<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Oregon Consumer Privacy Act (OCPA)

Oregon's data privacy law.

Book a Demo

What is the Oregon Consumer Privacy Act?

The Oregon Consumer Privacy Act (OCPA), or Senate Bill 619 is the latest data privacy law passed in the United States. The law was signed by Oregon’s Governor, Tina Kotek, on July 18, 2023 and is set to become effective on July 1, 2024, with the exception of the universal opt out mechanism requirement which goes into effect as of January 1, 2026.  

 

Get Your Data Privacy Compliance Score for Free

Data Privacy Scanner Results Home Screen



What is Personal Information and what are other key definitions?

The Oregon Consumer Privacy Act (OCPA) defines ‘personal data’ as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household” which does not include deidentified data or “data that is lawfully available through federal, state or local government records or through widely distributed media; or that a controller reasonably has understood to have been lawfully made available to the public by a consumer.” 

‘Sensitive data’ according to Oregon privacy law is “personal data that:

  • reveals a consumer’s racial or ethnic background, national origin, religious beliefs,
  • mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime or citizenship or immigration status;
  • is a child’s personal data;
  • accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or
  • is genetic or biometric data.”

However, it does not include “the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.”

Oregon privacy law offers a similar definition for ‘biometric data’ to other laws, namely “personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer,” which does not include “a photograph recorded digitally or otherwise; an audio or video recording; data from a photograph or from an audio or video recording, unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer; or facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.”

A ‘child’ is “an individual under the age of 13,” and a ‘consumer’ is “a natural person who resides in this state and acts in any capacity other than in a commercial or employment context.” Similar to other consumer privacy laws across the United States, the Oregon Consumer Privacy Act distinguishes between a ‘controller,’ defined as “a person that, alone or jointly with another person, determines the purposes and means for processing personal data,” and a ‘processor,’ understood as “a person that processes personal data on behalf of a controller,” and the activity of ‘processing,’ is “an action, operation or set of actions or operations that is performed, automatically or otherwise, on personal data or on sets of personal data, such as collecting, using, storing, disclosing, analyzing, deleting or modifying the personal data.” 

When it comes to ‘consent’ the Oregon Consumer Privacy Act (OCPA) offers a definition similar to other laws, “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice,” but goes one step further to include conditions under which this applies; “the user interface by means of which the consumer performs the act does not have any mechanism that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice; and the consumer’s inaction does not constitute consent.”

Last but not least, under the Oregon Consumer Privacy Act ‘sale’ or ‘sell’ refers to “the exchange of personal data for monetary or other valuable consideration by the controller with a third party,” but does not include the following: 

  • “a disclosure of personal data to a processor;
    a disclosure of personal data to an affiliate of a controller or to a third party for the
  • purpose of enabling the controller to provide a product or service to a consumer that requested the product or service;
  • a disclosure or transfer of personal data from a controller to a third party as part of a proposed or completed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller’s assets, including the personal data; or
  • a disclosure of personal data that occurs because a consumer:
    • directs a controller to disclose the personal data;
    • intentionally discloses the personal data in the course of directing a controller to
    • interact with a third party; or
    • intentionally discloses the personal data to the public by means of mass media, if the disclosure is not restricted to a specific audience.”

 

Who has to comply with the Oregon Consumer Privacy Act?

The Oregon Consumer Privacy Act (OCPA) applies to any person that conducts business in the state of Oregon, or that provides products or services to residents of Oregon, and that during a calendar year, controls or processes:

  • the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • the personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

Who is excluded from compliance with the Oregon Consumer Privacy Act? 

The Oregon Consumer Privacy Act (OCPA) exempts several entities and types of data as follows: 

  • state government bodies;
  • financial institutions and their affiliates;
  • specific types of nonprofit organizations “established to detect and prevent fraudulent acts in
  • connection with insurance;”
  • noncommercial activities of “a publisher, editor, reporter or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report or other publication in general circulation;”
  • noncommercial activities of “a radio or television station that holds a license issued by the Federal Communications Commission;”
  • noncommercial activities of “a nonprofit organization that provides programming to radio or television networks;
  • noncommercial activities of “an entity that provides an information service, including a press association or wire service;”
  • insurers (producers, consultants, third party administrators);
  • protected health information processed in compliance with HIPAA;
  • information collected, processed, sold or disclosed under and in accordance with the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act of 1994, the Family Educational Rights and Privacy Act, or the Airline Deregulation Act;
  • information related to human research;
  • patient identifying information and patient safety work processed in accordance with federal laws; 
  • information and documents created for the purposes of the HealthCare Quality Improvement Act of 1986;
  • information related to an individual’s employment, employment benefits, or employment benefits offered to the individual’s dependents or beneficiaries;
  • activities related to the evaluation of an individual’s creditworthiness or personal data processed in accordance with the provisions of Fair Credit Reporting Act.


