
Oregon Consumer Privacy Act (OCPA): What businesses need to know

Last updated: January 18, 2025

The Oregon Consumer Privacy Act (OCPA), established under Senate Bill 619 (SB 619) and signed into law on March 8, 2023, introduces comprehensive data privacy rights for Oregon residents and new obligations for businesses, effective July 1, 2024.


Key Definitions in the OCPA

The Oregon Consumer Privacy Act (OCPA) includes key definitions that establish its scope and application. These definitions are detailed in Senate Bill 619 (SB 619), Section 1, providing clarity on terms such as personal data, sensitive data, controllers, processors, and the sale of data, ensuring businesses understand their compliance obligations.

Key definitions in this Oregon privacy law include:

  • Personal Data: Information linked to an identifiable individual, excluding publicly available or de-identified data.
  • Sensitive Data: Includes racial or ethnic origin, religious beliefs, health data, genetic or biometric information, sexual orientation, and precise geolocation.
  • Consumer: An Oregon resident acting in a personal, family, or household context, excluding individuals in a business or employment role.
  • Controller: An entity determining the purpose and means of processing personal data.
  • Processor: An entity processing personal data on behalf of a controller.
  • Sale of Data: The exchange of personal data for monetary or other valuable consideration.
  • De-identified Data: Information that cannot reasonably be linked to an individual.

Who Must Comply with the OCPA?

The OCPA applies to businesses that:

  • Process personal data of 100,000 or more Oregon consumers annually.
  • Process personal data of 25,000 or more Oregon residents and derive more than 25% of their annual gross revenue from selling personal data.

The OCPA also applies to certain nonprofit organizations. This makes the OCPA broader than many other state privacy laws. Nonprofits have until July 1, 2025, to meet compliance requirements.

“Consumer” means a natural person who resides in this state and acts in any capacity other than in a commercial or employment context.

Section 1(7) of Senate Bill 619 (SB 619)

OCPA Exemptions

The OCPA exempts specific entities, including:

  • Government agencies
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Healthcare organizations covered by HIPAA
  • Nonprofits dedicated to fraud prevention in insurance

Businesses that fall under these thresholds must comply with the OCPA's requirements, including transparency, consent, and data protection standards.

Read further: Who does the OCPA apply to?

Key provisions of the OCPA

1. Consumer rights

  • Access: Consumers can confirm whether a business is processing their personal data and access that data.
  • Correction: Consumers can correct inaccuracies in their personal data.
  • Deletion: Consumers can request the deletion of their personal data.
  • Data portability: Consumers can obtain a copy of their personal data in a portable format.
  • Opt-out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

The Oregon Consumer Privacy Act defines personal and biometric data broadly, protects consumer data rights holistically, and holds companies that have access to our data to high standards. This is a huge win for Oregonians and sets a high-water mark for consumer data privacy nationwide.

Oregon Attorney General Ellen Rosenblum

Is the OCPA opt-in or opt-out?

The Oregon Consumer Privacy Act (OCPA) primarily operates on an opt-out model, meaning consumers must take action to opt out of:

  • Targeted advertising.
  • The sale of personal data.
  • Profiling decisions that produce significant effects.

However, for sensitive data, the OCPA requires an opt-in model, where businesses must obtain explicit consumer consent before processing sensitive data, such as health information, genetic or biometric data, precise geolocation, or racial/ethnic origin.

This dual approach balances consumer rights with business flexibility.

2. Sensitive data protections

Businesses must obtain explicit consent to process sensitive data, which includes:

  • Biometric or genetic data.
  • Health-related data.
  • Precise geolocation.
  • Sexual orientation or religious beliefs.
  • Data about racial or ethnic origin.

3. Business obligations

  • Transparency: Businesses must provide clear privacy notices detailing data collection and processing practices.
  • Data Minimization: Limit data collection to what is necessary for the specified purpose.
  • Security Measures: Implement reasonable administrative, technical, and physical safeguards to protect personal data.
  • Consent for Sensitive Data: Obtain explicit consent before processing sensitive data.
  • Data Protection Assessments: Conduct assessments for processing activities that present a heightened risk of harm, such as targeted advertising or the sale of personal data.

4. No Private Right of Action

The OCPA does not allow individuals to sue for violations, relying solely on enforcement by the Oregon Attorney General.

Requirements for businesses under the OCPA

The Oregon Consumer Privacy Act (OCPA) mandates that businesses:

  • Provide clear privacy notices: Inform consumers about data collection and processing practices
  • Limit data collection: Gather only data necessary for specified purposes
  • Implement data security measures: Protect personal data from unauthorized access
  • Obtain consent for sensitive data: Secure explicit consent before processing sensitive information
  • Facilitate consumer rights requests: Enable consumers to access, correct, delete, and obtain their data, and opt out of data sales or targeted advertising

These requirements aim to enhance consumer privacy and data protection in Oregon.

Read further: What are the requirements for the OCPA?

