Law: Oregon Consumer Privacy Act (OCPA)

Regulator: The Oregon Attorney General (AG)

Summary: On July 18, 2023, the Oregon State Governor signed the Oregon Consumer Privacy Act (OCPA) into law. The provisions of the OCPA will enter into effect over time, with Sections 1-9 coming into effect on July 1, 2024, and a year later in 2025 for charitable organizations, and certain amendments becoming operative on January 1, 2026. In line with other US state privacy laws, the OCPA introduces requirements related to the processing of personal data and establishes definitions, including in relation to biometric data, the sale of personal data, as well as sensitive data. The OCPA also provides consumers with several rights including the right of access and the right to opt out of targeted advertising and the sale of personal data. Furthermore, the OCPA outlines various obligations for organizations within scope and provides the Oregon Attorney General (AG) with enforcement powers.

In addition, Oregon joined many other US states in updating its data breach notification law in 2019, which was originally the Oregon Consumer Identity Theft Protection Act under §646A.600 et seq. of the Oregon Revised Statutes (Oregon Revised Statutes) and has now become the Oregon Consumer Information Protection Act (OCIPA). Substantive changes to the OCIPA include the expansion of the definition of a breach of security and the creation of new obligations for vendors, including a requirement to notify the applicable covered entity within 10 days of discovery of a breach.

You can follow legislative developments in the US through the USA State Law Tracker.