The Oregon Consumer Privacy Act (OCPA) incorporates exemptions for specific purposes of processing as a factor in determining the law's applicability. This factor significantly limits the scope of the law's application based on certain processing purposes, types of entities, and data categories.

Text of Relevant Provisions

OCPA Section 2(1)(a) states:

"The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction;"

OCPA Section 2(2)(i) states:

"Information processed or maintained solely in connection with, and for the purpose of, enabling: (A) An individual's employment or application for employment; (B) An individual's ownership of, or function as a director or officer of, a business entity; (C) An individual's contractual relationship with a business entity; (D) An individual's receipt of benefits from an employer, including benefits for the individual's dependents or beneficiaries; or (E) Notice of an emergency to persons that an individual specifies;"

Analysis of Provisions

The OCPA includes specific exemptions that limit its scope of application:

1. Payment Transactions: The law explicitly excludes "personal data controlled or processed solely for the purpose of completing a payment transaction" from the consumer count threshold. This means that if a company processes data for 100,000 consumers, but some of this data is used solely for payment transactions, those consumers are not counted towards the 100,000 threshold.
2. Employment-Related Data: The law exempts information processed for various employment-related purposes, including job applications, employment, and employee benefits. This provision recognizes the necessity of processing employee data without subjecting it to the full range of consumer data protection requirements.
3. Business Relationships: The exemption extends to data processed for an individual's ownership or function as a director or officer of a business entity, as well as contractual relationships with business entities.
4. Emergency Contact Information: Similar to other state laws, the OCPA exempts information used for "notice of an emergency to persons that an individual specifies".
5. Specific Entities and Data Types: The law also provides extensive exemptions for various types of entities (e.g., public corporations, financial institutions) and data categories (e.g., HIPAA-protected health information, FCRA-regulated credit information) that are already subject to other regulatory frameworks.

These exemptions reflect a nuanced approach to data protection, acknowledging that certain types of data processing are either necessary for basic operations, serve important safety purposes, or are already adequately regulated by other laws.

Implications

1. Threshold Calculations: When determining whether they meet the 100,000 or 25,000 consumer thresholds for OCPA applicability, businesses must carefully assess which consumer data falls under these exemptions. This may require detailed data mapping and categorization processes.
2. Employment and Business Relationship Data: Organizations can process a wide range of employment-related and business relationship data without being subject to the full requirements of the OCPA for this specific data. This is particularly relevant for businesses with a significant workforce or those dealing with numerous business partners.
3. Emergency Contacts: Organizations can maintain emergency contact information without being subject to the full requirements of the OCPA for this specific data.
4. Sector-Specific Exemptions: Certain sectors, such as healthcare providers, educational institutions, and financial services, may find significant portions of their data processing activities exempt from the OCPA due to the prevalence of other applicable regulations.
5. Partial Applicability: It's important to note that these exemptions are purpose-specific or entity-specific. If a company processes data for multiple purposes, including but not limited to those exempted, the law may still apply to the non-exempt processing activities.
6. Compliance Strategy: Businesses operating in Oregon need to develop a nuanced compliance strategy that accounts for these exemptions. This may involve segregating data processing activities based on their exempt or non-exempt status.
7. Burden of Proof: The law explicitly places the burden of demonstrating that processing qualifies for an exemption on the controller claiming the exemption. This requires businesses to maintain clear documentation and justification for their exempt processing activities.
8. Data Minimization and Security: Even for exempt processing, the law requires that the processing be limited to what is necessary for the exempt purpose and that appropriate security measures be implemented. This encourages a "privacy by design" approach even for exempt data processing activities.