If your company does business in Oregon, get ready to comply with a new data privacy law.
In this guide, learn all about the new privacy law in Oregon, including its business obligations, consumer rights, penalties for violating the law, and more.
- What Is the Oregon Consumer Privacy Act (OCPA)?
- OCPA Key Terms and Definitions
- What Does the Oregon Consumer Privacy Act Cover?
- Requirements of the Oregon Consumer Privacy Act
- Oregon’s Data Privacy Law vs. Other States: Similarities and Differences
- How Will Consumers Be Impacted by the OCPA?
- Who Does the OCPA Apply To?
- How Will Businesses Be Impacted by the OCPA?
- Who Must Comply With Oregon’s New Data Privacy Law?
- How Can Businesses Prepare for the OCPA?
- How Will the OCPA Be Enforced?
- Fines and Penalties Under the Oregon Consumer Privacy Act
- How Will Termly Help with OCPA Compliance?
- Are There Other Privacy Related Laws in Oregon?
What Is the Oregon Consumer Privacy Act (OCPA)?
Originally introduced as Senate Bill 619 (SB 619), the Oregon Consumer Privacy Act (OCPA) is a new law passed in the U.S. state of Oregon.
It describes obligations for persons who collect and process personal information about Oregon consumers and grants those consumers rights and control over how that data gets used.
The OCPA also outlines penalties for entities that violate any portion of the law.
OCPA Effective Date
Most portions of the OCPA will enter into force on July 1, 2024. However, the stipulations regarding nonprofit organizations enter into force on July 1, 2025.
The requirement for entities to honor and recognize opt-out preference signals via user’s browsers becomes enforceable on January 1, 2026.
On this same date, the OCPA 30-day cure period ends.
OCPA Key Terms and Definitions
To comply with the OCPA, you must understand some key terms used throughout the law.
To help simplify your compliance process, I’ve included the relevant definitions exactly as they appear in Section 1 of Oregon’s new data privacy law for you below:
What Does the Oregon Consumer Privacy Act Cover?
Oregon’s new data privacy law covers the personal information of natural persons who reside in the state, except for anyone acting in a commercial or employment context.
A natural person in a legal context refers to a living human, regardless of citizenship status.
Requirements of the Oregon Consumer Privacy Act
The OCPA outlines several legal requirements all entities under the law must comply with, which I will outline in more detail in this next section.
Legal Basis for Processing Personal Information
Under Section 5 of the OCPA, entities can only process personal information that is “adequate, relevant, and reasonably necessary” for the purposes described in their privacy notice.
However, nothing in the act prohibits controllers or processors from:
- Preventing, detecting, responding to, and investigating cybersecurity threats, like identity theft, fraud, harassment, or other illegal activities
- Identifying technical errors within information systems that impair functionality
- Conducting internal research to develop new services or technology
- Investigating, establishing, initiating, or defending legal claims
- Performing internal operations that are reasonably aligned with consumers’ expectations, which the consumer may anticipate based on their existing relationship with the controller
It also doesn’t prohibit controllers or processors from complying with state or federal laws.
To process personal data that falls outside the scope of what is considered reasonably necessary, entities must obtain active, opt-in consent from consumers.
The same consent guidelines apply if you want to collect and process any sensitive information.
The OCPA clearly describes what is and is not consent in Section 1 of the law:
- The consumer needs to provide a clear, affirmative action
- The consent must be unambiguous and informed
- The consent mechanism cannot obscure, subvert, or impair their decision-making
- You must provide an easy, similar way to withdraw their consent at any time
Inaction by the consumer does not constitute consent.
You also must obtain active consent from a parent or legal guardian to process data about children under the age of thirteen, including for targeted advertising or the sale of their information. If you have actual knowledge that, or willfully disregard whether, a consumer is between 13 and 15 years old, you also need that consumer’s consent before processing their data for targeted advertising or selling it.
Personal Data and Security Obligations
Another requirement outlined by the OCPA involves adequately protecting the integrity, confidentiality, and security of the collected personal data, as described in Section 5, Part 1 (c).
Specifically, data controllers under this law must establish, implement, and maintain security practices that meet the standards described in Oregon Revised Statutes Chapter 646A.622.
That statute outlines the administrative, technical, and physical safeguards you should apply to consumer personal information to keep it safe from unauthorized access or breaches.
Contractual Obligations With Third-Party Processors
Data controllers and processors must enter legal contracts with specific guidelines and clauses.
