What is the Oregon Consumer Privacy Act (OCPA)?

The Oregon State Government passed Senate Bill 619, also known as the Oregon Consumer Privacy Act (OCPA), in July 2023. The OCPA will become effective on July 1, 2024, the same day the Texas Data Privacy and Security Act will also impose obligations on data controllers and processors. 

Oregon’s privacy legislation follows the structure of several other US data privacy laws, including the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and the Montana Consumer Privacy Act. Using these previous regulations as a roadmap, the Oregon Attorney General’s Consumer Privacy Task Force created the OCPA over four years of work.

This article provides an overview of the scope, obligations, and rights of the Oregon Consumer Privacy Act. Keep reading to learn if your organization needs to comply with the OCPA, primarily if you process consumer data or target Oregon residents for the sale of your products or services.

Eliminate the hassle of compliance management with UpGuard>

Who must comply with the OCPA?

The Oregon Consumer Privacy Act applies to data controllers and processors who conduct business in Oregon or target state residents to sell products or services. However, like many other state privacy laws, the OCPA only applies to organizations that meet either of the regulation’s processing thresholds: 

• Processing: Entities that process the personal data of more than 100,000 consumers in a calendar year, excluding data collected solely for the processing of payment transactions
• Revenue and processing: Entities that process the personal data of more than 25,000 consumers AND generate 25% of their annual gross revenue from the sale of consumer data

Unlike some privacy regulations, like the Tennessee Information Protection Act, the OCPA doesn’t require entities to meet a revenue threshold to be considered a covered entity. However, the OCPA does outline exemptions for various categories of organizations. 

OCPA exemptions

The Oregon Consumer Privacy Act does not apply to government entities, including state, local, and special government agencies and bodies, financial institutions under Oregon Revised Statutes section 706.008, or radio or TV stations with licenses from the Federal Communications Commission. The OCPA also does not apply to de-identified data, publicly available information, or data protected by the following regulations: 

• HIPAA
• The Fair Credit Reporting Act
• Gramm-Leach-Bliley Act
• Driver’s Privacy Protection Act
• Family Educational Rights and Privacy Act
• The Airline Deregulation Act

It’s important to note that the OCPA's exemptions are far more restrictive than those outlined by other US state privacy laws. In particular, many other state privacy acts provide a general exemption for organizations subject to the Health Insurance Portability and Accountability Act or GLBA. The Oregon Consumer Privacy Act only excludes data governed by these acts, requiring HIPAA or GLBA-regulated entities to comply with the OCPA when processing other types of consumer data.

Important note: The OCPA does not exclude non-profit organizations from its scope. However, nonprofits have an extra year to comply (July 1, 2025).

What rights does the OCPA grant to consumers?

The Oregon Consumer Privacy Act provides rights to resident consumers acting in an individual context or on their household's behalf. The OCPA does not apply to individuals fulfilling their responsibilities as an employee. Under the OCPA, protected individuals have the following consumer rights:

• Confirmation: The OCPA grants consumers the right to confirm if a controller is processing or has previously processed their data.
• Access: The OCPA grants consumers the right to access the data a controller has previously processed.
• Knowledge: The OCPA grants consumers the right to know to what specific third parties a controller is disclosing their data.
• Correction: The OCPA grants consumers the right to request a controller to correct inaccuracies in their collected data.
• Deletion: The OCPA grants consumers the right to request that a controller delete their data after it is collected, regardless of how the controller obtained it.
• Data portability: The OCPA grants consumers the right to obtain a portable copy of all the data a controller has collected.
• Opt-out: The OCPA grants consumers the right to opt out of data collection for targeted advertising, the sale of personal data, or profiling.

Consumers must submit an authenticated request to exercise their rights under the OCPA. After a consumer submits a request, controllers have up to 45 days to respond, with an additional 45-day extension granted to consumers on a conditional basis. Controllers who receive an extension must notify the consumer of it and why it is necessary. In addition, if a controller rejects a consumer’s request, they must also explain why they denied the request and how the consumer can appeal the decision.

What obligations does the OCPA impose on controllers?

The Oregon Consumer Privacy Act imposes regulations on data controllers who control a consumer’s personal or sensitive data. Under the OCPA, personal and sensitive data are defined as:

• Personal data: Data and information that could be reasonably linked to an identified or identifiable natural person
• Sensitive data: The OCPA defines sensitive data as any type of information that includes the personal data of a child, an individual’s genetic information or biometric data, identifies a consumer’s precise geolocation (radius of 1,750 feet), or reveals an individual’s racial or ethnic background, national origin, religious beliefs, mental or physical condition, health diagnosis, sexual orientation, transgender or non-binary status, status as a victim of a crime, citizenship or immigration status. 

