The Oregon Consumer Privacy Act (OCPA) employs a financial institution exemption to limit its scope of applicability, excluding certain financial entities from the law's requirements.

Text of Relevant Provisions

OCPA Sec.2(2)(L):

"(2) Sections 1 to 9 of this 2023 Act do not apply to: (L) A financial institution, as defined in ORS 706.008, or a financial institution's affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k), as in effect on the effective date of this 2023 Act;"

Analysis of Provisions

The OCPA explicitly exempts financial institutions and their affiliates or subsidiaries from its scope. This exemption applies to:

1. "A financial institution, as defined in ORS 706.008": This refers to the definition provided in Oregon's banking laws, which likely includes banks, credit unions, and other regulated financial entities.
2. "A financial institution's affiliate or subsidiary": The exemption extends to companies related to financial institutions, but only if they meet a specific criterion.
3. "Only and directly engaged in financial activities": This phrase is crucial as it limits the exemption to affiliates and subsidiaries that exclusively perform financial activities. The law references 12 U.S.C. 1843(k) for the definition of these activities, which typically includes lending, insurance underwriting, and securities dealing.

The rationale behind this exemption is likely twofold:

1. Financial institutions are already subject to stringent regulatory frameworks, including federal laws like the Gramm-Leach-Bliley Act, which address data privacy and security.
2. Lawmakers aim to avoid regulatory overlap and potential conflicts between state and federal requirements for financial entities.

Implications

This exemption has significant implications for businesses operating in Oregon:

1. Financial institutions and their qualifying affiliates/subsidiaries are relieved from complying with OCPA's requirements, potentially reducing their regulatory burden.
2. However, the exemption is narrow for affiliates and subsidiaries. If they engage in any non-financial activities, they may still fall under OCPA's purview.
3. Companies that partner with financial institutions but are not affiliates or subsidiaries (e.g., fintech startups) would likely still be subject to OCPA if they meet the law's general applicability thresholds.
4. Businesses must carefully assess their activities to determine if they qualify for this exemption. Those straddling financial and non-financial services may need to segment their operations to benefit from the exemption partially.
5. The reference to federal law (12 U.S.C. 1843(k)) means that changes in federal definitions of financial activities could impact the scope of this exemption over time.