverting, or impairing the consumer's autonomy, decision-making, or choice; and
- the consumer's inaction does not constitute consent.
In terms of consent as a legal basis for processing, the OCPA establishes that a controller must not process personal data for purposes that are not reasonably necessary for and compatible with the purposes the controller specified in the privacy notice, unless the controller obtains the consumer's consent, and must not process sensitive data about a consumer without first obtaining their consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children's Online Privacy Protection Act of 1998 (COPPA)and its rules (§5(2)(a) and 5(2)(b) of the OCPA).
Withdrawal of Consent
Moreover, the OCPA provides that controllers must provide an effective means by which a consumer may revoke consent to the controller's processing of the consumer's personal data. The means must be at least as easy as the method by which the consumer provided consent. Once the consumer revokes consent, the controller shall cease the personal data as soon as is practicable. The OCPA provides 15 days to comply with such requests (§5(1)(d) of the OCPA). Except as otherwise provided in the OCPA, in responding to a request under §4(1) of the OCPA), a controller must comply with a request under §3(1)(d) of the OCPA to opt out of the controller's processing of the consumer's personal data without requiring authentication, except that (§4(5)(e) of the OCPA):
- the controller may ask for additional information necessary to comply with the request, such as information that is necessary to identify the consumer that requested to opt out; and
- the controller may deny a request to opt out where the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If the controller denies a request, the controller must notify the consumer that the controller believes the request is fraudulent, stating in the notice that the controller will not comply with the request.
5.2. Contract with the data subject
The OCPA does not prohibit a controller or processor from negotiating, entering into, or performing a contract with a consumer, including fulfilling the terms of a written warranty, nor from performing internal operations that are reasonably aligned with a consumer's expectations, that the consumer may reasonably anticipate based on the consumer's existing relationship with the controller or that is otherwise compatible with processing data for the purpose of providing a product or service the consumer specifically requested or for the purpose of performing a contract to which the consumer is a party (§2(3)(h) and 2(3)(l) of the OCPA).
5.3. Legal obligations
The OCPA states that it does not prohibit a controller or processor from (§§2(3)(a)-2(3)(e) and 2(3)(j) of the OCPA):
- complying with federal, state, or local statutes, ordinances, rules, or regulations;
- complying with a federal, state, or local governmental inquiry, investigation, subpoena, or summons related to a civil, criminal, or administrative proceeding;
- cooperating with a law enforcement agency concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local statutes, ordinances, rules, or regulations;
- investigating, establishing, initiating, or defending legal claims; and
- effectuating a product recall.
5.4. Interests of the data subject
The OCPA states that it does not prohibit a controller or processor from providing a product or service that a consumer specifically requests from the controller or processor or requests as the parent or guardian of a child on the child's behalf or as the guardian or conservator of a person subject to a guardianship, conservatorship, or other protective arrangement on the person’s behalf (§2(3)(g) of the OCPA).
In addition, the OCPA states that it does not prohibit a controller or processor from protecting any person's health and safety (§2(3)(i) of the OCPA).
5.5. Public interest
The OCPA does not address processing for the public interest.
5.6. Legitimate interests of the data controller
The OCPA does not explicitly address the legitimate interest of the controller as a legal basis for processing, but provides that it does not prohibit a controller or processor from (§§2(3)(e), 2(3)(f), 2(3)(k)-2(3)(m) of the OCPA):
- preventing, detecting, protecting against, or responding to, and investigating, reporting, or prosecuting persons responsible for, security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity or preserving the integrity or security of systems;
- identifying and repairing technical errors in a controller or processor's information systems that impair existing or intended functionality;
- conducting internal research to develop, improve, or repair products, services, or technology;
- performing internal operations that are reasonably aligned with a consumer's expectations, that the consumer may reasonably anticipate based on the consumer's existing relationship with the controller, or that are otherwise compatible with processing data for the purpose of providing a product or service the consumer specifically requested or for the purpose of performing a contract to which the consumer is a party; or
- assisting another controller or processor with any of the activities set forth in this subsection.
