Oregon
Summary
Law: Oregon Consumer Privacy Act (OCPA)
Regulator: The Oregon Attorney General (AG)
Summary: Sections 1-9 of the OCPA entered into effect on July 1, 2024, following its enactment on July 18, 2023, with other provisions related to charitable organizations entering into effect on July 1, 2025, and other amendments becoming operative on January 1, 2026.
In line with other US State privacy laws, the OCPA introduces requirements related to the processing of personal data and establishes definitions including biometric data, the sale of personal data, as well as sensitive data. The OCPA also provides consumers with several rights including the right of access, the right to opt-out of targeted advertising, and the sale of personal data, among other things. Furthermore, the OCPA outlines various obligations for organizations within its scope and provides the AG with enforcement powers; although not providing a private right of action. The Oregon legislature has also passed legislation relating to data brokers, namely House Bill 2052 Relating to the registration of business entities qualifying as data brokers, which entered into effect on July 27, 2023.
In addition, Oregon joined many other US States in updating its data breach notification law in 2019, which was originally the Oregon Consumer Identity Theft Protection Act under §646A.600 et seq. of the Oregon Revised Statutes, and has now become the Oregon Consumer Information Protection Act (OCIPA). Substantive changes to the OCIPA include the expansion of the definition of a breach of security and the creation of new obligations for vendors, including a requirement to notify the applicable covered entity within ten days of discovery of a breach. Among the aforementioned sector-specific laws, Oregon law specifically regulates the use, disclosure, and processing of student data, in addition to disclosures of non-public financial information.