State Privacy Laws: Oregon
Oregon Consumer Privacy Act (OCPA)
Overview
The Oregon Consumer Privacy Act (OCPA) is the result of the efforts of the Oregon Attorney General’s Consumer Privacy Task Force. The law defines personal and biometric data broadly, protects consumer data rights holistically, and holds companies that have access to personal data to high standards. The law also gives consumers control over how businesses use their personal data. It guarantees Oregonians affirmative rights to manage and safeguard their personal data.
Key Dates
- Signed into law: July 18, 2023
- Effective date: July 1, 2024
- For nonprofit entities covered by OCPA, the law takes effect July 1, 2025.
Thresholds
OCPA applies to any individual or entity that conducts business in Oregon or that provides products or services to Oregon residents if, during a calendar year, that individual or entity controls or processes the personal data of:
- at least 100,000 consumers; or
- 25,000 or more consumers and derives over 25% of annual gross revenue from the sale of personal data.
Consumer Rights
- The right to know/confirm — consumers can get a list of the specific entities that received their personal data.
- The right to correct any inaccuracies in the data about them.
- The right to delete the data a business has about them.
- The right to opt out of the sale of their data, of profiling, and of the use of their data for targeted advertising.
- The right to data portability, enabling consumers to get a copy of the personal and sensitive data a business has about them.
- The right to sensitive data protections — consumers have heightened (“opt in” consent) protections when personal data reveals racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, crime victim status, or citizenship or immigration status; genetic or biometric data; and precise geolocation data.
- Special protections for youth — businesses must follow the requirements of the federal Children’s Online Privacy Protection Act (COPPA) when processing data of children under 13 years old, and “opt in” consent is required for targeted advertising, profiling, or sale of the personal data of a youth 13 to 15 years old.
Sensitive Data
- Any data revealing an individual’s racial or ethnic background, national origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, citizenship or immigration status, status as transgender or nonbinary, or status as a crime victim.
- Genetic data, or biometric data that could be used to identify an individual.
- Personal data of a child under the age of 13.
- Information about an individual’s specific past or present location.
Penalties
Up to $7,500 per violation.
Configure Your Consent Banner for OCPA
Regions are used to customize the behavior and experience based on an individual user’s location. For example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. OCPA in Oregon). When a user visits your site, we will automatically determine their location and match them to the most granular region rule that you have set up in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like OCPA in Oregon).
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Implied
- Blocking Mode: Strict
- Google Consent Mode V2: Basic
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Enabled
- Enable Do Not Sell Consent: Enabled
- Enable Global Privacy Control: Enabled
For step-by-step instructions on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.
Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.
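The following is an added illustration, not Concord’s own code: it shows how “most granular region rule” matching and the recommended Oregon settings (implied consent, Do Not Sell, Global Privacy Control, Limit Sensitive Information, 12-month duration) translate into a banner’s starting consent state. The rule names, rule fields, and the shape of the location object are assumptions made for the example; the `globalPrivacyControl` signal mirrors the browser’s `navigator.globalPrivacyControl` property.

```javascript
// Added example, not Concord's code: resolve the most granular region rule for a
// visitor and derive the banner's starting consent state from that rule,
// honoring the Global Privacy Control (GPC) opt-out signal. Rule fields and
// the location object shape are assumptions for illustration.

// Region rules, most general first. Granularity is the number of location
// fields a rule constrains: {} = global, {country} = US, {country, region} = Oregon.
const REGION_RULES = [
  { id: "global", match: {}, consentMode: "explicit", blockingMode: "strict",
    durationMonths: 6, limitSensitive: true, doNotSell: true, honorGpc: true },
  { id: "us", match: { country: "US" }, consentMode: "implied", blockingMode: "strict",
    durationMonths: 12, limitSensitive: true, doNotSell: true, honorGpc: true },
  // Settings recommended on this page for OCPA.
  { id: "us-or", match: { country: "US", region: "OR" }, consentMode: "implied",
    blockingMode: "strict", googleConsentModeV2: "basic", durationMonths: 12,
    limitSensitive: true, doNotSell: true, honorGpc: true },
];

// Pick the rule whose every match field equals the visitor's location, preferring
// the rule that constrains the most fields (state/province beats country beats global).
// The global rule has no constraints, so some rule always matches.
function mostGranularRule(location, rules = REGION_RULES) {
  let best = null;
  for (const rule of rules) {
    const keys = Object.keys(rule.match);
    const matches = keys.every((k) => rule.match[k] === location[k]);
    if (matches && (best === null || keys.length > Object.keys(best.match).length)) best = rule;
  }
  return best;
}

// Starting consent state for the banner. Under "implied" consent, non-sensitive
// categories start as granted until the user opts out; under "explicit" they start
// denied. With Limit Sensitive Information enabled, sensitive data starts denied
// until the user opts in. `signals.globalPrivacyControl` mirrors navigator.globalPrivacyControl.
function initialConsent(location, signals = {}) {
  const rule = mostGranularRule(location);
  const implied = rule.consentMode === "implied";
  const gpcOptOut = rule.honorGpc && signals.globalPrivacyControl === true;
  return {
    rule: rule.id,
    analytics: implied,
    // Sale and targeted advertising are treated as opted out when GPC is set.
    saleOrTargetedAds: implied && !(rule.doNotSell && gpcOptOut),
    sensitiveData: rule.limitSensitive ? false : implied,
    expiresAfterMonths: rule.durationMonths,
  };
}
```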