In regard to points one and two, the collection, use, and retention of personal data must, where applicable, take into account the nature and purpose of the collection, use, or retention. The personal data must be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and security of the personal data and reduce reasonably foreseeable risks of harm to consumers from the collection, use, or retention (§2(6) of the OCPA).
5.7. Legal bases in other instances
The OCPA does not apply to the extent that a controller or processor's compliance with it would violate an evidentiary privilege under the laws of Oregon, and, in any case, a controller or processor may provide personal data about a consumer in a privileged communication to a person that is covered by an evidentiary privilege under the laws of Oregon (§2(4) of the OCPA).
6. Principles
The controller must limit their collection of personal data to only personal data that is adequate, relevant, and reasonably necessary to serve the purposes of the controller (§5(1)(b) of the OCPA). In addition, controllers must implement, and maintain the same safeguards that are required for protecting personal information under the Oregon Revised Statutes (Or. Rev. Stat.) Chapter 646A.622 'requirement to develop safeguards for personal information,' such that the controller's safeguards protect the confidentiality, integrity, and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data (§5(1)(c) of the OCPA).
7. Controller and Processor Obligations
De-identified data
A controller that possesses deidentified data shall (§7(1)(a) of the OCPA):
- take reasonable measures to ensure that the deidentified data cannot be associated with an individual;
- publicly commit to maintaining and using deidentified data without attempting to reidentify the deidentified data; and
- enter into a contract with a recipient of the deidentified data and provide in the contract that the recipient must comply with the controller's obligations under §§1-9 of the OCPA.
In addition, a controller that discloses deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and shall take appropriate steps to address any breaches of the contractual commitments (§7(1)(b) of the OCPA). However, §7 of the OCPA does not prohibit a controller from attempting to reidentify deidentified data solely for the purpose of testing the controller's methods for deidentifying data (§7(1)(c) of the OCPA).
Furthermore, the OCPA does not require a controller or processor to:
- reidentify de-identified data; or
- associate a consumer with personal data in order to authenticate the consumer's request under §4 of the OCPA by:
- maintaining data in an identifiable form; or
- collecting, retaining, or accessing any particular data or technology.
7.1. Data processing notification
Not applicable.
7.2. Data transfers
The OCPA does not address data transfers but defines the sale of personal information as the exchange of personal data for monetary or other valuable consideration by the controller with a third party (§1(17)(a) of the OCPA). In addition, the sale of personal information does not include (§1(17)(a) of the OCPA):
- disclosure of personal data to a processor;
- disclosure of personal data to an affiliate of a controller or to a third party for the purpose of enabling the controller to provide a product or service to a consumer that requested the product or service;
- disclosure or transfer of personal data from a controller to a third party as part of a proposed or completed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets, including the personal data; or
- a disclosure of personal data that occurs because a consumer:
- directs a controller to disclose personal data;
- intentionally discloses personal data in the course of directing a controller to interact with a third party; or
- intentionally discloses personal data to the public by means of mass media, if the disclosure is not restricted to a specific audience.
7.3. Data processing records
The OCPA does not provide general provisions on data processing records.
7.4. Data protection impact assessment
Controllers must conduct and document a Data Protection Assessment (DPA) for each of the controller's processing activities that present a heightened risk of harm to the consumer (§8(1)(a) of the ODPA).
Processing activities that present a heightened risk of harm to a consumer include (§8(1)(b) of the ODPA):
- processing personal data for the purpose of targeted advertising;
- processing sensitive data;
- selling personal data; and
- using the personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
- financial, physical, or reputational injury to consumers;
- physical or other types of intrusion upon a consumer's solitude, seclusion, or private affairs or concerns, if the intrusion would be offensive to a reasonable person; or
- other substantial injury to consumers.
DPAs under the OCPA must identify and weigh how processing personal data may directly or indirectly benefit the controller, the consumer, other stakeholders, and the public against potential risks to the consumer, taking into account how safeguards the controller employs can mitigate the risks. Controllers must consider how de-identified data might reduce risks, the reasonable expectations of consumers, the context in which the data is processed, and the relationship between the controller and the consumers whose personal data the controller will process (§8(2) of the OCPA).
