USA - Oregon: Offering Goods and Services to Data Subjects in Jurisdiction

The "Offering Goods and Services to Data Subjects in Jurisdiction" factor is used to determine the applicability of the Oregon Consumer Privacy Act (OCPA) to businesses that provide products or services to Oregon residents, even if they are not physically located in the state.

Text of Relevant Provision

OCPA Section 2(1) states:

"Sections 1 to 9 of this 2023 Act apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes:"

Analysis of Provisions

The OCPA's scope of applicability is defined by two main criteria:

The entity's connection to Oregon:
- Conducting business in the state, or
- Providing products or services to Oregon residents
The volume of personal data processed:
- "(a) The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or"
- "(b) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person's annual gross revenue from selling personal data."

The phrase "provides products or services to residents of this state" is crucial as it extends the law's reach beyond entities physically present in Oregon. This provision aims to protect Oregon residents' data regardless of where the business is located, as long as it targets Oregon consumers.

Implications

Extraterritorial application: Companies outside Oregon may be subject to the OCPA if they offer goods or services to Oregon residents and meet the data processing thresholds.
Online businesses: E-commerce platforms, digital service providers, and other online businesses targeting Oregon consumers could fall under the OCPA's jurisdiction, even without a physical presence in the state.
Threshold considerations: Businesses must carefully track the number of Oregon consumers whose data they process and their revenue from selling personal data to determine if they meet the OCPA's applicability thresholds.
Compliance requirements: Companies meeting these criteria must comply with the OCPA's provisions, including implementing data protection measures and honoring consumer rights.
Exemptions: The law provides numerous exemptions in Section 2(2), such as for certain types of health information, research activities, and financial institutions. Businesses should review these exemptions to determine if they apply to their operations.

By including this factor, the OCPA aims to ensure comprehensive protection for Oregon residents' personal data in an increasingly digital and globalized economy, where businesses can easily operate across state and national borders.

Jurisdiction Overview

USA - Oregon

🎯 Exemption for Specific Purposes of Processing 👮🏼 National Security and Law Enforcement Exemption Judicial Proceedings and Court Records Exemption 📍 Processing by Local Establishment 🏛️ Government and Public Agency Exemption 🏦 Central Bank and Financial Institutions Exclusion ⛑️ Nonprofit Organization Exemption 🛍️ Offering Goods and Services to Data Subjects in Jurisdiction 💵 Revenue-Based Applicability Sale of Personal Data Criterion ⚖️ Sectoral Exceptions Regulated by Other Laws 🧮 Number of Data Subjects 👴🏿 Benefit administration data 👇🏿 Statutory Requirement Processing Exception