By now, many of you have likely read the first article in our OCPA Series and determined that your organization is not exempt from the Oregon Consumer Privacy Act (OCPA). The next step for businesses that collect information on Oregon consumers is to determine whether the volume of data collection meets the minimum threshold requirements for the OCPA to apply to your organization.

To fall under the OCPA's scope, an entity must control or process, in a calendar year: (1) the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction, or (2) the personal data of 25,000 or more consumers, while deriving 25 percent or more of the person's annual gross revenue from selling personal data.

So the question then becomes: how does an organization determine whether it meets that numerical data threshold? It's trickier than it would seem. But don't worry, we're here to help.

Controlling or Processing

In order for data to count against the numerical threshold, an entity must either control or process it. Because the OCPA defines "process" broadly, most companies will be processing any data they come into contact with. By way of explanation, the OCPA lists the following actions that constitute processing: collecting, using, storing, disclosing, analyzing, deleting, or modifying the personal data. As our readers can see, it doesn't take a lot to process data under the OCPA.

The Data Must Be of Natural Persons Who Live in Oregon

The OCPA governs the controlling or processing of data on "consumers," which the act defines as "a natural person who resides in this state and acts in any capacity other than in a commercial or employment context."

Many of the key terms implicated in this analysis are undefined, leaving the OCPA susceptible to a wide range of interpretation. Here are some interesting considerations:

Natural Person: It is unclear whether the OCPA applies to deceased individuals or unborn individuals. Although this question can seem esoteric, it has been subject to guidance with respect to the GDPR.

Residing in Oregon: The ambiguity here is determining whether someone who is in Oregon temporarily is "residing" in Oregon and, if not, where that line is drawn.

Commercial Context: The lack of a definition of "commercial" leaves the term open to a fairly wide range of interpretation. At its narrowest, the term commercial would appear to cover an actual commercial transaction and the information related to that sale (e.g., the shipping and payment information necessary to complete an online purchase). Given the vagueness of this term, entities would be best served by applying the narrow meaning of commercial when counting the data they collect.

Data That Is Exempt From the OCPA Does Not Count Towards This Threshold

Remember that certain data does not fall under the OCPA and therefore falls outside of this numerical analysis. For example, data that is processed under federal statutes such as FERPA, HIPAA, and GLBA does not count towards the numerical threshold for determining the applicability of the OCPA.

Non-Electronic Data

The OCPA is not limited to data that is collected electronically. Therefore, manual collection, control, or processing of data would count towards the minimum thresholds under the OCPA.

Implications for B2B Businesses

The OCPA does not have an explicit exception for information that is transferred from business to business. In fact, some business-to-business transactions are explicitly covered under the OCPA – e.g., when one company processes consumer-related data on behalf of another outside of a commercial or employment context. Therefore, entities in the B2B world must look at the data that they handle and determine whether it meets the above standards (e.g., it is about a "consumer" outside of the employment or commercial context) and whether it falls outside of the data exemptions (e.g., HIPAA).

Next Steps

If your organization is not generally exempt from the OCPA, we recommend that you take the following steps with respect to data that (1) falls outside of the commercial or employment context and (2) does not fall into another exemption (e.g., data processed pursuant to HIPAA):

  • Determine how much consumer data your organization stores;
  • Determine how much data your organization is likely to collect in a calendar year;
  • Determine, on an ongoing basis, whether new business initiatives would likely result in an increase in data storage or collection;
  • Review, update, and enforce data retention policies to keep the level of stored data to a minimum to avoid crossing the minimum threshold; and
  • Engage counsel to understand how regulations define key terms in this analysis.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.