To commemorate the six months since the Oregon Consumer Privacy Act (“OCPA”) became effective, Oregon Attorney General Dan Rayfield released earlier this month a Report summarizing complaints received from consumers about alleged violations of the law and the Oregon Department of Justice Privacy Unit’s initial enforcement efforts.
The OCPA took effect on July 1, 2024, and made Oregon the twelfth state with a comprehensive consumer privacy law intended to give Oregon consumers more control over their personal data. As the Report notes, the OCPA differs in some important ways from other state comprehensive privacy laws, including in that it:
- provides consumers with the right to obtain a list of specific third parties to whom their personal data was disclosed (rather than just the categories of third parties provided for under other states’ laws);
- includes an expanded definition of sensitive data that encompasses things like gender identity and crime victim status;
- expands protections for personal data from children under age 13, as well as teens ages 13-15; and
- has more limited exemptions as compared to other states’ laws, which causes the law to be more broadly applicable to businesses.
While the Report is worth a read for any business subject to the OCPA, below we offer some key takeaways.
Consumer Rights Requests Drive Consumer Complaints
In the OCPA’s first six months, the Privacy Unit within the Attorney General’s Office received 110 consumer complaints. The Report notes that the majority of the complaints were received via the “Privacy Complaint Portal” that permits consumers to report suspected OCPA violations directly to the Privacy Unit.
The most common complaints from the Report are about data brokers, specifically background check websites and “social media/technology platforms.” Those complaints, the Report explains, focus on denials of consumer rights requests in general, and denials of the right to delete in particular. Those findings offer two important lessons for businesses subject to the OCPA.
First, Oregon consumers are aware of their rights, are seeking to exercise them, and notifying the Oregon Attorney General when their requests aren’t fulfilled. To that end, the Report notes the 110 complaints received by the Privacy Unit in the last six months are a “significant number compared to other similarly sized states.”
Second, the complaint data suggests that implementing a consumer-friendly and timely process to receive and respond to consumer requests is an effective way to reduce consumer complaints—and enforcement risk.
Mind your Privacy Notice
The Privacy Unit primarily enforces the OCPA through cure notice letters, which provide businesses the opportunity to cure asserted violations within 30 days. The Report states that using cure notices, the Privacy Unit opened and closed 21 enforcement matters and an unspecified number of additional “light” cure letters that did not cite specific deficiencies but asked businesses to incorporate OCPA requirements in their online privacy notices.
The Report lists the most common privacy notice deficiencies to include:
- Failures to include content required by the OCPA (e.g., failure to incorporate consumer rights or to sufficiently inform Oregon consumers of their rights under the OCPA in the online privacy notice);
- Confusing privacy notices (e.g., not listing Oregon under “your state rights” in the online privacy notice); and
- Lacking or burdensome rights mechanisms (e.g., failure to include a clear and conspicuous link or difficult authentication requirements).
It is unsurprising that the Report calls out lacking or inadequate disclosures of consumer rights under the OCPA and confusing privacy notices. As we previously noted, a similar report from the Connecticut AG’s office on the 6-month anniversary of that state’s law also highlighted businesses’ privacy notice deficiencies. As with consumer rights requests, therefore, ensuring that your privacy notice include all content required under state law is an effective way to reduce the likelihood of falling within the Privacy Unit’s enforcement crosshairs.
An Eye to the Future
While the Report is primarily focused on past events, it also notes several areas of future focus and enforcement efforts of the OCPA. To that end, the Report notes that when the OCPA’s notice-and-cure provisions sunset on January 1, 2026, the Privacy Unit will focus on enforcing the OCPA’s universal opt-out mechanism requirements. Until that time, says the Report, the Privacy Unit will continue its community outreach efforts with a focus on qualifying nonprofits.
