Oregon Consumer Privacy Act (OCPA): An Overview

Oregon was the twelfth state in the United States to pass comprehensive data privacy legislation with SB 619. Of note, Florida’s law is not universally considered “comprehensive” due to some scope restrictions, so Texas and Oregon are noted as being the 10th and 11th states to pass such laws, respectively.

The governor signed the bill into law on July 18, 2023, and the regulation goes into effect for most organizations on July 1, 2024. Nonprofits have an extra year to prepare, with their compliance required as of July 1, 2025.

2023 has seen unprecedented change in the US on the data privacy front, and while the country still does not have a federal data privacy law, eight US states have passed such laws between March and July 2023, with Iowa, Indiana, Tennessee, Montana, Florida, Texas and Oregon passing laws and receiving governors’ signatures. Delaware also passed the Delaware Personal Data Privacy Act (DPDPA) on June 30th, though as of early August it still awaits the governor’s signature to be finalized.

Additionally affecting the US, a new adequacy agreement with the EU-U.S. Data Privacy Framework was agreed upon and came into effect on July 10, 2023. The European Union and United States had been without such an agreement since 2020.

Oregon’s law follows other comprehensive state-level privacy laws fairly closely, and there are no big surprises, though it does reflect the evolution of technology and data privacy thought in some of its unique stipulations, particularly around definitions of personal data and related handling requirements.

The state of Oregon Consumer protection law protects the privacy and personal data rights of the state’s 4.2 million-plus residents acting in individual or household contexts, though not acting their capacity as employees. It establishes data privacy responsibilities for companies doing business in the state or providing goods and services targeted to Oregon residents.

Consistent with the other US state-level data privacy laws, the Oregon consumer protection law requires organizations that collect personal data to notify data subjects about data collection and processing, e.g. on a privacy policy page on the website. Notification requirements include what data is collected, how it’s used, if it’s shared and with whom, rights information, etc.

The Oregon privacy law uses an opt-out consent model, so organizations don’t have to obtain consumers’ consent before collecting personal data. They do have to provide the option for consumers to opt out of personal data sale, targeted advertising, or profiling “in furtherance of decisions that produce legal effects or effects of similar significance”. As is also standard with many data protection laws, organizations must enact and maintain reasonable security measures and protections for data they handle.

Refers to “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”

It should be noted that personal data (also called personal information) and personally identifiable data are not always the same thing, and distinctions are often made in data privacy laws.

Sensitive data is a category that includes types of personal data that could be embarrassing or used to do harm if unlawfully accessed or misused, and thus requires special handling. It refers to personal data that would reveal:

• racial or ethnic background
• national origin
• religious beliefs
• mental or physical condition or diagnosis
• genetic or biometric data
• sexual orientation
• status as transgender or non-binary
• status as a victim of crime
• citizenship or immigration status
• a child’s personal data
• precise present or past geolocation (within 1,750 feet or 533.4 meters)

Oregon’s law is the first of the US privacy laws to include transgender or non-binary gender expression as sensitive data, as well as status as a victim of crime. The definition of biometric data excludes facial geometry or mapping unless done for the purpose of identifying an individual.

An exception to the law’s definition of sensitive data includes “the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.”

Like many other data privacy laws, the Oregon data privacy law follows the European Union’s General Data Protection Regulation (GDPR) with regards to the definition of valid consent: “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.”

The definition also includes conditions for validity:

• the consumer’s inaction does not constitute consent
• the user interface used to request consent does not attempt to obscure, subvert, or impair the consumer’s choice

These conditions are highly relevant to consumers online and reflect that the use of manipulative dark patterns are increasingly frowned upon by data protection authorities, and more often specifically prohibited.

Refers to “a natural person who resides in this state and acts in any capacity other than in a commercial or employment context.”

Businesses and other organizations that collect and use personal data will likely qualify as controllers, though the law uses the word “person”. Controller is defined as “a person that, alone or jointly with another person, determines the purposes and means for processing personal data.”

Like controller, while the law references a person, in most cases this is likely to be done by a company or other organization. Processor is defined as “a person that processes personal data on behalf of a controller.” It could include third parties like advertising partners or fulfillment companies.

Profiling is increasingly becoming a standard inclusion in data privacy laws, particularly as it can relate to “automated decision-making” or the use of AI technologies. The Oregon data protection law defines profiling as “an automated processing of personal data for the purpose of evaluating, analyzing or predicting an identified or identifiable consumer’s economic circumstances, health, personal preferences, interests, reliability, behavior, location or movements.”

