USA - Oregon: Number of Data Subjects

Applicability of Oregon Consumer Privacy Act Based on Number of Data Subjects

The factor "Number of Data Subjects" is explicitly used in the Oregon Consumer Privacy Act (OCPA) to determine the scope of the law's applicability. This factor establishes thresholds for the number of consumers whose personal data is controlled or processed, impacting whether a business is subject to the OCPA regulations.

Text of Relevant Provisions

Referenced Provision(s):

"Oregon CDPA Sec.2(1) Sections 1 to 9 of this 2023 Act apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (a) The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data."


Analysis of Provisions

The Oregon Consumer Privacy Act (OCPA) uses specific thresholds to determine the applicability of its provisions based on the number of data subjects whose personal data is controlled or processed by a business.

Breakdown and Explanation:

  • Oregon CDPA Sec.2(1)(a):
    • "The personal data of 100,000 or more consumers": This clause sets a threshold that requires a business to control or process personal data for at least 100,000 consumers within a calendar year to be subject to the OCPA.
    • "other than personal data controlled or processed solely for the purpose of completing a payment transaction": This exclusion ensures that routine payment processing activities do not count towards the 100,000-consumer threshold. This delineates the scope to more substantive data processing activities rather than transactional data handling.
  • Oregon CDPA Sec.2(1)(b):
    • "The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data": This provision applies to businesses that control or process the personal data of at least 25,000 consumers if they also derive a significant portion (25 percent or more) of their gross revenue from selling personal data. This dual criterion captures entities with substantial data processing activities and a business model reliant on data sales.

Implications

Implications for Business:

  • Scope Limitation: The OCPA’s applicability thresholds exclude smaller businesses that do not meet the 100,000 or 25,000 consumer thresholds, focusing regulatory efforts on larger entities or those heavily involved in data trading.
  • Targeted Compliance: Companies approaching or exceeding these thresholds must invest in compliance infrastructure to align with the OCPA requirements. This includes implementing robust data protection practices, consumer rights management, and transparent data handling procedures.
  • Revenue Model Consideration: Businesses deriving substantial revenue from the sale of personal data (25 percent or more of gross revenue) are specifically targeted by Sec.2(1)(b). This means that even smaller entities with a heavy reliance on data sales must comply with the OCPA if they meet the 25,000-consumer threshold.
  • Exclusion of Payment Data: By excluding data processed solely for payment transactions, the OCPA narrows its focus to data processing activities that have broader privacy implications, ensuring that transactional data handling does not inadvertently trigger compliance requirements.

Examples:

  • Applicable: A large online retailer operating in Oregon that processes personal data of 120,000 consumers annually is subject to the OCPA.
  • Not Applicable: A small local service provider processing data for 15,000 consumers annually without significant revenue from data sales remains outside the scope of the OCPA.

These thresholds ensure that the law targets entities with significant data processing activities or business models heavily dependent on data, thereby focusing regulatory oversight where it is most needed.

