6-Step OCPA Compliance Requirements Checklist

Josh Langeland, CIPM

by Josh Langeland, CIPM

June 25, 2024

Generate a Free OCPA Privacy Policy

Does your business need to follow the Oregon Consumer Privacy Act (OCPA)? Oregon’s new consumer privacy law enters into force on July 1, 2024.

Use my easy six-step checklist to help simplify compliance with the OCPA.

Table of Contents
  1. OCPA Compliance Checklist: Step-by-Step
  2. OCPA Requirements FAQ
  3. Summary

OCPA Compliance Checklist: Step-by-Step

To meet the requirements outlined by the OCPA, follow these six easy steps.

  Part 1: Perform a Privacy Audit

To comply with any data privacy law, you must know what personal information your business collects from users, why, and how it’s used.

To determine this, perform a privacy audit, also called a data inventory, by using one of the following methods:

Part 2: Privacy Notification Requirements

The OCPA requires businesses to present Oregon consumers with a privacy policy that includes the following information:

  • What categories of personal data you collect.
  • Your purpose for processing the data.
  • How consumers can exercise their privacy rights and appeal your decision.
  • What categories of data you share with third parties, if any, including categories of sensitive data.
  • What categories of third parties you share personal data with, if any, and, to the extent possible, how each third party processes personal data.
  • An active email address or other online method for consumers to contact you.
  • Any business name under which you are registered with the Secretary of State and any assumed business names used.
  • A description of any processing of data for targeted ads or profiling users and how users can opt-out.

Part 3: Consent Management for Specific Data Processing

The OCPA impacts businesses’ consent management because it gives consumers the right to opt out of certain types of data processing, including:

  • Targeted advertising
  • The sale of data
  • Profiling the consumer

If you process data for any of the above purposes, you must provide your users with a consent banner or other system that allows them to easily exercise these rights.

Part 4: Contractual Obligations for Sharing or Selling Personal Data

Under the OCPA, data controllers and processors must enter into contractual agreements that outline all of the following guidelines:

  • Include instructions for the data processing, its nature, and purpose.
  • List the type of data being processed and for how long.
  • Outline the rights of each party and their obligations.
  • Require a duty of confidentiality concerning the personal data.
  • Require the processor to demonstrate compliance with the OCPA.
  • Require the processor to delete or return all data at the end of the contract.
  • Require the processor to cooperate with reasonable assessments by the controller.
  • Require any subcontractors to sign a contract outlining the same obligations.
  • Allow the controller or a designated independent person assess the processor’s policies and technical and organization controls for complying with the processor’s obligations.

Part 5: Consumer Rights and Verifiable Consumer Requests

The OCPA requires businesses to present Oregon consumers with two or more ways to follow through on their rights to:

  • Confirm if you’re processing their data.
  • Obtain a list of third parties their data is disclosed to (at the controller’s discretion)
  • Request access to their data
  • Correct inaccuracies in their data.
  • Obtain a portable copy when possible.
  • Request to delete their data.
  • Opt out of having their data sold or processed for targeted advertising.
  • Opt out of profiling.

Your website must also honor universal opt-out mechanisms (UOOMs) as a verified consumer request to follow through on their opt-out rights by January 1, 2026.

Consider using a combination of the following methods to meet this legal requirement:

  • Use a Data Subject Access Request (DSAR) form.
  • Provide an email address where users can submit requests.
  • Publish a cookie policy if you deploy cookies that collect sensitive data, data you sell, or data used for targeted advertising.
  • Use a Consent Banner so consumers can follow through on opt-out rights.

Part 6: Security Procedures and Practices

The OCPA requires covered businesses to establish, implement, and maintain security practices that safeguard personal data as described in the following ways:

  • Protects its confidentiality
  • Protects its integrity
  • Protects its accessibility

Some standard data security techniques include:

  • Anonymizing and de-identifying the data
  • Encrypting the information
  • Access controls
  • Creating a data backup or recovery plan

OCPA Requirements FAQ

Below, read through some of the most frequently asked questions about the OCPA.

Does the OCPA apply to my business?

The OCPA applies to your business if you work in Oregon or target goods and services to residents of the state and meet either of the following thresholds:

  • Controls or processes the personal data of 100,000 or more consumers, excluding data processes solely to complete a payment transaction.
  • Controls or processes the personal data of 25,000 or more consumers and derives 25% or more gross annual revenue from the sale of personal data.

When does the OCPA take effect?

The OCPA officially takes effect on July 1, 2024, but the stipulations relating to nonprofits become enforceable on July 1, 2025.

Who enforces the OCPA?

The OCPA is enforced by the Oregon attorney general.

What are the penalties for violating the OCPA?

Fines for violating the OCPA can reach as high as $7,500 per incident.

Can Termly help with OCPA compliance?

Termly can help businesses with OCPA compliance by providing our Privacy Policy Generator, which includes all necessary notification requirements addressed in the OCPA.

We also offer a Consent Management Platform (CMP) configurable to help you provide users with a way to follow through on their opt-out rights.

It comes with a free DSAR form you can post to your website, allowing your Oregon users to securely submit requests to follow through on their new privacy rights.


Businesses that must follow Oregon’s new privacy law, the OCPA, can use this easy six-step checklist for help simplifying compliance:

  • Perform a data inventory to determine all personal data your business collects, why, and how it’s used.
  • Present Oregon consumers with a compliant privacy policy.
  • Use a consent management platform to present your users with a consent banner to follow through on their opt-out rights.
  • If working with any data processors, make and both sign compatible contracts meeting all obligations outlined by the law.
  • Provide Oregon consumers with two or more ways to reliably submit requests to follow through on their new privacy rights.
  • Implement proper security protocols to protect the personal data you collect from unauthorized access and other harm.

Make it extra easy on your business and use solutions like Termly’s privacy policy generator and CMP to meet the requirements outlined by laws like the OCPA and more.

Josh Langeland, CIPM
More about the author

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park. More about the author

Related Articles

Explore more resources