The AG may require a controller to provide the AG with any DPAs the controller has conducted if the DPA is relevant to an investigation the AG conducts (§8(3) of the OCPA). The AG may evaluate a DPA for the controller's compliance with the requirements of the OCPA. A single DPA can address a comparable set of processing operations that present a similar heightened risk of harm (§8(1)(c) of the OCPA). In addition, a DPA that a controller conducts to comply with another applicable law or regulation may satisfy the requirement of the OCPA if the DPA is reasonably similar in scope and effect (§8(4) of the OCPA).
However, the requirement to conduct a DPA only applies to processing activities that occur on or after July 1, 2024, and are not retroactive (§8(5) of the OCPA). Uniquely the OCPA clarifies that a DPA must be retained for at least five years all DPAs the controller conducts (§8(6) of the OCPA).
7.5. Data protection officer appointment
The OCPA does not address the appointment of data protection officers.
7.6. Data breach notification
There is a requirement to notify data breaches pursuant to the Oregon Consumer Identity Theft Protection Act under Or. Rev. Stat. Chapter 646A.600 et seq. as amended by the Act Relating to actions with respect to a breach of security that involves personal information; creating new provisions, among others (the Amendment Act). The amendments entered into effect on January 1, 2020.
For further information see Oregon - Data Breach.
7.7. Data retention
Not applicable.
7.8. Children's data
The OCPA defines 'child' as an individual under the age of 13 (§1(5) of the OCPA). Furthermore, the OCPA provides under the definition of 'sensitive data' that a child's personal data is sensitive data (§1(18)(a) of the OCPA).
A controller may not process sensitive data about a consumer without first obtaining the consumer's consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the COPPA, and the regulations, rules, and guidance adopted under the OCPA (§5(2)(b) of the OCPA).
7.9. Special categories of personal data
A controller may not process sensitive data about a consumer without first obtaining the consumer's consent or (§5(2)(b) of the OCPA).
7.10. Controller and processor contracts
The OCPA requires the controller to enter into a contract with the processor that governs how the processor processes personal data on the controller's behalf, which must (§6(2) of the OCPA):
- be valid and binding on both parties;
- set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing, and the duration of the processing;
- specify the rights and obligations of both parties with respect to the subject matter of the contract;
- ensure that each person who processes personal data is subject to a duty of confidentiality with respect to the personal data;
- require the processor to delete the personal data or return the personal data to the controller at the controller's direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;
- require the processor to make available to the controller, at the controller's request, all information the controller needs to verify that the processor has complied with all obligations the processor has under the OCPA;
- require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller's behalf and in the subcontract require the subcontractor to meet the processor's obligations under the processor's contract with the controller; and
- allow the controller, the controller's designee, or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework, or procedure, to assess the processor's policies and technical and organizational measures for complying with the processor's obligations under the OCPA, and require the processor to cooperate with the assessment and, at the controller's request, report the results of the assessment to the controller.
In addition, the OCPA requires a processor to adhere to a controller's instructions and assist the controller in meeting their obligations under the OCPA, whereby the processor must (§6(1) of the OCPA):
- enable the controller to respond to requests from consumers under §4 of the OCPA by means that take into account how the processor processes personal data and the information available to the processor and that use appropriate technical and organizational measures to the extent reasonably practicable;
- adopt administrative, technical, and physical safeguards that are reasonably designed to protect the security and confidentiality of the personal data the processor processes, taking into account how the processor processes the personal data and the information available to the processor; and
- provide information reasonably necessary for the controller to conduct and document DPAs.
8. Data Subject Rights
A parent or legal guardian may exercise the rights described in §3 of the OCPA on behalf of the parent's child or on behalf of a child for whom the guardian has legal responsibility. A guardian or conservator may exercise the rights described in §4(1) of the OCPA on behalf of a consumer that is subject to a guardianship, conservatorship, or other protective arrangement (§4(3) of the OCPA).