How can I keep my organization compliant with the Oregon Consumer Privacy Act? 

Under the Oregon Consumer Privacy Act, same as with other US privacy laws, both controllers and processors have a series of obligations. As a controller you have to do the following: 

  • provide a “reasonably accessible, clear and meaningful privacy notice” in which you must specify the express purposes for which you are collecting and processing personal data that has to include the following: 
    • the categories of personal data, including the categories of sensitive data, that you process;
    • your purposes for processing the personal data;
    • how a consumer may exercise their consumer rights, including how they can appeal your denial of a consumer request;
    • all categories of personal data, including the categories of sensitive data, that you share with third parties;
    • all categories of third parties with which you share personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
    • an electronic mail address or other online method by which a consumer can contact you that you actively monitor;
    • your details that identify you, including any business name under which you registered with the Secretary of State and any assumed business name that you use in the state of Oregon; 
    • a clear and conspicuous description of any processing of personal data in which you engage for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing; 
    • the method/methods you have established for a consumer to submit a request, which must take into account ways in which consumers normally interact with you; a need for security and reliability in communications related to the request; and your ability to authenticate the identity of the consumer that makes the request, and has to provide a clear and conspicuous link to a webpage where the consumer or an authorized agent may opt out from your processing of the personal data or, if you do not have a capacity needed for linking to a webpage, provide another method the consumer can use to opt out.
  • limit your collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes specified in the privacy notice; 
  • establish, implement and maintain for personal data safeguards required for protecting personal information, in order to protect the confidentiality, integrity and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data; 
  • provide an effective means by which a consumer may revoke their consent to your processing of their personal data. The means must be at least as easy as the means by which the consumer provided consent. Once a consumer revokes consent, you have to stop processing the personal data as soon as is practicable, but not later than 15 days after receiving the revocation;
  • you are not allowed to process personal data for purposes that are not reasonably necessary for and compatible with the purposes you specified in your privacy notice, unless you obtain the consumer’s consent;
  • you cannot process sensitive data about a consumer without first obtaining their consent or, if you know the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998;
  • you are not permitted to process a consumer’s personal data for the purposes of targeted advertising, of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance or of selling the consumer’s personal data without the consumer’s consent if you have actual knowledge that, or willfully disregards whether, the consumer is at least 13 years of age and not older than 15 years of age; 
  • you cannot discriminate against a consumer that exercises their consumer right provided to them by this law “by means such as denying goods or services, charging different prices or rates for goods or services or providing a different level of quality or selection of goods or services to the consumer;”
  • as regards the opt out from the processing of personal data, Oregon’s law recognizes universal opt out mechanisms, which means you have to comply with an opt out request submitted via an authorized agent designated “by means of an internet link, browser setting, browser ex- tension, global device setting or other technology;”
  • if a consumer or authorized agent uses a method described in this law to opt out of your processing of a consumer’s personal data and the decision conflicts with a consumer’s voluntary participation in a bona fide reward, club card or loyalty program or a program that provides premium features or discounts in return for their consent to the processing of personal data, you can may either comply with the request to opt out or notify the consumer of the conflict and ask them to affirm that they intend to withdraw from the bona fide reward, club card or loyalty program or the program that provides premium features or discounts. If the consumer affirms that the consumer intends to withdraw, you have to comply with the request to opt out;
  • you have an obligation to conduct and document a data protection assessment for each of your processing activities that presents a heightened risk of harm to a consumer, understood as any of the following: 
  • “processing personal data for the purpose of targeted advertising;
  • processing sensitive data;
  • selling personal data; and
  • using the personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • financial, physical or reputational injury to consumers;
    • physical or other types of intrusion upon a consumer’s solitude, seclusion or private
    • affairs or concerns, if the intrusion would be offensive to a reasonable person; or
    • other substantial injury to consumers.”

As a processor, you have an obligation to adhere to the controller’s instructions and to assist the controller in meeting their obligations, as outlined above. Any processing activity done by you on behalf of a controller has to be done based on a contract with the controller that governs how you process personal data on the controller’s behalf and has to meet the following requirements: 

  • it has to be valid and binding on both parties;
  • it has to set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing and the duration of the processing;
  • it has to specify the rights and obligations of both parties with respect to the subject matter of the contract.

Oregon Consumer Privacy Act (OCPA) Compliance Checklist

 

Oregon Consumer Privacy Act (OCPA) Compliance Checklist

 

What data access rights does Oregon Consumer Privacy Act grant? 

Under the Oregon Consumer Privacy Act (OCPA) consumers have the following rights: 

  • The Right to Know
  • The Right to Correct
  • The Right to Delete
  • The Right to Data Portability
  • The Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Oregon Consumer Privacy Act (OCPA) compliant website with Clym

Book a Demo

How to address data subject access requests under Oregon Consumer Privacy Act?

