Oregon Consumer Privacy Act
Posted June 8, 2026
In force since July 1, 2024, the Oregon Consumer Privacy Act (OCPA) is one of the broadest state privacy laws in what it reaches. Beyond the usual rights to access, correct, delete, and opt out, Oregon lets residents request the specific companies that received their data, extends to the information generated by a person's car, and bans the sale of precise location data outright.
History
2023
Oregon Senate Bill 619, the Oregon Consumer Privacy Act (“OCPA”), was signed into law on July 18, 2023 by Governor Tina Kotek.
2024
On July 1, 2024, the OCPA went into effect.
Amendments
| Bill | Effective Date | Description |
|---|---|---|
| HB 3875 | September 26, 2025 | Extended the OCPA’s scope to motor vehicle manufacturers and their affiliates, regardless of the consumer-number thresholds, for personal data obtained from an Oregon resident’s use of a motor vehicle. |
| HB 2008 | January 1, 2026 | Banned the sale of precise geolocation data, restricted processing of the personal data of consumers under 16, and required controllers to honor a revocation of consent within 15 days. |
Scope
Who
The OCPA is intended to protect personal data of consumers, meaning people who reside in Oregon and act in an individual or household context rather than a commercial or employment one.1
The OCPA applies to persons that conduct business in Oregon or produce or deliver commercial products or services that are targeted to residents of Oregon and that do one or both of the following2:
- control or process personal data of at least 100,000 consumers in a year, or
- control or process personal data of at least 25,000 consumers per year and derive 25% or more of annual gross revenue from the sale of personal data.
The OCPA also applies, regardless of threshold numbers, to any motor vehicle manufacturer or their affiliate that controls or processes personal data obtained from an Oregon resident’s use of a motor vehicle or any component of a motor vehicle.3
The OCPA distinguishes between controllers and processors.4 A controller is an entity that alone, or jointly with others, determines the purposes and means for processing personal data.5 A processor is an entity that processes personal data on behalf of a controller.6
Processing means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data.7
The OCPA imposes restrictions and obligations on the relationship between controllers and processors, requiring that processors follow the controller’s instructions on how personal data may be processed.8 Contracts between controllers and processors must include the following9:
- instructions for processing the personal data,
- the type(s) of personal data and the duration of processing,
- the purpose for processing personal data,
- a duty of confidentiality, meaning the data is protected from disclosure to or access by unauthorized parties,
- the obligation to delete or return data upon the controller’s request,
- the ability to provide evidence to demonstrate compliance with contractual obligations,
- an obligation that the processor have agreements in place with any subcontractors of the processor and that subcontractors have controls to protect personal data that are at least as protective as the obligations in the agreement between the controller and the processor, and
- the right for the controller, their designee, or a qualified third party engaged by the processor to conduct audits of the processor’s technical and organizational measures related to the protection of personal data.
What
Personal Data
The OCPA regulates how companies can collect, use, and share personal data. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable person, subject to some exceptions and with some particular types of personal data (such as sensitive or deidentified data) receiving more or fewer protections.10
Sensitive Data
The OCPA provides additional guidance around a subcategory of personal data: sensitive data.11 The OCPA provides heightened protections for sensitive data based on the assumption that misuse, loss, or unauthorized disclosure of the data can have a more significant impact on data subjects than with other types of personal data. For example, this data can lead to discrimination, financial loss, identity theft, or reputational damage.
Sensitive data includes:12
- racial or ethnic origin,
- national origin,
- religious beliefs,
- mental or physical health condition or diagnosis,
- sexual orientation,
- status as transgender or nonbinary,
- status as a victim of a crime,
- citizenship or immigration status,
- personal data of children (someone younger than 13 years of age),
- genetic or biometric data, and
- precise geolocation data that identifies an individual within 1,750 feet.
