USA - Oregon: Revenue-Based Applicability
Oregon Jurisdiction: Revenue-Based Applicability in the Oregon Consumer Privacy Act
The Oregon Consumer Privacy Act (OCPA) uses a revenue-based applicability criterion to determine the scope of the law, particularly targeting businesses that derive a significant portion of their income from the sale of personal data.
Text of Relevant Provisions
OCPA Sec.2(1)(b):
"(1) Sections 1 to 9 of this 2023 Act apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (b) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data."
Analysis of Provisions
- OCPA Sec.2(1)(b) outlines the applicability of the Oregon Consumer Privacy Act by specifying that it applies to entities that both control or process the personal data of 25,000 or more consumers and derive at least 25% of their gross revenue from the sale of such data. This provision clearly ties the scope of the law to businesses that engage in significant data processing activities combined with data monetization.
- The threshold of 25,000 consumers ensures that the law targets businesses with a considerable reach within Oregon, ensuring that entities of substantial operational scale are held accountable. The revenue threshold of 25% directly ties the law's applicability to companies that rely heavily on the sale of personal data, thus focusing the law on those entities that pose the greatest risk to consumer privacy due to their business models.
Implications
- Businesses that meet these criteria must comply with the provisions of the OCPA, including requirements related to consumer rights, data security, and transparency. For example, a company that derives a significant portion of its revenue from targeted advertising or data brokerage would be directly affected by this law.
- The revenue-based applicability factor requires businesses to carefully assess their revenue streams and data processing practices to determine if they fall within the scope of the OCPA. This approach ensures that the law is appropriately targeted at companies where the sale of personal data is a central component of their revenue model, thereby aligning regulatory efforts with the level of risk to consumer privacy.
Jurisdiction Overview
Gavel Factors: (14)
🎯 Exemption for Specific Purposes of Processing👮🏼 National Security and Law Enforcement Exemption Judicial Proceedings and Court Records Exemption 📍 Processing by Local Establishment🏛️ Government and Public Agency Exemption🏦 Central Bank and Financial Institutions Exclusion⛑️ Nonprofit Organization Exemption🛍️ Offering Goods and Services to Data Subjects in Jurisdiction💵 Revenue-Based Applicability Sale of Personal Data Criterion⚖️ Sectoral Exceptions Regulated by Other Laws🧮 Number of Data Subjects👴🏿 Benefit administration data👇🏿 Statutory Requirement Processing Exception