Oregon Consumer Privacy Act: First Look & Summary

If your company does business in Oregon, get ready to comply with a new data privacy law.

The Oregon Consumer Privacy Act (OCPA) is similar to other recently passed US state laws but differs in that it applies to some nonprofit organizations.

In this guide, learn all about the new privacy law in Oregon, including its business obligations, consumer rights, penalties for violating the law, and more.

Table of Contents

What Is the Oregon Consumer Privacy Act (OCPA)?
OCPA Key Terms and Definitions
What Does the Oregon Consumer Privacy Act Cover?
Requirements of the Oregon Consumer Privacy Act
Oregon’s Data Privacy Law vs. Other States: Similarities and Differences
How Will Consumers Be Impacted by the OCPA?
Who Does the OCPA Apply To?
How Will Businesses Be Impacted by the OCPA?
Who Must Comply With Oregon’s New Data Privacy Law?
How Can Businesses Prepare for the OCPA?
How Will the OCPA Be Enforced?
Fines and Penalties Under the Oregon Consumer Protection Act
How Will Termly Help with OCPA Compliance?
Are There Other Privacy Related Laws in Oregon?
Summary

What Is the Oregon Consumer Privacy Act (OCPA)?

Originally called Oregon Bill 619, the Oregon Consumer Privacy Act or OCPA is a new law that passed in the U.S. state of Oregon.

It describes obligations for persons who collect and process personal information about Oregon consumers and grants those consumers rights and control over how that data gets used.

The OCPA also outlines penalties for entities that violate any portion of the law.

OCPA Effective Date

Most portions of the OCPA will enter into force on July 1, 2024. However, the stipulations regarding nonprofit organizations enter into force on July 1, 2025.

The requirement for entities to honor and recognize opt-out preference signals via user’s browsers becomes enforceable on January 1, 2026.

On this same date, the OCPA 30-day cure period ends.

OCPA Key Terms and Definitions

To comply with the OCPA, you must understand some key terms used throughout the law.

To help simplify your compliance process, I’ve included the relevant definitions exactly as they appear in Section 1 of Oregons’ new data privacy law for you below:

Consent: An affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed, and unambiguous assent to another person’s act or practice under the following conditions: the user interface by means of which the consumer performs the act does not have any mechanism that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice.
- The consumer’s inaction does not constitute consent.
Consumer: A natural person who resides in this state and acts in any capacity other than in a commercial or employment context.
Controller: A person that, alone or jointly with another person, determines the purposes and means for processing personal data.
Personal data: Data, derived data, or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household.
- It does not include de-identified data or data that (A) Is lawfully available through federal, state, or local government records or through widely distributed media; or (B) A controller reasonably has understood to have been lawfully made available to the public by a consumer.
Processing: An action, operation, or set of actions or operations that is performed, automatically or otherwise, on personal data or on sets of personal data, such as collecting, using, storing, disclosing, analyzing, deleting, or modifying the personal data.
Processor: A person that processes personal data on behalf of a controller.
Sale/sell: The exchange of personal data for monetary or other valuable consideration by the controller with a third party.
- It does not include a disclosure of personal data to a processor; A disclosure of personal data to an affiliate of a controller or to a third party for the purpose of enabling the controller to provide a product or service to a consumer that requested the product or service; A disclosure or transfer of personal data from a controller to a third party as part of a proposed or completed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller’s assets, including the personal data; or A disclosure of personal data that occurs because a consumer: Directs a controller to disclose the personal data; Intentionally discloses the personal data in the course of directing a controller to interact with a third party; or Intentionally discloses the personal data to the public by means of mass media, if the disclosure is not restricted to a specific audience.
Sensitive data: Personal data that reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status; Is a child’s personal data; Accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or Is genetic or biometric data.
- It does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

What Does the Oregon Consumer Privacy Act Cover?

Oregon’s new data privacy law covers the personal information of natural persons who reside in the state, except for anyone acting in a commercial or employment context.

A natural person in a legal context refers to a living human, regardless of citizenship status.

Requirements of the Oregon Consumer Privacy Act

The OCPA outlines several legal requirements all entities under the law must comply with, which I will outline in more detail in this next section.

Legal Basis for Processing Personal Information

Under Section 5 of the OCPA, entities can only process personal information that is “adequate, relevant, and reasonably necessary” for the purposes described in their privacy notice.

