The Oregon Consumer Privacy Act

The OCPA, which took effect on July 1, 2024, strengthens consumer data privacy protections in Oregon. It grants Oregon residents significant rights regarding their personal information and imposes obligations on businesses that handle their data.

Key Provisions of the OCPA:

  • Consumer Rights:

    • Right to Access: Consumers can request access to their personal data.

    • Right to Correction: Consumers can request correction of inaccurate personal data.

    • Right to Deletion: Consumers can request deletion of their personal data.

    • Right to Opt-Out: Consumers can opt-out of the sale of their personal data, targeted advertising, and profiling.

    • Right to Data Portability: Consumers can request a copy of their personal data in a portable format.

  • Business Obligations:

    • Provide a Privacy Notice: Clearly inform consumers about your data practices.

    • Respond to Consumer Requests: Respond to consumer requests within 45 days.

    • Implement Reasonable Security: Protect personal data with appropriate security measures.

    • Conduct Data Protection Assessments: Assess risks for processing activities like targeted advertising and profiling.

    • Obtain Consent: Obtain consent for processing sensitive data and for processing the data of children.

  • Sensitive Data:

    • The OCPA provides heightened protection for sensitive data, including information about race, religion, health, sexual orientation, and precise geolocation. Businesses must obtain consent to process this type of data.

  • Universal Opt-Out:

    • Starting July 15, 2025, businesses must recognize a universal opt-out mechanism that allows consumers to opt-out of the sale or sharing of their personal data.

Who does the OCPA apply to?

The OCPA applies to businesses that conduct business in Oregon or provide products or services to Oregon residents and meet one of the following thresholds:

  • Control or process the personal data of at least 100,000 consumers.

  • Control or process the personal data of at least 25,000 consumers and derive over 25% of their annual revenue from selling personal data.

Why is the OCPA important?

The OCPA is a significant step in protecting consumer data privacy in Oregon. It's essential for businesses to understand and comply with the OCPA to avoid legal and financial risks, build trust with customers, and foster a culture of responsible data handling.

How Aetos Can Help:

Aetos Data Consulting provides expert guidance and support to help businesses navigate the complexities of the OCPA. Our services include:

  • OCPA compliance audits

  • Policy development and implementation

  • Training and awareness programs

  • Data subject request management

Contact us today to learn more about how we can help your business achieve and maintain OCPA compliance.

Check out other state laws