Oregon OCPA Compliance Guide | Blue Frog Docs

Oregon OCPA Compliance Guide

Comprehensive guide to the Oregon Consumer Privacy Act (OCPA), featuring unique nonprofit coverage and the nation's strictest employee data provisions.

Overview

The Oregon Consumer Privacy Act (OCPA) stands out as one of the most consumer-protective state privacy laws, notably extending coverage to nonprofit organizations and including unique provisions for employee data.

Full Name and Description

Oregon Consumer Privacy Act (OCPA): Signed into law on July 18, 2023, the OCPA becomes effective July 1, 2024. It grants Oregon consumers comprehensive data rights and imposes obligations on controllers and processors, including nonprofit organizations.

Enforcement Date

  • Effective Date: July 1, 2024
  • Nonprofit Compliance Date: July 1, 2025 (one year delayed for nonprofits)
  • Cure Period Expires: January 1, 2026

Governing Body

  • Oregon Attorney General: Exclusive enforcement authority
  • Oregon Department of Justice: Primary enforcement unit
  • No Private Right of Action: Consumers cannot sue directly

Primary Purpose

The OCPA aims to:

  • Provide Oregon consumers comprehensive data protection rights
  • Extend privacy obligations to nonprofit organizations
  • Establish enhanced protections beyond other state laws
  • Create accountability for high-risk data processing

Applicability

Who Needs to Comply?

The OCPA applies to persons that:

  1. Conduct business in Oregon or provide products/services to Oregon consumers, AND
  2. Control or process personal data of:
    • 100,000+ Oregon consumers per year (excluding payment-only data), OR
    • 25,000+ Oregon consumers while deriving 25%+ gross revenue from selling personal data

Unique: Nonprofit Inclusion

Oregon is one of the few states to include nonprofit organizations in its privacy law. While enforcement against nonprofits is delayed until July 1, 2025, they must ultimately comply with the same requirements as for-profit entities.

Key Exemptions

Entity-Level Exemptions:

  • Government bodies (state, local, federal)
  • HIPAA-covered entities and business associates
  • Financial institutions subject to GLBA
  • Certain insurance-related entities
  • Entities subject to FCC regulations

Data-Level Exemptions:

  • Employment data (but with important limitations)
  • B2B contact information
  • Data subject to HIPAA, GLBA, FCRA, FERPA, COPPA
  • Publicly available information

Employee Data - Partial Coverage

Unlike most state laws, Oregon's employee data exemption is limited rather than blanket:

  • Employment records are exempt
  • Job applicant data has only a limited exemption
  • Employee data used for non-employment purposes (such as marketing or profiling) may still be covered

What the OCPA Governs

Types of Data Covered

Personal Data - Information linked or reasonably linkable to a consumer or consumer's device.

Sensitive Data (requires opt-in consent):

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic data
  • Biometric data for identification
  • Personal data of a known child
  • Precise geolocation data
  • National origin (unique to Oregon)
  • Status as transgender or nonbinary (unique to Oregon)

Oregon includes the most comprehensive list of sensitive data categories among U.S. state privacy laws.

Consumer Rights Under OCPA

Oregon consumers have six core rights:

  1. Right to Access: Confirm processing and access personal data
  2. Right to Correct: Request correction of inaccurate data
  3. Right to Delete: Request deletion of personal data
  4. Right to Portability: Obtain data in a portable format
  5. Right to Opt-Out: Decline sale, targeted advertising, and profiling
  6. Right to Know Third Parties: Request list of specific third parties receiving data

Unique: Right to Third-Party Information

Oregon grants consumers the right to obtain a list of specific third parties (not just categories) to which the controller has disclosed personal data. This goes beyond other state laws that only require disclosure of categories.


Compliance Requirements

Key Obligations for Controllers

1. Privacy Notice Requirements

Controllers must provide reasonably accessible privacy notices including:

  • Categories of personal data processed
  • Purposes for processing
  • Consumer rights and how to exercise them
  • Categories of third parties with whom data is shared
  • Categories of data disclosed to third parties
  • Information about third-party list requests

2. Purpose Limitation and Data Minimization

  • Process only data adequate, relevant, and reasonably necessary
  • Do not process for incompatible purposes without consent
  • Obtain consent before processing for materially different purposes

3. Security Requirements

  • Implement reasonable administrative, technical, and physical safeguards
  • Safeguards must be appropriate to volume and sensitivity of data

4. Consumer Request Handling

  Requirement                        Timeframe
  -------------------------------    ------------------
  Initial Response                   45 days
  Extension (reasonably necessary)   Additional 45 days
  Appeals Response                   45 days
  Third-Party List Response          45 days

5. Opt-In Consent for Sensitive Data

Consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Obtained through clear affirmative action

Prohibited practices for obtaining consent:

  • Using dark patterns
  • Presenting opt-out as more burdensome than opt-in
  • Manipulating design elements to influence choice

Data Protection Assessments

Required for:

  • Processing for targeted advertising
  • Sale of personal data
  • Processing for profiling with significant effects
  • Processing sensitive data
  • Any processing presenting heightened risk

Assessment requirements:

  • Identify and weigh benefits to controller, consumer, and public
  • Identify potential risks to consumers
  • Evaluate whether risks are mitigated by safeguards
  • Document and maintain for AG inspection

Third-Party Disclosure Lists

Controllers must be prepared to provide the specific names of third parties (not just categories) within 45 days of a verified request. Meeting this obligation requires:

  • Detailed records of all data sharing, kept current as arrangements change
  • A process for generating the list within the 45-day response window

Nonprofit Compliance

Delayed Enforcement

Nonprofits have until July 1, 2025 to comply, giving them one year beyond the general effective date.

