Oregon Consumer Privacy Act (OCPA)

The Oregon Consumer Privacy Act (OCPA) is a comprehensive Oregon privacy law designed to give consumers more control over their personal information. Passed in 2023, it imposes strict requirements on businesses that handle consumer data, making compliance a top priority for organizations operating in or targeting Oregon.

With the Oregon privacy law effective date set for July 1, 2024, businesses have limited time to implement compliance measures. 

What Is the Oregon Consumer Privacy Act (OCPA)?

The Oregon Consumer Privacy Act regulates the collection, processing, and sharing of personal data for Oregon residents. Its purpose is to increase transparency in data processing while empowering consumers with meaningful rights.

OCPA shares similarities with Colorado and Connecticut laws, but it introduces unique obligations for organizations. It also builds on existing frameworks such as the Oregon Consumer Information Protection Act, which addresses data security and breach notifications.

You can review the full text of the law on the Oregon State Legislature website.

Who Must Follow the OCPA? Applicability & Scope

The OCPA applies to businesses that:

  • Control or process personal data of at least 100,000 Oregon residents annually, or
  • Process personal data of 25,000 or more residents while deriving 25% or more of gross revenue from selling personal data.

Exemptions include:

  • State and local government entities.
  • Nonprofits until July 1, 2025.
  • HIPAA- and GLBA-regulated data.
  • Publicly available or de-identified data.

For comparison, the OCPA’s thresholds are similar to the Connecticut Data Privacy Act but differ from stricter laws like California’s CCPA.

Consumer Data Rights Under the Oregon Privacy Law

The Oregon Consumer Privacy Act grants residents several rights over their personal information, including:

  • Access: Consumers can confirm whether their personal data is being processed and access it.
  • Correction: Fix inaccuracies in personal information.
  • Deletion: Request deletion of data collected about them.
  • Portability: Obtain their data in a structured, machine-readable format.
  • Opt-Out: Refuse data processing for targeted advertising, sale of data, or profiling for significant decisions.

“Consumers have the right to opt out of targeted advertising and data sales using a clear and accessible method.” (Usercentrics)

Controllers must respond to requests within 45 days, with one 45-day extension permitted. Businesses must also implement an appeals process for denied requests.

Business Requirements for OCPA Compliance

To comply with the Oregon data privacy law, businesses must implement the following:

  • Transparent Privacy Notices: Explain what data is collected, why, and how it’s shared.
  • Consent for Sensitive Data: Explicit consent is required for processing sensitive information, including race, ethnicity, biometric data, precise geolocation, and children’s data.
  • Universal Opt-Out Mechanisms (UOOMs): Recognize browser-based tools such as Global Privacy Control (GPC) to respect consumer opt-out preferences.
  • Data Protection Assessments (DPIAs): Conduct risk assessments for high-impact activities like targeted advertising and profiling (IAPP Analysis).
  • Data Minimization and Security: Limit collection to necessary data and implement reasonable security measures to reduce the risk of breaches.

Businesses should also note the Oregon data breach notification law, which requires timely disclosure to consumers and the Attorney General in case of a security incident.

OCPA Enforcement and Fines

The Oregon Department of Justice enforces the OCPA, and there is no private right of action for consumers.

  • Cure Period: Businesses have 30 days to remedy violations after receiving notice, though this provision sunsets on January 1, 2026.
  • Penalties: Civil fines of up to $7,500 per violation (Osano).
  • The AG may also seek injunctive relief for persistent non-compliance.

For official enforcement details, visit the Oregon DOJ Consumer Protection page.

Comparing OCPA to Other State Laws

  • Thresholds: Similar to Connecticut and Colorado, but higher than Utah.
  • Sensitive Data Rules: Requires opt-in consent, aligning with Maryland and Colorado.
  • Universal Opt-Out Compliance: Businesses must recognize GPC, similar to California and Colorado.
  • Temporary Cure Period: Unlike Nebraska (permanent cure period), Oregon sunsets its cure period in 2026.

To understand how these differences impact multi-state compliance, check our Colorado Privacy Act analysis and Maryland Online Data Privacy Act guide.

FAQ

What thresholds trigger OCPA compliance?

Processing data for 100,000+ consumers or 25,000 consumers when 25%+ of revenue comes from data sales.

What is the penalty for OCPA violations?

Up to $7,500 per violation, enforced by the Oregon Attorney General (IAPP).

Can Oregon residents access or delete their data?

Yes, consumers can request access, correction, deletion, and data portability.

Are there OCPA exemptions?

Yes: government entities, nonprofits (until July 1, 2025), HIPAA and GLBA data, and publicly available information.

What makes OCPA unique?

It combines strict consent rules with DPIA obligations and mandates universal opt-out compliance via tools like GPC.

Final Thoughts

The Oregon Consumer Privacy Act creates a demanding compliance landscape for businesses handling personal data. With the Oregon privacy law effective date quickly approaching, organizations should:

  • Audit data collection practices.
  • Update privacy notices to meet OCPA standards.
  • Implement opt-out tools, including Global Privacy Control recognition.
  • Prepare Data Protection Assessments for high-risk processing activities.

For official resources, consult the Oregon Legislature’s law text, the Oregon DOJ Privacy Compliance page, and compliance insights from Usercentrics.

Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. Reading this content does not create an attorney-client relationship. A qualified legal professional should be consulted for guidance specific to your organization’s situation and compliance obligations.
