Unlocking Oregon's Privacy Law: Key Steps for Compliance

Oregon's privacy law at a glance

Passed on July 18, 2023, Oregon’s new privacy law - the Oregon Consumer Data Privacy Act (OCDPA) - will go into effect on July 1, 2024.

Designed to give Oregon consumers new privacy rights, the OCDPA created new requirements for businesses collecting and processing personal data within the state. 

With only a few months to go before enforcement begins, it’s critical businesses understand what Oregon’s privacy law requires and steps they can take to comply. 

Who’s subject to Oregon’s privacy law?

Oregon's privacy law applies to businesses that conduct operations in Oregon or provide products/services to Oregon residents. To fall under the law's purview, a company must meet one of the following thresholds during a calendar year:

• Control or process the personal data of 100,000 or more consumers, excluding data processed solely for payment transactions OR
• Control or process the personal data of 25,000 or more consumers and derive 25 percent or more of their annual gross revenue from selling personal data.

Businesses that do fall under this scope should start working towards compliance now.

Compliance requirements under Oregon’s privacy law

Businesses subject to Oregon's privacy law are required to:

• Provide privacy notices
• Respond to consumer requests for access, correction, deletion, and opt-out
• Provide a list of third-parties to whom personal data has been disclosed, upon a consumer’s request
• Respond to consumer appeals within 45 days
• Recognize universal opt-out signals by January 1, 2026
• Provide opt-out mechanisms for targeted advertising, data sales, and profiling
• Get opt-in consent before processing sensitive data, personal data for targeted ads, data sales, or profiling for consumers known to be 13-15 years old
• Conduct data protection assessments for targeted advertising, data sales, profiling, and sensitive data processing

Complying with these requirements means Oregon businesses should start looking for next generation privacy tools that save time and money, while streamlining compliance. Keep reading to learn how Oregon's privacy law is different from other state laws, plus a checklist for easy OCDPA compliance.

How Oregon’s privacy law compares to other state privacy laws

Applicability threshold

Similar to Texas and New Jersey, Oregon's privacy law lacks a revenue threshold. Instead, it focuses on data collection thresholds, with an exception for data processed solely for payment transactions.

New consumer right

One fully unique component of the OCDPA is that it gives consumers the right to request a list of third parties to which a business has disclosed personal data. Complying with this requirement means companies will need to keep a list of these third parties, whereas in the past, they only had to disclose the categories of third parties that may have access to a consumer’s data.

Narrower exemption for financial institutions

Oregon’s privacy law has a different rule for financial institutions compared to other states (except California). Most other state privacy laws exempt financial institutions based on the federal Gramm-Leach-Bliley Act (GLBA). But in Oregon, this exemption is narrower—so even if a financial institution follows GLBA rules, they may still fall under the scope of the OCDPA.

Universal opt-out mechanisms

Starting January 1, 2026, businesses under the OCDPA will need to recognize universal opt-out mechanisms. While the majority of state laws don’t require this, it is becoming more commonplace—Oregon is joining the ranks of Colorado, California, Montana, Connecticut, and Texas by including this requirement. 

Definition of sensitive data 

Oregon’s privacy law has a broader definition of "sensitive data" compared to privacy laws in other states—covering information about consumers’ race, ethnicity, nationality, religion, health conditions, sexual orientation, transgender or non-binary status, victim status of a crime, citizenship, and immigration status. It also covers specific location details, children's information, and genetic or biometric data.

Oregon privacy law compliance checklist

1. Conduct a compliance assessment

Begin by conducting a thorough assessment of your company's data collection and processing practices to determine if the law applies to your business. Evaluate whether you meet the thresholds for data processing outlined in the legislation. This assessment will serve as a foundation for designing and implementing compliance measures.

2. Complete a data inventory

Create a comprehensive data map that outlines the flow of personal data within your organization. Identify the types of personal data collected, processed, and stored, along with the purposes and legal basis for each processing activity. A detailed data inventory will facilitate an effective gap analysis and compliance risk assessment.

3. Establish mechanisms for DSR fulfillment 

Establish mechanisms for consumers to exercise their rights under the law, such as requests for access, correction, deletion, and data portability. Implement procedures for verifying consumer identity and responding to requests within the mandated time frame. A next-generation solution like Transcend DSR Automation can help streamline this process. 

4. Implement a consent management solution 

Compliant consent management under any state privacy law, including Oregon’s, requires that businesses collect consent and enforcement consent preferences across every digital interface, from websites to mobile apps. Implementing a full-stack consent solution like Transcend Consent Management will help your teams ensure compliance with the OCDPA’s requirements around obtaining opt-in consent before collecting and processing sensitive data. 

5. Conduct data protection assessments

Oregon's privacy law requires that companies conduct data protection assessments (DPAs) before engaging in high-risk processing activities, such as selling personal data, automated profiling, or targeted advertising. Document the results of DPAs, including risk assessments and mitigating measures, to demonstrate compliance with the law. A centralized, collaborative tool like Transcend Assessments can help—giving your teams a unified view to proactively manage data processing risk across your organization.

6. Implement privacy notices

Develop clear and concise privacy notices that inform consumers about your data processing practices, including the purposes of data collection, categories of personal data processed, and their rights under the law. Ensure transparency and accessibility of these notices to foster trust and compliance.

7. Honor universal opt-out mechanisms

Prepare to recognize and honor universal opt-out signals, including those for targeted advertising, data sales, and profiling. Update your systems and processes to accommodate these opt-out preferences, ensuring seamless implementation by the enforcement deadline.

Conclusion

Oregon's privacy law sets a high standard for data protection and consumer rights. By aligning with emerging privacy trends and empowering regulatory oversight, the legislation aims to safeguard personal information in an increasingly digital world. Businesses operating in Oregon should prioritize compliance, exploring next-generation privacy solutions as a key way to save time and resources, avoid penalties, and uphold consumer trust.