In a continuing trend, the Oregon legislature has passed its own privacy law, further extending the reach of data protection rules in the United States. The new law is based closely on the Virginia model, but also deviates in some important ways. Most notably, the Oregon law applies to nonprofit organizations as well as for-profit businesses.
Here are the essential facts organizations should know about the Oregon Consumer Privacy Act (OCPA).
For businesses, the Oregon Consumer Privacy Act will go into effect on July 1, 2024.
Nonprofits are given a little more time—they must be in compliance by July 1, 2025.
The OCPA applies to any person (including nonprofit organizations) that does business in the state or offers its products or services to Oregon residents AND meets at least one of these two conditions:
Organizations covered by the OCPA must extend the following privacy rights to Oregonians:
As with other state laws, the OCPA defines “personal data” quite broadly. It means:
Data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.
An interesting addition not found in other state privacy laws so far is the language about devices: if data is linkable to a specific device (such as a cell phone or smart TV) that is itself linkable to an individual or household, it is considered personal data. Such data is likely already covered by other laws, but Oregon lawmakers appear to have intended to close any potential loopholes.
Yes, the Oregon Consumer Privacy Act does require organizations to perform data protection assessments for certain types of processing activities that are deemed to present a heightened risk of harm to consumers. An assessment is required for:
In a data protection assessment, organizations are required to provide detailed information about a particular processing activity, and weigh the benefits it provides against the risks to consumers. These assessments are internal documents that are not made public, but must be made available to the Oregon Attorney General’s Office upon request.
Courts may impose fines of up to $7,500 per violation per consumer. Additionally, the Oregon Attorney General’s Office can recover attorney fees and other costs related to the investigation.
The OCPA does not grant a private right of action to consumers, meaning they cannot sue over alleged violations. Only the state attorney general can enforce the law.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.