On June 23, 2023, Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act (OCPA) into law. The act ended four years of work by the Attorney General’s Consumer Privacy Task Force, a group of 150 consumer privacy experts and stakeholders from a variety of sectors.
The Oregon Consumer Privacy Act, or Senate Bill 619, took effect on July 1, 2024. It aims to protect consumers’ personal data and imposes duties on businesses.
This article summarizes key provisions of the OCPA.
What Is the Oregon Consumer Privacy Act?
The Oregon Consumer Privacy Act (OCPA) is the data privacy law of Oregon. It protects the privacy rights of Oregon residents and establishes data privacy responsibilities for businesses operating in the state or offering goods or services to Oregon residents.
The law requires businesses to obtain explicit consent before selling or profiling the personal data of, or targeting advertising at, children between 13 and 15 years of age.
OCPA requires businesses to disclose in their cookie banners the categories of third parties involved in processing personal data and how these third parties process the data.
The effective date of the OCPA: July 1, 2024.
Who Does the Oregon Consumer Privacy Act Apply To?
The Oregon Consumer Privacy Act applies to businesses in Oregon, and to businesses outside Oregon that provide products or services to Oregon residents, that meet the following criteria:
- Control or process personal data of 100,000 or more consumers for any purpose other than for completing a payment transaction.
- Control or process the personal data of 25,000 or more consumers and generate 25% or more of their gross revenue from the sale of personal data.
Businesses satisfying these conditions are called controllers in the OCPA.
As defined by the law, a controller “determines the purpose and means for processing personal data.”
A processor (i.e., a service provider) is a business that processes personal data only at the request of, and under the direction of, a controller.
The OCPA requires controllers and processors to sign a contract governing their relationship and committing both parties to comply with the law. The contract must define what controllers and processors may do with consumer personal data.
Exemptions to the OCPA
The OCPA provides several data and entity-level exemptions.
Data-level exemptions include:
- “Deidentified data” or data that is publicly available through government records or “widely distributed media”.
- Data of those engaged in “commercial activity” (i.e., operating a business).
- Data already regulated by federal laws like HIPAA, the FCRA, the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act.
- Employee and employer data, including job applicant data.
Entity-level exemptions include:
- Financial institutions subject to the Oregon Bank Act.
- Some insurers, insurance producers, and insurance consultants.
- Federal, state, and local governments.
- Entities engaged in non-commercial activities like radio or television.
- Certain non-profit organizations.
- Non-commercial activities of publishers, editors, reporters, or other persons related to newspapers, magazines, and similar publications.
In contrast to other US privacy laws like the CCPA, the OCPA does not exempt all non-profit organizations from its scope.
Consumer Rights under the OCPA
Consumers have these rights under the OCPA:
- Right to know: Consumers have the right to know that a controller is processing or has processed their personal data and access that information.
- Right to obtain: Consumers have the right to obtain a copy of the personal data a controller has on them or is processing.
- Right to correct: Consumers have the right to correct inaccurate or outdated personal data that they previously provided to the controller.
- Right to delete: Consumers have the right to delete personal data provided by or obtained about the consumer.
- Right to opt out: Consumers have the right to opt out of the processing of their personal data for targeted advertising, for sale, or for profiling that supports automated decisions producing legal effects or other effects of similar significance.
- Right to data portability: Consumers have the right to obtain a portable and readily usable copy of their personal data.
In addition to these standard rights, the OCPA also provides consumers with the following rights:
- Universal opt-out mechanisms: The OCPA allows consumers to use a universal opt-out mechanism, such as Global Privacy Control. However, this OCPA provision takes effect only on January 1, 2026.
- Right to obtain a list of specific third parties: Oregon residents can obtain a list of the specific third parties to which the controller has disclosed their data, not just the categories of third parties. The law states that this allows consumers to exercise their rights effectively because they can “track their data downstream.”
Consumers may exercise any of their rights by submitting a request to the controller using the method the controller specifies in its privacy notice.
Controllers must implement a process for responding to consumer requests for exercising their rights.
Controllers must respond to consumer requests within 45 days of the date the request is received.
Enforcement of the OCPA and Penalties
Like most state-level privacy laws, the OCPA does not have a private right of action. The OCPA is enforced solely by the Attorney General’s Office.
When the Attorney General (AG) receives a complaint against a business, the following will happen:
- Notification. The AG must notify a controller of an alleged violation.
- Cure period. The controller has 30 days, known as a cure period, to address the alleged violation.
- Penalties. If the controller fails to remedy the issue within 30 days, the Attorney General may weigh several factors relating to the alleged violation and then seek a civil penalty. The right to cure expires on January 1, 2026.
- Statute of limitations. The AG has five years to bring a civil action against a controller.
Civil penalties for violation of the OCPA may reach up to $7,500 per violation.
Although the Oregon Attorney General has exclusive authority to enforce the OCPA and assess penalties, the AG has no rulemaking authority.
How to Comply with the Oregon Consumer Privacy Act?
