USA - Oregon: Processing by Local Establishment
The Oregon Consumer Privacy Act (OCPA) uses the "Processing by Local Establishment" factor to determine its applicability to businesses operating in Oregon or providing services to Oregon residents.

## Text of Relevant Provision

OCPA Section 2(1) states:

"Sections 1 to 9 of this 2023 Act apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (a) The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person's annual gross revenue from selling personal data."

## Analysis of Provisions

The OCPA applies to entities based on two main criteria:

1. Local establishment or service provision:
   - Entities that "conduct business in this state"
   - Entities that "provide products or services to residents of this state"
2. Data processing thresholds:
   - Processing personal data of 100,000 or more consumers (excluding payment transaction data)
   - Processing personal data of 25,000 or more consumers while deriving 25% or more of annual gross revenue from selling personal data

The law uses a broad definition of local establishment, encompassing both physical presence ("conducts business in this state") and virtual presence ("provides products or services to residents of this state"). This approach ensures that the OCPA covers both traditional brick-and-mortar businesses and online services targeting Oregon residents.

The inclusion of thresholds for data processing volume and revenue derived from selling personal data aims to focus the law's application on entities handling significant amounts of consumer data or those whose business models rely heavily on data monetization.

## Implications

1. Broad applicability: The OCPA potentially applies to businesses without a physical presence in Oregon, as long as they provide products or services to Oregon residents and meet the data processing thresholds.
2. Threshold considerations: Companies must carefully monitor their data processing activities to determine if they meet the OCPA's thresholds, particularly if they are close to the 100,000 or 25,000 consumer limits.
3. Revenue assessment: Businesses deriving revenue from selling personal data need to calculate whether this revenue constitutes 25% or more of their annual gross revenue, as it affects the applicable threshold.
4. Exemption for payment transactions: The exclusion of personal data processed solely for payment transactions from the 100,000 consumer threshold provides some relief for businesses primarily engaged in financial transactions.
5. Compliance obligations: Entities meeting these criteria must ensure compliance with the OCPA's requirements, including implementing data protection measures and honoring consumer rights.
6. Cross-border considerations: Out-of-state businesses targeting Oregon consumers must be aware of their potential obligations under the OCPA, even if they don't have a physical presence in the state.