This is also increasingly becoming a standard inclusion in data privacy laws, and can refer to the use of emerging technologies like AI tools. The Oregon data privacy law defines targeted advertising as that which is “selected for display to a consumer on the basis of personal data obtained from the consumer’s activities over time and across one or more unaffiliated websites or online applications and is used to predict the consumer’s preferences or interests.”

Excluded from the definition of targeted advertising are ads that are:

• based on activities within a controller’s own websites or online applications
• based on the context of a consumer’s current search query, visit to a specific website or use of an online application
• directed to a consumer in response to the consumer’s request for information or feedback
• processing of personal data solely for the purpose of measuring or reporting an advertisement’s frequency, performance or reach

Refers to “the exchange of personal data for monetary or other valuable consideration by the controller with a third party”.

Exclusions to the definition of sale include disclosures of personal data:

• [from a controller] to a processor
• to an affiliate of a controller or to a third party for the purpose of enabling the controller to provide a product or service to a consumer that requested the product or service
• or transfer of personal data from a controller to a third party as part of a proposed or completed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller’s assets, including the personal data
• occurs because a consumer:
  • directs a controller to disclose the personal data
  • intentionally discloses the personal data in the course of directing a controller to interact with a third party
  • intentionally discloses the personal data to the public by means of mass media, if the disclosure is not restricted to a specific audience

The OCPA is considered one of the US comprehensive data privacy laws, so it doesn’t have any significant or unusual restrictions or target groups regarding compliance. While it will mainly affect companies, it can potentially apply to any organization processing personal data that meets the compliance threshold criteria.

The OCPA has compliance thresholds for organizations that are comparable to those in many recent data privacy laws in the US. Oregon’s law also continues a trend seen in several of the recent US state-level privacy laws in that it has no revenue-only threshold for compliance.

The Oregon data privacy law’s compliance thresholds are for organizations that, during a calendar year, control or process the personal data of:

• 100,000 consumers, not including consumers only completing payment transactions

or

• 25,000 consumers if 25 percent or more of annual gross revenue comes from selling personal data

The OCPA is somewhat unique among data privacy laws in that many exemptions relate to types of data and processing activities, rather than just to entities that might process the data. For example, while many laws reference the Health Insurance Portability and Accountability Act (HIPAA) itself, the OCPA refers to protected health information that is collected/processed in accordance with HIPAA.

Exempted organizations and their services/activities include:

• governmental agencies
• consumer reporting agencies
• financial institutions (also entities and affiliates subject to the Gramm-Leach-Bliley Act)
• insurance companies
• nonprofit organizations
• press, wire, or other information service (and non-commercial activities of media entities)

Exempted regulations (and data processed relevant to them) include:

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Care Quality Improvement Act
• Fair Credit Reporting Act (FCRA)
• Driver’s Privacy Protection Act
• Family Educational Rights and Privacy Act (FERPA)
• Airline Deregulation Act

Consumers’ rights under the OCPA are fairly standard compared to other comprehensive privacy laws in the US:

• Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data and information about third parties it’s shared with, with exceptions
• Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
• Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
• Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
• Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
• Right to opt out: of sale of personal data, targeted advertising, or profiling “in furtherance of decisions that produce legal or similarly significant effects”

A consumer can designate an authorized agent to opt out of personal data processing for them. This will be further relevant when the requirement to recognize the universal opt-out signal comes into effect.

Parents or legal guardians of children can exercise children’s rights regarding processing of personal information. Children are defined as people under the age of 13. Like some other recently passed US privacy laws, children’s data is categorized as sensitive personal data, and thus subject to the same requirements and protections. However, children between 13 and 15 years of age have opt-in rather than opt-out protection for certain data uses under the OCPA. Opt-in means that consent is required before the data can be used.

Regarding right of access, an organization can choose to provide a list of specific third parties that have received a consumer’s personal data, or a list of specific third parties with whom the business shares personal data. This would be in addition to providing the consumer with the requested copy of their personal data.

Consumers can make one free rights request every 12 months, to which an organization has 45 days to respond, with the option to extend that by another 45 days if reasonably necessary. Organizations can deny consumer requests for a number of reasons, including if the consumer’s identity cannot reasonably be verified, or if too many requests are received in a 12-month period.

