Last updated: January 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The Oregon Consumer Privacy Act (OCPA)
Effective Date: July 1, 2024 (except for non-profit organizations, whose effective date is July 1, 2025).
1. Applicability Thresholds:
Subject to certain entity-level and data-level exemptions, the OCPA applies to an individual or legal entity conducting business in Oregon or producing products or services targeted to Oregon residents (other than in a commercial or employment context) (consumer), and, during a calendar year, controlling or processing either:
- 100,000+ Oregon consumers' personal data (excluding personal data solely for the completion of payment transactions); or
- 25,000+ Oregon consumers' personal data, while deriving more than 25 percent of its revenue from the sale of personal data.
2. Key Definitions:
Sales of Personal Data: Similar to California, "Sale of Personal Data" is broadly defined to include the sharing, disclosing, or transferring of personal data for not only monetary compensation but also "other valuable consideration," subject to certain exemptions.
3. Business Obligations:
The OCPA imposes additional obligations on persons who, alone or jointly with others, determine the purpose and means of processing personal information (Controller):
- Heightened Protection for Children Under the Age of 15: Teenagers who are at least 13 but younger than 15 years of age and children under the age of 13 are afforded heightened protection under the OCPA.
- Data Processing Agreement (DPA): Processing activities by a third party on the Controller's behalf (Processor) shall be governed by a DPA between the Controller and Processor.
- Data Protection Assessment: Required where processing activities present a heightened risk of harm to consumers, including targeted advertising, sales of personal data, certain high-risk profiling activities, and processing of sensitive data.
- Privacy Notice: Required. Controllers must provide consumers with a privacy notice.
- Universal Opt-out Mechanism: Effective January 1, 2026, a Controller must allow a consumer to opt out of any personal data processing for targeted advertising or any personal data sales, through "a platform, technology or mechanism" that meets certain criteria.
4. Consumer Rights:
Subject to certain exceptions, an Oregon consumer has the right to:
- Confirm whether a Controller is processing the consumer's personal data and access the categories of data being processed.
- Correct inaccuracies in the consumer's personal data.
- Delete personal data about the consumer (including data provided by the consumer and those obtained from a third-party source).
- Obtain a copy of their personal data processed by the Controller, including a list of specific third parties to which the Controller has disclosed personal data.
- Opt out of data processing for targeted advertising, sales of personal data, and profiling for solely automated decisions producing legal or similarly significant effects.
5. Enforcement and Penalties:
Private Right of Action: None.
Penalties: Up to $7,500 per violation in civil penalties. The Oregon attorney general has five years to bring an action against a Controller for violating the OCPA.
Cure Period: A 30-day cure period following receipt of the notice of violation by the Oregon attorney general. This grace period is only available until December 31, 2025.