Oregon Jurisdiction: Sale of Personal Data Criterion in the Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act (OCPA) utilizes the sale of personal data criterion as a key factor in determining the law's applicability. Specifically, this criterion applies to entities that derive a significant portion of their revenue from selling personal data, thereby extending the law's reach to businesses that monetize personal information.

Text of Relevant Provisions

OCPA Sec. 2(1)(b):

"(1) Sections 1 to 9 of this 2023 Act apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (b) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data."

Analysis of Provisions

• Threshold for Applicability: The provision establishes that the law applies to entities that handle the personal data of at least 25,000 consumers and derive at least 25% of their annual gross revenue from selling personal data. This dual threshold serves as a trigger for the law’s applicability, ensuring that only those entities with significant data monetization activities fall under the OCPA’s regulatory scope.
• "Selling Personal Data": The phrase emphasizes the commercial aspect of data processing activities. By focusing on entities that make a substantial portion of their revenue from selling personal data, the law targets businesses that are heavily invested in data monetization, reflecting a clear intent to regulate the most impactful players in the data economy.
• Revenue-Based Criterion: The revenue-based threshold of 25% is a material factor that differentiates this law from others that may apply more broadly. This criterion ensures that small businesses or those with minimal data sales activities may not be unnecessarily burdened by the law's requirements.
• Combined Criteria: The law applies only when both the data volume and revenue criteria are met. This limits the scope of the law to entities with a significant presence in the data market, balancing regulatory oversight with the need to avoid overreach.

Implications

• For Businesses Selling Personal Data: Entities operating in Oregon that derive significant revenue from selling personal data and process the data of a large number of consumers must comply with the OCPA. This includes adhering to all data protection obligations set forth in the law.
• Revenue Impact Considerations: Businesses must assess their revenue streams to determine whether 25% or more comes from selling personal data. This assessment is crucial for determining whether the OCPA applies to their operations.
• Operational Scope: Companies may need to implement or adjust compliance programs if they meet the threshold criteria. This might involve reassessing data processing practices, especially for those companies nearing the 25% revenue threshold.
• Limitation for Smaller Entities: The OCPA’s threshold effectively exempts smaller businesses or those with limited involvement in data sales from the law's scope. This targeted approach minimizes the regulatory burden on entities that do not significantly engage in the monetization of personal data.