Exemptions
Exempt Entities
The OCPA does not apply to the following entities13:
- public corporations, including Oregon Health and Science University and the Oregon State Bar,
- public bodies as defined in Or. Rev. Stat. § 174.109, including state government bodies, local government bodies, and special government bodies,
- financial institutions or their affiliates as defined in Or. Rev. Stat. § 706.008,
- insurers, as defined in Or. Rev. Stat. § 731.106, other than entities that establish and maintain self-insurance programs that do not otherwise engage in the business of entering into policies of insurance,
- insurance producers, as defined in Or. Rev. Stat. § 731.104, and insurance consultants, as defined in Or. Rev. Stat. § 744.602,
- entities that hold a third party administrator license under Or. Rev. Stat. § 744.710,
- nonprofit organizations established to detect and prevent fraud in connection with insurance,
- noncommercial activities of publishers, editors, reporters, or other entities connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report, or other publication in general circulation,
- noncommercial activities of radio or television stations that hold a license issued by the Federal Communications Commission,
- noncommercial activities of nonprofit organizations that provide programming to radio or television networks, and
- noncommercial activities of entities that provide information services, such as a press association or wire service.
Exempt Data
The following types of data are exempt from the OCPA14:
- protected health information under the Health Insurance Portability and Accountability Act (HIPAA) that is collected, stored, and processed by a covered entity or their business associates,
- patient identifying information for the purposes of 42 U.S.C. § 290dd-2, which covers confidentiality of records related to substance abuse and mental health services,
- identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, which governs research involving human subjects,
- identifiable private information that is collected as part of human subjects research pursuant to the “Good Clinical Practice” guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or for the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, which govern research involving human subjects,
- patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.),
- information used for public health activities and purposes as authorized by HIPAA,
- information and documents created for the purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.),
- data processed or maintained for applications for employment or employment purposes,
- data processed or maintained for the purposes of an individual’s ownership or function as a director or officer of a business,
- data processed or maintained for an individual’s contractual relationship with a business,
- data necessary to administer benefits from an employer,
- emergency contact information used for emergency contact purposes,
- personal data collected, maintained, disclosed, sold, communicated, or used in a manner that has bearing on a consumer's credit worthiness to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.),
- personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.),
- personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.),
- data subject to the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.), and
- personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Federal Aviation Act of 1958 (49 U.S.C. § 40101 et seq.) and the Airline Deregulation Act of 1978 (49 U.S.C. § 41713).
Deidentified Data
The OCPA includes an exemption for deidentified data.15
Deidentified data is data that cannot reasonably be used to infer information about or be linked to an identified individual or a device linked to such individual.16 Deidentified data also includes data that has been deidentified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).17 Controllers processing deidentified data must18:
- take reasonable measures to ensure that the data is deidentified and cannot be associated with an individual,
- publicly commit to not attempt to reidentify the data, and
- contractually obligate recipients of deidentified data to take measures to ensure the data cannot be associated with an individual and not attempt to reidentify the data.
Publicly Available Data
The OCPA does not apply to publicly available information.19 Publicly available information is information that20:
- is lawfully available through federal, state, or local government records or widely distributed media, or
- the controller has a reasonable basis to believe the consumer has lawfully made available to the public.
Rights
Consumers have several rights under the OCPA21:
- right of access,
- right to correct,
- right to delete,
- right to opt out,
- right to opt into the processing of sensitive data,
- right to not be discriminated against, and
- minors’ rights.
Right to Access
Consumers have the right to know whether a controller is processing their personal data and what personal data is being processed about them.22 This includes the right to obtain a copy of their data in a format that is portable such that the consumer can transmit the data to another controller.23
This right also appears in the disclosures businesses must make in their privacy notice. The notice must include24:
- the categories of personal data processed by the controller,
- the purpose for processing personal data,
- how consumers can exercise their rights,
- the categories of personal data that the controller shares with third parties,
- the categories of third parties with whom the controller shares personal data,
- an e-mail address or other online method by which an individual may contact the controller, and
- a description of processing of personal data for the purposes of targeted advertising or profiling.