A consumer request has to be submitted by consumers using the method that you, as a controller, specified in your privacy notice. When providing consumers with a copy of their personal data this has to be done “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance.” A parent or legal guardian can exercise the consumer rights granted by the Oregon Consumer Privacy Act “on behalf of the parent’s child or on behalf of a child for whom the guardian has legal responsibility” and “a guardian or conservator may exercise the rights [...] on behalf of a consumer that is subject to a guardianship, conservatorship or other protective arrangement.”

A consumer request has to be responded to “without undue delay and not later than 45 days after receiving the request” and an extension by an additional 45 days is permitted, “if the extension is reasonably necessary to comply with the consumer’s request, taking into consideration the complexity of the request and the number of requests the consumer makes” but this has to be notified to the consumer within the first 45 days. As a controller you cannot require a consumer to create an account to exercise their consumer rights but you may require them to use an account that they created previously.

If you decline a consumer request, you have an obligation to “notify the consumer without undue delay and not later than 45 days after receiving the consumer’s request,” including in the notification the justification for not taking action and instructions for appealing your decision.

Once during any 12-month period, you have to provide information to the consumer requests  without charge to the consumer. However, you may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within the 12-month period, unless the purpose of the second or subsequent request is to verify that you corrected inaccuracies in, or deleted, the consumer’s personal data in compliance with the consumer’s request.

If you are unable to authenticate the consumer’s request “using commercially reasonable methods,” without additional information from the consumer, you have to notify the consumer and you are under no obligation to comply with the request until the consumer provides the information necessary to authenticate the request. In the case of an opt out request, this has to be done without requiring authentication, unless the following apply: 

  • you may ask for additional information necessary to comply with the request, such as information that is necessary to identify the consumer that requested to opt out;
  • you may deny a request to opt out if you have a good-faith, reasonable and documented belief that the request is fraudulent. In such a case, you have to notify the consumer that you believe the request is fraudulent, stating in the notice that you will not comply with the request.

In the case of a refusal of a consumer request, you have to establish a process by means of which a consumer may appeal your refusal to take action on a request. This process has to meet the following conditions: 

  • it has to allow a reasonable period of time after the consumer receives your refusal within which to appeal;
  • it has to conspicuously available to the consumer;
  • it has to be similar to the manner in which a consumer must submit a consumer request; 
  • it has to require you to approve or deny the appeal within 45 days after the date on which you received the appeal and to notify the consumer in writing of your decision and the reasons for the decision. If you deny the appeal, the notice must provide or specify information that enables the consumer to contact the Attorney General to submit a complaint.

Enforcement and penalties

The Attorney General has enforcement powers under the Oregon Consumer Privacy Act and can conduct investigations of violations.  

Before bringing an action, the Attorney General will notify a controller of a violation if the Attorney General determines that the controller can cure the violation, and will allow for a 30 day cure period. If the controller fails to cure the violation within 30 days after receiving the notice of the violation, the Attorney General may bring the action without further notice.

Penalties under the Oregon Consumer Privacy Act consist of a civil penalty of not more than $7,500 for each violation. 

 

Data Subject Rights - GDPR vs. the Oregon Consumer Privacy Act 

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

FAQs about the Oregon Consumer Privacy Act

What does the Oregon Consumer Privacy Act apply to?

The Oregon Consumer Privacy Act applies to any person that conducts business in the state of Oregon, or that provides products or services to residents of Oregon, and that during a calendar year, controls or processes the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or the personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

What does the Oregon Consumer Privacy Act exempt?

The Oregon Consumer Privacy Act exempts several entities and types of data such as, for example, state government bodies, financial institutions and their affiliates, specific types of nonprofit organizations “established to detect and prevent fraudulent acts in connection with insurance;” insurers (producers, consultants, third party administrators), protected health information processed in compliance with HIPAA, or patient identifying information and patient safety work processed in accordance with federal laws.

What rights does the Oregon Consumer Privacy Act provide to Delaware residents?

Under the Oregon Consumer Privacy Act (OCPA), consumers have the following rights: 

  • Right to Know
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
Who enforces the Oregon Consumer Privacy Act?

The Attorney General has enforcement powers under the Oregon Consumer Privacy Act and can conduct investigations of violations. Before bringing an action, the Attorney General will notify a controller of a violation if the Attorney General determines that the controller can cure the violation, and will allow for a 30 day cure period. If the controller fails to cure the violation within 30 days after receiving the notice of the violation, the Attorney General may bring the action without further notice.

What are the penalties for violations of the Oregon Consumer Privacy Act?

Penalties under the Oregon Consumer Privacy Act consist of a civil penalty of not more than $7,500 for each violation. 

illustration of means of contact

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596