However, nothing in the act prohibits controllers or processors from:

Preventing, detecting, responding to, and investigating cybersecurity threats, like identity theft, fraud, harassment, or other illegal activities
Identifying technical errors within information systems that impair functionality
Conducting internal research to develop new services or technology
Investigating establishing, initiating, or defending legal claims
Performing internal operations that are reasonably aligned with consumers’ expectations, which the consumer may anticipate based on their existing relationship with the controller

It also doesn’t prohibit controllers or processors from complying with state or federal laws.

Consent

To process personal data that falls outside the scope of what is considered reasonably necessary, entities must obtain active, opt-in consent from consumers.

The same consent guidelines apply if you want to collect and process any sensitive information.

The OCPA clearly describes what is and is not consent in Section 1 of the law:

The consumer needs to provide a clear, affirmative action
The consent must be unambiguous and informed
The consent mechanism cannot obscure, subvert, or impair their decision-making
You must provide an easy, similar way to withdraw their consent at any time

Inaction by the consumer does not constitute consent.

You also must obtain active consent from a legal guardian to process data about children under the age of thirteen, including for targeted advertising or the sale of their information.

Personal Data and Security Obligations

Another requirement outlined by the OCPA involved adequately protecting the integrity, confidentiality, and security of the collected personal data, as described in Section 5, Part 1 (c).

Specifically, data controllers under this law must establish, implement, and maintain security practices that meet the standards described in the Oregon Revised Statute Chapter 646A.622.

It outlines administrative, organizational, and physical safeguards that you should apply to consumer personal information to keep it safe from unauthorized access or breaches.

Contractual Obligations With Third-Party Processors

Data controllers and processors must enter legal contracts with specific guidelines and clauses.

According to Section 6, Part 2 of the law, contracts must include all of the following:

Be binding and valid for both parties.
Provide clear instructions for processing data, the purpose for the processing, the type of information that gets processed, and the duration of the processing.
Explain both party’s rights and obligations.
Obligate anyone processing the data to a duty of confidentiality.
Require the processor to delete or return the data at the controller’s direction or the end of the contract unless retention is required by law.
Obligate the processor to make data available to the controller to verify that the processor complies with all OCPA obligations at the controller’s direction.
Require the processor to enter into a subcontract with any person the processor engages with to assist with processing on the controller’s behalf that meets all processor contractual obligations outlined by the OCPA.
Allow the controller, a designee, or a qualified independent person to assess the processor’s policies and technical and organizational measures for complying with the OCPA and, at the controller’s request, report the results to the controller.

The law explains that nothing in Section 6 relieves the controller or processor from liabilities arising under Sections 1 through 9 of the OCPA.

Data Protection Assessments

You must perform Data Protection Assessments to conduct certain data processing activities that present a heightened risk to consumers, as explained in Section 8 of the OCPA.

According to the law, all of the following present that heightened risk:

Processing data for targeted advertising
Processing sensitive data
Selling personal data
Using personal data for the purposes of profiling that presents foreseeable risks such as unfair treatment, injury to the customers, or invasion of privacy.

You can use a single data protection assessment if the activities present similar levels of risk of harm to consumers.

It should identify and weigh how processing data may benefit the controller, consumer, other stakeholders, and the public against the possible risks to the consumer.

It should also consider:

Any security measures or safeguards in place
How deidentified data may reduce the risks
The reasonable expectations of the consumers
The context in which you process the data
The relationship between the controller and the consumers whose personal data the controller will process

Recognition of Universal Opt-Out Mechanisms

Entities under the OCPA need to recognize browser extensions and global privacy device settings as a consumer’s designated, authorized agent concerning their privacy rights, as explained in Section 4, Part 4 of the law.

Universal opt-out mechanisms like Global Privacy Control (GPC) let consumers communicate opt-out preferences on their browsers automatically.

As long as it’s commercially feasible, this technology must be honored.

Even though most of the OCPA enters into action in 2024, this section of the text becomes enforceable in 2026.

Oregon’s Data Privacy Law vs. Other States: Similarities and Differences

The OCPA is among the following U.S. state data privacy laws in force or recently passed:

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
Colorado Privacy Act (CPA) — currently in force
Connecticut Data Privacy Act (CTDPA) — currently in force
Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
Tennessee Information Protection Act (TIPA) — effective July 1, 2025
Texas Data Privacy And Security Act (TDPSA) — effective July 1, 2024
Utah Consumer Privacy Act (UCPA) — currently in force
Virginia Consumer Data Protection Act (VCDPA) — currently in force

You can compare these laws to the OCPA in the table below.