The law explains that nothing in Section 6 relieves the controller or processor from liabilities arising under Sections 1 through 9 of the OCPA.
Data Protection Assessments
You must perform a Data Protection Assessment before conducting any data processing activity that presents a heightened risk to consumers, as explained in Section 8 of the OCPA.
According to the law, all of the following present that heightened risk:
- Processing data for targeted advertising
- Processing sensitive data
- Selling personal data
- Using personal data for profiling that presents reasonably foreseeable risks such as unfair or deceptive treatment, financial, physical, or reputational injury to consumers, or intrusion on their privacy
You can use a single data protection assessment if the activities present similar levels of risk of harm to consumers.
It should identify and weigh how processing data may benefit the controller, consumer, other stakeholders, and the public against the possible risks to the consumer.
It should also consider:
- Any security measures or safeguards in place
- How deidentified data may reduce the risks
- The reasonable expectations of the consumers
- The context in which you process the data
- The relationship between the controller and the consumers whose personal data the controller will process
Recognition of Universal Opt-Out Mechanisms
Entities under the OCPA need to recognize browser extensions and global privacy device settings as a consumer’s designated, authorized agent for exercising their opt-out rights, as explained in Section 4, Part 4 of the law.
Universal opt-out mechanisms like Global Privacy Control (GPC) let consumers communicate opt-out preferences automatically through their browsers: the browser sends a Sec-GPC: 1 request header with every request and exposes the same setting to page scripts as navigator.globalPrivacyControl.
As long as it is commercially feasible, this technology must be honored.
Even though most of the OCPA enters into force in 2024, this part of the law becomes enforceable on January 1, 2026.
Oregon’s Data Privacy Law vs. Other States: Similarities and Differences
The OCPA is among the following U.S. state data privacy laws in force or recently passed:
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
- Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
- Tennessee Information Protection Act (TIPA) — effective July 1, 2025
- Texas Data Privacy And Security Act (TDPSA) — effective July 1, 2024
- Utah Consumer Privacy Act (UCPA) — currently in force
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
You can compare these laws to the OCPA on the following points:
- Opt-in consent for certain types of data processing
- Opt-out consent for certain types of data processing
- Whether Data Protection Assessments are required
- Whether contractual obligations with third-party processors are outlined
- Whether civil lawsuits or a private right of action are allowed
- Whether Global Privacy Control signals and browser privacy settings must be honored
How Will Consumers Be Impacted by the OCPA?
Under the OCPA, consumers have new rights and control over how entities process and use their personal information.
According to Section 3 of the text, consumers may:
- Confirm whether a controller is processing or has processed personal data about them, and learn the categories of data involved
- Obtain a list of the specific third parties to which the controller has disclosed their personal data
- Obtain a copy of the personal data the controller has processed or is processing
- Correct inaccuracies in their personal data
- Require a controller to delete their personal data, including data the consumer provided and data the controller obtained from another source
- Opt out of targeted advertising, the sale of their data, or profiling in furtherance of decisions that produce legal or similarly significant effects
Who Does the OCPA Apply To?
The OCPA applies to natural persons who reside in Oregon and act in an individual or household context.
It does not apply to individuals acting in a commercial or employment context, such as employees or business contacts.
How Will Businesses Be Impacted by the OCPA?
Oregon’s new consumer privacy law impacts businesses in several ways beyond the security requirements, contractual obligations, and privacy assessment standards previously mentioned.
According to Section 5, Part 4 of the Oregon Consumer Privacy Act, controllers must present consumers with a “reasonably accessible, clear and meaningful privacy notice” that includes specific information:
- A list of the categories of personal data, including any sensitive data processed
- A description of the controller’s purposes for processing the information
- An explanation of how consumers can exercise their rights and how to appeal a controller’s denial of those requests
- A list of all categories of personal data shared with third parties, including sensitive data
- Description of the categories of third parties you share personal data with
- An active email address or online method that consumers can use to contact the controller
- Any business name under which the controller is registered with the Secretary of State, as well as any assumed business names the controller uses in the state
- A description of any processing of personal data for targeted advertising or for profiling in furtherance of decisions that produce legal or similarly significant effects, along with how a consumer may opt out of it
- A description of the method or methods established by the controller for consumers to submit requests to exercise their rights
Under the OCPA, consumers have the right to opt out of both of those uses of their data.
Who Must Comply With Oregon’s New Data Privacy Law?
