Applicability of the Oregon Consumer Privacy Act to Nonprofit Organizations

The Nonprofit Organization Exemption under the Oregon Consumer Privacy Act (OCPA) is used to limit the scope of the law's applicability by exempting certain nonprofit entities and activities from the data protection obligations imposed by the Act. The OCPA specifically excludes nonprofit organizations engaged in particular activities, which narrows the law's coverage.

Text of Relevant Provisions

Oregon CDPA Sec.2(2)(r):

"(2) Sections 1 to 9 of this 2023 Act do not apply to: (r) A nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance;"

Oregon CDPA Sec.2(2)(s)(B):

"(2) Sections 1 to 9 of this 2023 Act do not apply to: (s) Noncommercial activity of: (B) A radio or television station that holds a license issued by the Federal Communications Commission;"

Oregon CDPA Sec.2(2)(s)(C):

"(2) Sections 1 to 9 of this 2023 Act do not apply to: (s) Noncommercial activity of: (C) A nonprofit organization that provides programming to radio or television networks;"

Oregon CDPA Sec.2(2)(s)(D):

"(2) Sections 1 to 9 of this 2023 Act do not apply to: (s) Noncommercial activity of: (D) An entity that provides an information service, including a press association or wire service."

Analysis of Provisions

The OCPA includes multiple exemptions for nonprofit organizations, but these are limited to specific types of activities or organizational purposes:

1. Oregon CDPA Sec.2(2)(r) provides an exemption for "a nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance." This exemption is narrowly tailored to nonprofit entities that focus on fraud prevention in the insurance sector, recognizing their unique role and potentially different data handling practices compared to commercial entities.
2. Oregon CDPA Sec.2(2)(s)(B) exempts "noncommercial activity of a radio or television station that holds a license issued by the Federal Communications Commission." This exemption likely reflects the public interest in allowing licensed broadcasters to operate without the additional regulatory burden imposed by the OCPA, especially when they engage in noncommercial activities.
3. Oregon CDPA Sec.2(2)(s)(C) further exempts "noncommercial activity of a nonprofit organization that provides programming to radio or television networks." This provision similarly aims to protect nonprofit media organizations that contribute to public broadcasting from the full scope of the OCPA, as these entities often operate with different objectives and resources than commercial businesses.
4. Oregon CDPA Sec.2(2)(s)(D) extends the exemption to "noncommercial activity of an entity that provides an information service, including a press association or wire service." This exemption recognizes the vital role that press associations and wire services play in the dissemination of information and ensures that their noncommercial activities are not hindered by the OCPA's requirements.

These provisions collectively illustrate that the OCPA's nonprofit exemptions are not blanket exemptions but are instead specific to certain types of nonprofit organizations and activities. The law's drafters appear to have considered the particular functions and societal roles of these organizations in deciding to exclude them from the Act's applicability.

Implications

For nonprofit organizations in Oregon, these exemptions mean that if they fall under one of the specified categories, they are not subject to the OCPA's data protection obligations. This can significantly reduce compliance burdens for these organizations, particularly those involved in media, information services, or fraud prevention in the insurance industry. However, nonprofit organizations not covered by these specific exemptions would still need to comply with the OCPA if they meet the general applicability thresholds.