The Oregon Consumer Privacy Act (“OCPA”): What Businesses Need to Know

Oregon recently joined several other states that have heightened individual privacy rights when it enacted the Oregon Consumer Privacy Act (“OCPA”). The OCPA applies to all for-profit business immediately and to applicable charitable organizations as of July 1, 2025.

The OCPA introduces new rules relating to a business’s collection, use, and sharing of personal data of Oregon residents. The OCPA provides Oregon residents with a number of new rights regarding their  personal data, including the right to access a copy of their personal data, and the right to opt out of data collection. The OCPA also requires businesses to provide Oregon residents with clear notices and disclosures regarding how their personal data is collected, used, and shared and how Oregon residents can exercise their new OCPA rights regarding their personal data.

What businesses does the OCPA apply to?

The OCPA applies to any business that: (1) provides goods and services to Oregon residents and processes the personal data of 100,000 resident consumers or more per year; or (2) earns more than 25% of their annual gross revenue from the sale of personal data and processes the personal data of more than 25,000 Oregon resident consumers. 

While the OCPA is similar to privacy laws in other states, it differs as follows in these material respects:

• Unlike the California Consumer Privacy Act (California CCPA) and a number of privacy laws of other states, the OCPA does not automatically exempt all nonprofit organizations; and
• The OCPA does not include data collected by employers from employees when measuring personal data (unlike the California CCPA).

Is your business exempt from the OCPA?

The following businesses are exempt from the OCPA:

• Nonprofit organizations established to detect and prevent fraudulent acts in connection with insurance;
• Financial institutions, insurers, insurance producers, or insurance consultants; and
• Government entities or public corporations.

While the OCPA does not exempt covered businesses regulated by HIPAA from an obligation to comply with the OCPA, the OCPA does exempt “protected health information” (“PHI”) that is regulated by HIPAA. This means that HIPAA-covered entities must still comply with the OCPA with regard to any non-PHI personal data of an Oregon resident.

What notice and disclosures does your business have to make to Oregon residents under the OCPA?

• Provide notice and disclosures to Oregon residents under your privacy policy, including specifying the categories of personal data being collected, the purposes for collection, and the categories of third parties with which the personal data is being shared.
• Notify Oregon residents of their rights under the OCPA and provide information on how to exercise those rights. Under the OCPA, Oregon residents have various rights, such as accessing their personal data, confirming whether their personal data has been processed, making corrections or requesting the deletion of their data, and obtaining a copy of their data in a portable format. They can also opt out of processing personal data for targeted advertising, the sale of personal data, and profiling based on their personal data

Why does my business need to worry about the OCPA?

The Oregon Attorney Generalhas the right to enforce the OCPA and can take action against businesses that violate it, such as serving an investigative demand upon a business that possesses personal data, or bringing an action to seek a civil penalty of up to $7,500 per violation of the OCPA.

Recommended Next Steps for your business to comply with the OCPA.

• Update your privacy policy in order to comply with the new notices and disclosures to Oregon residents mandated by the OCPA (as noted above).
• Update your security measures, including internal policies and compliance programs regarding data security and breaches, to meet OCPA standards.
• Modify your third-party contracts regarding the sharing and use of any personal data of an Oregon resident.  The OCPA requires processors and controllers to enter into agreements that set clear instructions on what personal data may be collected and how data is used or otherwise processed.

If you have follow-up questions on the OCPA, please contact Frank X. Curci or Leah Lively

This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.