
The Oregon Consumer Privacy Act (OCPA), passed in 2023 and effective from July 2024, introduces a comprehensive framework for protecting personal data in Oregon. This legislation is designed to give consumers more control over their personal information and to ensure businesses handle data responsibly. Understanding the OCPA is crucial for businesses and consumers alike. 

This article breaks down the key components of the OCPA, detailing the rights it grants consumers, the obligations it imposes on businesses, and the penalties for non-compliance.


What Is the Oregon Consumer Privacy Act (OCPA)?

The OCPA is Oregon’s primary data protection law, aimed at safeguarding personal data and giving consumers specific rights over how their information is collected, processed, and shared. The law applies to businesses operating in Oregon or targeting Oregon residents, establishing clear guidelines for data handling practices.

OCPA Consumer Rights

The OCPA grants Oregon residents a range of rights designed to protect their privacy and give them control over their personal data. Businesses must provide easy ways for consumers to exercise these rights and respond to requests promptly.

  1. Right to Know
    Consumers have the right to know whether a business is processing their personal data. This includes access to information about what data is being processed, the categories of data, and the identities of third parties who have access to this information. This right also allows consumers to obtain a copy of their personal data.
  2. Right to Correct
    Consumers can request corrections to any inaccuracies in their personal data. The nature of the data and its intended use will guide businesses in making these corrections.
  3. Right to Delete
    The right to delete gives consumers the power to request that businesses delete their personal data. This applies to data provided directly by the consumer, collected from other sources, or derived from other data.
  4. Right to Opt-Out
    Consumers can opt out of having their data used for targeted advertising, profiling, or being sold to third parties. Businesses must provide a convenient and accessible method for opting out.
  5. Right to Data Portability
    This right enables consumers to request that their personal data be transferred to them in a portable, easily accessible, and usable format.

Privacy Notice Requirements

Under the OCPA, businesses are required to provide a clear and accessible privacy notice. This notice must include:

  • Categories of personal data collected
  • Purpose for data processing
  • Methods for exercising consumer rights
  • Categories of data shared with third parties
  • Categories of third parties with access to the data
  • Business contact information
  • Description of any data processing activities (e.g., targeted advertising)
  • Instructions for submitting consumer requests and opting out

This privacy notice must be conspicuously available to consumers, ensuring transparency in how their data is handled.

OCPA Consent Requirements

Consent plays a critical role in the OCPA, particularly concerning sensitive data and children’s data. Businesses must obtain opt-in consent for collecting and processing sensitive data, which includes information related to health, biometric data, sexual orientation, and more.

For the consent to be valid, it must be freely given, specific, informed, and unambiguous. The OCPA explicitly states that inaction cannot be considered consent. For example, if a consumer ignores or closes a cookie banner, it does not indicate agreement. Consumers also have the right to withdraw their consent at any time, and businesses must cease data processing within two weeks of consent withdrawal.

Penalties for Non-Compliance

The OCPA is enforced by the Oregon Attorney General (AG), who has the authority to investigate and penalize businesses that violate the law. Penalties can be steep, with fines of up to $7,500 per violation. However, businesses are granted a 30-day cure period to rectify any issues before penalties are enforced. If the issue is not resolved within this period, the AG may proceed with legal action.

The statute of limitations for enforcement is five years, meaning that the AG can only take action within five years of a violation. However, for continuous violations, this period extends from the last date of the violation. Notably, the OCPA does not provide a private right of action, meaning consumers cannot sue businesses directly for violations.

Security & Data Protection Obligations

OCPA places a strong emphasis on the security of personal data. Businesses are required to implement and maintain robust security measures to protect data from unauthorized access, breaches, or theft. This includes administrative, organizational, and physical safeguards.

Contractual Obligations with Third-Party Processors

If a business shares or processes personal data with third-party processors, the OCPA mandates that they enter into legally binding contracts. These contracts must outline:

  • Instructions for data processing
  • Purpose and duration of processing
  • Confidentiality obligations
  • Procedures for data deletion or return after contract termination
  • Provisions for verifying compliance with OCPA

These contracts ensure that both parties are accountable and that personal data is handled responsibly.

Data Protection Assessments

Businesses must conduct Data Protection Assessments (DPAs) for certain data processing activities that pose a heightened risk to consumers. These activities include:

  • Targeted advertising
  • Processing sensitive data
  • Selling personal data
  • Profiling that could lead to discrimination or harm

DPAs should evaluate the benefits of processing against the potential risks to consumers, considering factors such as security measures, consumer expectations, and the context of data processing.

Universal Opt-Out Mechanisms

Starting in 2026, businesses must recognize universal opt-out mechanisms, such as browser extensions or device settings that signal a consumer’s preference to opt out of data processing activities. This includes honoring Global Privacy Control (GPC) signals that communicate a consumer’s desire to opt out of targeted advertising and data sales.
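As an added example (not code from the article or from any OCPA guidance), the following Node.js-style check shows how a site would detect the GPC signal this paragraph describes: per the GPC specification, a browser or extension with GPC enabled sends the request header `Sec-GPC: 1`, page scripts see the same preference as `navigator.globalPrivacyControl`, and the spec defines a support resource at `/.well-known/gpc.json`. The header-normalization approach and the flag names are this example's own assumptions, not OCPA terminology.

```javascript
// Added example, not from the article: detect a Global Privacy Control (GPC)
// opt-out signal on an incoming HTTP request and derive the processing
// decisions an OCPA-covered site would need to honor.

// HTTP header names are case-insensitive, so normalize before lookup.
// Multi-valued headers (arrays, as Node's http module can return) are joined.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(",") : String(value);
  }
  return out;
}

// True only when Sec-GPC is present with the value "1". The GPC spec gives "1"
// the sole defined meaning; a missing header or any other value is treated as
// "no signal", never as positive consent to advertising or sale.
function hasGpcSignal(headers) {
  const value = normalizeHeaders(headers)["sec-gpc"];
  return value !== undefined && value.trim() === "1";
}

// Map the signal onto the two activities the article says GPC covers.
// Flag names are this example's own, not OCPA terminology.
function processingDecision(headers) {
  const optedOut = hasGpcSignal(headers);
  return {
    gpcSignal: optedOut,
    targetedAdvertisingAllowed: !optedOut,
    saleOfPersonalDataAllowed: !optedOut,
  };
}

// Body for the GPC support resource the spec places at /.well-known/gpc.json,
// announcing that the site honors the signal; lastUpdate is a YYYY-MM-DD string.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests (not captured traffic) to exercise the logic.
const sampleRequests = [
  { Host: "example.com", "Sec-GPC": "1" },   // GPC enabled, canonical casing
  { host: "example.com", "sec-gpc": "1" },   // as Node lowercases header names
  { Host: "example.com" },                   // no signal
  { Host: "example.com", "Sec-GPC": "0" },   // undefined value, treated as no signal
];

for (const req of sampleRequests) {
  console.log(JSON.stringify(req), "->", JSON.stringify(processingDecision(req)));
}
```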

Impact on Businesses

Businesses that fall under the scope of OCPA must make significant adjustments to their data-handling practices. This includes updating privacy policies, implementing data protection assessments, and ensuring that contracts with third-party processors are in line with OCPA requirements.

Moreover, businesses must prepare to recognize global opt-out mechanisms by 2026 and ensure that their websites are equipped to honor these preferences. Failure to comply with these requirements could result in hefty fines and legal action from the Attorney General’s office.

Who Must Comply?

The OCPA applies to businesses that:

  1. Process personal data of 100,000 or more consumers in a year (excluding data for payment transactions).
  2. Process personal data of 25,000 or more consumers and derive 25% or more of their gross annual revenue from the sale of personal data.

This broad scope ensures that both large and medium-sized businesses handling consumer data are covered under the law.

OCPA Exemptions

While the OCPA applies to most businesses, there are notable exemptions. Nonprofits focused on detecting and preventing fraud or those involved in TV and radio programming are exempt. 

The OCPA does not apply to public corporations like Oregon Health and Science University, entities governed by HIPAA, financial institutions under GLBA, or businesses solely processing data for employment purposes.

How to Prepare for Compliance

For businesses, preparing for OCPA compliance involves several key steps:

  1. Update Privacy Policies: Ensure that your privacy notice includes all the required elements under the OCPA, such as categories of data collected, the purpose of processing, and methods for consumers to exercise their rights.
  2. Implement Opt-Out Mechanisms: Provide consumers with easy ways to opt out of data processing activities. This includes adding opt-out options to your consent banner and making Data Subject Access Request (DSAR) forms available.
  3. Conduct Data Protection Assessments: For activities that present a heightened risk to consumers, perform thorough assessments to evaluate the potential risks and benefits of data processing.
  4. Enter Legally Sound Contracts: Ensure that contracts with third-party processors meet OCPA requirements, including data deletion provisions and confidentiality obligations.
  5. Recognize Global Opt-Outs: Prepare your systems to recognize and honor global opt-out signals, such as GPC, by 2026.
  6. Strengthen Data Security: Implement and maintain strong security measures to protect consumer data from breaches and unauthorized access.

Frequently Asked Questions (FAQs)

  1. Does Oregon have a privacy law?
    Yes, the Oregon Consumer Privacy Act (OCPA) is the primary data privacy law in Oregon, set to be enforced from July 2024.
  2. What are the penalties for violating the OCPA?
    Businesses can face fines of up to $7,500 per violation. The Attorney General enforces the law, and businesses have a 30-day period to correct any issues before penalties are imposed.
  3. What does “universal opt-out” mean under OCPA?
    Universal opt-out mechanisms allow consumers to signal their preference to opt out of data processing activities, such as targeted advertising, through browser settings or other tools. Businesses must honor these signals by 2026.
  4. Who does the OCPA apply to?
    The OCPA applies to businesses that process personal data of 100,000 or more consumers or those that process data of 25,000 or more consumers while earning 25% or more of their revenue from selling personal data.
  5. Is there a private right of action under the OCPA?
    No, the OCPA does not provide consumers with a private right of action. Enforcement is handled by the Oregon Attorney General.

Wrapping Up

The Oregon Consumer Privacy Act (OCPA) is a significant step toward enhancing consumer privacy rights in the digital age. For businesses, compliance is not just a legal obligation but an opportunity to build trust with consumers by demonstrating a commitment to data protection. As the July 2024 enforcement date approaches, businesses must act swiftly to align their practices with OCPA requirements. By doing so, they can avoid penalties, safeguard consumer trust, and stay ahead of the curve in a rapidly evolving regulatory landscape.
