Oregon Consumer Data Privacy Act (OCDPA) Compliance
Pandectes GDPR Compliance helps Shopify stores meet OCDPA requirements by scanning for cookies, generating reports, and ensuring data privacy compliance.
What is OCDPA?
The Oregon Consumer Data Privacy Act (OCDPA) provides Oregon residents with certain rights pertaining to their data and imposes obligations on those who control and process data. It shares some similarities with other state laws such as the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA), and it also draws inspiration from the EU’s General Data Protection Regulation (GDPR).
While there are resemblances, such as the inclusion of opt-out provisions for data collection and processing, safeguards for sensitive data, and the integration of privacy-by-design principles, the significant divergences lie in the specific details. This insight comes from Kirk Nahra, a seasoned privacy attorney and co-chair at WilmerHale.
For instance, the CPRA (California) and OCDPA (Oregon) diverge in their definitions of “sensitive data.” As Nahra pointed out, complying with the law will require careful consideration of these distinctions. In the following discussion, we will delve into the definition of sensitive data under the OCDPA, along with its other stipulations.
Who does the OCDPA apply to?
The Oregon Consumer Data Privacy Act (OCDPA) applies to “controllers” that conduct business in Oregon or produce or deliver commercial products or services that are intentionally targeted to Oregon residents.
What happens if I don't comply with the OCDPA?
The OCDPA doesn’t specify the penalties or fines that violators will have to pay. However, violations of the regulation are considered a deceptive trade practice. This means that violations will be dealt with as per the Oregon Unlawful Trade Practices Act.
Fines per violation can vary based on the specifics of the violation. OCDPA violations could also result in criminal charges.
Enforcement of the OCDPA is entrusted to the Oregon Attorney General and district attorneys, who bear the responsibility of implementing injunctions, penalties, and settlements. It is important to note, however, that the OCDPA does not provide a private right of action, meaning that individuals cannot file lawsuits against businesses for violating their rights.
Before the Attorney General or district attorneys can initiate any enforcement measures, they are obliged to issue a notice of violation to the relevant business. This notice grants the violators a 60-day cure period, during which they can rectify the violations.
If the business remains non-compliant after the cure period, the district attorneys or Attorney General can proceed with enforcement actions.
As of January 1, 2025, the 60-day cure period will no longer be in effect. Instead, violators will have the option to request interpretative guidance and opinion letters from the office of the Attorney General.
When will the OCDPA go into effect?
The OCDPA tasks the Oregon Attorney General with implementing and enforcing the OCDPA, including adopting new rules. The OCDPA is a part of the State of Oregon’s Unlawful Trade Practices Act and goes into effect on July 1, 2025.
Complying with the OCDPA
The OCDPA stands as one of the comprehensive data privacy laws, and other states, such as Indiana, Iowa, Tennessee, and Colorado, are also introducing their own privacy bills. As businesses operate across multiple states, it becomes increasingly difficult to navigate and adhere to the intricate network of state data privacy laws.
Maintaining compliance begins with staying informed about the evolving legislation that may impact your company. Keeping track of these laws as they progress through state legislatures is essential. Subscribing to relevant newsletters and resources can be helpful.
When a new law is enacted but not yet in effect, it is advisable to review its text in collaboration with legal counsel. They can assess your compliance status and provide guidance on necessary actions.
To streamline the data compliance process, consider utilizing a Consent Management Platform (CMP) like Pandectes GDPR Compliance. A CMP relieves the burden on your team by offering customizable consent management, automation of data subject access requests, and tools for cookie & vendor management. Pandectes GDPR Compliance is specifically designed for Shopify Stores and is ready to assist you in achieving and maintaining compliance within the ever-changing landscape of data privacy.