By Hao Nguyen, Esq.

On July 18, 2023, Governor Tina Kotek signed the Oregon Consumer Data Privacy Act (OCDPA), which grants consumers specific rights and responsibilities over their personal data. The OCDPA places numerous requirements on Oregon dealers, ranging from updated privacy policies and cookie consent functionality to contracts with third parties. Here is a brief summary of what Oregon dealers need to do prior to the effective date of July 1, 2024.
Controller (i.e. Dealership) Requirements:
Requirement #1: Cookie Consent Banner
Dealerships will also need to clearly and conspicuously disclose whether they sell or use a consumer’s personal data for “targeted advertising”. “Targeted advertising” means displaying advertisements to consumers based on personal information obtained from that consumer’s activities over time and across non-affiliated websites or online applications to predict the consumer’s preferences or interests.
Practically speaking, this can all be easily achieved by using a cookie consent banner that blocks very specific cookies and related website technology from loading on a consumer’s device until the consumer consents.
Requirement #2: Privacy Policy and Other Disclosures
Dealerships will need to update their existing privacy policies to reflect certain information in regard to the consumer personal information that they collect. Specifically, the privacy policy needs to state the following:
- a description of the Data Subject Access Request (DSAR) portal – more about this below;
- the categories of personal data it processes;
- the purpose for which the personal data is collected and processed;
- instructions on how consumers may exercise their consumer rights;
- the categories of personal data that are shared with third parties; and
- the categories of third parties with whom the consumer’s personal data is shared.
In addition, dealers will need to obtain consumer consent before processing “sensitive data,” which includes racial or ethnic background information, status as transgender or nonbinary, and citizenship and immigration status.
Requirement #3: Contracts with Data Processors
All of a dealership’s processors must sign a binding contract with the dealership that provides for each of the following:
- instructions for processing personal data;
- the nature and purpose of processing personal data;
- the type of personal data subject to processing;
- the duration of processing;
- the rights and obligations of both parties;
- reasonable risk assessments by the dealership; and
- a contractual requirement that subcontractors meet the same obligations as the processor with respect to personal data.
These contracts must also ensure that the processor is subject to a duty of confidentiality with respect to the personal data and, at the controller’s direction, the processor must delete or return all personal data to the dealership as requested at the end of the provision of services unless its retention is required by law.
Requirement #4: Securing Your Data by Reinforcing Cybersecurity Protocols
Dealerships must establish, implement, and maintain reasonable technical and physical security practices to protect the confidentiality, integrity, and accessibility of consumer personal data. We believe the intent is for dealerships to adopt security measures similar to the data protection and cybersecurity standards required by the Safeguards Rule. In other words, if you fulfill the Safeguards Rule, you will more than likely meet the threshold required by the OCDPA.
Consumer Rights:
Types of Requests
Under the OCDPA, consumers will have the right to do each of the following:
- confirm whether or not the dealership is processing the consumer’s personal data and access such data;
- request the dealership correct inaccurate information about the consumer that was previously provided to the dealership (other than Iowa);
- request the dealership delete personal data about the consumer;
- request from the dealership a copy or summary of the consumer’s personal data; and
- request to opt out of the processing of the consumer’s personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. (“Selling” includes exchanging personal information for money and also exchanging for valuable consideration, which encompasses more than strictly monetary exchanges.)
Time to Respond to Requests
After it has authenticated the request, the dealership has forty-five (45) days from receipt of the consumer’s request to either fulfill or deny it (and may extend this period by another 45 days). If the consumer’s request is denied, the dealership must provide instructions for how to appeal the decision. The appeal process must be conspicuously available and similar to the process for submitting requests.
Authorized Agents
A consumer may designate another person to serve as their authorized agent and act on their behalf to submit opt-out requests. The dealership must comply with an authorized agent’s opt-out request as long as the dealership is able to properly verify the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf. Dealerships must provide a clear and conspicuous link on their website that allows the consumer, or an authorized agent of the consumer, to submit opt-out requests.
Oregon treats a consumer’s global device settings or controls (GPC) as a valid opt-out request from an authorized agent that dealerships must fulfill. This means dealerships’ websites must be able to respond to these universal opt-out signals accordingly.
Enforcement:
The Oregon Attorney General maintains exclusive authority to enforce the state’s personal data law and may seek an injunction against any business that violates the OCDPA, as well as levy a civil penalty of no more than $7,500 per violation.
Need Help?
ComplyAuto has built a solution to meet each of these comprehensive requirements and is backed by the industry’s only $1M compliance guarantee. If you are interested in achieving compliance with the OCDPA, please contact us at info@complyauto.com for more information.