Controller responsibilities under the Oregon Consumer Privacy Act are quite standard and mirror those imposed by other states. To comply with the OCPA, follow these recommendations:
Privacy Policy. Provide consumers with a clear, accessible, and up-to-date Privacy Policy. The Privacy Policy should list what personal data your business collects and processes, the purposes for which you collect and process that data, what rights consumers have, how they can exercise those rights, and the controller’s contact information. CookieScript Privacy Policy Generator can help you create a professional and compliant Privacy Policy for your website or company.
Privacy notice requirements. Controllers must provide consumers with privacy notices that are accessible, clear, and meaningful. The privacy notice must describe the controller’s data processing operations and purposes, the categories of personal data collected and processed, the categories of personal data shared with third parties, and the third parties themselves, and must explain how consumers can exercise their data privacy rights.
User consent. Obtain consent before processing sensitive data or data of a known child. Controllers are prohibited from processing data for targeted advertising or selling of personal data without the consent of a known child ages 13 to 15.
Universal opt-out mechanisms. Recognize universal opt-out mechanisms such as Global Privacy Control. However, this OCPA provision takes effect only on January 1, 2026.
Data minimization. Limit data collection to what is “adequate, relevant, and reasonably necessary” in relation to the purposes for which such data is processed, as disclosed to the consumer.
Maintain data security practices. Controllers must implement adequate safety and security means to protect the personal data of consumers.
Deidentified data. Make sure deidentified data remains deidentified, so that the consumer cannot be re-identified.
Don’t discriminate against consumers. Controllers shouldn’t discriminate against consumers if they exercise their rights.
Consent revocation. Provide an effective mechanism for consumers to revoke consent. Consumers should be able to revoke their consent at any time and without providing any explanation to the controller.
Conduct data protection impact assessments. Controllers must conduct a DPIA for each processing activity that presents a heightened risk of harm to a consumer, including:
- The processing of personal data for the purpose of targeted advertising.
- The sale of personal data.
- The processing of sensitive data.
- The processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.
Sign contracts with data processors. Controllers must ensure that processors comply with the OCPA. Processors, in turn, should assist controllers in meeting their obligations, and the contract between controller and processor must specify the required elements governing the processing.
Respond to consumer requests. Respond to a consumer’s privacy rights request within 45 days, with one additional 45-day extension “if reasonably necessary.”
Provide contact info. Implement at least two ways for Oregon consumers to submit requests to exercise their rights.
Notify consumers of data breaches. Oregon’s data breach notification law requires businesses to inform consumers of a data breach that affects more than 250 consumers. Notification must be made within 45 days of discovery.
How Can CookieScript Help?
Use a professional Consent Management Platform (CMP) to comply with the OCPA and other data privacy laws.
CookieScript Consent Management Platform (CMP) comes with a Cookie Banner, Cookie Scanner, Privacy Policy Generator, script manager, and user consent manager. It recognizes the Global Privacy Control signal, detects and categorizes cookies, local storage, session storage, and other trackers, and automatically blocks Third-Party Cookies, so you can be sure your website is 100% compliant with the OCPA and other privacy regulations!
In 2024, CookieScript CMP was ranked by users as the best CMP on the peer-review site G2.
It also received a GOLD Tier in the new Google tiering system.
CookieScript CMP can help you comply with the OCPA and avoid violating the Law.
Try a free 14-day trial of CookieScript CMP.
Frequently Asked Questions
Does Oregon have a consumer privacy act?
The Oregon Consumer Privacy Act, or Senate Bill 619, took effect on July 1, 2024. It aims to protect consumers’ personal data and imposes duties on businesses. CookieScript CMP can help you comply with the OCPA.
What is the Oregon Consumer Privacy Act?
The Oregon Consumer Privacy Act (OCPA) is the data privacy law of Oregon. It protects the privacy rights of Oregon residents and establishes data privacy responsibilities for businesses operating in the state or offering goods or services to Oregon residents. Use CookieScript to comply with the OCPA and other privacy laws.
How to Comply with the Oregon Consumer Privacy Act (OCPA)?
To comply with the OCPA, follow these recommendations: provide a Privacy Policy and an accessible, clear, and meaningful privacy notice, obtain user consent, recognize universal opt-out mechanisms such as Global Privacy Control, limit data collection, maintain data security practices, and more. Use CookieScript CMP to comply with the OCPA and other privacy laws.
What are the penalties for violation of the Oregon Consumer Privacy Act?
Civil penalties for violation of the OCPA may reach up to $7,500 per violation. Use CookieScript CMP to comply with the OCPA and other privacy laws and avoid penalties.
What happens if I breach the Oregon Consumer Privacy Act?
The OCPA is enforced by the Attorney General’s Office. When the AG’s office receives a complaint against a business, it must notify the controller of the alleged violation. The controller has 30 days, known as a cure period, to address the alleged violation. If the controller fails to remedy the issue within 30 days, the Attorney General may weigh several factors relating to the alleged violation and then seek a civil penalty. CookieScript CMP can help you comply with the OCPA and avoid penalties.
Is the Oregon Consumer Privacy Act the same as the CCPA?
The Oregon Consumer Privacy Act, in effect since July 1, 2024, protects the privacy rights of residents of the state and establishes data privacy responsibilities for businesses, like the CCPA. However, there are some differences, such as the requirement to obtain consent before processing sensitive data and the absence of a private right of action. CookieScript CMP can help you comply with privacy laws.