Oregon governor Tina Kotek signed Senate Bill 619 on July 18, enacting the Oregon Consumer Privacy Act (OCPA). The OCPA goes into effect on July 1, 2024, and will be solely enforced by the Oregon Attorney General.

The scope of application resembles Connecticut’s CTDPA, covering any entities that conduct business in the state of Oregon and control or process personal information of 1) at least 100,000 Oregon residents or 2) at least 25,000 Oregon residents while deriving over 25% of revenue from the sale of personal information, with no revenue thresholds.

The OCPA confers similar rights on consumers as other privacy laws, including the right to know, view, correct, and delete their data, the right to opt out of sale, and the right to request information on how data is being processed by the controller and third parties. The OCPA also provides consumers the right to request data from specific third parties that have access to it, a right absent in other states’ laws. Businesses are required to obtain explicit, unambiguous consent prior to processing personal data. The act excludes data collected in a business context and does not provide for private right of action.

As with other states, businesses are required to publish a privacy policy, though Oregon notably requires comprehensive detail on categories of third parties, and how they may process personal data. Businesses are also required to put in place data protection addendums (DPAs) with each third party, maintain agreements with any subcontractors, and compile data protection impact assessments for certain activities. The OCPA provides businesses a right to cure within a limit of 30 days, though this provision is set to expire in 2026.

Unlike most other states, Oregon does not exempt organizations subject to HIPAA or the Gramm-Leach-Bliley Act on an entity level, but provides exemptions for the specific data covered under the regulations. Non-profit organizations will also not permanently be excluded under the OCPA, remaining exempt for a year.