Oregon Jurisdiction: Revenue-Based Applicability in the Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act (OCPA) uses a revenue-based applicability criterion to determine the scope of the law, particularly targeting businesses that derive a significant portion of their income from the sale of personal data.

Text of Relevant Provisions

OCPA Sec.2(1)(b):

"(1) Sections 1 to 9 of this 2023 Act apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (b) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data."

Analysis of Provisions

• OCPA Sec.2(1)(b) outlines the applicability of the Oregon Consumer Privacy Act by specifying that it applies to entities that both control or process the personal data of 25,000 or more consumers and derive at least 25% of their gross revenue from the sale of such data. This provision clearly ties the scope of the law to businesses that engage in significant data processing activities combined with data monetization.
• The threshold of 25,000 consumers ensures that the law targets businesses with a considerable reach within Oregon, ensuring that entities of substantial operational scale are held accountable. The revenue threshold of 25% directly ties the law's applicability to companies that rely heavily on the sale of personal data, thus focusing the law on those entities that pose the greatest risk to consumer privacy due to their business models.

Implications

• Businesses that meet these criteria must comply with the provisions of the OCPA, including requirements related to consumer rights, data security, and transparency. For example, a company that derives a significant portion of its revenue from targeted advertising or data brokerage would be directly affected by this law.
• The revenue-based applicability factor requires businesses to carefully assess their revenue streams and data processing practices to determine if they fall within the scope of the OCPA. This approach ensures that the law is appropriately targeted at companies where the sale of personal data is a central component of their revenue model, thereby aligning regulatory efforts with the level of risk to consumer privacy.