Except as otherwise provided in the OCPA, in responding to a request under §4(1) of the OCPA), a controller shall (§4(5) of the OCPA):
- respond to a request from a consumer without undue delay and not later than 45 days after receiving the request. The controller may extend the period within which the controller responds by an additional 45 days if the extension is reasonably necessary to comply with the consumer's request, taking into consideration the complexity of the request and the number of requests the consumer makes. A controller that intends to extend the period for responding must notify the consumer within the initial 45-day response period and explain the reason for the extension;
- notify the consumer without undue delay and not later than 45 days after receiving the consumer's request if the controller declines to take action on the request. The controller in the notice must explain the justification for not taking action and include instructions for appealing the controller's decision;
- provide information the consumer requests once during any 12-month period without charge to the consumer. A controller may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within the 12-month period, unless the purpose of the second or subsequent request is to verify that the controller corrected inaccuracies in, or deleted, the consumer's personal data in compliance with the consumer's request; and
- notify the consumer if the controller cannot, using commercially reasonable methods, authenticate the consumer's request without additional information from the consumer. A controller that sends a notification in relation to customer requests does not have to comply with the request until the consumer provides the information necessary to authenticate the request.
In addition, a controller shall establish a process by means of which a consumer may appeal the controller's refusal to take action on a request under §4(1) of the OCPA, which must include (§4(6) of the OCPA):
- allow a reasonable period of time after the consumer receives the controller's refusal within which to appeal;
- be conspicuously available to the consumer;
- be similar to the manner in which a consumer must submit a request under §4(1) of the OCPA; and
- require the controller to approve or deny the appeal within 45 days after the date on which the controller received the appeal and to notify the consumer in writing of the controller's decision and the reasons for the decision. If the controller denies the appeal, the notice must provide or specify information that enables the consumer to contact the AG to submit a complaint.
Furthermore, a consumer may exercise the rights described in §3 of the OCPA by submitting a request to a controller using the method that the controller specifies in the privacy notice described in §5 of the OCPA (§4(1) of the OCPA). However, a controller may not require a consumer to create an account for the purpose described in (§4(1) of the OCPA, but the controller may require the consumer to use an account the consumer created previously.
Exemptions
Moreover, the OCPA does not require a controller or processor to comply with a consumer's request under §4 of the OCPA if the controller (§7(2)(b) of the OCPA):
- cannot reasonably associate the request with personal data or if the controller's attempt to associate the request with personal data would be unreasonably burdensome;
- does not use personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with any other personal data about the specific consumer; and
- does not sell or otherwise voluntarily disclose personal data to a third party, except as otherwise provided in the OCPA.
Controllers may not discriminate against a consumer who exercises a right provided to the consumer under §§1-9 of the OCPA by means such as denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality or selection of goods or services to the consumer (§5(2)(d) of the OCPA).
8.1. Right to be informed
The OCPA stipulates that a controller must provide consumers a reasonably accessible, clear, and meaningful privacy notice that (§5(4) of the OCPA):
- lists the categories of personal data, including the categories of sensitive data, that the controller processes;
- describes the controller's purposes for processing the personal data;
- describes how a consumer may exercise the consumer's rights, including how a consumer may appeal a controller's denial of a consumer's request;
- lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties;
- describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
- specifies an electronic mail address or other online methods by which a consumer can contact the controller that the controller actively monitors;
- identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this state;
- provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt-out of this type of processing; and
- describes the method or methods the controller has established for a consumer to submit a request under §4(1) of the OCPA.
The OCPA further specifies that controllers must specify in the privacy notice, the express purposes for which the controller is collecting and processing personal data (§5(1)(a) of the OCPA) and provide OCPA the method or methods for submitting a consumer, taking into account (§5(5)(a) of the OCPA):
- ways in which consumers normally interact with the controller;
- a need for security and reliability in communications related to the request; and
- the controller's ability to authenticate the identity of the consumer that makes the request.
The controller must provide a clear and conspicuous link to a webpage where the consumer or an authorized agent may opt out of processing OCPA or, solely where the controller does not have the capacity needed for linking to a webpage, provide another method the consumer can use to opt-out (§5(5)(b) of the OCPA).
