Oregon Consumer Data Privacy Act (Part One) — An Overview For Businesses

by John DiGiacomo

Partner

Internet Law

In mid-summer 2023, Oregon joined the list of U.S. states that have enacted consumer data protection statutes. The Oregon version is called the Oregon Consumer Data Privacy Act (“OCDPA”). The OCDPA is similar to every other consumer data protection act that has been enacted in the U.S.

The basic framework identifies “controllers” and “processors” of consumer data and requires them to provide notices to consumers and, under some circumstances, to obtain consent from consumers for the processing of their personal data. Consumers are given certain “rights” vis-a-vis the controllers — such as the right to know what data is possessed by the controller. Enforcement powers are given to the Oregon Attorney General’s Office and punishments are in line with punishments set forth in similar statutes — a $7,500 civil fine per violation.

Like the most recent versions of these statutes, the OCDPA is narrow in scope, covering consumer data and specifically excluding data collected and processed when a person is acting in an employment or commercial capacity. Further, there are dozens of excluded types of organizations (such as government entities, insurance companies, and more) and dozens of excluded types of data. One significant difference between the OCDPA and other data protection statutes is that the OCDPA does NOT exempt nonprofit organizations from coverage. It seems that the OCDPA is the first consumer privacy statute to apply to nonprofit entities. Presumably, consumer privacy advocates are pleased with this development and will push for the trend to continue.

Which businesses are covered by the OCDPA?

As with similar statutes, the OCDPA has certain thresholds so that coverage applies to large businesses that collect and process consumer personal data. The OCDPA applies to businesses (or persons) that:

  • Conduct business in Oregon OR provide products/services to residents of Oregon AND
  • that control or process personal data of at least 100,000 Oregon consumers OR
  • that control or process personal data of at least 25,000 Oregon consumers and derive over twenty-five percent (25%) of their annual gross revenue from the sale of personal data

Note that this definition excludes data that is “controlled or processed solely for the purpose of completing a payment transaction.” Note also that the OCDPA specifically applies to businesses/persons providing goods and services to Oregon consumers. Other data protection statutes use the word “target” instead of “provide.” See, for example, the recent Kentucky statute, section 2(1).

What obligations are imposed by the OCDPA?

The OCDPA imposes many of the same obligations that are imposed by similar statutes. There are, however, some nuances. For example, all of these statutes require controllers to identify the business purpose or purposes for which the data is being collected. However, the OCDPA adds the word “express.” Thus, under the OCDPA, a business must disclose the “express purpose” for which data is being collected (emphasis added). The OCDPA imposes the following obligations:

  • Controllers must provide a privacy notice that is “reasonably accessible, clear and meaningful”
  • Limit collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes specified
  • Obtain consumer consent before processing sensitive data about a consumer
  • Obtain consumer consent before processing personal data for the purposes of (i) targeted advertising, (ii) profiling the consumer in furtherance of decisions that produce legal effects, or (iii) selling the consumer’s personal data
  • Provide an easy and accessible online means for consumers to revoke consent
  • Provide an easy online method for consumers to exercise their rights under the OCDPA including an appeal process
  • Abide by a consumer’s choices made through global or universal choice apps or software (effective in 2025)
  • Provide consumers with an easily-located online email address or another method of contact
  • For contracts with processors and third parties, written contracts are required and must include provisions and safeguards obligating the contracting parties to comply with the OCDPA and to assist the controller in complying with the OCDPA
  • Conduct and document data protection assessments when certain data is processed for certain purposes
  • For deidentified data, controllers must take reasonable measures to ensure that such data cannot be associated with an individual, must via contract obligate any recipients of deidentified data to comply with the OCDPA, and must “publicly commit” not to re-identify de-identified data

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
