The Oregon Consumer Privacy Act (OCPA), established under Senate Bill 619 (SB 619) and signed into law on March 8, 2023, introduces comprehensive data privacy rights for Oregon residents and new obligations for businesses, effective July 1, 2024.
The Oregon Consumer Privacy Act (OCPA) is similar to other comprehensive US state laws like those in Colorado (CPA) and Connecticut (CTDPA). However, it uniquely offers consumers the right to know a list of the specific third parties that have received their personal data or any personal data from a controller.
Also notably, it does not have a revenue threshold for businesses subject to regulations. Subjectivity relies on the number of consumers: processing at consumer data of at least 100,000 Oregon residents, OR at least 25,000 residents and 25% of revenue derived from collection of personal data.
The Oregon Consumer Privacy Act (OCPA) includes key definitions that establish its scope and application. These definitions are detailed in Senate Bill 619 (SB 619), Section 1, providing clarity on terms such as personal data, sensitive data, controllers, processors, and the sale of data, ensuring businesses understand their compliance obligations.
Key definitions in this Oregon privacy law include:
Personal Data: Information linked to an identifiable individual, excluding publicly available or de-identified data.
Sensitive Data: Includes racial or ethnic origin, religious beliefs, health data, genetic or biometric information, sexual orientation, and precise geolocation.
Consumer: An Oregon resident acting in a personal, family, or household context, excluding individuals in a business or employment role.
Controller: An entity determining the purpose and means of processing personal data.
Processor: An entity processing personal data on behalf of a controller.
Sale of Data: The exchange of personal data for monetary or other valuable consideration.
De-identified Data: Information that cannot reasonably be linked to an individual.
Who must comply with the OCPA?
The OCPA applies to businesses that:
Process personal data of 100,000 or more Oregon consumers annually.
Process personal data of 25,000 or more Oregon residents and derive more than 25% of their annual gross revenue from selling personal data.
The OCPA also applies to certain nonprofit organizations. This makes the OCPA broader than many other state privacy laws. Nonprofits have until July 1, 2025, to meet compliance requirements.
“Consumer” means a natural person who resides in this state and acts in any capacity other than in a commercial or employment context.
Nonprofits dedicated to fraud prevention in insurance.
Businesses that fall under these thresholds must comply with the OCPA's requirements, including transparency, consent, and data protection standards.
Key provisions of the OCPA
1. Consumer rights
Access: Consumers can confirm whether a business is processing their personal data and access that data.
Correction: Consumers can correct inaccuracies in their personal data.
Deletion: Consumers can request the deletion of their personal data.
Data portability: Consumers can obtain a copy of their personal data in a portable format.
Opt-out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
The Oregon Consumer Privacy Act defines personal and biometric data broadly, protects consumer data rights holistically, and holds companies that have access to our data to high standards. This is a huge win for Oregonians and sets a high-water mark for consumer data privacy nationwide.
The Oregon Consumer Privacy Act (OCPA) primarily operates on an opt-out model, meaning consumers must take action to opt out of:
Targeted advertising.
The sale of personal data.
Profiling decisions that produce significant effects.
However, for sensitive data, the OCPA requires an opt-in model, where businesses must obtain explicit consumer consent before processing sensitive data, such as health information, genetic or biometric data, precise geolocation, or racial/ethnic origin.
This dual approach balances consumer rights with business flexibility.
2. Sensitive data protections
Businesses must obtain explicit consent to process sensitive data, which includes:
Biometric or genetic data.
Health-related data.
Precise geolocation.
Sexual orientation or religious beliefs.
Data about racial or ethnic origin.
3. Business obligations
Transparency: Businesses must provide clear privacy notices detailing data collection and processing practices.
Data Minimization: Limit data collection to what is necessary for the specified purpose.
Security Measures: Implement reasonable administrative, technical, and physical safeguards to protect personal data.
Consent for Sensitive Data: Obtain explicit consent before processing sensitive data.
Data Protection Assessments: Conduct assessments for processing activities that present a heightened risk of harm, such as targeted advertising or the sale of personal data.
4. No Private Right of Action
The OCPA does not allow individuals to sue for violations, relying solely on enforcement by the Oregon Attorney General.
Requirements for businesses under the OCPA
The Oregon Consumer Privacy Act (OCPA) mandates that businesses:
Provide clear privacy notices: Inform consumers about data collection and processing practices Limit data collection: Gather only data necessary for specified purposes
Implement data security measures: Protect personal data from unauthorized access Obtain consent for sensitive data: Secure explicit consent before processing sensitive information
Facilitate consumer rights requests: Enable consumers to access, correct, delete, and obtain their data, and opt out of data sales or targeted advertising
These requirements aim to enhance consumer privacy and data protection in Oregon.
Penalties for non-compliance
The Oregon Consumer Privacy Act (OCPA) is enforced exclusively by the Oregon Attorney General. Upon identifying a violation, the Attorney General will notify the business, granting a 30-day period to rectify the issue.
