USA - Oregon: Sectoral Exceptions Regulated by Other Laws
Sectoral exceptions in the Oregon Consumer Privacy Act (OCPA) aim to prevent duplicative regulation by exempting entities and data types already governed by stringent federal or sectoral laws. This ensures that industries such as healthcare, finance, and education are not overburdened with overlapping compliance requirements.
Text of Relevant Provisions
Oregon CDPA Sec.2(2)(k)(C)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (k) Information collected, processed, sold or disclosed under and in accordance with the following federal laws, all as in effect on the effective date of this 2023 Act: (C) The Family Educational Rights and Privacy Act, 20 U.S.C. 1232g and regulations adopted to implement that Act;"
Oregon CDPA Sec.2(2)(d)(D)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (d) Information that identifies a consumer in connection with: (D) Research conducted in accordance with the requirements set forth in subparagraphs (A) to (C) of this paragraph or otherwise in accordance with applicable law;"
Oregon CDPA Sec.2(2)(d)(C)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (d) Information that identifies a consumer in connection with: (C) Activities that are subject to the protections provided in 21 C.F.R. parts 50 and 56, as in effect on the effective date of this 2023 Act;"
Oregon CDPA Sec.2(2)(j)(A)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (j) Any activity that involves collecting, maintaining, disclosing, selling, communicating or using information for the purpose of evaluating a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living if done strictly in accordance with the provisions of the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., as in effect on the effective date of this 2023 Act, by: (A) A consumer reporting agency, as defined in 15 U.S.C. 1681a(f), as in effect on the effective date of this 2023 Act;"
Oregon CDPA Sec.2(2)(L)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (L) A financial institution, as defined in ORS 706.008, or a financial institution’s affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k), as in effect on the effective date of this 2023 Act;"
Oregon CDPA Sec.2(2)(m)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (m) Information that originates from, or is intermingled so as to be indistinguishable from, information described in paragraph (k)(A) of this subsection and that a licensee, as defined in ORS 725.010, collects, processes, uses or maintains in the same manner as is required under the laws and regulations specified in paragraph (k)(A) of this subsection;"
Oregon CDPA Sec.2(2)(k)(B)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (k) Information collected, processed, sold or disclosed under and in accordance with the following federal laws, all as in effect on the effective date of this 2023 Act: (B) The Driver’s Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq.;"
Oregon CDPA Sec.2(2)(k)(D)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (k) Information collected, processed, sold or disclosed under and in accordance with the following federal laws, all as in effect on the effective date of this 2023 Act: (D) The Airline Deregulation Act, P.L. 95-504, only to the extent that an air carrier collects information related to prices, routes or services and only to the extent that the provisions of the Airline Deregulation Act preempt sections 1 to 9 of this 2023 Act;"
Oregon CDPA Sec.2(2)(k)(A)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (k) Information collected, processed, sold or disclosed under and in accordance with the following federal laws, all as in effect on the effective date of this 2023 Act: (A) The Gramm-Leach-Bliley Act, P.L. 106-102, and regulations adopted to implement that Act;"
Oregon CDPA Sec.2(2)(j)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (j) Any activity that involves collecting, maintaining, disclosing, selling, communicating or using information for the purpose of evaluating a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living if done strictly in accordance with the provisions of the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., as in effect on the effective date of this 2023 Act, by: (A) A consumer reporting agency, as defined in 15 U.S.C. 1681a(f), as in effect on the effective date of this 2023 Act; (B) A person who furnishes information to a consumer reporting agency under 15 U.S.C. 1681s-2, as in effect on the effective date of this 2023 Act; or (C) A person who uses a consumer report as provided in 15 U.S.C. 1681b(a)(3);"
Oregon CDPA Sec.2(2)(h)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (h) Information that originates from, or that is intermingled so as to be indistinguishable from, information described in paragraphs (b) to (g) of this subsection that a covered entity or business associate, or a program of a qualified service organization, as defined in 42 C.F.R. 2.11, as in effect on the effective date of this 2023 Act, creates, collects, processes, uses or maintains in the same manner as is required under the laws, regulations and guidelines described in paragraphs (b) to (g) of this subsection;"
Oregon CDPA Sec.2(2)(a)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (a) A public corporation, including the Oregon Health and Science University and the Oregon State Bar, or a public body, as defined in ORS 174.109;"
Oregon CDPA Sec.2(2)(b)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (b) Protected health information that a covered entity or business associate processes in accordance with, or documents that a covered entity or business associate creates for the purpose of complying with, the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, and regulations promulgated under the Act, as in effect on the effective date of this 2023 Act;"
Oregon CDPA Sec.2(2)(c)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (c) Information used only for public health activities and purposes described in 45 C.F.R. 164.512, as in effect on the effective date of this 2023 Act;"
Oregon CDPA Sec.2(2)(d)(A)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (d) Information that identifies a consumer in connection with: (A) Activities that are subject to the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. part 46 and in various other federal regulations, as in effect on the effective date of this 2023 Act;"
Oregon CDPA Sec.2(2)(d)(B)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (d) Information that identifies a consumer in connection with: (B) Research on human subjects undertaken in accordance with good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;"
Oregon CDPA Sec.2(2)(e)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (e) Patient identifying information, as defined in 42 C.F.R. 2.11, as in effect on the effective date of this 2023 Act, that is collected and processed in accordance with 42 C.F.R. part 2;"
Oregon CDPA Sec.2(2)(g)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (g) Information and documents created for the purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq., and implementing regulations, both as in effect on the effective date of this 2023 Act;"
Oregon CDPA Sec.2(2)(f)
"(2) Sections 1 to 9 of this 2023 Act do not apply to: (f) Patient safety work product, as defined in 42 C.F.R. 3.20, as in effect on the effective date of this 2023 Act, that is created for purposes of improving patient safety under 42 C.F.R. part 3;"
Analysis of Provisions
The Oregon Consumer Privacy Act (OCPA) sets out specific exemptions for entities and data already covered by sector-specific regulations that govern personal data protection and processing. These exemptions keep entities that are already subject to stringent federal regulations from also having to comply with overlapping state law, which would otherwise create duplicative compliance burdens.