Under the OCPA, organizations that collect the personal or sensitive information of resident consumers must comply with the following obligations:

• Limited collection: The OCPA requires data controllers to limit their collection of a consumer’s personal data to what is reasonably adequate, relevant, and necessary for the disclosed data processing purposes.‍
• Data security controls: The OCPA requires data controllers to establish and maintain reasonable administrative, technical, and physical data security practices to safeguard the confidentiality and integrity of consumer data.‍
• Customer consent: The OCPA requires data controllers to obtain consumer consent before they process the consumer’s sensitive data.‍
• Privacy notice: The OCPA requires data controllers to provide a clear and accessible privacy policy. The notice must include the types of personal data they will collect and process, the purpose for this collection and processing, the categories of personal information they will share with third-party vendors and service providers, the categories of third parties that will receive the data, contact information, and an explanation of how data subjects can exercise the rights granted to them by the OCPA. ‍
• Sale of personal data: The OCPA requires data controllers to disclose if they intend to sell personal information to third parties or participate in targeted advertising.‍
• Universal opt-out mechanism: The OCPA requires data controllers to allow consumers to opt out of the sale or processing of their data for targeted advertising.‍
• Data protection assessment: The OCPA requires data controllers to conduct a data protection impact assessment on processing activities that present privacy risks to consumers, including targeted advertising, the sale of data, and the processing of sensitive data. Data controllers must also conduct impact assessments on any profiling activities.‍
• De-identified data: The OCPA requires data controllers who have collected de-identified data to take reasonable security measures to ensure the data cannot be re-identified or connected to an individual in the future. Data controllers must also contractually obligate any third parties or other recipients of the data to comply with the OCPA.‍
• Data of a known child: The OCPA aligns with the Children’s Online Privacy Protection Act (COPPA) and requires data controllers to obtain parental consent before processing the data of any child under 13 years of age.

The Oregon Consumer Privacy Act primarily imposes obligations on data controllers. However, the act also applies a few specific obligations to data processors. 

What obligations does the OCPA impose on processors?

Entities that process consumer data on behalf of a data controller must also comply with several compliance requirements included throughout the OCPA. In particular, the Oregon Consumer Privacy Act requires data processors to help data controllers meet their compliance obligations, including collaborating to process consumer requests. 

OCPA penalties, fines, and enforcement

The Oregon Consumer Privacy Act does not afford consumers the private right of action. Instead, enforcement authority lies solely with the Oregon Attorney General. If the Attorney General’s office determines an entity is violating the OCPA, it must notify the entity of the violation. The attorney general may also grant offenders a 30-day grace period to fix their violations. However, this grace period provision is only valid through January 1, 2026. 

Entities that do not comply with the OCPA may receive civil penalties of up to $7,500 per violation and be liable for attorney fees, expert witness fees, and investigation costs if the attorney general prevails in court. 

List of US state privacy regulations

• California Privacy Rights Act
• Colorado Privacy Act
• Connecticut Personal Data Privacy and Online Monitoring Act
• Delaware Personal Data Privacy Act
• Indiana Consumer Data Protection Act
• Iowa Consumer Data Protection Act
• Kentucky Consumer Data Protection Act
• Montana Consumer Data Privacy Act
• New Hampshire Senate Bill 255
• New Jersey Senate Bill 332
• Oregon Consumer Privacy Act
• Tennessee Information Protection Act
• Texas Data Privacy and Security Act
• Utah Consumer Privacy Act
• Virginia Consumer Data Protection Act

Achieve comprehensive OCPA compliance with UpGuard

If achieving OCPA compliance seems overwhelming for you or your organization, consider utilizing a comprehensive cybersecurity solution, like UpGuard, to streamline compliance management across your first and third-party ecosystems. 

UpGuard offers organizations across industries robust third-party risk management (TPRM) and compliance management tools that help identify, assess, remediate, and document third-party compliance risks, all in one intuitive software. 

Here’s how UpGuard has helped organizations similar to yours with TPRM and compliance management:

• Mattress Firm: “When I add a new vendor in UpGuard, I see their ratings and download the report to keep as a baseline. I can also identify any outstanding remediation issues on existing vendors and ensure they’re resolved.”
• Rimi Baltic: “Before UpGuard, conducting proper research for each vendor would eat up a lot of time – Does it comply with our requirements? Where is their data located? Do they have privacy policies? UpGuard has saved us a significant amount of time with its automation process. I would say it definitely saves us a few days per month. For example, in initial research that would have taken me 1-2 hours, I can get that answer in 5-10 minutes.” 
• Wesley Mission Queensland: “One of the best features of the platform is being able to bring all our vendors into one place and manage it from there. We can also set reassessment dates, which means we don’t have to manage individual calendar reminders for each vendor.”

These and other UpGuard customers have elevated their TPRM programs with UpGuard Vendor Risk’s powerful features and tools: 

• Vendor risk assessments: Fast, accurate, and comprehensive view of your vendors’ security posture‍
• Security ratings: Objective, data-driven measurements of an organization’s cyber hygiene‍
• Security questionnaires: Flexible questionnaires that accelerate the assessment process and provide deep insights into a vendor’s security‍
• Reports library: Tailor-made templates that support security performance communication to executive-level stakeholders  ‍
• Risk mitigation workflows: Comprehensive workflows to streamline risk management measures and improve overall security posture‍
• Integrations: Application integrations for Jira, Slack, ServiceNow, and over 4,000 additional apps with Zapier, plus customizable API calls‍
• Data leak protection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches‍
• 24/7 continuous monitoring: Real-time notifications and new risk updates using accurate supplier data‍
• Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting‍
• Shared Profile: Eliminate having to answer security questionnaires by creating an UpGuard Shared Profile‍
• Intuitive design: Easy-to-use first-party dashboards‍‍
• World-class customer service: Plan-based access to professional cybersecurity personnel that can help you get the most out of UpGuard

Streamline compliance with UpGuard Vendor Risk today. The OCPA goes into effect on July 1, 2025.