If the violation remains unaddressed after this period, the Attorney General may impose civil penalties of up to $7,500 per violation. It's important to note that the provision allowing a 30-day cure period is set to expire on January 1, 2026. After this date, the Attorney General may proceed directly with enforcement actions without offering a cure period.
Additionally, the OCPA does not provide a private right of action, meaning consumers cannot sue businesses directly for violations; enforcement is solely the responsibility of the Attorney General's office.
To avoid these penalties, businesses should ensure compliance with the OCPA's requirements, including transparency in data practices, honoring consumer rights, and implementing robust data security measures.
The impact of the OCPA on businesses
Businesses must evaluate and adjust their data processing activities to comply with the OCPA. This includes updating privacy policies, implementing data protection measures, and establishing processes to respond to consumer rights requests.
1. Compliance obligations
Data protection assessments: Businesses must conduct assessments for processing activities that present a heightened risk of harm to consumers, such as targeted advertising, sale of personal data, or profiling.
Consumer rights requests: Businesses are required to establish processes to respond to consumer requests to access, correct, delete, or obtain a copy of their personal data, and to opt out of the sale of their data, targeted advertising, or profiling.
2. Operational adjustments
Data minimization: Businesses must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the specified purposes.
Security measures: Implementing reasonable administrative, technical, and physical safeguards to protect personal data is mandatory.
3. Enforcement and penalties
Attorney general enforcement: The Oregon Attorney General has exclusive authority to enforce the OCPA.
Civil penalties: Non-compliance can result in civil penalties of up to $7,500 per violation.
4. Exemptions
Certain entities: The OCPA does not apply to specific entities, including state, local, and tribal governments; financial institutions as defined in ORS 706.008; and certain insurers, insurance producers, and insurance consultants defined in Oregon laws.
Businesses should review the OCPA's provisions carefully to ensure compliance and avoid potential penalties. Consulting with legal counsel is advisable to navigate the complexities of the law.
The impact of the OCPA on consumers
The Oregon Consumer Privacy Act (OCPA) enhances consumer data privacy rights and imposes new obligations on businesses operating within the state.
Key impacts on consumers also include:
1. Increased transparency
Businesses are required to provide clear and accessible privacy notices, informing consumers about data collection, usage, and sharing practices.
2. Greater control over sensitive data
The OCPA requires businesses to obtain explicit consent before processing sensitive personal data, such as information revealing racial or ethnic origin, religious beliefs, health conditions, or precise geolocation.
3. Protection for minors
The OCPA includes specific provisions to protect the personal data of minors, requiring parental consent for children under 13 and consent from teenagers aged 13 to 15 for certain data processing activities.
These provisions empower Oregon consumers with greater control over their personal data, enhancing privacy and fostering trust in how businesses handle their information.
How the OCPA compares to other U.S. data privacy laws
The OCPA aligns with privacy laws in states like California, Colorado and Virginia but is notable for its broad applicability, including certain nonprofit organizations, and its specific requirements for data protection assessments.
State
Scope
Effective Date
Key Features
Penalties for Non-Compliance
Connecticut (CTDPA)
Connecticut residents
July 1, 2023
Similar to GDPR; right to access and correct data
$5,000 per violation
Colorado (CPA)
Colorado residents
July 1, 2023
Opt-out for targeted advertising; sensitive data consent
Up to $20,000 per violation
California (CCPA/CPRA)
California residents
January 1, 2023
Right to access, delete, opt-out; data protection assessments
Up to $7,500 per violation
Virginia (VCDPA)
Virginia residents
January 1, 2023
Opt-out rights, data protection assessments, consumer rights
Up to $7,500 per violation
Texas (TDPSA)
Texas residents
July 1, 2024
Consumer rights, data protection, opt-out of data sales
Up to $7,500 per violation
Oregon (OCPA)
Oregon residents
July 1, 2024
Strong consumer rights, opt-out options, data minimization
Up to $7,500 per violation
Iowa (ICDPA)
Iowa residents
January 1, 2025
Data protection, opt-out of data sharing
Up to $7,500 per violation
Minnesota (MCDPA)
Minnesota residents
July 31, 2025
Consumer data rights, opt-out options
TBD
What makes the OCPA stand out?
While the OCPA shares commonalities with other state privacy laws, its unique provisions—particularly the right to request third parties list, broad definition of sensitive data, inclusion of nonprofits, specific protections for minors, and the absence of a revenue threshold—set it apart, reflecting Oregon's commitment to comprehensive consumer data protection:
Right to request third parties: The OCPA gives consumers the right to know a list of the specific third parties that have received their personal data or any personal data from a controller.
Broad Definition of sensitive data: The OCPA defines "sensitive data" more expansively than many other state laws, including information about an individual's status as transgender or non-binary, status as a victim of crime, and citizenship or immigration status. This comprehensive definition ensures enhanced protection for vulnerable populations.
Applicability to nonprofits: Unlike several state privacy laws that exempt nonprofit organizations, the OCPA includes them within its scope, with limited exceptions. This inclusion broadens the act's applicability and ensures a wider range of organizations adhere to data privacy standards.
