Oregon Consumer Privacy Act (OCPA)

    Overview

    The Oregon Consumer Privacy Act (OCPA), passed in 2023, grants Oregon residents greater control over their personal data and imposes specific obligations on businesses that process or sell such data. This law establishes comprehensive privacy rights and sets clear guidelines for businesses operating in the state. 

     

     

    Regulation Summary

    Timeline
    • June 20-22, 2023: OCPA passed in the Oregon Senate and House.
    • July 1, 2024: Law becomes effective.
    • January 1, 2026: Specific provisions, including data protection assessments, become enforceable.
    What Businesses Are Affected
    • Businesses processing data of 100,000 or more consumers annually.
    • Businesses deriving at least 25% of annual revenue from selling the personal data of 25,000 or more consumers.
    Exemptions
    • Nonprofit organizations under section 501(c)(3) of the Internal Revenue Code (until July 1, 2025).
    • Entities governed by specific federal laws, such as:
      • HIPAA, GLBA, and FERPA.
      • Fair Credit Reporting Act compliance.
      • Driver’s Privacy Protection Act of 1994.
    Responsibilities for Businesses
    • Data Minimization: Limit data collection to what is relevant and necessary for stated purposes.
    • Transparency: Provide a clear privacy notice detailing data practices, consumer rights, and contact methods.
    • Opt-Out Rights: Offer mechanisms for consumers to opt out of data sales, targeted advertising, or profiling.
    • Sensitive Data Consent: Obtain explicit consent before processing sensitive personal data.
    • Data Security: Implement safeguards to protect personal data.
    Specific Responsibilities for Website Owners
    • Establish a designated request address for consumer inquiries and opt-out requests.
    • Respond to verified consumer requests within 45 days, with a possible extension of another 45 days.
    • Clearly disclose data collection and sharing practices in privacy notices.
    Additional Requirements
    • Data Protection Assessments: Required for high-risk activities, including:
      • Targeted advertising.
      • Sale of personal data.
      • Profiling that could lead to legal or significant effects on individuals.
    • Deidentified Data Management: Ensure deidentified data is not reidentified and maintain contractual safeguards for shared data.
    Data Subject Rights
    • Access: Request confirmation of data processing and obtain copies of personal data.
    • Correction: Rectify inaccuracies in personal data.
    • Deletion: Request deletion of personal data.
    • Opt-Out: Refuse the sale, targeted advertising, or profiling of personal data.
    Enforcement
    • Enforced by the Oregon Attorney General.
    • Cure Period: 30 days to address violations before enforcement.
    • Penalties: Up to $7,500 per violation.
    • No private right of action for individuals.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you..

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596