The key provisions of the Oregon Consumer Privacy Act (the OCPA) will take effect on July 1, 2024, and the Oregon Department of Justice published two FAQs: one for consumers and one for businesses.

The OCPA provides Oregonians with a number of important privacy rights with regard to their data, and sets forth specific obligations for organizations, including nonprofits. Oregon’s Attorney General (AG) will enforce the OCPA, which has a five-year statute of limitations, and can seek up to $7,500 per violation or other equitable relief. Organizations notified by the AG of noncompliance will have 30 days to cure violations, though the cure period will expire in 2026.

Who does the OCPA apply to?

The OCPA applies to any organization that conducts business in Oregon, or that provides products or services to residents of Oregon, and, during a calendar year, processes either:

  • The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • The personal data of 25,000 or more consumers, while deriving 25 percent or more of the organization’s annual gross revenue from selling personal data.

Unlike other U.S. data privacy laws, this one includes an exception for nonprofit organizations that expires July 1, 2025. The OCPA has several other exceptions, which are notably more narrow for highly regulated businesses than those in other state privacy laws. The exceptions include: (1) employee data, (2) business-to-business data, (3) public entities, (4) insurers, (5) financial institutions subject to the Oregon Bank Act, (6) Protected Health Information subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), (7) data subject to Gramm-Leach-Bliley Act (GLBA), and (8) data subject to the Fair Credit Reporting Act (FCRA).

What consumer rights does the OCPA specify?

The OCPA restates many consumer rights cited in other U.S. data privacy laws, such as the:

  • Right to Know: Consumers have the right to know that an organization is processing or has processed their personal data; the categories of such personal data; and the specific third parties to whom data has been disclosed. Consumers can also obtain a copy of all such personal data.
  • Right to Correct: Consumers have the right to correct inaccuracies in their personal data.
  • Right to Delete: Consumers have the right to delete their personal data, including data the organization obtained or derived from another source.
  • Right to Opt-Out: Consumers have the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling in furtherance of decisions that produce legal or similarly significant effects. Also note that starting January 1, 2026, the OCPA requires those subject to the law to honor universal opt-out signals from consumers (the Global Privacy Control) for any sale of personal data or targeted advertising.
  • Right to Data Portability: Consumers have the right to obtain a portable and readily usable copy of their personal data.
  • Right of Non-Discrimination: The OCPA prohibits organizations from discriminating against consumers for exercising their rights; and
  • Right to Opt In to the Collection and Use of Sensitive Data. The OCPA requires opt-in consent for any processing of sensitive data, which is defined broadly as (1) data that reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime, or citizenship or immigration status; (2) data belonging to a child under the age of 13; (3) specified precise geolocation data; and (4) genetic or biometric data.
  • Rights for Children and Teens. Opt-in consent is required before engaging in targeted advertising, profiling, or sale of personal data related to an individual between the ages of 13 and 15, and organizations must comply with the Children’s Online Privacy Protection Act (COPPA) to process children’s data.

What else should organizations consider under the OCPA?

The OCPA imposes the following obligations on organizations, or “controllers”:

  • Comprehensive Privacy Notice. Organizations must provide consumers with a comprehensive privacy notice that includes:
    • The categories of personal data processed
    • The purposes for processing personal data, including description of any targeted advertising, sales, and/or profiling
    • The categories of personal data shared with third parties
    • The categories of third parties that receive such data
    • Information on exercising consumers’ rights
    • The organization’s contact information
  • Purpose Limitation. Organizations must limit the collection of personal data to data that is adequate, relevant, and reasonably necessary to serve the purposes specified in their privacy notice.
  • Security. Organizations must implement and maintain reasonable security safeguards to protect the confidentiality, integrity, and accessibility of the personal data.
  • Consent. Organizations must obtain prior consent for:
    • The processing of sensitive data, as described above;
    • Secondary uses of personal data, or for purposes that are not reasonably necessary for and compatible with the purposes the organization specified in its privacy notice; and
    • Targeted advertising, profiling, or sale of personal data of an individual between the ages of 13 and 15, as described above.

Consumers must have the ability to revoke such consent, which would require the organization to stop such processing within 15 days.

  • Data Protection Risk Assessments. Organizations must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including the processing of sensitive data and targeted advertising, sales, and profiling, if the profiling presents a reasonably foreseeable risk of substantial injury to consumers.
  • Agreements with Processors. The OCPA requires organizations to have contracts in place with data processors that specify how the processor will process personal data on the organization’s behalf. Such processors must assist organizations in meeting their obligations.

This article summarizes aspects of the law and does not constitute legal advice. For legal advice for your situation, you should contact an attorney.

Sign up

Ideas & Insights