Penalties for non-compliance

The Oregon Consumer Privacy Act (OCPA) is enforced exclusively by the Oregon Attorney General. Upon identifying a violation, the Attorney General will notify the business, granting a 30-day period to rectify the issue. 

If the violation remains unaddressed after this period, the Attorney General may impose civil penalties of up to $7,500 per violation. It's important to note that the provision allowing a 30-day cure period is set to expire on January 1, 2026. After this date, the Attorney General may proceed directly with enforcement actions without offering a cure period.

Additionally, the OCPA does not provide a private right of action, meaning consumers cannot sue businesses directly for violations; enforcement is solely the responsibility of the Attorney General's office. 

To avoid these penalties, businesses should ensure compliance with the OCPA's requirements, including transparency in data practices, honoring consumer rights, and implementing robust data security measures. 

The impact of the OCPA on businesses

Businesses must evaluate and adjust their data processing activities to comply with the OCPA. This includes updating privacy policies, implementing data protection measures, and establishing processes to respond to consumer rights requests.

1. Compliance obligations

  • Data protection assessments: Businesses must conduct assessments for processing activities that present a heightened risk of harm to consumers, such as targeted advertising, sale of personal data, or profiling.
  • Consumer rights requests: Businesses are required to establish processes to respond to consumer requests to access, correct, delete, or obtain a copy of their personal data, and to opt out of the sale of their data, targeted advertising, or profiling.

2. Operational adjustments

  • Data minimization: Businesses must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the specified purposes.
  • Security measures: Implementing reasonable administrative, technical, and physical safeguards to protect personal data is mandatory.

3. Enforcement and penalties

  • Attorney general enforcement: The Oregon Attorney General has exclusive authority to enforce the OCPA.
  • Civil penalties: Non-compliance can result in civil penalties of up to $7,500 per violation.

4. Exemptions

  • Certain entities: The OCPA does not apply to specific entities, including state, local, and tribal governments; financial institutions as defined in ORS 706.008; and certain insurers, insurance producers, and insurance consultants defined in Oregon laws.

Businesses should review the OCPA's provisions carefully to ensure compliance and avoid potential penalties. Consulting with legal counsel is advisable to navigate the complexities of the law.

Read further: What is the impact of the OCPA on businesses?

The impact of the OCPA on consumers

The Oregon Consumer Privacy Act (OCPA) enhances consumer data privacy rights and imposes new obligations on businesses operating within the state. 

Key impacts on consumers also include:

1. Increased transparency

Businesses are required to provide clear and accessible privacy notices, informing consumers about data collection, usage, and sharing practices.

2. Greater control over sensitive data

The OCPA requires businesses to obtain explicit consent before processing sensitive personal data, such as information revealing racial or ethnic origin, religious beliefs, health conditions, or precise geolocation.

3. Protection for minors

The OCPA includes specific provisions to protect the personal data of minors, requiring parental consent for children under 13 and consent from teenagers aged 13 to 15 for certain data processing activities.

These provisions empower Oregon consumers with greater control over their personal data, enhancing privacy and fostering trust in how businesses handle their information.

How the OCPA compares to other U.S. data privacy laws

The OCPA aligns with privacy laws in states like California, Colorado and Virginia but is notable for its broad applicability, including certain nonprofit organizations, and its specific requirements for data protection assessments.

| Feature | ICDPA | VCDPA (Virginia) | CPA (Colorado) | CCPA/CPRA (California) |
|---|---|---|---|---|
| Consumer Rights | Access, Correct, Delete, Portability | Access, Correct, Delete, Portability | Access, Correct, Delete, Portability | Access, Correct, Delete, Portability, Opt-out of automated decisions |
| Threshold for Applicability | 100,000 consumers or 50% revenue from sales | 100,000 consumers or 50% revenue from sales | 100,000 consumers or 25,000 with sales | $25 million revenue or data of 100,000+ consumers |
| Data Protection Assessment Required | No | Yes | Yes | Yes |
| Enforcement | Attorney General | Attorney General | Attorney General | Attorney General + Private Right of Action |
| Private Right of Action | No | No | No | Yes |

What makes the OCPA stand out?

While the OCPA shares commonalities with other state privacy laws, its unique provisions—particularly the right to request third parties list, broad definition of sensitive data, inclusion of nonprofits, specific protections for minors, and the absence of a revenue threshold—set it apart, reflecting Oregon's commitment to comprehensive consumer data protection:

  • Right to request third parties: The OCPA gives consumers the right to know a list of the specific third parties that have received their personal data or any personal data from a controller. 
  • Broad Definition of sensitive data: The OCPA defines "sensitive data" more expansively than many other state laws, including information about an individual's status as transgender or non-binary, status as a victim of crime, and citizenship or immigration status. This comprehensive definition ensures enhanced protection for vulnerable populations.
  • Applicability to nonprofits: Unlike several state privacy laws that exempt nonprofit organizations, the OCPA includes them within its scope, with limited exceptions. This inclusion broadens the act's applicability and ensures a wider range of organizations adhere to data privacy standards.
  • Protections for minors: The OCPA requires parental consent for processing the personal data of children under 13 and mandates obtaining consent from teenagers aged 13 to 15 for certain data processing activities, such as targeted advertising and profiling. This provision offers robust safeguards for minors' data.
  • Absence of revenue threshold: The OCPA applies to businesses based on the number of consumers whose data they process, without setting a minimum revenue threshold. This criterion ensures that even smaller businesses with significant data processing activities are subject to the law's requirements. 

