Skip to Main Content
Main Menu

Oregon Consumer Data Protection Act

The Oregon Consumer Data Protection Act (effective July 1, 2024) empowers Oregon consumers with control over their personal information while imposing data privacy responsibilities on organizations entrusted with handling their personal information. This legislation amends ORS 180.095, known as the Department of Justice Protection and Education Revolving Account and outlines the obligations and standards of privacy protection that apply to covered entities.

Are you subject to the Oregon Consumer Data Protection Act?

The Oregon Consumer Data Protection Act applies to any organizations who do business in Oregon or provide products or services to Oregon residents and meet any of the following criteria during a calendar year:

  • The personal information of 100,000 or more consumers, other than personal information controlled or processed solely for the purpose of completing a payment transaction
  • The personal information of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal information.

Obligations & Rights under the Oregon Consumer Data Protection Act

This data privacy and protection law requires organizations to provide control and transparency to Oregon consumers on how their personal information is collected, sold, and disclosed.

US Consumer Privacy Handbook

From California to Maine, the flurry of US privacy laws makes managing a privacy program increasingly complex.


  • Does the Oregon Consumer Data Protection Act require data protection assessments?

    The Act requires a data protection assessment to be conducted prior to any of the following high-risk processing activities

    • Processing information for targeted advertising
    • The processing of sensitive information
    • The sale of personal information
    • Profiling that could lead to harm
  • Are there limitations to the collection of personal information under the Oregon Consumer Data Protection Act?

    Organizations need to limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to its specified processing purpose. This is a common requirement across U.S. consumer and global national privacy laws.

  • What is personal information and sensitive personal information under the Oregon Consumer Data Protection Act?

    Personal information refers to data, derived data, or any distinctive identifier that is associated with or can reasonably be linked to a consumer or a device that identifies, is associated with, or can reasonably be linked to one or more consumers within a household. It specifically exempts de-identified data or data that is legally accessible through federal, state, or local government records, widely distributed media, as well as data lawfully made available to the public by a consumer.

    Sensitive personal information refers to data that reveals (a) racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime, citizenship or immigration status; (b) personal information of a child, (c) accurate identification within a radius of 1,750 feet of a consumer; (d) genetic or biometric data. It excludes the content of communications, as well as any data generated by or associated with advanced utility metering infrastructure systems or equipment intended for utility use. Under this data privacy law, consent is required before processing sensitive personal information.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top