Oregon Consumer Privacy Act (OCPA)

Overview

The Oregon Consumer Privacy Act (OCPA), codified as ORS §646A.570 through §646A.604, was signed into law on July 18, 2023 (SB 619), and became effective July 1, 2024. Oregon is notable for several unique provisions: it applies to nonprofit organizations (unlike most state privacy laws), has specific de-identified data compliance requirements, includes a partial exemption for employee data, and provides a 14-day cure period (the shortest of any state law with a cure period).

Applicability (§646A.572)

The OCPA applies to a person that conducts business in Oregon or provides products or services to Oregon residents AND during a calendar year:

1. Controls or processes personal data of 100,000 or more Oregon consumers (excluding data processed solely for payment transactions); OR
2. Controls or processes personal data of 25,000 or more Oregon consumers AND derives 25% or more of annual gross revenue from selling personal data.

Key unique features:

• Nonprofit applicability: Unlike Virginia, Colorado, Connecticut, and Texas, the OCPA applies to nonprofit organizations
• No revenue threshold alternative: Like Virginia and Colorado, there is no standalone revenue threshold

Exemptions (§646A.572(2)):

• State and local government bodies