State Law	Opt-in consent for certain types of data processing	Opt-out consent for certain types of data processing	Must present users with a privacy policy (or notice)	Requires Data Protection Assessments	Outlines Contractual Obligation with Third-Party Processors	Allows for civil lawsuits or private right of action	Must honor Global Privacy Controls/browser privacy settings
OCPA		✓	✓	✓	✓		✓
CCPA/CPRA	✓	✓	✓	✓	✓	✓	✓
CPA		✓	✓	✓	✓		✓
CTDPA		✓	✓	✓	✓		✓
DPDPA	✓	✓	✓	✓	✓		✓
FDBR		✓	✓	✓	✓
Indiana CDPA		✓	✓	✓	✓
Iowa CDPA		✓	✓		✓
MCDPA		✓	✓	✓	✓		✓
TIPA	✓	✓	✓	✓	✓
TDPSA		✓	✓	✓	✓		✓
UCPA		✓	✓		✓
VCDPA		✓	✓	✓	✓

How Will Consumers Be Impacted by the OCPA?

Under the OCPA, consumers have new rights and control over how entities process and use their personal information.

According to Section 3 of the text, consumers may:

Confirm if a controller is processing or has processed personal information about them and the categories of data.
A list of the specific third parties the data is shared with.
A copy of all personal data processed or being processed.
Correct inaccuracies in their personal data.
Require a controller to delete their personal data, including data the consumer provided to the controller and data obtained from another source.
Opt out of targeted advertising, the sale of their data, or profiling.

Who Does the OCPA Apply To?

The OCPA applies to natural persons in Oregon who are there for commercial or household purposes only.

It does not apply to individuals in the state for commercial or employment purposes.

How Will Businesses Be Impacted by the OCPA?

Oregon’s new consumer privacy law impacts businesses in several ways beyond the security requirements, contractual obligations, and privacy assessment standards previously mentioned.

The OCPA also impacts your privacy policy and may affect your use of internet cookies.

How Will the OCPA Affect My Privacy Policy?

According to Section 5, Part 4 of the Oregon Consumer Privacy Act, controllers must present consumers with a “reasonably accessible, clear and meaningful privacy notice” that includes specific information:

A list of the categories of personal data, including any sensitive data processed
A description of the controller’s purposes for processing the information
An explanation of how consumers can exercise their rights and how to appeal a controller’s denial of those requests
A list of all categories of personal data shared with third parties, including sensitive data
Description of the categories of third parties you share personal data with
An active email address or online method that consumers can use to contact the controller
Any business name under which the controller is registered with the Secretary of State, as well as any assumed business names the controller uses in the state
A description of any processing of personal data for targeted advertising or profiling by which a consumer may opt out of
A description of the method or methods established by the controller for consumers to submit requests to follow through on their rights

How Will the OCPA Affect My Cookie Policy?

Oregon’s new data privacy law may affect your cookie policy, particularly if you sell information about consumers gathered through cookies or use them for targeted advertising.

Under the OCPA, consumers have the right to opt out of having their information used in either of those ways.

If you use cookies for either of those purposes, you must clearly inform your consumers and provide them with a simple means for withdrawing from such processing activities.

Who Must Comply With Oregon’s New Data Privacy Law?

According to Section 2(1) of the OCPA, you must comply with this law if you conduct business in Oregon or provide products or services to residents of the state and meet either of the following within a calendar year:

Controls or processes personal data of 100,000 or more consumers, excluding data controlled or processed solely to complete payment transactions
Controls or processes personal data of 25,000 or more consumers while deriving 25% or more of your gross annual revenue from the sale of personal data

Who Is Exempt From the OCPA?

The only nonprofits exempt from following the OCPA are organizations that specifically detect and prevent fraudulent activities or provide programming to television or radio networks, including the noncommercial activity of:

Journalists
FCC-licensed radio or television stations
Entities that provides an information service such as a press association or wire service

Further, it also does not apply to:

Public corporations as defined by the Oregon Revised Statutes, including the Oregon Health and Science University and the Oregon State Bar
Protected health information and covered entities under the Health Insurance Portability and Accountability Act (HIPAA)
Information used only for public health activities and purposes
Financial institutions or their affiliates or subsidiaries under the Gramm Leach Bliley Act (GLBA)
Insurers and insurance producers other than a person who, alone or with others, establishes and maintains a self-insurance program and does not otherwise engage in the business of entering into insurance policies
Information processed or maintained solely for an individual’s employment or business relationship

How Can Businesses Prepare for the OCPA?