8.2. Right to access
The OCPA provides a consumer with the right to confirm whether the controller is processing or has processed the consumer's personal data and the categories of personal data the controller is processing or has processed (§3(1)(a)(A) of the OCPA).
Additionally, consumers have the right to obtain a copy of all of the consumer’s personal data that the controller has processed or is processing in a portable and, to the extent technically feasible, readily usable format (§3(1)(a)(C) and §3(2) of the OCPA).
8.3. Right to rectification
Likewise, a consumer may require a controller to correct inaccuracies in personal data about the consumer, considering the nature of the personal data and the controller's purpose for processing the personal data (§3(1)(b) of the OCPA).
8.4. Right to erasure
A consumer may require a controller to delete personal data about the consumer, including personal data the consumer provided to the controller, and personal data the controller obtained from another source and derived data (§3(1)(c) of the OCPA).
A controller that obtains personal data about a consumer from a source other than the consumer complies with the consumer's request to delete the personal data if the controller (§4(7) of the OCPA):
- deletes the data but retains a record of the deletion request and a minimal amount of data necessary to ensure that the personal data remains deleted and does not use the minimal data for any other purpose; or
- opts the consumer out of the controller’s processing of the consumer’s personal data for any purpose other than a purpose that is exempt under §2 of the OCPA.
8.5. Right to object/opt-out
The OCDPA provides consumers with the right to opt-out from a controller's processing of their personal data that the controller processes for any of the following purposes ((§3(1)(d) of the OCPA):
- targeted advertising;
- selling the personal data; or
- profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance.
In addition, a consumer may designate another person to act on the consumer's behalf as the consumer's authorized agent for the purpose of opting out of a controller's processing of the consumer's personal data, as provided in §3(1)(d) of the OCPA (§4(4) of the OCPA). The consumer may designate an authorized agent by means of an internet link, browser setting, browser extension, global device setting, or other technology that enables the consumer to opt out of the controller's processing of the consumer's personal data. A controller must comply with an opt-out request from an authorized agent if the controller can verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.
8.6. Right to data portability
A controller that provides a copy of personal data to a consumer under §(1)(a)(C) of the OCPA must provide the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance (§3(2) of the OCPA).
8.7. Right not to be subject to automated decision-making
The OCPA does not expressly provide for the right not to be subject to automated decision-making, however, it defines 'profiling' as means an automated processing of personal data for the purpose of evaluating, analyzing, or predicting an identified or identifiable consumer's economic circumstances, health, personal preferences, interests, reliability, behavior, location, or movements (§1(16) of the OCPA).
As such, as far as automated decision-making falls within the definition of 'profiling', consumers have the right to opt out of such a processing activity as mentioned in the section on the right to opt-out above.
8.8. Other rights
No further information.
9. Penalties
The AG has exclusive authority to enforce the OCPA, which does not create any private right of action (§9(8) of the OCPA). In particular, the AG may serve an investigative demand upon any person that possesses, controls, or has custody of any information, document or other material that the AG determines is relevant to an investigation of a violation of §§1-9 of the OCPA or that could lead to a discovery of relevant information (§9(1)(a) of the OCPA). The OCPA establishes a cure period of 30 days for controllers and processors found in breach of the OCPA. If the controller fails to cure the violation within 30 days after receiving the notice of the violation by the AG, the latter may bring the action without further notice. Importantly, under the OCPA, the right to cure will sunset on January 1, 2026.
The remedies available to the AG under §9(4) of the OCPA are in addition to and not in lieu of any other relief available to the AG or another person under other applicable provisions of law. A claim available under another provision of law may be joined to the AG's claim under §9(4) of OCPA (§9(7) of the OCPA).
In exercising its authority, the AG may bring an action to seek a civil penalty of not more than $7,500 for each violation of §§1-9 of the OCPA, to enjoin a violation, or obtain other equitable relief (§9(4)(a) of the OCPA). The OCPA also establishes a statute of limitations of five years for the AG to seek relief (§9(6) of the OCPA). The five-year period is counted from the date of the last act of a controller that constituted the violation for which the AG seeks relief.
9.1 Enforcement decisions
Not applicable.