Senior Content Marketing Manager II
May 9, 2024â˘4 min read
Passed on July 18, 2023, Oregonâs new privacy law - the Oregon Consumer Data Privacy Act (OCDPA) - will go into effect on July 1, 2024.
Designed to give Oregon consumers new privacy rights, the OCDPA created new requirements for businesses collecting and processing personal data within the state.Â
With only a few months to go before enforcement begins, itâs critical businesses understand what Oregonâs privacy law requires and steps they can take to comply.Â
Oregon's privacy law applies to businesses that conduct operations in Oregon or provide products/services to Oregon residents. To fall under the law's purview, a company must meet one of the following thresholds during a calendar year:
Businesses that do fall under this scope should start working towards compliance now.
Businesses subject to Oregon's privacy law are required to:
Complying with these requirements means Oregon businesses should start looking for next generation privacy tools that save time and money, while streamlining compliance. Keep reading to learn how Oregon's privacy law is different from other state laws, plus a checklist for easy OCDPA compliance.
Similar to Texas and New Jersey, Oregon's privacy law lacks a revenue threshold. Instead, it focuses on data collection thresholds, with an exception for data processed solely for payment transactions.
One fully unique component of the OCDPA is that it gives consumers the right to request a list of third parties to which a business has disclosed personal data. Complying with this requirement means companies will need to keep a list of these third parties, whereas in the past, they only had to disclose the categories of third parties that may have access to a consumerâs data.
Oregonâs privacy law has a different rule for financial institutions compared to other states (except California). Most other state privacy laws exempt financial institutions based on the federal Gramm-Leach-Bliley Act (GLBA). But in Oregon, this exemption is narrowerâso even if a financial institution follows GLBA rules, they may still fall under the scope of the OCDPA.
Starting January 1, 2026, businesses under the OCDPA will need to recognize universal opt-out mechanisms. While the majority of state laws donât require this, it is becoming more commonplaceâOregon is joining the ranks of Colorado, California, Montana, Connecticut, and Texas by including this requirement.Â
Oregonâs privacy law has a broader definition of "sensitive data" compared to privacy laws in other statesâcovering information about consumersâ race, ethnicity, nationality, religion, health conditions, sexual orientation, transgender or non-binary status, victim status of a crime, citizenship, and immigration status. It also covers specific location details, children's information, and genetic or biometric data.
Begin by conducting a thorough assessment of your company's data collection and processing practices to determine if the law applies to your business. Evaluate whether you meet the thresholds for data processing outlined in the legislation. This assessment will serve as a foundation for designing and implementing compliance measures.
Create a comprehensive data map that outlines the flow of personal data within your organization. Identify the types of personal data collected, processed, and stored, along with the purposes and legal basis for each processing activity. A detailed data inventory will facilitate an effective gap analysis and compliance risk assessment.
Establish mechanisms for consumers to exercise their rights under the law, such as requests for access, correction, deletion, and data portability. Implement procedures for verifying consumer identity and responding to requests within the mandated time frame. A next-generation solution like Transcend DSR Automation can help streamline this process.Â
Compliant consent management under any state privacy law, including Oregonâs, requires that businesses collect consent and enforcement consent preferences across every digital interface, from websites to mobile apps. Implementing a full-stack consent solution like Transcend Consent Management will help your teams ensure compliance with the OCDPAâs requirements around obtaining opt-in consent before collecting and processing sensitive data.Â
Oregon's privacy law requires that companies conduct data protection assessments (DPAs) before engaging in high-risk processing activities, such as selling personal data, automated profiling, or targeted advertising. Document the results of DPAs, including risk assessments and mitigating measures, to demonstrate compliance with the law. A centralized, collaborative tool like Transcend Assessments can helpâgiving your teams a unified view to proactively manage data processing risk across your organization.
Develop clear and concise privacy notices that inform consumers about your data processing practices, including the purposes of data collection, categories of personal data processed, and their rights under the law. Ensure transparency and accessibility of these notices to foster trust and compliance.
Prepare to recognize and honor universal opt-out signals, including those for targeted advertising, data sales, and profiling. Update your systems and processes to accommodate these opt-out preferences, ensuring seamless implementation by the enforcement deadline.
Oregon's privacy law sets a high standard for data protection and consumer rights. By aligning with emerging privacy trends and empowering regulatory oversight, the legislation aims to safeguard personal information in an increasingly digital world. Businesses operating in Oregon should prioritize compliance, exploring next-generation privacy solutions as a key way to save time and resources, avoid penalties, and uphold consumer trust.
Senior Content Marketing Manager II