On June 23, 2023, Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act (OCPA) into law. The OCPA took effect on July 1, 2024, granting Oregonians basic rights about how companies collect, use, and sell their data and imposing obligations on organizations that meet certain data-collection and sales thresholds.

 

Some provisions of the OCPA will not be enforced until July 1, 2025, and January 1, 2026.

 

Companies that are already complying with data privacy laws in Connecticut, Colorado, and Virginia—states the Oregon law is largely modeled on—should be well-positioned to comply with the OCPA, but it also has a few unique provisions that businesses should be aware of. Here’s what you need to know as you prepare your compliance strategy. 

 


What is the Oregon Consumer Privacy Act (OCPA)?

 

The OCPA represents four years of work from the Attorney General’s Consumer Privacy Task Force, a group of 150 consumer privacy experts and stakeholders from a variety of sectors who, according to the AG’s office, convened in June 2019 to “answer the growing call for comprehensive state consumer privacy legislation.” 

 

Four years later, that call was answered when the state legislature passed Senate Bill 619—better known as the Oregon Consumer Privacy Act. At the time, Attorney General Ellen F. Rosenblum called the OCPA “the best comprehensive consumer privacy law in the nation.”

 

Bloomberg Law and Husch Blackwell agree that the Oregon law is one of the strongest passed to date. Meanwhile, U.S. PIRG gives the OCPA a C- privacy law grade for how well it protects consumers, saying that much of the burden is on consumers to exercise their data rights rather than companies minimizing their data collection by default. On the plus side, U.S. PIRG says Oregon residents benefit from the inclusion of a universal opt-out mechanism. 

 

BSA puts the OCPA in the “Greater Substantive Protections” category—a step above baseline but a step below the California model, which experts still regard as being in a class of its own. 

 

Does the Oregon privacy law apply to you?

 

An individual or entity is subject to the OCPA if it: 

 

  1. Conducts business in Oregon or provides products or services to Oregon’s residents; and

  2. During a calendar year, controls or processes personal data of:

    • 100,000 or more consumers; or

    • 25,000 or more consumers and derives more than 25% of its gross revenue from personal data sales. 

Businesses satisfying these conditions are called “controllers” in the OCPA:

 

  • A controller, the law states, “determines the purpose and means for processing personal data.” 

  • A controller is distinguished from a “processor” under the law.

  • A processor (i.e., a vendor or service provider) can only process data at the request, and under the direction, of a controller. 

  • The OCPA requires controllers and processors to sign a contract governing their relationship. Processors are contractually bound by what controllers say they must—and may—do with consumer personal data. 

 

Husch Blackwell estimates that, given the OCPA’s 100,000 threshold and Oregon’s 4.24 million people, the law is expected to cover approximately 2.35% of Oregonians. 

 

OCPA scope and application

 

Like other privacy laws, the OCPA runs to 21 pages and is packed with legalese that was not written with business owners in mind. To simplify matters, below are some of the main requirements imposed on businesses subject to the Oregon privacy law: 

 

The OCPA applies to Oregonians’ “personal data” created online and at physical locations like stores. However, it does not exempt from protection “pseudonymous” data or data that does not contain a consumer’s name but is still easily linked to them, which is a notable departure from other state privacy laws. 


Oregon’s law contains heightened protections requiring affirmative “opt-in” consent for two special data categories, sensitive data and child data:

 

  • Unique to Oregon, the definition of sensitive data covers “transgender or nonbinary” status and “crime victim” status, as well as biometric, genetic, and geolocation data.

  • Opt-in consent is also required for targeted advertising, the sale of personal data, and profiling involving 13- to 15-year-olds. Controllers must additionally follow COPPA rules when processing the data of children younger than 13. 


The OCPA provides several data and entity-level exemptions, including: 

 

  • “Deidentified data” or data that is publicly available through government records or “widely distributed media”

  • Data of those engaged in “commercial activity” (i.e., operating a business)

  • Data already regulated by federal laws like HIPAA, the FCRA, the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act

  • Employee and employer data, including job applicant data

  • Financial institutions subject to the Oregon Bank Act

  • Some insurers, insurance producers, and insurance consultants

  • Federal, state, and local governments

  • Certain non-profits

 

An important date to monitor is January 1, 2026, when Oregon requires controllers to recognize universal opt-out mechanisms such as the Global Privacy Control.

 

Other obligations the OCPA places on controllers are:

 

  • Providing a clear and accessible privacy policy that lists the types of personal data they collect and process, the purposes for which they are collecting and processing that information, how to exercise consumer rights, and the controller’s contact info.

  • Obtaining consent to process data beyond the purposes specified in the privacy notice.

  • Limiting data collection only to what is “adequate, relevant, and reasonably necessary” to fulfill the purposes defined in the privacy policy.

  • Making sure deidentified data remains unidentified.

  • Conducting data privacy assessments for activities that present a “heightened risk of harm” to consumers, such as targeted advertising, selling consumer data, profiling that poses a risk of unfair treatment, and processing sensitive data. 

 

Controllers and processors can learn more about the OCPA's key terms and requirements at the Oregon DOJ’s Privacy Law FAQs for Business page. 

 

Consumer rights under the OCPA

 

Oregon is one of only a handful of states that will allow consumers to use a universal opt-out mechanism. However, this OCPA provision will not take effect until 2026. Oregon consumers have the right to opt out of data collection for targeted ads, profiling, and the sale of their personal data beginning on the law’s original effective date (July 1, 2024). 

