Compliance Briefing — September 3, 2025

Two months into nonprofit enforcement, Oregon’s Consumer Privacy Act is testing consent processes, opt-out fulfillment, and sensitive data tagging at charities and foundations newly covered as of 1 July 2025.

Executive briefing: Oregon’s Consumer Privacy Act (OCPA) began applying to nonprofit organizations on July 1, 2025. Covered nonprofits must now honor access, deletion, correction, and portability requests within 45 days; recognize opt-outs of targeted advertising, sale, and high-risk profiling; and obtain consent before processing sensitive data such as precise geolocation, children’s data, or status as transgender or nonbinary. The Attorney General may bring actions with civil penalties up to $7,500 per violation after an available 30-day cure period.

Key compliance checkpoints

  • Rights request routing. Stand up intake portals that authenticate donors, volunteers, and beneficiaries, and log decisions for 24 months as Section 646A.576 requires.
  • Opt-out orchestration. Implement Global Privacy Control (GPC) handling and ensure marketing automation tools can suppress targeted advertising audiences within 15 days.
  • Sensitive data governance. Tag and segregate sensitive categories, capturing explicit consent and storing consent records for audit review.

Operational priorities

  • Processor alignment. Amend vendor contracts with confidentiality, duty-to-assist, and deletion clauses mirroring Section 646A.580.
  • Appeals workflow. Document denial review procedures that deliver determinations within 45 days and provide Attorney General contact information to consumers.
  • Cure readiness. Prepare remediation runbooks that can close identified violations within the 30-day cure window the Attorney General may offer.

Enablement moves

  • Train development and communications teams on Oregon’s prohibition against dark patterns that obscure consent or opt-out choices.
  • Refresh privacy notices to list categories of personal data processed, processing purposes, sharing practices, and rights instructions specific to Oregon residents.

Zeph Tech equips nonprofits with OCPA compliance tooling, spanning consent capture, opt-out orchestration, and defensible consumer rights evidence.