Oregon’s law does not include private right of action, so consumers cannot sue data controllers for violations. California remains the only state that allows this provision. Under Oregon’s Unlawful Trade Practices Act (UTPA), a private plaintiff is able to pursue certain enforcement. It is not only limited to the Attorney General. However, Oregon chose not to defer to the UTPA for Oregon Consumer Privacy Act enforcement.

The OCPA includes fairly standard privacy law requirements regarding notifications, data access, use, and security. Of note is that nonprofit organizations get an extra year before they are required to comply, so in 2025, but commercial entities have to comply as of July 2024.

Controllers must provide a clear and accessible privacy notice that includes information about the data collected; purpose(s) for which they are collecting and processing personal data; with whom the data is shared; if the data is used for sale, targeted advertising, or profiling; and information about consumers’ rights and how to exercise them. This information will often be provided on a privacy policy page on a company’s website.

Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is “adequate, relevant and reasonably necessary to serve the purposes the controller specified.” If the purposes for processing change, the controller must provide new notification, and, where relevant, obtain new data subject consent.

Controllers must enact and maintain reasonable safeguards for personal data under their control, including deidentified data, and “protect the confidentiality, integrity and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data”.

Oregon’s existing laws about privacy practices remain in effect as well, like those requiring reasonable administrative, technical, and physical safeguards for data storage and handling, IoT device security features, and truth in privacy and consumer protection notices.

Controllers must perform data protection assessments (DPA), also known as data protection impact assessments, for “processing activities that presents a heightened risk of harm to
a consumer.” Activities presenting heightened risk include:

• processing for the purposes of targeted advertising
• processing sensitive data
• selling personal data
• processing for the purposes of profiling if there is a reasonably foreseeable or heightened risk of harm to consumers

The Attorney General may also require a data controller to conduct a DPA or share the results of one in the course of an investigation.

For many circumstances, Oregon’s data privacy law uses an opt-out model, so user consent is not required before personal data is collected or processed, unless it is categorized as sensitive. Controllers must provide notification about what data is collected and processed, purposes for use, who it’s shared with, consumers’ rights and how to exercise them, etc. to ensure that consumers are reasonably informed when making consent decisions.

Controllers must also provide clear, accessible information on how consumers can opt out of data processing. They must also be able to revoke consent previously given at any time, in a way that is as easily done as it was for them to provide consent. Data processing must stop after consent has been denied or withdrawn as soon as possible, but no later than 15 days after receiving the revocation.

As is typical among the US state-level privacy laws, the OCPA follows the federal Children’s Online Privacy Protection Act (COPPA). Consent from a parent or legal guardian is required before processing the personal data of any child under 13, and from the child if they are between 13 and 15.

Under the OPCA it is prohibited to discriminate against consumers, and to process personal data if doing so is in violation of state or federal laws governing discrimination. Controllers cannot discriminate against consumers for exercising their rights under the Oregon data privacy law. For example, if a consumer opts out of data processing on a website, that individual cannot be blocked from accessing that website or its functions.

There are some website features and functions that will not work without certain cookies or trackers being activated, so if a consumer does not opt in to their use because they collect personal information, the site may not work optimally. This is not discriminatory operation.

It is allowed for website operators and other controllers to offer voluntary incentives for consumers’ participation in activities where personal data is collected, e.g. newsletter signups, surveys, loyalty programs, etc. These offers must be proportionate and reasonable to the request and type and amount of data collected so as not to look like bribes or payments for consent, which data protection authorities frown upon.

Under the notification requirement of the Oregon data protection law, controllers are required to provide a clear and easily accessible privacy notice for consumers whose personal data they may process. They must communicate:

• purpose(s) for processing personal data
• categories of personal data processed, including the categories of sensitive data
• categories of personal data shared with third parties, including the categories of sensitive data
• categories of third parties with which the controller shares personal data
• how consumers can exercise their rights, including:
  • opting out of data processing via a “clear and conspicuous” link to a web page
  • submitting a request
  • appealing a controller’s denial of a rights-related request
• identity of the controller and at least one online contact method, e.g. email, that is secure and regularly monitored, which consumers can to contact the organization
• “clear and conspicuous description” for any processing of personal data for the purpose of targeted advertising or profiling of the consumer “in furtherance of decisions that produce legal effects or effects of similar significance”

Controllers must have contracts in place with third-party processors prior to any data processing getting started. These contracts are binding on both sides and must specify requirements for processing and responsibilities, including:

• duty of confidentiality
• clear instructions for processing data, including:
  • nature and purpose of the processing
  • type of data that is subject to processing
  • duration of the processing
• rights and obligations of both parties
• the processor must delete or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless there are superseding legal requirements for the processor
• the processor must provide the controller (upon request) all information needed to verify that the processor has complied with all of their contractual obligations to the controller
• if the processor engages any subcontractors, they must have contracts in place as well to ensure they comply with all requirements of the controller

Organizations that have to comply with the OCPA will have to accept a universal opt-out mechanism, also known as a global opt-out signal or Global Privacy Control, but not yet when the law comes into effect in 2024.

