Law: Oregon Consumer Privacy Act (OCPA)
Regulator: The Oregon Attorney General (AG)
Summary: On July 18, 2023, the Oregon State Governor signed the OCPA into law. The provisions of the OCPA will enter into effect over time with Sections 1-9 coming into effect on July 1, 2024, and a yearlater in 2025 for charitable organisations, with certain amendments becoming operative on January 1, 2026.
In line with other US State privacy laws, the OCDPA introduces requirements related to the processing of personal data, establishes definitions including in relation to biometric data, the sale of personal data, as well as sensitive data. The OCDPA also provides consumers with several rights including the right of access, the right to opt-out of targeted advertising, and the sale of personal data, among other things. Furthermore, the OCDPA outlines various obligation for organisations within scope and provides the AG with enforcement powers.
In addition, Oregon joined many other US States in updating its data breach notification law in 2019, which was originally the Oregon Consumer Identity Theft Protection Act under §646A.600 et seq. of the Oregon Revised Statutes, and has now become the Oregon Consumer Information Protection Act (OCIPA). Substantive changes to the OCIPA include the expansion of the definition of a breach of security and the creation of new obligations for vendors, including a requirement to notify the applicable covered entity within ten days of discovery of a breach. Among the aforementioned sector-specific laws, Oregon law specifically regulates the use, disclosure, and processing of student data, in addition to disclosures of non-public financial information.