Understanding the Obligations of a Business Under the Oregon Consumer Privacy Act

Alec Marlega, Arnold Gallagher PC

Over the last decade, the collection and sale of consumer data have played an increasing role in online interactions, and states have responded with consumer privacy statutes. Oregon joined this trend in 2023 with the passage of Senate Bill 619, which enacted the Oregon Consumer Privacy Act (OCPA). At the highest level, OCPA regulates businesses that collect and sell consumer information. Data brokers are the prime target, but OCPA can also reach businesses that collect or use consumer data only incidentally. For example, a business that keeps the email addresses of past customers in order to send weekly advertisements may be subject to OCPA, depending on how many consumers' information it holds.

Whether they learn of it from the news or from third-party vendors, businesses have questions about OCPA: what is it, and what do they need to do? The Oregon Attorney General, the Legislature, and the courts will continue to refine the specifics, but this article provides a broad overview. There are complexities beyond its scope, and OCPA may be amended and refined, so careful attention should be given before collecting and using consumer data.

Who does OCPA apply to?

OCPA applies to any person or entity that conducts business in Oregon or provides products or services to Oregon residents and that, during a calendar year, controls or processes (a) the personal data of 100,000 or more consumers (excluding personal data processed solely to complete a payment transaction) or (b) the personal data of 25,000 or more consumers, if 25 percent or more of the person or entity's annual gross revenue comes from selling personal data. ORS 646A.572. "Personal data" is data, derived data, or any unique identifier that is linked to or reasonably linkable to a consumer: names, email addresses, phone numbers, login credentials, website visits, prior purchases, approximate location, and any other information that could reasonably be linked to a consumer. ORS 646A.570(13)(a). Under ORS 646A.570(7), a "consumer" is a natural person who resides in Oregon and is acting outside a commercial or employment context. If an entity collects or stores information that could reasonably be linked to 100,000 Oregonians in a year, OCPA applies; if the entity sells personal data, the lower threshold of 25,000 may apply.

Many entities assume they are well below the 100,000-consumer threshold. Oregon's population is about 4.2 million, so 100,000 is roughly 2.4 percent of the entire state. However, many websites passively collect information that qualifies as personal data (for example, through analytics scripts, advertising cookies, and server logs that record IP addresses and device identifiers), and it may not be possible to separate the personal data of Oregon consumers from that of consumers in other states. An entity should therefore inventory its online presence and determine all the information it collects. This is especially important where the website is managed or hosted by a third-party vendor, because those agreements may contain boilerplate language that permits the vendor to collect and use consumer data in ways beyond what the entity intends.

While most entities will need to consider OCPA, it does not apply to public bodies, and certain classes of data are excluded. ORS 646A.572(2). Employment data is excluded, and most other exclusions cover data already regulated by a different federal law (for example, protected health information under HIPAA). Although public bodies are exempt, 501(c)(3) entities are not, though 501(c)(3) entities had an extended period to comply with OCPA that expired July 1, 2025.

Processor or controller?

Assuming OCPA applies, the next question is whether the person is a controller or a processor. A controller determines the purposes and means of processing personal data. ORS 646A.570(8). A processor, by contrast, processes personal data only on behalf of a controller. ORS 646A.570(15). "Processing" means any action, operation, or set of actions performed on personal data, such as collecting, storing, disclosing, analyzing, deleting, or modifying it. ORS 646A.570(14).

For small businesses, the most common controller-processor relationship arises when a business (the controller) contracts with a third-party vendor (the processor) to collect and store consumer information. For example, assume there is a business called Widgets R’ Us that sells widgets and wants to establish an online storefront. It also wants a loyalty program so it can track the spending trends of its repeat customers and serve them targeted advertisements. Widgets R’ Us uses a third-party vendor to set up its website (e.g., WordPress, Shopify, or Squarespace). To capture the data it wants, it may authorize the website vendor, say Shopify in this example, to collect personal data from consumers who visit its webpage. In this scenario, Widgets R’ Us is the controller and Shopify is the processor.

