Oregon Sets the Bar: Landmark Consumer Data Privacy Bill Becomes the Strongest in the Nation

It’s been a busy legislative season for consumer data privacy. Six states have passed legislation empowering consumers with control over their data, effectively doubling the number of states with such laws. Okay, so only 11 out of 50 states have passed such laws, it’s still progress.

Of the six states, one stands out: Oregon. On June 22, 2023, the Oregon state legislature passed Oregon Consumer Privacy Act (OCPA) (SB 619). It is the eleventh state in the US to do so and the sixth this year. The Oregon Consumer Privacy Act (OCPA) is notable because it’s the strongest bill passed to date.

With the exception of California, all other US privacy regulations are modeled on the Washington Privacy Act, which was drafted by the Washington State Senate Ways & Means Committee. This bill is limited to companies (data controllers to be exact) that “control or process personal data of 100,000 consumers or more; or derive over 50 percent of gross revenue from the sale of personal data; and processes or controls personal data of twenty-five thousand consumers or more.” For many people, the WPA lacks teeth.

Unique to OCPA

OCPA differs from most other State privacy laws in a few ways. First, it requires opt-in consent for Oregonians aged 13 to 15. 

If signed by the Governor, the law would protect sensitive data that goes above and beyond other privacy laws. First, it requires all data controllers to obtain consent before collecting sensitive data. And it expands the definition of sensitive data to cover such things as national origin, status as transgender or nonbinary, and whether or not the consumer has been the victim of crime. 

Additionally, it would broaden the definition of biometric data to include any data used to identify a resident, not just data collected or used for identification. In other words, scraping social media platforms for consumer photos will be illegal in Oregon if this bill passes.

Civil Penalties on Employees for Violations

The Act gives data controls new incentives to respect the consumer’s privacy, including holding employees personally accountable for any violations. It specifically states,”If a court finds that a director, member, officer, employee or agent of a controller violated sections 1 to 10 of this 2023 Act through an act or omission, the court may find that the controller committed the violation or the court may find that both the controller and the director, member, officer, employee or agent committed the violation and may impose separate civil penalties on each.”

“What I consider the most significant part of the Act is the potential for officers, directors, and employees to be personally liable for violations.  I have not seen a provision like this in any other privacy law,” said Wayne Matus, Co-Founder, General Counsel & EVP at SafeGuard Privacy, a privacy compliance platform.

Data Minimization a New Wrinkle for ID Matching?

OCPA’s data minimization requirements could be challenging for some marketers. For example, those who want to use customer emails to match their IDs to reach them on their CTV devices. The law says that businesses may not process personal data for purposes that are not reasonably necessary unless they obtain consumer consent.

At issue: OCPA explicitly defines personal data to include derived data and device data that can link one or more consumers in a household. In other words, the law recognizes that personal data goes beyond direct or explicit information and includes data derived from other sources or devices that can be connected to individuals or their households. 

While the law doesn’t mention universal ID matching specifically, it requires all companies to obtain opt-in consent from consumers before collecting or selling their personal information, including data that could potentially link their mobile device to a household CTV.

“The data minimization is huge.  It is one of the biggest issues the trade groups have against the draft federal privacy law.  It has the potential to minimize not only data but the value of data. And it hurts creating a profile,” said Matus.

Finally, the bill establishes minimal transparency requirements. For example, if requested, businesses must provide consumers with a list of third parties with whom they’ve shared their personal data. And that’s not all, they must also explain the categories of companies that those third parties fall into so that the consumer can understand the types of entities involved and how they process their data.