This mechanism enables a consumer to set and communicate their preferences with regards to the processing of their personal data once, and then they are communicated to all websites or other platforms or services that the individual goes to that can detect the signal. This can be done with a web browser plugin, for example.

As of January 1, 2026, under the OCPA businesses will need to start accepting a global opt-out signal. The requirement to recognize such a signal is not yet a universal part of data privacy laws in the US or globally, but it is increasingly being included in new laws being passed.

Enforcement of the OCPA is set up in a fairly standard way compared to other American data privacy laws, though there are some unique elements with how investigations and enforcement are carried out.

Like other states’ laws, enforcement of the Oregon Consumer Privacy Act is under the Attorney General’s office. Some states’ laws place enforcement and penalties under their trade practices law, but investigation and enforcement are not under Oregon’s Unlawful Trade Practices Act (UTPA).

Consumer complaints about controllers’ data processing or denial of consumer requests can be submitted to the Attorney General. The AG’s office must notify an organization of any complaint and if an investigation is being launched. The AG’s office can require data protection assessments and other information from controllers in the course of investigation. The statute of limitations for pursuing enforcement is five years, beginning from the last date of violation.

Controllers have the right to have an attorney present during investigative interviews and can refuse to answer questions during such meetings. The Attorney General cannot have an expert present at investigative interviews, and can’t share documents obtained during investigations with any external (non-AG employee) experts.

The OCPA has a 30-day right to cure—to fix issues leading to a complaint or the cause of a violation—when the law comes into effect in 2024. That right sunsets January 1, 2026, after which the opportunity to cure will only be at the discretion of the Attorney General.

The Attorney General can seek civil penalties up to US $7,500 per violation.

Courts may also award reasonable attorney fees to defendants if the court finds the AG did not have a reasonable basis for pursuing a claim of violation of the OCPA.

Oregon’s law is based on an opt out consent model, so consent does not need to be obtained before collecting or processing personal data unless it is sensitive or belongs to a child.

Consumers do have to be informed about what data is collected and used and for what purposes, as well as with whom it is shared, and if it is to be sold or used for targeted advertising or profiling.

Consumers must also be informed of their rights regarding data processing and how to exercise them, including the ability for consumers to opt out of processing of their data or change their previous consent preferences. Typically, this information is presented on a privacy page, which must be kept up to date.

As of 2026, organizations must also recognize and respect consumers’ consent preferences as expressed via a universal opt-out signal.

The mechanism to inform consumers and enable them to opt out of data collection via cookies and other trackers on websites or apps can be presented in a banner and displayed, most commonly as a link or button. A consent management platform (CMP) like the Usercentrics CMP for website consent management or app consent management also helps to automate detection of the cookies and other tracking technologies in use on websites and apps.

Use of a CMP can streamline provision of information about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared.

The United States still only has a patchwork of state-level privacy laws and not a single federal one, so many companies doing business across the country, or foreign organizations doing business in the US, may need to comply with a variety of state data protection laws. (Learn more: Comparing US state-level data privacy laws)

A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

Check out our on-demand webinar: US Data Privacy Legislation

Organizations doing business in Oregon have until July 1, 2024 to prepare for compliance with the OCPA. There is another year or two for some statutes to come into effect, like those for nonprofits or recognizing the universal opt-out signal.

Companies that achieve compliance with other state-level regulations, like the Virginia Consumer Data Privacy Act (VCDPA) or the Texas Data Privacy and Security Act (TDPSA) have done much of the work toward OCPA compliance. Organizations always need to be clear on specific states’ laws’ unique stipulations and should always consult qualified legal counsel and/or their own data protection officer (DPO) or privacy expert. A privacy by design approach will also benefit an organizations’ operations beyond data privacy compliance.

Being proactive about protecting user privacy is valuable in business operations. It builds user engagement and trust, improves user experiences, and strengthens customer relationships long-term. These help produce more high-quality data for marketing operations and contribute to increased revenue.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.