Processors must follow the controller's instructions. There must be a binding contract between the processor and the controller that specifies the rights and obligations of both parties and requires the processor to assist the controller in responding to OCPA requests. ORS 646A.581(1)-(2). The controller may require the processor to indemnify it for damages arising from the processor's non-compliance with OCPA, but the contract cannot relieve the controller of its own statutory liability for the processor's actions. ORS 646A.581(3). This allocation of risk is a negotiation point, and a smaller business like Widgets R’ Us may struggle to convince a vendor like Shopify to modify its form terms. Regardless, it remains critical to review all terms to confirm that the processor's obligations are spelled out and that the controller can actually perform its own OCPA obligations, for instance that the vendor will locate, export, correct, and delete a consumer's records on request in time to meet the statutory deadline.

Consumer rights and how a controller can comply

OCPA grants consumers rights and imposes obligations on controllers and processors. Before processing data, a controller must provide a privacy notice. The privacy notice must (a) list the categories of personal data the controller processes, (b) describe the purposes for which the personal data is processed, (c) explain how a consumer may exercise their OCPA rights (including the appeals process), (d) list the categories of personal data the controller shares with third parties, (e) identify the categories of third parties with which the controller shares personal data, (f) provide an email address or other contact method, (g) identify the controller, and (h) describe any processing for targeted advertising or profiling purposes and how the consumer may opt out. ORS 646A.578(4). A controller may process data only as described in the privacy notice and only for the stated purposes. ORS 646A.578(1). Many websites place a privacy link on the home page. For example, Google has a privacy link at the bottom right of its home page that directs consumers to its privacy policies.

In addition to the privacy notice, a consumer may request (a) confirmation of whether the controller is processing the consumer's personal data and the categories of personal data being processed, (b) a list of the third parties to which the controller has disclosed the consumer's personal data, and (c) a copy of the consumer's personal data that the controller has processed. ORS 646A.574(1). A consumer may also request correction or deletion of the consumer's personal data, or opt out of the controller's processing of that data for targeted advertising, the sale of personal data, or profiling. ORS 646A.574(1).

Consumers must submit requests through the method the controller designates. ORS 646A.576. That method must be consistent with the way the consumer normally interacts with the controller. ORS 646A.578(5). For example, Widgets R’ Us can require its loyalty members to use an existing account, but it cannot require them to create a new or additional one. If most Widgets R’ Us consumers interact through the website, the website should carry a link for submitting OCPA requests, often within the privacy notice. A business without the infrastructure for a direct opt-out link may instead list an email address to which consumers can send OCPA requests.

After a consumer makes a request, Widgets R’ Us must respond within forty-five days. ORS 646A.576(5)(a). If needed, Widgets R’ Us can request additional information to authenticate the request and confirm it is not fraudulent, or notify the consumer that an additional forty-five days are needed to process the request. ORS 646A.576(5)(a, d). Widgets R’ Us must provide the requested information free of charge once in any twelve-month period; for second or subsequent requests within that period it may charge a reasonable fee. ORS 646A.576(5)(c).

If Widgets R’ Us declines a consumer's request, it must explain why and describe the appeals process. ORS 646A.576(5)(b). The appeals process must (a) allow a reasonable time to appeal, (b) be conspicuously available, (c) be similar to the process by which the consumer made the initial request, and (d) provide that the appeal will be decided within forty-five days. ORS 646A.576(6). This information should also be included in the privacy notice. If an appeal is rejected, Widgets R’ Us must provide the Oregon Attorney General's contact information so the consumer may file a complaint if it wishes. ORS 646A.576(6)(d). As of this writing, the complaint form can be found on the Oregon Department of Justice's website.

In addition to responding to requests, controllers need sufficient security measures to protect the data they collect from cyber-attacks and inadvertent disclosure. They must also conduct data protection assessments for processing that presents a heightened risk of harm, including targeted advertising, profiling, processing sensitive data, and selling personal data. ORS 646A.586(1). These assessments must identify and weigh the benefits of the processing to the controller, the consumer, and the public against the risks to the consumer, taking into account the safeguards the controller employs to mitigate those risks. ORS 646A.586(2). Assessments must be retained for at least five years and can be requested by the Oregon Attorney General as part of an investigation. ORS 646A.586(2), (5). At a minimum, controllers must maintain safeguards consistent with ORS 646A.622, which describes the safeguards required to protect consumers from identity theft. ORS 646A.578(1)(c).

What are the requirements for sensitive data?