Right to Correct
Consumers have the right to request that a controller correct inaccuracies in their personal data.25
Right to Delete
Consumers have the right to request that a controller delete any personal data provided by the consumer or obtained about the consumer.26
Right to Opt Out
Consumers have the right to opt out of a controller processing their personal data for the purpose of targeted advertising, the sale of personal data, or consumer profiling used to analyze individuals and make decisions about them that have legal consequences or have other serious impacts on their lives.27 A controller must act on a consumer’s request to opt out without undue delay and no later than 45 days after receiving it.28
Targeted advertising is advertising that a controller selects for a consumer based on the consumer’s personal data gathered over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.29 Targeted advertising does not include30:
- Advertisements based on activities within a controller's own websites or online applications,
- Advertisements based on the context of a consumer's current search query or current visit to a website or online application,
- Advertisements directed to a consumer in response to the consumer's request for information or feedback, or
- Personal data processed solely for measuring or reporting advertising performance.
Sale of data is a controller’s exchange of personal data with a third party for money or other valuable consideration.31 Sale does not include32:
- The disclosure of personal data to a processor that processes the personal data on behalf of the controller,
- The disclosure of personal data to a third party at the direction of the data subject,
- The disclosure or transfer of personal data to an affiliate of the controller or that is made as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets,
- The disclosure of information that the consumer intentionally made available to the general public.
The OCPA also prohibits controllers from selling personal data of data subjects under 16 years of age or that identifies the geolocation of a data subject within a radius of 1,750 feet.33
Profiling is the automated processing of personal data to evaluate, analyze, or predict personal aspects of a consumer, such as economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.34
Right to Opt In for Sensitive Data
Controllers may not process sensitive data without obtaining consent from the consumer.35 A consumer therefore has the right not to have their sensitive data processed without first opting in.36
Consent must be37:
- freely given, meaning the consent is given voluntarily,
- specific, meaning the consent is given for a clearly defined purpose and is not an acceptance of general or broad terms of use,
- informed, meaning the data subject is provided an explanation of how the data will be processed, and
- unambiguous, meaning it is clear the data subject has consented (e.g., by clicking “I agree”).
If a consumer rescinds their consent, such revocation of consent must be honored within 15 days.38
Right to Not Be Discriminated Against
Consumers have the right to not be discriminated against for exercising their rights to their personal data.39
Minors’ Rights
Controllers may not process the sensitive data of a child under 13 without first obtaining consent in accordance with the Children’s Online Privacy Protection Act of 1998.40
Controllers also cannot use the personal data of minors under the age of 16 for the following purposes41:
- targeted advertising,
- sale of personal data, and
- profiling to analyze individuals and make decisions about them that have legal consequences or have other serious impacts on their lives.
Exercising Rights
A consumer may exercise their rights to access, correct, delete, or opt out under the OCPA by submitting a request to the controller that specifies the right they wish to invoke.42 Consumers may also assign another person, an authorized agent, to exercise opt-out rights on their behalf.43
A controller must respond to the consumer’s request within 45 days of receipt indicating the actions taken.44 The controller may request additional information needed to authenticate the consumer and their request.45 If unable to reasonably authenticate the consumer, a controller may refuse the request.46
If reasonably necessary due to the complexity or quantity of consumer requests, the controller may extend their response period by 45 days so long as the controller notifies the consumer within the initial 45-day period of such extension and provides a reason for the extension.47
A controller must also provide information in response to a consumer request free of charge once every 12 months.48 A controller may charge a reasonable fee for a second or subsequent request within a twelve-month period.49 Controllers must also establish an appeals process for a consumer to appeal any refusal by the controller to take action on a request.50
Universal Opt Out
Oregon is also one of several states that require that websites recognize a browser-based signal, known as a universal opt out mechanism, that opts users out of web tracking technologies and cross-site tracking that are commonly used in targeted advertising practices.51
Enforcement
The Attorney General of Oregon has the authority to enforce the provisions of the OCPA.52 The Attorney General may seek a civil penalty of up to $7,500 per violation or other equitable relief.53 The Attorney General may also seek reasonable attorney fees, expert witness fees, and other costs of the investigation if the Attorney General prevails in an action under the OCPA.54 Proceeds of recovery under the OCPA are deposited into the Department of Justice Protection and Education Revolving Account.55
