The Oregon Consumer Privacy Act (OCPA) is a state-level data privacy law designed to provide Oregon residents with greater control over their personal data and establish obligations for businesses that collect, process, or share such data. The law grants consumers rights such as accessing, correcting, deleting, and opting out of the processing of their personal information for targeted advertising, data sales, or profiling. The OCPA was enacted on July 18, 2023, and applies to entities meeting specific thresholds based on revenue or data volume, aligning with similar privacy laws in states like California and Virginia.
The Oregon Consumer Privacy Act (OCPA) applies to businesses that conduct business in Oregon or provide products or services targeted to Oregon residents.
Specifically, it covers for-profit entities that meet one or both of the following thresholds:
- Data Processing Volume: Businesses that control or process the personal data of at least 100,000 Oregon residents in a calendar year.
- Revenue from Data Sales: Businesses that derive over 25% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Oregon residents.
Common reasons for violations include:
- Failure to Respond to Consumer Requests: Not addressing consumer rights requests to access, correct, delete, or opt out of the processing of their personal data within the required timeframe.
- Processing Sensitive Data Without Consent: Collecting or processing sensitive data (e.g., biometric, health, or precise geolocation information) without obtaining explicit, opt-in consent from consumers.
- Lack of Transparency: Failing to provide a clear, accessible privacy notice that explains data collection practices, usage purposes, and consumer rights.
- Insufficient Data Security Measures.
Under the Oregon Consumer Privacy Act (OCPA), businesses that collect, use, or manage personal data are responsible for following the law. This includes data controllers, who decide how and why personal data is used, and data processors, who handle data on behalf of the controllers. Both are responsible for protecting personal data, responding to consumer requests, and following rules for handling sensitive information like health or biometric data.
- Monetary Fines: Businesses can face civil penalties of up to $7,500 per violation, with each affected consumer potentially counting as a separate violation.
- Corrective Actions: The Attorney General can require businesses to fix issues, such as improving their privacy practices or implementing better security measures.
- Cure Period: Before penalties are imposed, businesses are typically given a 30-day cure period to address and resolve the violation after being notified. If the issues are not fixed within this timeframe, fines and other actions may proceed.
- Legal Costs.
To get consent under the Oregon Consumer Privacy Act (OCPA), you need to clearly explain what data you’re collecting, why you’re collecting it, and how it will be used. Use simple, easy-to-understand language, and make sure individuals actively agree, such as by checking a box or clicking a button. For sensitive data, like health or biometric information, you must get opt-in consent before collecting or using it. Pre-checked boxes or assuming consent are not allowed. If you’re dealing with children’s data, you must get permission from a parent or guardian. Make it easy for people to change their minds and withdraw consent at any time.
The Oregon Consumer Privacy Act (OCPA) is enforced by the Oregon Attorney General, who is responsible for investigating violations. If a business is found to be non-compliant, the Attorney General typically provides a 30-day cure period during which the business can address and fix the issues. If the violations are not resolved within this timeframe, the Attorney General can impose penalties, including fines of up to $7,500 per violation.
Consumers cannot directly sue businesses under the OCPA, but they can report complaints to the Attorney General, who will determine whether enforcement action is necessary.
Start by checking whether the law applies to you, for example because you process data for 100,000 Oregon residents or earn money from selling data. Create a clear privacy policy that explains what data you collect, why you use it, and how consumers can access or control their data. Set up a system to handle requests from customers, like deleting or correcting their data, and always get clear permission (opt-in consent) before using sensitive data like health or location information. For children’s data, make sure you get consent from their parents.
Shopify merchants can use tools like Consentmo to simplify compliance, as it provides automated solutions for cookie consent management, privacy notices, and handling data subject requests.