Oregon Consumer Privacy Act (OCPA)

The Oregon Consumer Privacy Act grants Oregon residents acting in an individual capacity, and not in a commercial or employment context ("consumers"), certain access and control rights concerning their personal data.

Is Complying with OCPA Mandatory?

The Oregon Consumer Privacy Act imposes transparency and disclosure obligations on a "controller" (an individual or legal entity who, "alone or jointly with another person, determines the purposes and means for processing personal data") who either:

  • conducts business in Oregon; or

  • produces products or services that are targeted to the residents of Oregon;

and who, during a calendar year:

  • controls or processes personal data of not less than 100,000 Oregon residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

  • controls or processes personal data of not less than 25,000 Oregon residents and derives more than 25 percent of its gross revenue from the sale of personal data.

What Are the Penalties for Not Complying with OCPA?

The Oregon Consumer Privacy Act does not provide for a private right of action. The Oregon Office of the Attorney General has exclusive authority to enforce violations. However, the Oregon Attorney General must issue a notice of violation to the controller prior to initiating any action. A controller will then have 30 days to cure the noticed violation. Importantly, the cure provision will terminate on January 1, 2026. The Oregon Attorney General may seek civil penalties of $7,500 per violation.