Notes
1. Or. Rev. Stat. § 646A.570(7) (2025).
2. Or. Rev. Stat. § 646A.572(1) (2025).
3. Id.
4. Or. Rev. Stat. § 646A.570 (2025).
5. Or. Rev. Stat. § 646A.570(8) (2025).
6. Or. Rev. Stat. § 646A.570(15) (2025).
7. Or. Rev. Stat. § 646A.570(14) (2025).
8. Or. Rev. Stat. § 646A.581 (2025).
9. Or. Rev. Stat. § 646A.581(2) (2025).
10. Or. Rev. Stat. § 646A.570(13)(a) (2025).
11. Or. Rev. Stat. § 646A.578(2)(b) (2025).
12. Or. Rev. Stat. § 646A.570(18) (2025).
13. Or. Rev. Stat. § 646A.572(2) (2025).
14. Id.
15. Or. Rev. Stat. § 646A.570(13)(b) (2025).
16. Or. Rev. Stat. § 646A.570(11) (2025).
17. Id.
18. Or. Rev. Stat. § 646A.583(1)(a) (2025).
19. Or. Rev. Stat. § 646A.570(13)(b) (2025).
20. Id.
21. Or. Rev. Stat. §§ 646A.574(1), 646A.578(2) (2025).
22. Or. Rev. Stat. § 646A.574(1)(a)(A) (2025).
23. Or. Rev. Stat. § 646A.574(1)(a)(C), (2) (2025).
24. Or. Rev. Stat. § 646A.578(4) (2025).
25. Or. Rev. Stat. § 646A.574(1)(b) (2025).
26. Or. Rev. Stat. § 646A.574(1)(c) (2025).
27. Or. Rev. Stat. § 646A.574(1)(d) (2025).
28. Or. Rev. Stat. § 646A.576(5)(a) (2025).
29. Or. Rev. Stat. § 646A.570(19)(a) (2025).
30. Or. Rev. Stat. § 646A.570(19)(b) (2025).
31. Or. Rev. Stat. § 646A.570(17)(a) (2025).
32. Or. Rev. Stat. § 646A.570(17)(b) (2025).
33. Or. Rev. Stat. § 646A.578(2)(d) (2025).
34. Or. Rev. Stat. § 646A.570(16) (2025).
35. Or. Rev. Stat. § 646A.578(2)(b) (2025).
36. Id.
37. Or. Rev. Stat. § 646A.570(6) (2025).
38. Or. Rev. Stat. § 646A.578(1)(d) (2025).
39. Or. Rev. Stat. § 646A.578(2)(e) (2025).
40. Or. Rev. Stat. § 646A.578(2)(b) (2025).
41. Or. Rev. Stat. § 646A.578(2)(c)-(d) (2025).
42. Or. Rev. Stat. § 646A.576(1) (2025).
43. Or. Rev. Stat. § 646A.576(4) (2025).
44. Or. Rev. Stat. § 646A.576(5)(a) (2025).
45. Or. Rev. Stat. § 646A.576(5)(d) (2025).
46. Id.
47. Or. Rev. Stat. § 646A.576(5)(a) (2025).
48. Or. Rev. Stat. § 646A.576(5)(c) (2025).
49. Id.
50. Or. Rev. Stat. § 646A.576(6) (2025).
51. Or. Rev. Stat. § 646A.578(5)(c) (2025).
52. Or. Rev. Stat. § 646A.589(7) (2025).
53. Or. Rev. Stat. § 646A.589(4)(a) (2025).
54. Or. Rev. Stat. § 646A.589(4)(b) (2025).
55. Or. Rev. Stat. § 646A.589(4)(c) (2025).