By now, many of you have likely read the first article in our OCPA Series and determined that your organization is not exempt from the Oregon Consumer Privacy Act (OCPA). The next step for businesses that collect information on Oregon consumers is to determine whether the volume of data collection meets the minimum threshold requirements for the OCPA to apply to your organization.
To fall under the OCPA’s scope, an entity must control or process, in a calendar year: (1) the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction, or (2) the personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.
So the question then becomes: how does an organization determine whether it meets that numerical data threshold? It’s trickier than it would seem. But don’t worry, we’re here to help.
In order for data to count against the numerical threshold, an entity must either control or process it. Because the OCPA defines “control or process” broadly, most companies will be processing any data they come into contact with. By way of illustration, the OCPA lists the following actions as processing: collecting, using, storing, disclosing, analyzing, deleting, or modifying the personal data. As our readers can see, it doesn’t take much to process data under the OCPA.
The OCPA governs the controlling or processing of data on “consumers,” which the act defines as “a natural person who resides in this state and acts in any capacity other than in a commercial or employment context.”
Many of the key terms implicated in this analysis are undefined, leaving the OCPA susceptible to a wide range of interpretation. Here are some interesting considerations:
Natural Person: It is unclear whether the OCPA applies to deceased individuals or unborn individuals. Although this question can seem esoteric, it has been subject to guidance with respect to the GDPR.
Residing in Oregon: The ambiguity here is determining whether someone who is in Oregon temporarily is “residing” in Oregon and, if not, where that line is drawn.
Commercial Context: The lack of a definition of “commercial” leaves the term open to a fairly wide range of interpretation. At its narrowest, the term commercial would appear to cover an actual commercial transaction and the information related to that sale (e.g., shipping and payment information necessary to complete an online purchase). Given this vagueness, entities are best served by applying a narrow meaning of the term commercial when counting the data they collect.
Remember that certain data does not fall under the OCPA and therefore falls outside of this numerical analysis. For example, data that is processed under federal statutes such as FERPA, HIPAA, and GLBA does not count towards the numerical threshold for determining the applicability of the OCPA.
The OCPA is not limited to data that is collected electronically. Therefore, manual collection, control, or processing of data would count towards the minimum thresholds under the OCPA.
The OCPA does not have an explicit exception for information that is transferred from business to business. In fact, some business-to-business transactions are explicitly covered under the OCPA – e.g., when one company processes consumer-related data on behalf of another outside of a commercial or employment context. Therefore, entities in the B2B world must look at the data that they handle, determine whether it meets the above standards (e.g., it is about a “consumer” outside of the employment or commercial context), and does not otherwise fall under a data exception (e.g., HIPAA).
If your organization is not generally exempt from the OCPA, we recommend that you take the following steps with respect to data that (1) is outside of the commercial or employment context and (2) does not fall into another exemption (e.g., data processed pursuant to HIPAA):
For more information, contact Rishi Puri or Parisa Zarelli, or visit our firm’s Privacy & Data Security Team page. Keep up-to-date by subscribing to Lane Powell’s Legal Updates.
These materials have been prepared by the law firm of Lane Powell for informational purposes only. They are not intended to be and should not be considered legal advice. Transmission of the information is not intended to create, and receipt does not constitute an attorney-client relationship. The information contained in this website is provided only as general information, which may or may not reflect the most current legal developments, as the OCPA is subject to considerable change through regulation and case law.