Oregon Consumer Privacy Act
Data privacy and customer trust go hand-in-hand. A law recently passed in Oregon that goes into effect later this summer – the Oregon Consumer Privacy Act (OCPA) – is set to impact how some businesses protect customers’ information. Understanding this new law and its influence on your operations will be key to communicating that trust is a priority at your company.
What is the OCPA?
The OCPA outlines the responsibilities of businesses that collect and process personal information about Oregon consumers and gives those consumers rights and control over how their data is used.
Most parts of the OCPA will take effect on July 1, 2024. Provisions regarding nonprofit organizations take effect on July 1, 2025.
What types of businesses are impacted by the OCPA?
The OCPA applies to you if you conduct business in Oregon or provide products or services to Oregon residents and meet one of these thresholds:
- Control or process the personal data of 100,000+ Oregon residents annually (excluding payment transaction data)
- Control or process the personal data of 25,000+ consumers and derive 25% or more of annual revenue from selling personal data
What rights does the OCPA give consumers?
Under the OCPA, Oregonians have the right to:
- Ask businesses how they collect, use, and share their personal information
- Correct any wrong or incomplete personal information that a business has about them
- Request that a business erase their personal information
- Opt out of the sale and processing of their personal information when it is used for targeted advertising or automated decision-making
- Request that a business give them a copy of their personal information in a format they can take with them
What does the OCPA mean for my business?
If your business handles or uses personal data from Oregon consumers and meets the criteria outlined above, consider taking the following actions to stay in compliance with the OCPA:
- Make your privacy practices clear. Is your privacy policy transparent and easy to understand? It should tell consumers how you collect, use, and share personal information, and state their rights under the OCPA. Also, your privacy notice should list the types of data processed, the reasons for processing the data, the types of data shared with third parties, and the types of third parties that get data.
- Design a way to handle consumer requests. Under the OCPA, you will need to have a way to handle consumer requests for information, correction, deletion, opt-out, and data portability.
- Use security measures. You will need to use sufficient security measures to protect customers’ personal information from unauthorized access, modification, or loss.
- Train your team. Your staff should know the OCPA and how to follow it. Train them on the law and on your company's privacy policies and procedures.
Let's work together to protect consumer privacy and maintain trust in the marketplace.
For more information about legislation and updates, visit the Oregon Department of Justice Website:
To help you communicate these changes to your customers, we have included a letter template that you can edit and customize as needed.
Please note: This article contains general information and should not be construed as legal advice. For legal advice specific to your business, consult a qualified legal professional.