Oregon Consumer Privacy Act
Oregon's Consumer Privacy Act took effect July 1, 2024. It is the latest state privacy law to grant access, deletion, and opt-out rights, and its nonprofit exemption is narrower than in other states.
Oregon Senate Bill 619—the Oregon Consumer Privacy Act (OCPA)—entered into force on 1 July 2024. It applies to controllers conducting business in Oregon or targeting Oregon residents if they process personal data of 100,000 or more consumers (excluding data processed solely for payment transactions), or of 25,000 consumers while deriving at least 25% of gross revenue from selling personal data. Non-profit organizations come into scope on 1 July 2025, a one-year deferral. The statute mirrors elements of the Colorado and Connecticut privacy laws but introduces its own requirements: mandatory honoring of universal opt-out mechanisms that the Attorney General will designate, opt-in consent for sensitive data, explicit obligations around profiling and automated decision-making, and appeal processes that feed into the AG's enforcement channel. Compliance teams must refresh inventories, upgrade consent tooling, and align processor contracts while building defensible audit evidence across privacy, security, and customer operations.
OCPA gives consumers rights to access, correction, deletion, portability, opt-outs of targeted advertising, sale, and profiling, plus the ability to appeal controller decisions. Controllers must respond within 45 days, with a single 45-day extension where reasonably necessary, and appeals must be resolved within 45 days. If an appeal is denied, controllers must provide the consumer with an online mechanism to contact the Attorney General.
Controllers must conduct data protection assessments for high-risk processing (targeted advertising, selling personal data, profiling that creates legal or similarly significant effects, processing sensitive data). Assessments must weigh the benefits of processing against risks to consumers and must be produced to the AG upon request. Violations fall under Oregon’s Unlawful Trade Practices Act, enabling civil penalties up to $7,500 per violation following a 30-day cure period (until 1 January 2026, after which cure is discretionary).
Detailed obligations
- Transparent notices. Privacy notices must enumerate processing purposes, categories of data, sharing practices, consumer rights, appeal mechanisms, and how to exercise opt-outs. Controllers must disclose whether they sell personal data or engage in targeted advertising and how consumers can opt out.
- Sensitive data governance. Explicit consent is required before processing sensitive data, including racial or ethnic origin, religious beliefs, health conditions, sexual orientation, transgender or nonbinary status, biometric identifiers, precise geolocation, and data of known children aged 13–15. Controllers must provide opt-out links for teen data used in targeted advertising or sale.
- Universal opt-out signals. Controllers must recognize universal opt-out mechanisms (for example, Global Privacy Control) once the Attorney General publishes technical specifications. Systems must propagate opt-out flags across web properties, data brokers, adtech, and downstream processors.
- Processor contracts. Contracts must specify processing instructions, data confidentiality, security controls, assistance with consumer rights requests, subcontractor approvals, and deletion or return of personal data at contract end. Controllers must ensure processors respond to audits and provide information necessary to show compliance.
- Profiling safeguards. When automated decision-making produces legal or similarly significant effects, controllers must provide meaningful information about logic, allow consumers to opt out, and offer human review.
- Children’s data. Controllers must comply with the federal Children’s Online Privacy Protection Act (COPPA) and, for teens 13–15, obtain opt-in consent for targeted advertising or sale.
- Security and minimization. OCPA requires reasonable security practices, data minimization aligned with disclosed purposes, and avoidance of processing beyond what is adequate, relevant, and reasonably necessary.
Control mapping and frameworks
- NIST Privacy Framework: Link inventory, data flow mapping, and residency tagging to ID.IM-P and ID.DP-P; align consent and opt-out processes with CT.PO-P; manage rights fulfillment through CM.AW-P and CM.DS-P.
- ISO/IEC 27701: Implement PIMS controls 7.3.5 (data subject rights), 7.3.6 (consent), 7.5.3 (contractual requirements for processors), and 7.4.6 (records of processing) specific to Oregon obligations.
- ISO/IEC 27001 and SOC 2: Map security safeguards and incident response obligations to Annex A controls (A.5.1 governance, A.8.8 technical vulnerabilities, A.8.15 event reporting) and SOC 2 CC6/CC7 to ensure privacy risks are integrated with security posture.
- GDPR and multi-state alignment: Harmonize records of processing (Article 30), data protection impact assessments, and vendor management protocols across GDPR, California CPRA, Colorado CPA, and Virginia VCDPA to simplify evidence.
Implementation plan
| Phase | Timeline | Core activities |
|---|---|---|
| Discovery | Weeks 1–4 | Refresh data inventories with Oregon residency markers, system owners, processing purposes, retention periods, and downstream sharing. Confirm lawful bases and consent status for sensitive data. |
| Design | Weeks 5–8 | Update privacy notices, consent management flows, cookie banners, and preference centers; design universal opt-out ingestion and propagation architecture; map appeal processes and AG escalation steps. |
| Build & Integrate | Weeks 9–12 | Configure consent platforms (OneTrust, TrustArc, homegrown) to recognize GPC signals; automate rights workflow management within CRM/CS systems; update processor contract templates and procurement intake. |
| Test & Launch | Weeks 13–16 | Conduct tabletop exercises covering SAR intake, identity verification, appeals, and AG referrals; perform privacy engineering testing to validate opt-out propagation across web, mobile, and backend pipelines. |
| Operationalize | Ongoing | Monitor request volumes, track SLA adherence, conduct quarterly data protection assessments, and review vendor attestations. |
Organizational responsibilities
- Chief Privacy Officer: Owns policy updates, rights workflow design, and regulatory liaison with the Oregon Department of Justice.
- Legal and compliance: Update terms of service, review profiling use cases, advise on automated decision-making disclosures, and manage appeals documentation.
- Data and engineering teams: Instrument systems to capture residency and consent signals, propagate opt-outs across data warehouses, analytics, and adtech integrations, and maintain audit logs.
- Marketing and product: Reconcile targeted advertising, personalization, and experimentation programs with opt-out flags; design fallback experiences for opted-out users.
- Customer operations: Train support agents on authentication, rights fulfillment, appeals, and AG referral scripts; integrate case management tools with privacy ticketing systems.
- Procurement and vendor management: Update contract language, perform due diligence on processors, maintain vendor risk scores, and track attestations.
Considerations by sector
- Financial services: Coordinate OCPA controls with GLBA, CFPB Section 1033 data access initiatives, and Oregon’s data breach statutes. Ensure automated credit or underwriting decisions include human review and opt-out options.
- Healthcare and life sciences: Segment HIPAA protected health information from OCPA-covered data; implement dual-governance processes for patient portals, wellness apps, and clinical research data.
- Retail and e-commerce: Align loyalty programs, targeted offers, and third-party marketplaces with opt-out signals; ensure point-of-sale systems capture minimal data when exclusions apply.
- Technology platforms: Evaluate AI and analytics workloads for profiling impacts; maintain model documentation and fairness assessments for automated decisions affecting Oregon consumers.
Metrics and assurance
- Rights request SLAs: percentage completed within 45 days, number of extensions invoked, and appeal resolution times.
- Universal opt-out honoring rate: proportion of browser sessions or API calls where signals are detected and actioned; audit logs demonstrating propagation to downstream systems.
- Sensitive data consent capture: coverage by dataset, business unit, and processing activity; exception handling workflow metrics.
- Data protection assessment completion: inventory of high-risk processing evaluations with remediation status and board reporting.
- Vendor compliance: percentage of processors with updated OCPA contract addenda, attestation receipt dates, and follow-up actions.
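The opt-out pipeline described under "Universal opt-out signals", together with the honoring-rate metric above, as an added Python example (not the page's or any vendor's code). It assumes Global Privacy Control, which the page names as one candidate mechanism, transmitted as the `Sec-GPC: 1` request header; `DownstreamSystem`, `OptOutRecord`, `apply_universal_opt_out` and `honoring_rate` are hypothetical names, and the sample sessions are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """GPC is sent as the request header "Sec-GPC: 1"; the spec defines no other
    value, so anything except the exact string "1" counts as no signal."""
    for name, value in headers.items():          # header names are case-insensitive
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


class DownstreamSystem:
    """Hypothetical stand-in for an adtech, warehouse or processor integration."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.opted_out = set()

    def set_opt_out(self, consumer_id: str) -> None:
        self.opted_out.add(consumer_id)


@dataclass
class OptOutRecord:
    """Audit evidence: who opted out, via which signal, and where it was propagated."""
    consumer_id: str
    source: str
    scopes: List[str]
    propagated_to: List[str] = field(default_factory=list)


def apply_universal_opt_out(consumer_id: str, headers: Dict[str, str],
                            downstreams: Iterable[DownstreamSystem]) -> Optional[OptOutRecord]:
    """Honor a GPC signal: flag the consumer in every downstream and return the audit record."""
    if not gpc_signal_present(headers):
        return None
    record = OptOutRecord(consumer_id, "gpc-header", ["targeted_advertising", "sale"])
    for system in downstreams:
        system.set_opt_out(consumer_id)
        record.propagated_to.append(system.name)
    return record


def honoring_rate(sessions: Iterable[Tuple[Dict[str, str], bool]]) -> Optional[float]:
    """Actioned share of sessions (headers, actioned) carrying a valid GPC signal; None if none seen."""
    detected = [actioned for headers, actioned in sessions if gpc_signal_present(headers)]
    if not detected:
        return None
    return sum(detected) / len(detected)


# Constructed sample sessions: (request headers, actioned). "true" is not a valid GPC value.
SAMPLE_SESSIONS = [({"Sec-GPC": "1"}, True), ({"sec-gpc": "1"}, False),
                   ({"Sec-GPC": "true"}, True), ({"Accept": "text/html"}, False)]
```

The malformed `Sec-GPC: true` session is deliberately excluded from the denominator, so a controller that only matched on header presence would over-report its honoring rate.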
Ninety-day action agenda
- Days 1–30: Complete inventory refresh, policy gap analysis, and rights workflow design; brief executive leadership on enforcement risks and resource needs.
- Days 31–60: Deploy consent management updates, automate universal opt-out intake, execute processor contract updates, and launch workforce training.
- Days 61–90: Perform end-to-end testing of rights handling, run appeals tabletop exercises, finalize data protection assessments, and prepare AG-ready documentation packages.
We partner with privacy, legal, data, and product teams to industrialise OCPA compliance, providing Oregon-specific inventories, consent engineering patterns, processor governance, and reporting packs so teams can scale transparent, rights-respecting data programs.
Documentation
- Oregon SB 619 (OCPA) — Enrolled text — olis.oregonlegislature.gov
- Oregon Department of Justice: OCPA compliance guidance — www.doj.state.or.us
- ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization