
Oregon Consumer Privacy Act – an overview

With the Oregon Consumer Privacy Act in effect since July 1, 2024, companies doing business in the state need to comply with its provisions regarding the processing of Oregon residents’ personal data.

Jul 19, 2024

Oregon became the twelfth state in the United States to enact comprehensive data privacy legislation when Governor Tina Kotek signed SB 619 into law on July 18, 2023. The Oregon Consumer Privacy Act (OCPA) took effect for most organizations on July 1, 2024. Nonprofits, however, have until July 1, 2025, to ensure they meet the law’s requirements.

We look at the Oregon privacy law, who it protects, and what it means for businesses that do business in the state and collect personal data.

What is the Oregon Consumer Privacy Act?

Oregon’s consumer privacy law protects the privacy and personal data of over 4.2 million residents of the state, who are defined as consumers under the law. These protections apply when individuals are acting in personal or household contexts, not in their roles as employees. The law establishes data privacy obligations for businesses operating within Oregon or those offering goods and services to its residents.

Like other US state-level data privacy laws, the OCPA adopts an opt-out consent model by which organizations can collect personal data without prior consent from consumers in most cases. Companies that gather personal data must inform data subjects about their data collection and processing practices, typically through a privacy policy on their website. This policy must detail the types of data collected, how it’s used, who it’s shared with, and the rights of consumers, among other information.

Who must comply with the Oregon Consumer Privacy Act?

The OCPA sets compliance thresholds for organizations that are similar to those found in several other US consumer privacy laws. In line with the more recent state-level US privacy laws, however, Oregon’s does not include a compliance threshold based only on revenue.

The Oregon data privacy law applies to organizations that, over the course of a calendar year, control or process the personal data of either:

  • 100,000 consumers, excluding those involved solely in payment transactions

or

  • 25,000 consumers, if 25 percent or more of the organization’s annual gross revenue is derived from the sale of personal data

Exemptions to Oregon CPA compliance

The OCPA distinguishes itself from other data privacy laws by including exemptions related to specific types of data and processing activities in addition to the exemptions for entities. For instance, unlike many regulations that directly reference the Health Insurance Portability and Accountability Act (HIPAA), the OCPA specifically applies to protected health information that is collected and processed in compliance with HIPAA.

Exempted organizations and their activities include:

  • government agencies and public bodies
  • consumer reporting agencies
  • financial institutions as well as their entities and affiliates, subject to the Gramm-Leach-Bliley Act (GLBA)
  • insurance companies
  • nonprofit organizations established to detect and prevent insurance fraud
  • press, wire, or other information service and non-commercial activities of media entities

Exempted regulations and data processed relevant to them include:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Care Quality Improvement Act
  • Airline Deregulation Act
  • Driver’s Privacy Protection Act
  • Fair Credit Reporting Act (FCRA)
  • Family Educational Rights and Privacy Act (FERPA)

Definitions in the Oregon Consumer Privacy Act

The Oregon privacy law defines some key terms related to types of data, processing activities, and entities that process them.

What is personal data under the OCPA?

The law defines personal data as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”

It specifically excludes:

  • deidentified data
  • data that is publicly available through government records or widely distributed media
  • data that the consumer has made available to the public

What is sensitive data under the OCPA?

Sensitive data includes personal data that requires special handling as its unlawful access or misuse could cause harm to consumers. It includes personal data that would reveal the consumer’s:

  • racial or ethnic background
  • national origin
  • religious beliefs
  • mental or physical condition or diagnosis
  • sexual orientation
  • status as transgender or non-binary
  • status as a victim of crime
  • citizenship or immigration status

Genetic or biometric data and data that identifies the consumer’s precise present or past geolocation (within 1,750 feet or 533.4 meters) are also considered sensitive data. Biometric data does not include facial geometry or mapping, except when used specifically for identifying an individual.

Oregon’s privacy law sets a precedent among US consumer privacy laws by categorizing transgender or non-binary gender expressions and the status as a victim of a crime as sensitive data.

All personal data belonging to children under 13 years of age is also considered sensitive data under the Oregon privacy law.

The law’s definition of sensitive data excludes “the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.”

What is consent under the OCPA?

Like many other data privacy laws in the US and worldwide, the Oregon CPA takes the European Union’s General Data Protection Regulation (GDPR)’s lead in defining valid consent: “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.”

The law names two explicit exclusions from valid consent:

  • inaction on the consumer’s part does not constitute consent
  • the user interface through which consent is solicited must not attempt to obscure, subvert, or impair the consumer’s choice

These conditions reflect a broader trend against the use of dark patterns by websites, which are increasingly being prohibited by data protection authorities due to their manipulative nature.

Who is a controller under the OCPA?

A controller under the law is “a person that, alone or jointly with another person, determines the purposes and means for processing personal data.”

Although the Oregon privacy law uses the term “person” in its definition of controller, businesses and other entities that collect and process personal data will likely be considered controllers due to their role in determining how and why personal data is processed.

Who is a processor under the OCPA?

Similar to the definition of a controller, the Oregon CPA uses the term “person” to define a processor. In practice, this often refers to companies or other organizations. A processor under the law is “a person that processes personal data on behalf of a controller.” This can include third parties such as advertising partners or fulfillment companies.

What is processing under the OCPA?

Processing under the Oregon data privacy law refers to any action or set of actions performed on personal data, whether automatically or manually. This includes the following activities performed on personal data:

  • collection
  • use
  • storage
  • disclosure
  • analysis
  • deletion
  • modification

What is profiling under the OCPA?

The Oregon data privacy law defines profiling as “an automated processing of personal data for the purpose of evaluating, analyzing or predicting an identified or identifiable consumer’s economic circumstances, health, personal preferences, interests, reliability, behavior, location or movements.”

Profiling is now a common element in data privacy laws, particularly because it often involves “automated decision-making”, which can include the use of AI technologies.

What is targeted advertising under the OCPA?

The law defines targeted advertising as advertising that is “selected for display to a consumer on the basis of personal data obtained from the consumer’s activities over time and across one or more unaffiliated websites or online applications and is used to predict the consumer’s preferences or interests.”

The definition excludes:

  • ads based on activities within a controller’s own websites or online applications
  • ads based on the context of a consumer’s current search query, visit to a specific website or use of an online application
  • ads directed to a consumer in response to their request for information or feedback
  • processing of personal data solely for the purpose of measuring or reporting an ad’s frequency, performance, or reach

The inclusion of targeted advertising in data privacy laws is also becoming more common, as targeted advertising can involve the use of advanced technologies like AI tools.

What is a sale under the OCPA?

Sale under the Oregon privacy law means “the exchange of personal data for monetary or other valuable consideration by the controller with a third party.”

The definition excludes disclosures of personal data:

  • to a processor
  • to a controller’s affiliate or to a third party for the purpose of enabling the controller to provide a product or service that the consumer
  • to a third party as part of a proposed or completed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller’s assets, including the personal data, as well as the transfer of personal data in this circumstance
  • that occur because a consumer:
    • directs a controller to disclose the personal data
    • intentionally discloses in the course of directing a controller to interact with a third party
    • intentionally discloses the personal data to the public by means of mass media, if the disclosure is not restricted to a specific audience

Consumers’ rights under the Oregon consumer protection law

Consumers in Oregon have the following rights, which are mostly in line with other data privacy laws in the US.

  • Right to access: consumers can request confirmation as to whether the controller is processing the consumer’s personal information or has processed it, the categories the controller is processing or has processed, and access to that data, with exceptions
  • Right to know: consumers can request a list of the specific third parties the controller has disclosed personal data to, excluding natural persons
  • Right to correction: consumers can require controllers to correct any inaccurate personal data the controller has about them
  • Right to delete: consumers can require controllers to delete any personal data the controller has about or from the consumer, with some exceptions
  • Right to portability: consumers can request a copy of their personal data in a readily usable format, with some exceptions
  • Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale, use in targeted advertising, or profiling in furtherance of “decisions that produce legal or similarly significant effects”

Consumers can authorize an agent to manage their data privacy preferences, including opting out through electronic means or a universal signal.

The “right to know” under Oregon’s data privacy law introduces a distinct requirement where controllers must keep a precise list of third parties with whom they’ve shared personal data, rather than just outlining types or categories of recipients. This means that, upon request, controllers must be able to specify by name which third parties have received consumer data.

Parents or guardians can exercise privacy rights on behalf of children under the age of 13 years. The OCPA treats data related to children as sensitive data, affording it additional protections. For adolescents between 13 and 15, however, consent must be explicitly granted by each person (opt-in) for certain data uses.

In addition to requesting a copy of their personal data, consumers can request that companies provide either a list of specific third parties who have received their data or a list of parties with whom the data is shared. Companies must respond to these requests within 45 days, with an option to extend the period by another 45 days if necessary. If the company needs to extend the period, they must notify the consumer during the first 45-day period.

Organizations can deny requests for various reasons, such as if they can’t reasonably verify the consumer’s identity or if the consumer has made too many requests in a 12-month period.

Unlike California, Oregon does not provide consumers with a private right of action to sue for violations of the privacy law, restricting them to seeking regulatory enforcement instead.

What are the requirements for the Oregon Consumer Privacy Act?

The Oregon data privacy law places several obligations on controllers to protect the personal data it collects from consumers.

