
Oregon has joined the ranks of states to pass a comprehensive consumer privacy act. Senate Bill 619 (SB 619), also known as the Oregon Consumer Privacy Act or OCPA, is the culmination of four years of work by the Oregon Attorney General’s Consumer Privacy Task Force.  

We’ll outline the law’s provisions, notable differences between the OCPA and other state laws, and considerations if you’re a company trying to navigate the complex and piecemeal data privacy landscape in the U.S. 

What Is the Oregon Consumer Privacy Act?  

Without a federal privacy law in place, the OCPA serves as Oregon’s approach to addressing consumer privacy for its more than 4.2 million residents. The law establishes responsibilities for entities that do business in the state and penalties for violations.  

Oregon modeled the OCPA after other similar laws, including the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, and the California Consumer Privacy Act. The law applies to consumers acting in an individual or household context, not to individuals acting as employees or in another commercial capacity.

Signed by Governor Tina Kotek in July 2023, OCPA takes effect July 1, 2024—the same day as Texas’s privacy law. An important note is that not-for-profit businesses are not exempt from the law, but they have until July 1, 2025, to comply. 

The Scope of the OCPA—Who Must Comply? 

Like a number of other data privacy laws, the OCPA applies to companies based on how much data they control and process or how much revenue they generate from the sale of personal data.  

Oregon’s law applies to any person who conducts business in Oregon or who provides products or services to residents of the state and controls or processes:  

  • The personal data of 100,000 or more consumers in a calendar year, other than personal data controlled or processed solely for the purpose of completing a payment transaction, or 
  • The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data. 

Exemptions to SB 619 

Oregon’s privacy law carves out some exemptions both for certain types of data and certain entities.  

The act does not apply to public corporations or public bodies (including state, local, and special government bodies), nor to protected health information processed in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to information used only for public health activities, or to other health- and medical-research-related uses.

It’s an important distinction that the OCPA doesn’t provide a general exemption for entities subject to HIPAA or the Gramm-Leach-Bliley Act (GLBA), but to data governed by those acts. Most other states exempt both entities and data subject to HIPAA or the GLBA from their local privacy regulations. As a result, these entities usually don’t have to worry about state privacy law compliance. That’s not the case under the OCPA; organizations subject to HIPAA or the GLBA must still comply with the OCPA when it comes to data they process that is not covered by HIPAA or the GLBA. 

Data collected or processed in accordance with the following federal laws is also exempt:

  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The Fair Credit Reporting Act.
  • The Gramm-Leach-Bliley Act.
  • The Driver’s Privacy Protection Act.
  • The Family Educational Rights and Privacy Act.
  • The Airline Deregulation Act, in certain circumstances.

As is common with many state privacy laws, the act excludes de-identified data and publicly available data from its definition of personal data. 

Lastly, there are a number of additional exemptions for entities, including various entities defined or regulated at the state level, radio and TV stations that hold an FCC license, and more. 

Consumer Rights Granted by the Oregon Consumer Privacy Act 

The OCPA gives consumers the right to obtain:  

  • Confirmation as to whether a controller is processing or has processed their personal data and the categories of personal data the controller is processing or has processed. 
  • A list of third parties to which the controller has disclosed the consumer’s personal data. 
  • A copy of the personal data the controller has processed or is processing. 

They also may:  

  • Require the controller to correct inaccuracies in personal data about the consumer. 
  • Require a controller to delete personal data about the consumer, regardless of whether the consumer provided the personal data or it was obtained from another source. 
  • Opt out of the processing of their personal data for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Controllers have up to 45 days to respond to a consumer’s request, with an additional 45-day extension, if needed, based on the complexity of the request and the number of requests the consumer makes. The controller must notify the consumer of an extension and the reason it is needed. If the controller rejects a request, they must also explain the justification for not taking action and provide instructions for appealing the decision. 

Other Controller Obligations Outlined in SB 619 

Under the law, controllers, defined as any person who, alone or jointly with others, determines the purposes and means of processing personal data, must specify in their privacy notice the purposes for which they collect and process personal data. Furthermore, collection must be limited to personal data that is “adequate, relevant, and reasonably necessary to serve the purposes the controller specified.”

In addition to limiting the collection of data as defined above, controllers also must:  

  • Maintain safeguards to protect the confidentiality, integrity, and accessibility of personal data.  
  • Provide an effective means for a consumer to revoke consent that is “at least as easy as the means by which the consumer or authorized agent provided consent.” 
  • Obtain consent before processing sensitive data, and process the sensitive data of children in accordance with COPPA. The OCPA’s definition of sensitive data is broader than in other state laws and covers any personal data that reveals a consumer’s:
      • Racial or ethnic background.
      • National origin.
      • Religious beliefs.
      • Mental or physical condition or diagnosis.
      • Sexual orientation.
      • Status as transgender or nonbinary.
      • Status as a victim of a crime.
      • Citizenship or immigration status.
    It also covers:
      • The personal data of a child.
      • Data that identifies a consumer’s present or past location within a radius of 1,750 feet.
      • Genetic or biometric data.
  • Conduct a data protection assessment for each processing activity that presents a “heightened risk of harm to the consumer,” such as processing for targeted advertising or processing sensitive data.
  • Provide a reasonably accessible, clear, and meaningful privacy notice that lists information like the categories of collected personal data, the purposes for processing, and how consumers can exercise their rights, among other requirements. 

If your organization is a processor rather than a controller (i.e., an organization that processes personal data on behalf of a controller), then you must help controllers meet their obligations and enter into a contract that governs how you process personal data on the controller’s behalf.


How to Comply With the Oregon Privacy Law 

Businesses and nonprofit organizations subject to the OCPA should review the law with their legal team. Consider who your customers are and whether your processing activities fall within the OCPA’s scope.

It’s important to understand the law and establish procedures that comply with it, including creating and publishing the required privacy notice, developing a process for handling consumer requests (and appeals of denied requests), reviewing any data transfers to third parties, and obtaining informed consent before collecting sensitive personal data.

If this all seems overwhelming, it may be time to consider a data privacy platform like Osano. With Osano, you can manage the spectrum of data privacy tasks required by laws like the OCPA, such as automated subject rights requests, consent management, data mapping to track down personal information, and more. 

Enforcement of the OCPA 

The state attorney general has exclusive authority to enforce the OCPA. At the attorney general’s discretion, a violator may be granted a 30-day right to cure, that is, a 30-day window in which to fix the violation before an action is brought. Note, however, that the right-to-cure provision sunsets on January 1, 2026.

As in other states, violators can be fined up to $7,500 per violation.

Unlike other state laws, though, Oregon’s privacy law includes a statute of limitations of five years after the date of the last violation. It also states that the court can award reasonable attorney fees, expert witness fees, and costs of investigation to the attorney general on top of the regular fines if the attorney general prevails in an action.  

FAQs About the Oregon Consumer Privacy Act 

What does the OCPA say about children’s personal data?  

A parent or legal guardian can exercise rights on behalf of their child, which the OCPA defines as an individual under the age of 13. Additionally, sensitive data of a child must be processed in accordance with the Children’s Online Privacy Protection Act of 1998 (COPPA). For children ages 13 to 15, opt-in consent is required to process personal data for targeted advertising or sale. 

Does the OCPA use an opt-in or opt-out consent model?  

Under most circumstances, the OCPA uses an opt-out model: explicit consent is not required before personal data is collected, but consumers must be given a way to opt out of targeted advertising, the sale of their personal data, and profiling that supports legally significant decisions. Sensitive data is the exception; it may only be processed with the consumer’s opt-in consent.

What does the OCPA say about Global Privacy Control signals?  

A Global Privacy Control (GPC) signal is a browser setting that automatically tells every site the consumer visits that they opt out of the sale of their personal data and of targeted advertising. Starting January 1, 2026, controllers must honor such universal opt-out mechanisms.
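The following is an added example of honoring the signal server-side; it is not code from the original article or from Osano. It assumes the GPC specification’s wire format (the request header `Sec-GPC` whose only valid value is the string `1`) and a hypothetical per-consumer preference record with the keys `sale` and `targeted_advertising`; the header names and preference keys are the author’s assumptions, not anything the OCPA prescribes.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal on the server.

Per the GPC specification a browser expresses the signal as the HTTP
request header `Sec-GPC: 1`. The only meaningful value is "1"; any other
value, or the header's absence, means no signal was sent and nothing may
be inferred from it. The preference-record layout below is an assumption
made for this example.
"""
from typing import Dict, Mapping


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only if the request carries a valid GPC signal.

    Header names are matched case-insensitively, as HTTP requires, but the
    value must be exactly "1" (surrounding whitespace tolerated). Values
    such as "true", "yes" or "0" are NOT treated as a signal, so a
    malformed or proxy-rewritten header neither opts the consumer out by
    accident nor hides a genuine signal behind a lenient parse.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_outs(headers: Mapping[str, str],
                   stored_prefs: Mapping[str, bool]) -> Dict[str, bool]:
    """Merge the request's GPC signal into the consumer's stored preferences.

    A GPC signal only ever turns the sale and targeted-advertising
    permissions off. It never turns them back on: a consumer who opted out
    earlier (say, from a browser that sends the header) stays opted out
    when a later request arrives without it, because absence of the header
    is not consent.
    """
    prefs = dict(stored_prefs)
    if gpc_signal_present(headers):
        prefs["sale"] = False
        prefs["targeted_advertising"] = False
    return prefs


if __name__ == "__main__":
    # Constructed sample requests for illustration; not captured traffic.
    opted_in = {"sale": True, "targeted_advertising": True}
    with_signal = {"Host": "example.test", "Sec-GPC": "1"}
    no_signal = {"Host": "example.test"}
    bogus_signal = {"Host": "example.test", "SEC-GPC": "true"}

    print(apply_opt_outs(with_signal, opted_in))
    print(apply_opt_outs(bogus_signal, opted_in))
    # A later request without the header does not re-enable anything.
    print(apply_opt_outs(no_signal, apply_opt_outs(with_signal, opted_in)))
```

Whichever framework you use, apply this check before any ad-tech or data-broker call is made on the request path, and record the resulting preference so the opt-out is honored on subsequent visits and through other channels, not just while the header is present.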

Does the Oregon Consumer Privacy Act have a private right of action?  

No, there is no private right of action granted by the OCPA. The state attorney general is the enforcement authority.  

What is the penalty for noncompliance?  

The attorney general may bring an action to seek a civil penalty of not more than $7,500 for each violation. A court may award reasonable attorney fees, expert witness fees, and costs of investigation to the attorney general if the attorney general prevails in an action.  
