Senate Bill 619, the Oregon Consumer Privacy Act (OCPA), was signed into law in July 2023. The law takes effect July 1, 2024.

This article will cover everything you need to know about the Oregon Consumer Privacy Act (OCPA) including who it applies to, how to comply with the law, and penalties for noncompliance.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is the Oregon Consumer Privacy Act (OCPA)?

The Oregon Consumer Privacy Act (OCPA) is Oregon's main data protection law. It outlines Oregon residents' privacy rights and explains the steps applicable organizations need to take to protect those rights.

Who Does the Oregon Consumer Privacy Act (OCPA) Apply to?

The Oregon Consumer Privacy Act (OCPA) applies to anyone who conducts business in Oregon, or who provides products or services to Oregon residents, and who during a calendar year:

  • Controls or processes personal data of 100,000 or more consumers (excluding data that is controlled or processed only to complete a payment transaction), or
  • Controls or processes personal data of 25,000 or more consumers and derives 25% or more of annual gross revenue from selling personal data

Both parts must be met: an Oregon nexus (doing business in the state or serving its residents) and one of the volume thresholds. Doing business in Oregon alone does not trigger the law.

Section 2 of the Oregon OCPA describes who the law applies to: anyone conducting business in Oregon or offering goods or services to Oregon residents who also meets one of its volume thresholds:

Oregon OCPA Section 2

Who is Exempt from the Oregon Consumer Privacy Act (OCPA)?

The Oregon OCPA does not apply to any of the following organizations:

  • Public corporations (such as the Oregon State Bar)
  • Public bodies (such as local or state government bodies)
  • Certain financial institutions
  • Insurance producers and consultants
  • The noncommercial activities of publishers, editors and reporters, radio and TV stations, and nonprofits that provide programming to radio or TV networks

Note that nonprofit organizations in general are not exempt from the Oregon OCPA; they simply get an extra year and become subject to the law on July 1, 2025.

What Rights Does the Oregon Consumer Privacy Act (OCPA) Give to Oregon Residents?

The Oregon Consumer Privacy Act (OCPA) gives Oregon residents the following rights:

  • The right to know if their personal data has been or is being processed by a data controller
  • The right to know what types of personal data a data controller has processed or is processing
  • The right to obtain a list of third parties their personal data has been shared with
  • The right to obtain a portable (easy to access and transmit) copy of their personal data
  • The right to request that inaccuracies within their personal data be corrected
  • The right to request their personal data be deleted
  • The right to opt out of the processing of their personal data for targeted advertising or profiling purposes
  • The right to opt out of the sale of their personal data
  • The right to be free of discrimination for exercising their rights

Section 3 of the Oregon OCPA describes Oregon residents' rights under the law, including their rights to obtain a list of third parties their personal data has been disclosed to and request that their personal data be edited or deleted:

Oregon OCPA Section 3 excerpt

Definitions in the Oregon Consumer Privacy Act (OCPA)

Here are some relevant definitions that apply under the Oregon Consumer Privacy Act (OCPA).

What is a Consumer Under the Oregon Consumer Privacy Act (OCPA)?

According to Section 1 of the Oregon OCPA, a consumer is any Oregon resident who is not acting in a "commercial or employment context."

Oregon OCPA Section 1 7

What is Personal Data Under the Oregon Consumer Privacy Act (OCPA)?

The Oregon OCPA defines personal data as any information that can be used to identify a consumer or is linked to a device that could be used to gain information about a consumer.

Section 1 (13)(a) of the Oregon OCPA defines personal data as information that is linked to a consumer or a device that could be used to identify them, and explains what doesn't count as personal data under the law:

Oregon OCPA Section 1 13 a

What is Sensitive Data Under the Oregon Consumer Privacy Act (OCPA)?

The Oregon OCPA defines sensitive data as a special category of personal data that includes:

  • Race
  • Ethnicity
  • National origin
  • Religious beliefs
  • Health diagnoses
  • Sexual orientation
  • Transgender or nonbinary status
  • Crime victim status
  • Citizenship or immigration status
  • Personal data of children
  • Precise geolocation data
  • Genetic or biometric data

Section 1 (18) of the OCPA explains what counts as sensitive data under the law, including race, ethnicity, sexual orientation, health information, data of children, and biometric data:

Oregon OCPA Section 1 18

Note that the carve-out for the content of communications and for data generated by advanced utility metering infrastructure is part of the OCPA's definition of precise geolocation data, not a general exclusion from sensitive data.

What is Biometric Data Under the Oregon Consumer Privacy Act (OCPA)?

Under the Oregon OCPA, biometric data is personal data generated by automatic measurement of an individual's biological characteristics that allows or confirms the unique identification of that individual, including:

  • Fingerprints
  • Voiceprints
  • Retinal patterns
  • Iris patterns
  • Gait

There are a few types of information that don't count as biometric data under the OCPA (unless the data is used to identify a specific individual), including:

  • Photographs
  • Audio or video recordings
  • Facial mapping (facial recognition systems)

Section 1 (3) of the OCPA describes what is defined as biometric data, including fingerprints and iris patterns, and what is excluded from the definition, including photographs and video recordings:

Oregon OCPA Section 1 3

What is Data Processing Under the Oregon Consumer Privacy Act (OCPA)?

Under Oregon OCPA, data processing is any action you take on personal data, including:

  • Collection
  • Use
  • Storage
  • Disclosure
  • Analysis
  • Deletion
  • Modification

Section 1 (14) of the Oregon OCPA describes the different types of activities that count as data processing, including using, storing, deleting, and editing personal data.

Oregon OCPA Section 1 14

What is a Data Controller Under the Oregon Consumer Privacy Act (OCPA)?

Section 1 (8) of the Oregon OCPA defines a data controller as anyone who decides why and how to process consumers' personal data:

Oregon OCPA Section 1 8

What is a Data Processor Under the Oregon Consumer Privacy Act (OCPA)?

Section 1 (15) of the Oregon OCPA defines a data processor as anyone who processes personal data for a data controller:

Oregon OCPA Section 1 15

A data processor must process personal data only on the controller's instructions under a binding contract, must help the controller meet its own obligations (responding to consumer requests, keeping the data secure, and supporting data protection assessments), and must flow the same contractual obligations down to any subcontractor it engages. A processor is not automatically subject to every duty the law places on controllers, but a processor that starts deciding the purposes and means of processing becomes a controller for that processing.

What is Targeted Advertising Under the Oregon Consumer Privacy Act (OCPA)?

Under Oregon OCPA, targeted advertising is when a company uses a consumer's personal data to create advertisements based on their interests.

For example, a company might use cookies to track a user's online activities to determine what kind of content they prefer. The company could then create personalized marketing based on those preferences.

This definition is relevant when it comes to getting consent and allowing opt-outs, both of which are discussed further on in this article.

There are a few different types of advertising that don't count as targeted advertising under the Oregon OCPA, including:

  • Ads based on customer behavior that is tracked on a data controller's own website or app
  • Ads based on a consumer's current search, website visit, or use of an app
  • Ads that are in response to a consumer's feedback or request for information

Section 1 (19) of the Oregon OCPA defines targeted advertising as a way to create customized ads based on consumers' online behavior, and explains what doesn't count as targeted advertising under the law:

Oregon OCPA Section 1 19

The processing of personal data only for the purpose of analyzing an ad's performance, frequency, or reach does not count as targeted advertising.

What Data is Exempt From the Oregon Consumer Privacy Act (OCPA)?

The Oregon Consumer Privacy Act (OCPA) doesn't cover the following types of data:

  • Protected health information processed in accordance with laws including HIPAA and the Federal Policy for the Protection of Human Subjects
  • Data used for public health activities (such as disease prevention measures)
  • Employment information
  • Data used in the context of a contract with or ownership of a business entity
  • Emergency contact information
  • Information subject to certain other laws, including the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act

Section 2 (2) of the Oregon OCPA lists the organizations and types of data that are exempt from the law, including public corporations and health information processed in compliance with HIPAA:

Oregon OCPA Section 2 2

How Do You Comply With the Oregon Consumer Privacy Act (OCPA)?

There are several steps you should take to comply with the Oregon Consumer Privacy Act (OCPA), including responding to consumer requests, only collecting relevant and necessary information, keeping data secure, getting consent, giving consumers a way to opt-out of data processing, conducting data protection assessments, and maintaining a clearly written Privacy Policy.

Let's take a deeper look at what each of these steps requires.

Respond to Consumer Rights Requests

The Oregon OCPA requires applicable organizations to respond to consumer requests regarding their data rights in a timely manner.

You should provide consumers with their first information request in a 12-month period free of charge. You can charge an administration fee for additional requests made within the same year.

To comply with this section of the Oregon OCPA law, you will need to:

  • Maintain a Privacy Policy that includes a method for consumers to submit their requests
  • Provide a way for consumers to opt out of the processing of their personal data
  • Respond to requests within 45 days of receiving them (you can extend this period by an additional 45 days as long as you notify the consumer within the initial 45 days of your reasons for the extension)
  • Include a means for a consumer to appeal your decision if you notify them that you have denied their request
  • If you deny an appeal, you must inform the consumer of your decision within 45 days of receiving the appeal, and provide them with the Attorney General's contact info in case they want to submit a complaint

Section 4 of the Oregon OCPA explains how data controllers should respond to consumer requests, including having a method for submitting information requests within your Privacy Policy and the timeline during which they should respond to consumer requests:

Oregon OCPA Section 4

Only Collect Necessary Information

You should only collect personal data that is adequate, relevant, and reasonably necessary for the purposes you have disclosed to consumers.

Section 5 of the Oregon OCPA states that data controllers must explain their reasons for collecting and processing personal data in their Privacy Policy, and must only collect information necessary to fulfill those purposes:

Oregon OCPA Section 5

Keep the Data You Collect or Process Secure

You must take steps to ensure that the personal data you collect or process is safe. To comply with the Oregon OCPA, you should implement the following safeguards:

  • Designate an employee to be in charge of your security program
  • Audit your security practices regularly to identify and manage potential risks
  • Train employees on best practices for data security
  • Only contract with service providers that have adequate safeguards and security practices in place
  • Regularly monitor and update technological safeguards, software, and systems
  • Regularly monitor physical safeguards (such as security cameras or locking systems)
  • Dispose of personal data as soon as it has fulfilled its purpose in such a way that it cannot be reconstructed

Section 5 (c) of the OCPA explains that data controllers must follow the security practices outlined in Oregon's Identity Theft Prevention law ORS 646A.622 to protect personal data:

Oregon OCPA Section 5 c

Oregon law ORS 646A.622 describes the safety measures that applicable organizations must take to protect personal information:

Oregon's Identity Theft Prevention law ORS 646A 622: Information security program section

Get Consent Before Certain Processing

You must get consent from consumers before:

  • Processing their personal data for purposes that are neither reasonably necessary for nor compatible with the purposes you originally disclosed
  • Processing sensitive data (the personal data of a known child, under 13, is sensitive data and must be handled in accordance with COPPA)
  • Processing the personal data of a consumer you know is 13 to 15 years old for targeted advertising, for profiling that produces legal or similarly significant effects, or for sale

For adult consumers, targeted advertising, profiling and the sale of personal data operate under an opt-out model: the Oregon OCPA doesn't require consent in advance, but it does require that you give consumers a way to opt out and that you honor it.

Section 5 (2) of the Oregon OCPA explains that data controllers must get consent before processing sensitive data, processing personal data for new purposes, or processing the personal data of consumers known to be 13 to 15 for targeted advertising, sale, or certain profiling purposes:

Oregon OCPA Section 5 2

When obtaining consent, make sure to get active, clear consent such as that obtained when someone checks a box next to a statement that shows consent is being given. Under the OCPA, consent must be a clear affirmative act: it is not given by accepting general terms of use, by hovering over, muting, pausing or closing content, or through a dark pattern.

Here's an example of how to get consent to place cookies on someone's computer. When the user clicks "I agree," consent will be obtained:

TermsFeed Kajabi: Website preview with Free Cookie Consent displayed in the header highlighted

And here's how you can obtain consent to use someone's personal data for marketing purposes:

Logitech account registration page with consent checkbox for communications

Provide Consumers With a Way to Opt Out

You will need to give consumers an easy and accessible method for opting out of the processing or sale of their personal data.

Once a consumer has opted out, you have 15 days to stop the processing they opted out of, but should stop as soon as feasible. From January 1, 2026, you must also honor universal opt-out preference signals (such as the Global Privacy Control browser setting) as a valid opt-out of targeted advertising and of the sale of personal data.

Section 5 (1)(d) of the Oregon OCPA requires data controllers to give consumers a way to revoke consent that is at least as easy as the way they gave it, and to stop the processing that relied on that consent within 15 days of the revocation:

Oregon OCPA Section 5 1 d

Here's an example of how you can provide consumers with an easy way to opt out by providing instructions and information:

Best Buy Do Not Sell My Personal Information page: How to Opt Out section

Here's an example that uses a checked box that users must uncheck to show they are opting out:

QHelp Privacy Policy: Opt out of analytics checkbox

Conduct Data Protection Assessments

Data protection assessments are audits of your data privacy practices that you conduct that can help you identify and manage risks.

The Oregon OCPA requires data controllers to regularly conduct data protection assessments for data processing activities that increase the risk of harm to a consumer, including:

  • Processing personal data for targeted advertising purposes
  • Processing sensitive personal data
  • Selling personal data
  • Processing personal data for profiling purposes that could result in harm to the consumer

You should keep records of all data protection assessments you conduct for at least five years from the time of the assessment, in case the Attorney General asks to review the assessments for an investigation.

Section 8 of the Oregon OCPA describes the types of data processing activities that require you to conduct a data protection assessment, including processing sensitive personal data and selling personal data:

Oregon OCPA Section 8

Maintain a Privacy Policy That's Compliant With the Oregon Consumer Privacy Act (OCPA)

To comply with the Oregon OCPA, your Privacy Policy should include clauses explaining the types of personal data you collect and process and why, how consumers can exercise their rights, the third parties you share personal data with, and how consumers can contact you.

Section 5 (4) of the OCPA explains its Privacy Policy requirements, including describing your reasons for processing personal data, letting consumers know how they can exercise their rights, and listing the categories of third parties with whom you share personal data:

Oregon OCPA Section 5 4

Let's take a look at the clauses you should include in your Privacy Policy to make it Oregon OCPA-compliant.

The Types of Personal Data You Process

This clause explains the types of personal data you process, such as names, addresses, phone numbers, and financial information.

Zoominfo's Privacy Policy lists the types of personal data it may collect, including contact info, social media URLs, and IP addresses:

Zoominfo Privacy Policy: Information collected clause

Your Reasons for Processing Personal Data

You should explain the purposes for which you process personal data. Common reasons for processing personal data include to fulfill orders and communicate with customers, and for marketing purposes.

Edward Jones' Privacy Policy explains its reasoning for collecting personal information (PI), including for communications purposes, to enhance the customer experience, and to respond to customer requests:

Edward Jones Privacy Policy Use purposes clause

How Consumers Can Exercise Their Rights

This section of your Privacy Policy should explain how consumers can exercise their rights and include a method for submitting consumer requests (and a similar method for submitting appeals).

The method for submitting a request must be secure, must let you authenticate the consumer using commercially reasonable effort, and should reflect the ways consumers normally interact with you. Authentication matters because an access, portability or deletion request you honor for the wrong person is itself a data breach: you may decline to act on a request you cannot authenticate and ask the consumer for additional information instead.

The Oregon Clinic's Privacy Policy explains the options consumers have to control their data, such as correcting, editing, and deleting their information. It includes a link to an email address that consumers can contact if they wish to exercise their rights or opt out of receiving communications from the organization:

Oregon Clinic Privacy Policy: User rights clause
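The requirement above, that a request channel be secure and authenticate the consumer, is the one place on this page where implementation choices matter. The following is an added example, not code from the original article or from any of the companies whose policies are shown: a minimal rights-request intake that binds each request to the email address already on file by sending a signed, expiring, single-use verification token to that address, and that only records the request (with its 45-day response deadline) once the token comes back. The account table, the secret key and the outbox are constructed for the example; real deployments would back them with a database, a key-management service and an email provider.

```python
"""Added example: authenticating a consumer rights request before acting on it.

Flow: the consumer names an email address and a request type. If the address
is on file we mint a token and "send" it to that address (simulated with an
outbox list); the public reply is identical either way, so the form cannot be
used to probe which addresses hold accounts. Only a token that verifies, has
not expired and has not been used before releases the request for handling.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 3600          # lifetime of the verification link
RESPONSE_WINDOW_SECONDS = 45 * 86400   # OCPA: respond within 45 days of a verified request
REQUEST_TYPES = {"access", "correct", "delete", "portable_copy", "opt_out"}

# Constructed sample "database": accounts on file, keyed by normalized email.
ACCOUNTS = {"alice@example.com": {"consumer_id": "c-1001"}}

# Same reply for known and unknown addresses: no account enumeration.
PUBLIC_REPLY = "If that address is on file, a verification message has been sent."


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class RightsRequestIntake:
    secret: bytes                                   # HMAC key, random per deployment
    outbox: list = field(default_factory=list)      # simulated email delivery
    used_nonces: set = field(default_factory=set)   # single-use enforcement
    verified: list = field(default_factory=list)    # requests cleared to be worked

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest()

    def submit(self, email: str, request_type: str, now: Optional[float] = None) -> str:
        """Step 1: intake. The token goes only to the address on file, never back
        to the submitter, and the returned reply does not depend on the lookup."""
        now = time.time() if now is None else now
        if request_type not in REQUEST_TYPES:
            raise ValueError("unknown request type")
        account = ACCOUNTS.get(email.strip().lower())
        if account is not None:
            claims = {
                "sub": account["consumer_id"],       # whose data the request concerns
                "typ": request_type,                 # token is bound to one request type
                "exp": int(now + TOKEN_TTL_SECONDS), # absolute expiry
                "nonce": secrets.token_hex(16),      # makes the token single-use
            }
            payload = json.dumps(claims, sort_keys=True).encode()
            token = _b64(payload) + "." + self._mac(payload)
            self.outbox.append({"to": email, "token": token})
        return PUBLIC_REPLY

    def confirm(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Step 2: the token returns from the mailbox. Check the MAC in constant
        time before trusting any field, then expiry, then replay."""
        now = time.time() if now is None else now
        try:
            body, mac = token.split(".", 1)
            payload = _unb64(body)
        except (ValueError, TypeError):
            return None
        if not hmac.compare_digest(self._mac(payload), mac):
            return None
        claims = json.loads(payload)
        if now >= claims["exp"] or claims["nonce"] in self.used_nonces:
            return None
        self.used_nonces.add(claims["nonce"])
        record = {
            "consumer_id": claims["sub"],
            "request_type": claims["typ"],
            "verified_at": now,
            "respond_by": now + RESPONSE_WINDOW_SECONDS,
        }
        self.verified.append(record)
        return record


if __name__ == "__main__":
    intake = RightsRequestIntake(secret=secrets.token_bytes(32))
    print(intake.submit("alice@example.com", "delete"))
    record = intake.confirm(intake.outbox[0]["token"])
    print("verified request:", record)
    print("replay accepted?", intake.confirm(intake.outbox[0]["token"]) is not None)
```

The deadline recorded in `respond_by` starts from verification, which is the point at which you have a request you can act on; keeping the token bound to a single request type stops a verified "access" link from being reused to trigger a deletion.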

Disclose How Users Can Opt Out

This section of your Privacy Policy should clearly describe what targeted advertising or profiling purposes you use personal data for, and include a link to a website where consumers (or their agents) can opt out of the processing of their personal data for those purposes.

If an opt-out conflicts with consent the consumer gave you earlier (for example, by joining a loyalty program), you can either honor the opt-out or notify the consumer of the conflict and let them choose.

First Tech Federal Credit Union's Privacy Statement explains how consumers can opt out of tracking by first- and third-party cookies, and includes links to its Opt Out page for consumers who don't want their personal data used for third party advertising or don't wish to receive promotional communications from the company:

First Tech Federal Credit Union Privacy Notice: Choices about how we use and disclose your information clause

The Types of Personal Data You Share With Third Parties

You will need to disclose the categories of personal data you share with third parties.

Fisher Investments' Privacy and Cookie Policy lists the types of personal information it collects and what it uses it for, including sharing it with third parties:

Fisher Investments Privacy and Cookie Policy: Information collected and how it is used clause excerpt

The Third Parties You Share Personal Data With

This clause lists the third parties you share consumers' personal data with, such as service providers, parent companies, and affiliates.

Dutch Bros Coffee's Privacy Policy lists the types of third parties it shares personal data with, including service providers, business partners, and ownership entities if the business changes hands:

Dutch Bros Coffee Privacy Policy: How we share your information with others clause

Your Contact Information

The Oregon OCPA specifies that your contact information must identify your business name and be available in an online format, such as an email address or website contact form.

Comcast's Privacy Statement includes an email address consumers can use to contact it with questions or concerns:

Comcast Privacy Statement: Contact clause

After you create your Privacy Policy, make sure to display it and get users to agree to it.

What are the Penalties for Not Complying With the Oregon Consumer Privacy Act (OCPA)?

The Attorney General is responsible for enforcing the Oregon Consumer Privacy Act (OCPA). There is no private right of action with this law.

If you are found to be in violation of the Oregon OCPA, the Attorney General will notify you of the violation(s), and you will have 30 days from receiving the notice to cure them.

If you do not cure the violations within the 30-day period, the Attorney General can take action against you, with civil penalties of up to $7,500 per violation, plus attorney fees. Note that this right to cure expires on January 1, 2026; after that date the Attorney General can bring an action without first giving notice and a cure period.

Section 9 (4)(a) of the OCPA explains that the Attorney General will notify an organization found to be in violation of the law, and that the organization will have 30 days to cure the violation:

Oregon OCPA Section 9 4 a

Summary

The Oregon Consumer Privacy Act (OCPA) is Oregon's primary data protection law. It provides consumers with rights regarding their personal data and outlines the steps applicable organizations need to take in order to comply with the law.

The Oregon OCPA applies to data controllers (those who decide how and why to process personal data) and data processors (those who process (use) personal data) that do business in Oregon or provide goods and services to Oregon residents and meet the following criteria within a one-year period:

  • Control or process personal data belonging to 100,000 or more consumers, or
  • Control or process personal data belonging to 25,000 or more consumers and get 25% or more of their annual gross revenue from selling personal data

Certain types of data (including employment and emergency contact information) and the following entities are exempt from the Oregon OCPA:

  • Public corporations
  • Public bodies
  • Certain financial institutions
  • Insurance producers and consultants
  • The noncommercial activities of publishers, radio and TV stations, and nonprofits that provide programming to them (nonprofits in general are covered from July 1, 2025)

To comply with Oregon's OCPA, you should take the following steps:

  1. Respond to consumer rights requests in a timely manner
  2. Only collect necessary information that fulfills the purposes disclosed to consumers
  3. Keep the personal data you collect and process secure
  4. Get consent before processing certain types of personal data, including sensitive data
  5. Give consumers a way to opt out of the processing and/or sale of their personal data
  6. Regularly conduct data protection assessments
  7. Maintain and display a clearly written and regularly updated Privacy Policy

An Oregon OCPA-compliant Privacy Policy should contain relevant clauses, including:

  • What personal data you process
  • Why you process personal data
  • How consumers can exercise their rights (including how they can opt out of the processing of their personal data)
  • What personal data you share with third parties
  • What third parties you share personal data with
  • Your contact information

If you are found in violation of the OCPA and do not cure the violation(s) within 30 days of receiving notification from the Attorney General (the cure period ends January 1, 2026), you can be charged a civil penalty of up to $7,500 per violation.