Education (Oregon CDPA Sec.2(2)(k)(C))
The exemption for data regulated by the Family Educational Rights and Privacy Act (FERPA) recognizes the robust protections FERPA already provides for student education records. This ensures educational institutions comply with FERPA without additional state-level requirements.
Research and Clinical Practices (Oregon CDPA Sec.2(2)(d)(D) and Sec.2(2)(d)(C))
Exempting data used in research conducted under federal guidelines, such as 21 C.F.R. parts 50 and 56, ensures that research entities follow established federal protocols for human subjects' protection, which are designed to safeguard the privacy and ethical treatment of research participants.
Consumer Credit (Oregon CDPA Sec.2(2)(j)(A))
Activities conducted in compliance with the Fair Credit Reporting Act (FCRA) are exempt, acknowledging that FCRA already imposes comprehensive requirements on consumer reporting agencies and users of consumer credit data to protect consumer information and ensure its accuracy.
Financial Institutions (Oregon CDPA Sec.2(2)(L) and Sec.2(2)(k)(A))
Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA) are exempt, as GLBA provides extensive data protection requirements for financial data, ensuring consumers' financial information is securely handled and disclosed.
Health Information (Oregon CDPA Sec.2(2)(b) and Sec.2(2)(e))
Protected health information governed by HIPAA is exempt to avoid conflicts with HIPAA's stringent privacy and security rules. This ensures that healthcare providers and their business associates adhere to a consistent federal standard for handling health data.
Public Health (Oregon CDPA Sec.2(2)(c))
Exempting information used solely for public health activities under 45 C.F.R. 164.512 ensures that public health authorities can collect and use health data for vital public health purposes without additional state-imposed restrictions.
Insurance (Oregon CDPA Sec.2(2)(n), Sec.2(2)(o), Sec.2(2)(r), and Sec.2(2)(q))
Insurance-related data exemptions acknowledge the existing comprehensive regulatory framework governing insurers, insurance producers, and related entities, ensuring these entities comply with sector-specific privacy and data protection laws without additional state-level regulations.
Implications
For Financial Institutions
- Streamlined Compliance: Allows financial institutions to focus on GLBA compliance without additional state regulations.
- Operational Efficiency: Reduces the administrative burden of complying with multiple regulatory frameworks.
For Healthcare Providers
- Unified Regulatory Framework: Ensures consistent application of HIPAA standards across state and federal levels.
- Reduced Compliance Costs: Eliminates the need to navigate multiple, potentially conflicting, regulatory requirements.
For Educational Institutions
- FERPA Compliance: Ensures educational institutions continue to follow FERPA without added state-level mandates.
- Clear Data Handling Standards: Maintains clarity in data protection responsibilities, avoiding duplication of regulatory efforts.
For Research Entities
- Consistent Ethical Standards: Ensures research involving human subjects adheres to established federal ethical guidelines.
- Facilitates Research Activities: Avoids additional regulatory burdens, allowing research to proceed efficiently under federal standards.
For Consumer Reporting Agencies
- Adherence to FCRA: Ensures compliance with FCRA without conflicting state requirements.
- Focus on Federal Standards: Provides a clear, unified framework for consumer credit information protection.
These sectoral exemptions provide clarity and efficiency in regulatory compliance, enabling entities to focus on adhering to comprehensive federal standards without the added complexity of state-specific requirements. This approach benefits both the entities involved and the consumers whose data is being protected.