 

Along with an opt-out right, consumers have these rights under the OCPA: 

 

  • The right to know whether controllers are processing their data, the categories of data being processed, and any third parties their data has been shared with. 

  • The right to obtain a copy of the personal data a controller has on them or is processing. 

  • The right to correct inaccuracies in a controller’s data files. 

  • The right to delete their personal data that a controller holds. 

  • The right to data portability or to have a copy of their personal data held by a controller provided to them in a portable, usable format. 

 

Another rule that sets the Oregon law apart from other privacy laws is that Oregon residents can obtain a list of specific third parties to which the controller has disclosed their data rather than just the categories of third parties. The Oregon AG explains that this allows consumers to effectively exercise their rights because they can “track their data downstream.” 

 

  • Consumers may exercise any of their rights by submitting a request to the controller using the method the controller specifies in their privacy notice. 

  • Accordingly, businesses must implement a process for responding to consumer requests for information, correction, deletion, opt-out, and data portability. 

 

The statutory deadline for controller responses to consumer requests is 45 days from the date the request is received. 

 

OCPA enforcement and penalties

 

Oregon does not have a private right of action. The OCPA is enforced solely by the Attorney General’s Office:

 

  • The AG must notify a controller of an alleged violation. 

  • The controller has 30 days, known as a “cure period,” to address the alleged violation. 

  • If the controller fails to fix the issue within 30 days, the AG can then seek a civil penalty of up to $7,500 per violation.

  • The right to cure sunsets on January 1, 2026. 

  • The AG has five years to bring a civil action against a controller. 

 

Notably, although the Oregon Attorney General has exclusive authority to enforce the OCPA and assess penalties, the AG has no rulemaking authority. 

 

How Didomi can help with the Oregon privacy law

 

If it feels as though changes to U.S. privacy laws are never-ending—and only getting harder to keep up with—it’s because they are. In 2018, just 2 state privacy bills were considered. Five years later, that number had grown to 59. 

 

Oregon was the twelfth state to pass a consumer data privacy bill. In 2023 alone, nine states enacted data privacy laws. The OCPA is one of four consumer privacy laws to go into effect in 2024. Five new laws will be enacted in 2025 and one more in 2026. Barely halfway into 2024, six additional states have enacted comprehensive data privacy laws. More states are expected to adopt laws as the data privacy revolution continues to sweep across the country. 

 

Keeping up with the pace and scope of these changes adds another layer of complexity—and risk—to your business. However, as Oregon officials pointed out when they passed the OCPA, they responded to consumer demand for greater data security. Forward-thinking companies can seize on this demand and turn their privacy management challenges into a business opportunity using a multi-regulation Consent Management Platform (CMP) that covers privacy laws and regimes in the U.S. and worldwide. 

 

Spend less time on consumer compliance and more time on customer success. Get in touch with the Didomi team to learn more. 

 


 

Oregon Consumer Privacy Act: Frequently Asked Questions (FAQs)

 

Are nonprofits subject to the OCPA?

The OCPA does not exempt most nonprofit organizations, but it does exempt nonprofits engaged in:

 

  • The detection and prevention of insurance-related fraud; and

  • Noncommercial activity connected with publications like newspapers, magazines, and newsletters; radio and television programming; and information services (e.g., a press association or wire service). 

 

Non-exempt nonprofits have an extra year—until July 1, 2025—to prepare for the OCPA. 

 

What is profiling? 

The OCPA defines “profiling” as the automated processing of personal data for the purpose of “evaluating, analyzing, or predicting an identified or identifiable consumer’s economic circumstances, health, personal preferences, interests, reliability, behavior, location or movements.”

 

Controllers must conduct data privacy assessments for profiling activities that could lead to unfair treatment of, disparate impact or injury on, or financial, physical, or reputational injury to a consumer. 

 

Consumers have the right to opt out of an entity profiling them to make decisions related to financial and lending services, housing, insurance, education, employment, criminal justice, healthcare services, and essential goods and services. 

 

Are there any special rules for data protection assessments? 

Controllers that perform data protection assessments must hold on to them for five years. The Oregon AG also has the right to request a data protection assessment from a controller that is relevant to an investigation. Processors must comply with a controller’s request to cooperate with an assessment. 

 

Can a business deny an Oregon consumer privacy rights request? 

Yes, but only for reasons related to the restriction of business activities. For example, businesses may deny a privacy rights request if it restricts their ability to respond to a security incident or comply with a different law. 

 

Consumers have the right to appeal a denied request, and the business must respond to the appeal within 45 days of receiving it. Sometimes, the response period can be extended by 45 days, but a consumer must be notified of this extension and receive an explanation for the delay. 

 

Is a controller allowed to charge consumers for a privacy rights request?

Controllers must provide information to consumers, free of charge, for the first request they make in a 12-month period. 

 

Subsequent consumer requests made within a 12-month period may be charged a “reasonable fee” to cover administrative costs unless the request is to confirm that the controller complied with a request to correct personal data inaccuracies or delete personal data from a previous request. 

 

Does the OCPA mention data brokers? 

The term “data broker” does not appear in the text of the OCPA, but brokers must register with the Oregon Department of Business and Consumer Services so that consumers can contact them to make an opt-out request.