Read further: Oregon’s OCPA: sensitive data, non-profits and minors

How Ketch can simplify OCPA compliance

Complying with the OCPA and other state privacy laws can be simpler than you think. The Ketch data permissioning platform helps businesses stay compliant by:

  • Third parties list export: Ketch makes it easy to export and send consumers a list of third parties with which you process personal data. 
  • OCPA policy template: Ketch Consent Management includes a pre-built policy template for the Oregon Consumer Privacy Act, with ability to customize rights as desired, no coding required to make changes. 
  • Right for Consumers to Opt Out: The law permits consumers to opt out of the processing of personal data for the sale of personal data or for targeted advertisements. With Ketch Consent Management, businesses can offer clear privacy notices with this option specific to Oregon residents. 
  • Requirement to respect universal opt-out mechanisms (UOOMs): UOOMs are tools that a consumer can use to opt out of online personal data processing. The most well-known and recognized example is the Global Privacy Control (GPC). Ketch makes it easy for companies to comply with GPC signals, enabling automatic recognition of GPC in the consumer’s browser. OCPA requires UOOM compliance by Jan 1, 2026. 
  • Data subject rights: The law provides consumers with right to access, correct, delete, and obtain a copy of their personal data. Ketch enables end-to-end DSR fulfillment with capabilities like drag-and-drop workflow builder, smart routing, and task-level automation. 

Read further: Your OCPA compliance checklist

Preparing your business for OCPA compliance

The OCPA represents a significant advancement in consumer data protection in Oregon. Businesses should act promptly to align their practices with the new requirements, ensuring compliance and building consumer trust.

Contact Ketch today to streamline your compliance and future-proof your privacy strategy. 

Read further: 2025 U.S. State Privacy Laws: what you need to know

FAQ

For more detailed information, refer to the Privacy Law FAQs for Businesses provided by the Oregon Department of Justice.


  1. What is the OCPA's stance on data minimization?
    The OCPA mandates that businesses collect only personal data that is adequate, relevant, and reasonably necessary for the specified purposes disclosed to consumers. This principle of data minimization ensures that organizations do not gather excessive information beyond what is required for their operations.
  2. How does the OCPA address data protection assessments?
    Businesses are required to conduct Data Protection Assessments (DPAs) before engaging in processing activities that present a heightened risk of harm to consumers. This includes processing personal data for targeted advertising, sale, profiling, and any processing of sensitive data. DPAs help identify and mitigate potential risks associated with data processing activities.
  3. Does the OCPA apply to data collected for employment purposes?
    No, the OCPA does not apply to data maintained for employment records purposes. The term "consumer" refers to an individual acting in a personal context and does not include individuals in a commercial or employment context.
  4. Are there specific requirements for businesses regarding privacy notices under the OCPA?
    Yes, businesses must provide a privacy notice that includes information on the types of personal data processed, the purposes for processing, any sharing of personal data with third parties, and instructions on how consumers can exercise their rights under the OCPA. The notice should also provide a way for consumers to contact the business regarding privacy-related issues.
  5. How does the OCPA define a "sale" of personal data?
    A "sale" is defined as the exchange of personal data for monetary or other valuable consideration between a controller and a third party. This could include activities like exchanging customer lists. There are specific exceptions to this definition outlined in the law.
  6. What obligations do processors have under the OCPA?
    Processors, or vendors and service providers that maintain or provide services involving personal data on behalf of a controller, must process data only at the request and under the direction of the controller. They are contractually bound by the controller's instructions and are obligated to assist the controller in fulfilling their duties regarding personal data.
  7. Does the OCPA require businesses to obtain consent for processing personal data of teenagers?
    Yes, if a business knows that a consumer is at least 13 years old but less than 16 years old, it must obtain consent to process the consumer's personal data for purposes of sale, targeted advertising, or profiling. For children under 13, parental consent is required.
  8. How should businesses authenticate consumer requests under the OCPA?
    Businesses should use commercially reasonable methods to authenticate consumers when they make rights requests. The method should consider factors such as the type and sensitivity of personal data involved, the potential harm from improper access, and the cost of authentication. Methods should not place an unreasonable burden on the consumer.
  9. Does the OCPA apply to small businesses?
    The Oregon Consumer Privacy Act (OCPA) applies to businesses that meet specific thresholds:

    • Processing personal data of 100,000 or more Oregon consumers annually
    • Processing personal data of 25,000 or more Oregon consumers and deriving over 25% of annual gross revenue from the sale of personal data

    Small businesses that do not meet these criteria are generally exempt from the OCPA's requirements.
    Read more: OCPA: What it means for small businesses