Purpose limitation under the OCPA

Controllers must limit the personal data they collect to only what is “adequate, relevant and reasonably necessary to serve the purposes the controller specified.” If there is a change in the purposes for processing, the controller must inform the data subjects and, when applicable, obtain their new consent.

Data security under the OCPA

The law requires controllers to establish, implement, and maintain safeguards to protect personal data they collect and process, including deidentified data, to protect its confidentiality, integrity, and accessibility.

Oregon’s established privacy laws remain in force. These cover a range of protections, such as requiring necessary administrative, technical, and physical measures for storing and managing data, security requirements for IoT devices, and the obligation to provide truthful privacy and consumer protection notifications.

Data protection assessments (DPA) under the OCPA

Controllers must conduct and document data protection assessments (DPA), also known as data protection impact assessments (DPIA), when they undertake processing activities that present “a heightened risk of harm” to a consumer, such as:

  • processing for the purposes of targeted advertising
  • processing sensitive data
  • selling personal data
  • processing for the purposes of profiling if there is a reasonably foreseeable risk of:
    • unfair or deceptive treatment or impact on consumers
    • financial, physical, or reputational injury
    • offensive physical or other intrusion into consumers’ private affairs
    • other substantial injury to consumers

The Attorney General may require a controller to perform a DPA or share its findings during an investigation.

Consent requirements under the OCPA

Oregon’s data privacy law operates on an opt-out model in many cases, meaning controllers aren’t required to obtain user consent before collecting or processing personal data unless it is sensitive data. To help consumers make informed consent decisions, controllers must inform them about what personal data is collected and processed, the purposes of processing, who the data is shared with, and consumers’ rights and how those rights can be exercised.

Controllers must provide consumers with clear and accessible information on how to opt out of data processing, and enable them to withdraw consent at any time and as simply as they gave it. Once consent is withdrawn, data processing must cease promptly, and no later than 15 days from withdrawal.

Like many privacy laws in the US, the Oregon CPA follows the federal Children’s Online Privacy Protection Act (COPPA) and requires a parent or legal guardian to consent to the processing of personal data of children under 13, and opt-in consent from consumers aged 13 to 15.

Nondiscrimination under the OCPA

The OCPA prohibits any discrimination against consumers and bars the processing of personal data in ways that breach state or federal anti-discrimination laws. Specifically, controllers cannot discriminate against consumers for exercising their rights under the law. For instance, if a consumer opts out of data processing on a website, they should not be prevented from using that website or any of its features.

Some website features and functions require the use of specific cookies or trackers to work properly. If a consumer chooses not to enable these technologies because they collect personal data, the website may not function optimally. This is not considered discrimination.

Website operators and other controllers can provide voluntary incentives to encourage consumers to participate in activities that involve the collection of personal data, such as signing up for newsletters, completing surveys, or joining loyalty programs. These incentives must be proportionate and reasonable to the type and amount of data collected, ensuring they do not appear as bribes or payments for consent, which are viewed unfavorably by data protection authorities.

Privacy notice requirement under the OCPA

The Oregon CPA requires controllers to publish a reasonably accessible, clear and meaningful privacy notice, which must include information on:

  • categories of personal data processed, including categories of sensitive data, if any
  • purpose(s) for processing personal data
  • categories of personal data shared with third parties, including categories of sensitive data, if any
  • categories of third parties with which the controller shares personal data, detailed enough for consumers to understand:
    • the type of entity each third party is
    • how each third party may process personal data
  • how consumers can exercise their rights under the law, including how to:
    • appeal a controller’s denial of a consumer request
    • opt out of processing of personal data for targeted advertising or profiling
    • submit a consumer rights request
  • active email address or other online method to contact the controller
  • identity of the controller, including any business name registered and/or used in Oregon
  • “clear and conspicuous description” of any processing of personal data for the purpose of targeted advertising or profiling “in furtherance of decisions that produce legal effects or effects of similar significance”

The privacy notice or privacy policy must be easy for consumers to access and is often linked in the footer of the controller’s website to ensure it is visible and reachable from any page on the site.

Third party contracts under the Oregon CPA

Controllers must enter into contracts with third-party processors before data processing begins. These legally binding contracts, referred to as “data processing agreements” in regulations like the GDPR, must clearly outline processing requirements, including:

  • clear instructions for processing data, including:
    • nature and purpose of the processing
    • type of data that is subject to processing
    • duration of the processing
  • duty of confidentiality
  • rights and obligations of both parties
  • the processor’s responsibility to:
    • delete or return the personal data to the controller upon termination of their services or at the controller’s request
    • at the controller’s request, provide all information necessary to demonstrate compliance with the contract
    • if subcontractors are involved, sign agreements with them that uphold the same data protection standards set in the contract with the controller
    • allow the controller, a person appointed by the controller or an independent person they engage to assess their compliance with the OCPA’s requirements

Universal opt-out mechanism

Starting January 1, 2026, organizations that fall under the purview of the Oregon CPA must accept a universal opt-out mechanism, known as a global opt-out signal. This includes the Global Privacy Control. This mechanism enables consumers to set their personal data processing preferences just once, often through a web browser plugin. These preferences are then automatically communicated to any website or platform that the individual visits, which detects the signal.