Protections for minors: The OCPA requires parental consent for processing the personal data of children under 13 and mandates obtaining consent from teenagers aged 13 to 15 for certain data processing activities, such as targeted advertising and profiling. This provision offers robust safeguards for minors' data.
Absence of revenue threshold: The OCPA applies to businesses based on the number of consumers whose data they process, without setting a minimum revenue threshold. This criterion ensures that even smaller businesses with significant data processing activities are subject to the law's requirements.
How Ketch can simplify OCPA compliance
Complying with the OCPA and other state privacy laws can be simpler than you think. The Ketch data permissioning platform helps businesses stay compliant by:
Third parties list export: Ketch makes it easy to export and send consumers a list of third parties with which you process personal data.
OCPA policy template: Ketch Consent Management includes a pre-built policy template for the Oregon Consumer Privacy Act, with ability to customize rights as desired, no coding required to make changes.
Right for Consumers to Opt Out: The law permits consumers to opt out of the processing of personal data for the sale of personal data or for targeted advertisements. With Ketch Consent Management, businesses can offer clear privacy notices with this option specific to Oregon residents.
Requirement to respect universal opt-out mechanisms (UOOMs): UOOMs are tools that a consumer can use to opt out of online personal data processing. The most well-known and recognized example is the Global Privacy Control (GPC). Ketch makes it easy for companies to comply with GPC signals, enabling automatic recognition of GPC in the consumer’s browser. OCPA requires UOOM compliance by Jan 1, 2026.
Data subject rights: The law provides consumers with right to access, correct, delete, and obtain a copy of their personal data. Ketch enables end-to-end DSR fulfillment with capabilities like drag-and-drop workflow builder, smart routing, and task-level automation.
Preparing your business for OCPA compliance
The OCPA represents a significant advancement in consumer data protection in Oregon. Businesses should act promptly to align their practices with the new requirements, ensuring compliance and building consumer trust.
Contact Ketch today to streamline your compliance and future-proof your privacy strategy.
This a sample accordion element needed for script above to work
Ketch supports compliance with major privacy laws, including GDPR, CCPA, CPRA, and various emerging US state laws, ensuring businesses meet global and local data privacy requirements.
What is the OCPA's stance on data minimization? The OCPA mandates that businesses collect only personal data that is adequate, relevant, and reasonably necessary for the specified purposes disclosed to consumers. This principle of data minimization ensures that organizations do not gather excessive information beyond what is required for their operations.
How does the OCPA address data protection assessments? Businesses are required to conduct Data Protection Assessments (DPAs) before engaging in processing activities that present a heightened risk of harm to consumers. This includes processing personal data for targeted advertising, sale, profiling, and any processing of sensitive data. DPAs help identify and mitigate potential risks associated with data processing activities.
Does the OCPA apply to data collected for employment purposes? No, the OCPA does not apply to data maintained for employment records purposes. The term "consumer" refers to an individual acting in a personal context and does not include individuals in a commercial or employment context.
Are there specific requirements for businesses regarding privacy notices under the OCPA? Yes, businesses must provide a privacy notice that includes information on the types of personal data processed, the purposes for processing, any sharing of personal data with third parties, and instructions on how consumers can exercise their rights under the OCPA. The notice should also provide a way for consumers to contact the business regarding privacy-related issues.
How does the OCPA define a "sale" of personal data? A "sale" is defined as the exchange of personal data for monetary or other valuable consideration between a controller and a third party. This could include activities like exchanging customer lists. There are specific exceptions to this definition outlined in the law.
What obligations do processors have under the OCPA Processors, or vendors and service providers that maintain or provide services involving personal data on behalf of a controller, must process data only at the request and under the direction of the controller. They are contractually bound by the controller’s instructions and are obligated to assist the controller in fulfilling their duties regarding personal data.
Does the OCPA require businesses to obtain consent for processing personal data of teenagers? Yes, if a business knows that a consumer is at least 13 years old but less than 16 years old, it must obtain consent to process the consumer’s personal data for purposes of sale, targeted advertising, or profiling. For children under 13, parental consent is required.
How should businesses authenticate consumer requests under the OCPA? Businesses should use commercially reasonable methods to authenticate consumers when they make rights requests. The method should consider factors such as the type and sensitivity of personal data involved, the potential harm from improper access, and the cost of authentication. Methods should not place an unreasonable burden on the consumer.
Does the OCPA apply to small businesses? The Oregon Consumer Privacy Act (OCPA) applies to businesses that meet specific thresholds:
Processing personal data of 100,000 or more Oregon consumers annually
Processing personal data of 25,000 or more Oregon consumers and deriving over 25% of annual gross revenue from the sale of personal data
Small businesses that do not meet these criteria are generally exempt from the OCPA's requirements.
Matt George is the Data Protection Officer at Ketch. A seasoned privacy attorney with a strong IT and data management background, he is also CIPP/US and CIPP/A certified from IAPP.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat—regulators across Europe and now the United States are charging brands with irresponsible handing of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.
.webp)