Sensitive data and the personal data of consumers under sixteen years of age are subject to heightened restrictions. "Sensitive data" is personal data that reveals a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of a crime, or citizenship or immigration status; the personal data of a child (an individual under thirteen); precise geolocation data that identifies a consumer's location within a radius of 1,750 feet; and genetic or biometric data. ORS 646A.570(18). A controller may not process sensitive data without the consumer's consent or, in the case of a child, without complying with the Children's Online Privacy Protection Act of 1998. ORS 646A.578(2)(b). Further, a controller may not process personal data for targeted advertising or profiling if the controller has actual knowledge of, or willfully disregards, the fact that the consumer is under sixteen years of age. ORS 646A.578(2)(c).

One way to obtain this consent is a check-the-box prompt displayed when a consumer first opens the website, an approach that is becoming increasingly prevalent. The prompt can be paired with a link to the privacy notice and ask the consumer to confirm that they have reviewed the notice and consent to the business's processing of their sensitive information. Two cautions apply. First, OCPA's definition of consent requires a freely given, specific, informed, and unambiguous affirmative act; consent does not include acceptance of general or broad terms of use, and it cannot be obtained through dark patterns. ORS 646A.570. A box that is pre-checked, or that bundles consent to sensitive-data processing with acceptance of the site's general terms, is therefore unlikely to qualify, and the business should record when and how each consent was given. Second, regardless of consent, a controller may not sell a consumer's personal data if the controller has actual knowledge of, or willfully disregards, the fact that the consumer is under sixteen years of age, or if the data precisely locates the consumer within 1,750 feet. ORS 646A.578(2)(d).

What are the enforcement mechanisms?

Enforcement of OCPA lies exclusively with the Oregon Attorney General, who has broad discretion in investigating; there is no private right of action. (This differs from the California Consumer Privacy Act, or CCPA, which provides a limited private right of action for certain data breaches.) Following an investigation, the Oregon Attorney General may seek a civil penalty of not more than $7,500 per violation or an injunction against an ongoing violation. ORS 646A.589(4). If successful, the court may also award the Oregon Attorney General reasonable attorney fees and costs. ORS 646A.589(4). Such claims must be brought in Multnomah County or in the circuit court of a county where any part of the violation occurred. ORS 646A.589(4). Actions must be brought within five years of the controller's violation. ORS 646A.589(5). Although OCPA creates no private right of action, each affected consumer record can constitute a separate violation, so a controller liable for one violation may be liable for many, which can significantly compound the penalty.

What does OCPA mean in practice?

The Oregon Attorney General released an Enforcement Report in August 2025 that sheds light on OCPA's first year of enforcement. In that first year, 214 consumer privacy complaints were received. Enforcement Report: The Oregon Consumer Privacy Act, The First Year (August 2025). The largest group of complaints (sixty-two) involved data brokers, with social media platforms a close second. By a significant margin, the most frequent complaint was a failure to delete data upon request. Assuming this pattern continues, the best way for a controller to mitigate the risk of an OCPA complaint will likely be to respond to consumer requests promptly and to actually carry them out.

While not the main target of OCPA, many businesses that operate online will be unable to ignore it entirely. Even if a business believes it falls beneath the 100,000-consumer threshold, many websites passively collect information from their visitors. Additionally, the focus on consumer privacy rights continues to grow, so entities not currently subject to OCPA may wish to jump-start compliance to show consumers respect for their privacy. As larger technology companies require OCPA-compliant systems from smaller partners, it may be in an entity's best interest to comply even where the law does not yet require it.

As noted above, Oregon is not the first state to adopt consumer privacy protections. California adopted the CCPA as one of the first state consumer privacy acts, and it is the law most likely to be explicitly referenced. While anecdotal, I have seen recent data processing agreements defining "Data Protection Laws" as state privacy laws, including the CCPA and similar state privacy laws. This language reflects the difficulty of capturing laws that share the same goals and are very similar but not identical. For example, the CCPA provides a limited private right of action and has somewhat different applicability thresholds than OCPA. Absent a uniform code, businesses should be wary of a national third-party vendor relying solely on its CCPA compliance as proof that it has covered all consumer privacy obligations. OCPA is very similar to the CCPA, but it is not identical, so businesses should ensure that all OCPA-required privacy notices and practices are in place because, ultimately, liability under the statute rests with the business. ♦