What Nonprofits Must Do

Despite the delay, nonprofits should:

  1. Conduct data inventory to determine applicability
  2. Assess whether thresholds are met
  3. Develop compliance roadmap
  4. Implement required disclosures and mechanisms

Types of Nonprofits Potentially Affected

  • Large membership organizations
  • Healthcare nonprofits not covered by HIPAA
  • Educational organizations not covered by FERPA
  • Advocacy organizations with extensive donor databases
  • Religious organizations processing significant consumer data

Consequences of Non-Compliance

Enforcement Process

  1. Investigation: AG may investigate potential violations
  2. Notice of Violation: Written notice of alleged violation
  3. Cure Period: 30 days to cure (until January 1, 2026)
  4. Enforcement: Civil action if not cured

Penalties and Fines

  • Up to $7,500 per violation
  • Civil penalties as provided by Oregon law
  • Investigative costs and attorney fees
  • Injunctive relief available

Cure Period Sunset

The 30-day cure period expires on January 1, 2026, after which the AG may proceed directly to enforcement without offering opportunity to cure.


Why the OCPA Exists

Historical Background

  • 2023 Legislative Session: Oregon legislature passes SB 619
  • July 18, 2023: Governor Kotek signs OCPA into law
  • July 1, 2024: OCPA takes effect for businesses
  • July 1, 2025: Nonprofits must comply

Distinctive Features

Oregon's OCPA is notable for:

  1. Nonprofit coverage: One of few states to include nonprofits
  2. Third-party disclosure right: Specific names, not just categories
  3. Expanded sensitive data: Includes national origin, transgender/nonbinary status
  4. Limited employee data exemption: Some employee data may be covered
  5. Dark patterns prohibition: Explicit ban in consent contexts

Comparison with Other Laws

  Feature                        OCPA      VCDPA     CPA       CTDPA
  ---------------------------    ------    ------    ------    --------
  Nonprofit Coverage             Yes       No        No        No
  Third-Party List Right         Yes       No        No        No
  National Origin as Sensitive   Yes       No        No        No
  Dark Patterns Ban              Yes       No        Yes       Yes
  Cure Period Sunset             1/1/26    1/1/25    1/1/25    12/31/24

Implementation & Best Practices

How to Become Compliant

Step 1: Applicability Assessment

  • Count Oregon consumers in your systems
  • Calculate percentage of revenue from data sales
  • Determine if nonprofit status affects timeline
  • Document threshold analysis

Step 2: Comprehensive Data Mapping

  • Inventory all Oregon consumer data
  • Identify sensitive data categories (including expanded Oregon categories)
  • Map all third-party sharing with specific party names
  • Document processing purposes

Step 3: Third-Party Tracking System

  • Implement system to track specific third parties receiving data
  • Maintain records sufficient to respond to consumer requests
  • Update records when sharing arrangements change

Step 4: Privacy Notice Updates

  • Include all required disclosures
  • Explain right to third-party lists
  • Describe consumer rights clearly
  • Address sensitive data handling

Step 5: Consumer Rights Infrastructure

  • Build request intake mechanisms
  • Implement 45-day response workflows
  • Create appeals process
  • Establish third-party list generation capability

Step 6: Sensitive Data Consent

  • Implement opt-in consent for all sensitive data categories
  • Include Oregon's unique categories (national origin, transgender/nonbinary status)
  • Avoid dark patterns in consent interfaces

For Nonprofits

Timeline for nonprofit compliance (by July 1, 2025):

  • Now: Assess applicability and start planning
  • Q1 2025: Complete data mapping
  • Q2 2025: Implement required mechanisms
  • July 1, 2025: Full compliance required

Ongoing Compliance Maintenance

  • Quarterly Third-Party Audits: Keep sharing records current
  • Annual DPA Reviews: Update risk assessments
  • Consumer Request Tracking: Monitor response times
  • Privacy Notice Reviews: Reflect any processing changes
  • Staff Training: Ensure understanding of Oregon-specific requirements

Additional Resources

Official Documentation

Industry Guidance

  • IAPP Oregon Privacy Law Analysis
  • Nonprofit Privacy Compliance Framework
  • Third-Party Data Sharing Management Guide


Conclusion

The Oregon Consumer Privacy Act represents one of the most consumer-protective state privacy laws enacted to date. Its inclusion of nonprofits, expanded sensitive data categories, and unique right to specific third-party information set it apart from other state laws.

Organizations should pay particular attention to:

  • The requirement to provide specific third-party names (not just categories)
  • Oregon's unique sensitive data categories including national origin and transgender/nonbinary status
  • The limited employee data exemption that may capture some employee information
  • The nonprofit compliance deadline of July 1, 2025

Proper third-party tracking systems are essential for Oregon compliance given the specific disclosure requirements.