With its passage of Oregon Consumer Data Privacy Act (“OCDPA”), Oregon became one of 16 states to pass comprehensive data privacy laws.
Regulated Entities and Data
The OCDPA generally applies to any person who meets two requirements:
- conducts business in the state, or “provides” products or services to Oregon’s residents; and
- within a calendar year, controls or processes personal data of
- 100,000 or more consumers, or
- 25,000 or more consumers and also derives at least 25 percent of its gross revenue from selling personal data.
“Personal data” regulated by the Act broadly includes any “derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”
The OCDPA imposes additional requirements for personal data that is considered “sensitive data.” Such data includes children’s data; genetic or biometric data; precise geolocation data; or data that “reveals a consumer’s” national origin, citizen or immigration status, racial or ethnic background, religious beliefs, mental or physical condition/diagnosis, sexual orientation, transgender or non-binary status, or status as a victim of crime. This definition of sensitive data is more expansive that other privacy statutes with its inclusion of categories such as transgender or non-binary status.
To read the full post, please visit our Biometric Privacy Insider blog.