Recognizing a universal opt-out mechanism isn’t yet a standard requirement across all data privacy laws in the US or internationally, but it is becoming more common in newer legislation.

Enforcement of the Oregon Consumer Privacy Act

The enforcement of the Oregon Consumer Privacy Act, like US consumer privacy laws in most other states, falls under the jurisdiction of the Attorney General’s office. Consumers with complaints about how their data is processed or their requests have been handled can file complaints with the Attorney General. On receiving a complaint, the Attorney General’s office must notify the organization and inform them if an investigation is commenced. During the investigation, the Attorney General’s office may request data protection assessments and additional information from controllers. The time limit for initiating enforcement actions is five years from the last violation.

Controllers are entitled to legal representation and to decline answering questions during investigative interviews. The Attorney General’s office cannot have experts present at investigative interviews and cannot share any documents collected during investigations with experts who are not its employees.

From July 1, 2024, to January 1, 2026, the Attorney General must send a letter to the controller providing 30 days to cure a correctable violation. If the controller does not correct the violation within the 30-day cure period, the Attorney General may bring an action seeking civil penalties without any further notice. This letter is not required if the Attorney General finds that the violation cannot be corrected.

The 30-day right to cure the violation sunsets on January 1, 2026, after which date the Attorney General may initiate enforcement actions immediately.

Fines and penalties under the OCPA

If the controller does not correct the violation within the 30-day cure period, or if the cure period is not granted, the Attorney General may bring an action seeking civil penalties of up to USD 7,500 for each violation without any further notice. Beyond civil penalties, the Attorney General may also pursue additional remedies such as injunctive relief, restitution, or disgorgement.

If the Attorney General’s action is successful, a court may also award reasonable attorney’s fees, expert witness fees, and costs of the investigation to the Attorney General. However, if a court determines that the Attorney General lacked a reasonable basis for alleging a violation of the OCPA, it may grant reasonable attorney’s fees to the defendants.

The Oregon Consumer Privacy Act and consent management

Oregon’s privacy law operates on an opt-out consent model, meaning companies don’t need to obtain consent before they start collecting or processing personal data, unless it is sensitive data or belongs to a child.

However, consumers must be clearly informed about the types of data being collected, the purposes for its use, with whom the data is shared, and whether it will be sold or used for targeted advertising or profiling. Consumers must also be made aware of their rights under the OCPA and how to exercise them, including how to opt out of data processing or change previously made consent choices. This information is usually provided in a regularly updated privacy policy.

Starting in 2026, organizations will be required to recognize and respect consumer consent preferences that are communicated through a universal opt-out signal, such as Global Privacy Control.

To help users easily choose not to share their personal data through cookies and similar tools, or to stop data collection and processing, websites often display a cookie consent banner with a clear link or button for these actions. A consent management platform (CMP) like Cookiebot CMP can automatically identify and manage the tracking technologies on a website, block their use until the user gives consent, and keep them blocked if the user declines or revokes consent.


Implementing a CMP also simplifies the process of providing detailed information about the types of data collected, the specific services the controller and/or processor(s) use, and the third parties that receive the data.

The United States does not have a unified federal privacy law, instead relying on a variety of state-level privacy laws. This means companies operating across the nation, or international organizations doing business in the US, may need to comply with data protection laws in multiple states. A CMP can simplify this process by enabling banner customization and geotargeting to tailor data processing and consent information based on a user’s location.

Preparing for the Oregon Consumer Privacy Act

As of July 1, 2024, organizations operating in Oregon must comply with the OCPA. Certain parts of the law, such as those affecting nonprofits or the adoption of the universal opt-out signal, will phase in over the following one to two years.

Companies that are already in compliance with state-level laws such as the Virginia Consumer Data Privacy Act (VCDPA) or the Texas Data Privacy and Security Act (TDPSA) may find they’ve covered much of the groundwork needed for the Oregon CPA. However, organizations must understand the specific requirements of each state’s laws and should seek advice from qualified legal counsel or their own data protection officers or privacy experts. Adopting a privacy by design approach can also enhance an organization’s operations beyond compliance with data privacy laws.

Taking proactive steps to protect user privacy can enhance user engagement and trust, improve the user experience, and strengthen long-term customer relationships, leading to the collection of higher quality data for marketing purposes and, potentially, a boost in revenue.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
