Skip to Main Content
Main Menu
Search Opener
Search Close
Contact us
Regulation

Oregon Consumer Data Protection Act

The Oregon Consumer Data Protection Act (effective July 1, 2024) empowers Oregon consumers with control over their personal information while imposing data privacy responsibilities on organizations entrusted with handling their personal information. This legislation amends ORS 180.095, known as the Department of Justice Protection and Education Revolving Account and outlines the obligations and standards of privacy protection that apply to covered entities.

Are you subject to the Oregon Consumer Data Protection Act?

The Oregon Consumer Data Protection Act applies to any organizations who do business in Oregon or provide products or services to Oregon residents and meet any of the following criteria during a calendar year:

  • The personal information of 100,000 or more consumers, other than personal information controlled or processed solely for the purpose of completing a payment transaction
  • The personal information of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal information.

Obligations & Rights under the Oregon Consumer Data Protection Act

This data privacy and protection law requires organizations to provide control and transparency to Oregon consumers on how their personal information is collected, sold, and disclosed.
  • Consents & Opt-outs

    Consumers’ consent must be obtained before data processing and allow the consent to be revoked as easily as it was given. Consumers must be presented with a clear and conspicuous link to a webpage or by other means where they may opt out of targeted advertising, the sale of personal information, and profiling.

  • Policies & Notices

    Organizations must provide consumers with a reasonably accessible, clear, and meaningful privacy notice, that includes the categories of personal information and sensitive personal information collected and shared with third parties, the purposes of data processing, and the instructions for consumers to exercise their rights. If the organization engages in the sale of personal information or processes personal information for targeted advertising purposes, the privacy notice must include opt-out methods for such purposes.

  • Data Subject Rights & Requests

    Consumers have the right to access, correct, delete, opt out of processing, and exercise data portability rights concerning their personal information. Businesses must be able to fulfill and address these requests without undue delay and within 45 days of receiving the request.

  • Vendor Management

    Under this data privacy act, organizations must execute vendor contracts and conduct and document a data protection assessment for each of their processing activities that pose a heightened risk of harm to consumers.

Handbook

US Consumer Privacy Handbook

From California to Maine, the flurry of US privacy laws makes managing a privacy program increasingly complex.

Achieve compliance

FAQs

  • Does the Oregon Consumer Data Protection Act require data protection assessments?

    The Act requires a data protection assessment to be conducted prior to any of the following high-risk processing activities

    • Processing information for targeted advertising
    • The processing of sensitive information
    • The sale of personal information
    • Profiling that could lead to harm
  • Are there limitations to the collection of personal information under the Oregon Consumer Data Protection Act?

    Organizations need to limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to its specified processing purpose. This is a common requirement across U.S. consumer and global national privacy laws.

  • What is personal information and sensitive personal information under the Oregon Consumer Data Protection Act?

    Personal information refers to data, derived data, or any distinctive identifier that is associated with or can reasonably be linked to a consumer or a device that identifies, is associated with, or can reasonably be linked to one or more consumers within a household. It specifically exempts de-identified data or data that is legally accessible through federal, state, or local government records, widely distributed media, as well as data lawfully made available to the public by a consumer.

    Sensitive personal information refers to data that reveals (a) racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime, citizenship or immigration status; (b) personal information of a child, (c) accurate identification within a radius of 1,750 feet of a consumer; (d) genetic or biometric data. It excludes the content of communications, as well as any data generated by or associated with advanced utility metering infrastructure systems or equipment intended for utility use. Under this data privacy law, consent is required before processing sensitive personal information.

Related Resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top