To prepare your businesses for the OCPA, update your privacy policy to meet all notice obligations expressed in Section 5, Part 4 of the law.

Provide multiple easy ways for Oregon consumers to act on their privacy rights and submit requests, like giving an opt-out feature on your consent banner and adding Data Subject Access Request forms to your platform.

Ensure you’re using contracts that meet the details explained in Section 6 of the law.

For entities that want to process information that presents a reasonable risk of harm to the consumers, perform adequate Data Protection Assessments as outlined in Section 8.

Finally, before 2026, your website must honor browser privacy settings, as these qualify as recognized verifiable requests for consumer opt-out rights.

How Will the OCPA Be Enforced?

The Oregon Attorney General (AG) is responsible for enforcing the OCPA, as explained in Section 9 of the law.

The AG can serve a demand to anyone who possesses, controls, or stores information relevant to an investigation.

There is a 30-day cure period to correct the violation after receiving a notice, and failing to follow through within that time frame may lead to action without any further notice.

However, the OCPA’s cure period terminates on January 1, 2026.

Fines and Penalties Under the Oregon Consumer Protection Act

Entities that violate the OCPA could receive fines of up to $7,500 per violation.

However, as described in Section 11, there is a five-year statute of limitations on any penalties, and consumers do not have a private right of action.

How Will Termly Help with OCPA Compliance?

Termly offers legal policies and consent management solutions vetted by our legal team and data privacy experts to help businesses simplify the compliance process.

Our Privacy Policy Generator, for example, is easy to use and helps businesses make customized, comprehensive privacy notices for their platforms in minutes.

It asks simple questions about your data processing activities and creates a privacy policy based on your answers.

See what it looks like below.

Termly-Privacy-Policy-Generator

Generate a Free Privacy Policy

We also provide a Consent Management Platform (CMP) that offers a consent banner you can configure to meet opt-out requirements as outlined by laws like the OCPA.

Below, check out a screenshot of our CMP.

Termly-Consent-Management-Platform

While the Oregon Consumer Privacy Act is the first law in the state that protects the personal information of consumers online, other privacy-related pieces of legislation are in place, like the:

Oregon Consumer Identity Theft Protection Act: Gives residents more tools and resources to help them protect themselves from identity theft and other similar cybercrimes.
Oregon Student Information Protection Act: Prohibits educational websites and platforms from sharing students’ personal data in the state for non-educational purposes.

You can read more about these and other privacy-related legislation in Oregon at their Department of Justice website.

What Does the Future of Data Privacy Look Like in America?

With the number of U.S. states passing data privacy laws reaching double digits, there seems to be a focus on privacy legislation nationwide. Should we expect a federal law anytime soon?

The American Data Privacy and Protection Act (ADPPA) is a proposed bill gaining some bipartisan support.

It currently sits in the House Energy and Commerce Committee after being placed on the Union Calendar at the end of 2022 — Calendar number 488.

While there’s little to report on at the moment, we’ll keep watching the progress of this bill and provide an update as soon as anything changes.

Summary

The Oregon Consumer Privacy Act enters into force next year and won’t be the last state law to pass in the U.S.

If your business falls under the scope of the OCPA, make sure you prepare to:

Update your privacy and cookie policies
Add opt-out options for consumers to act on their rights
Perform adequate Data Protection Assessments
Add a DSAR form or other mechanism to your platform so users can request to follow through on their rights
Use legally-sound contracts with any third-party processors
Ensure that your website honors GPCs before 2026

Compliance can get confusing, but not with Termly in your toolbox — we’ve got your back.

More about the author

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park. More about the author

What Is the IAB’s Global Privacy Platform (IAB GPP)?

American Privacy Rights Act (APRA): First Look & Summary

109 Biggest Data Breaches, Hacks, and Exposures as of 2024

New Zealand Data Privacy Act 2020 Explained

Cookie Walls: Are They GDPR Compliant?

Personal vs. Sensitive Personal Information

Privacy Policy for Hotel Websites

Privacy Policy for Gym Websites

Privacy Policy for Real Estate Websites