According to Section 2(1) of the OCPA, you must comply with this law if you conduct business in Oregon or provide products or services to residents of the state and, within a calendar year, either:
- Control or process the personal data of 100,000 or more consumers, excluding data controlled or processed solely to complete a payment transaction
- Control or process the personal data of 25,000 or more consumers while deriving 25% or more of your gross annual revenue from selling personal data
Who Is Exempt From the OCPA?
The only nonprofit organizations exempt from the OCPA are those established to detect and prevent fraudulent acts in connection with insurance and those that provide programming to radio or television networks. The law also exempts the noncommercial activity of:
- Radio or television stations that hold an FCC license
- Entities that provide an information service, such as a press association or wire service
Further, it also does not apply to:
- Public corporations as defined by the Oregon Revised Statutes, including the Oregon Health and Science University and the Oregon State Bar
- Protected health information and covered entities under the Health Insurance Portability and Accountability Act (HIPAA)
- Information used only for public health activities and purposes
- Financial institutions or their affiliates or subsidiaries under the Gramm Leach Bliley Act (GLBA)
- Insurers and insurance producers other than a person who, alone or with others, establishes and maintains a self-insurance program and does not otherwise engage in the business of entering into insurance policies
- Information processed or maintained solely for an individual’s employment or business relationship
How Can Businesses Prepare for the OCPA?
Provide multiple easy ways for Oregon consumers to act on their privacy rights and submit requests, like giving an opt-out feature on your consent banner and adding Data Subject Access Request forms to your platform.
Ensure you’re using contracts that meet the details explained in Section 6 of the law.
For entities that want to process information that presents a reasonable risk of harm to the consumers, perform adequate Data Protection Assessments as outlined in Section 8.
Finally, before 2026, your website must honor browser privacy settings, as these qualify as recognized verifiable requests for consumer opt-out rights.
How Will the OCPA Be Enforced?
The Oregon Attorney General (AG) is responsible for enforcing the OCPA, as explained in Section 9 of the law.
The AG can serve a demand to anyone who possesses, controls, or stores information relevant to an investigation.
There is a 30-day cure period to correct the violation after receiving a notice, and failing to follow through within that time frame may lead to action without any further notice.
However, the OCPA’s cure period terminates on January 1, 2026.
Fines and Penalties Under the Oregon Consumer Privacy Act
Entities that violate the OCPA could receive fines of up to $7,500 per violation.
However, as described in Section 11, there is a five-year statute of limitations on any penalties, and consumers do not have a private right of action.
How Will Termly Help with OCPA Compliance?
Termly offers legal policies and consent management solutions vetted by our legal team and data privacy experts to help businesses simplify the compliance process.
We also provide a Consent Management Platform (CMP) that offers a consent banner you can configure to meet opt-out requirements as outlined by laws like the OCPA.
Are There Other Privacy Related Laws in Oregon?
While the Oregon Consumer Privacy Act is the first law in the state that protects the personal information of consumers online, other privacy-related pieces of legislation are in place, like the:
- Oregon Consumer Identity Theft Protection Act: Gives residents more tools and resources to help them protect themselves from identity theft and other similar cybercrimes.
- Oregon Student Information Protection Act: Prohibits educational websites and platforms from sharing students’ personal data in the state for non-educational purposes.
You can read more about these and other privacy-related laws in Oregon on the Oregon Department of Justice website.
What Does the Future of Data Privacy Look Like in America?
With the number of U.S. states passing data privacy laws reaching double digits, there seems to be a focus on privacy legislation nationwide. Should we expect a federal law anytime soon?
The American Data Privacy and Protection Act (ADPPA) is a proposed bill gaining some bipartisan support.
It currently sits in the House Energy and Commerce Committee after being placed on the Union Calendar at the end of 2022 — Calendar number 488.
While there’s little to report on at the moment, we’ll keep watching the progress of this bill and provide an update as soon as anything changes.
The Oregon Consumer Privacy Act enters into force next year and won’t be the last state law to pass in the U.S.
If your business falls under the scope of the OCPA, make sure you prepare to:
- Update your privacy and cookie policies
- Add opt-out options for consumers to act on their rights
- Perform adequate Data Protection Assessments
- Add a DSAR form or other mechanism to your platform so users can request to follow through on their rights
- Use legally-sound contracts with any third-party processors
- Ensure that your website honors GPCs before 2026
Compliance can get confusing, but not with Termly in your toolbox — we’ve got your back.