If you haven’t started preparing for the Oregon Consumer Privacy Act (OCPA), time is ticking. OCPA goes into effect on July 1, 2024. Nonprofit organizations have an extra year to come into compliance; they have until July 1, 2025. But yes, you heard that correctly. Unlike many other state comprehensive privacy laws, OCPA also applies to nonprofit organizations and the law’s other exceptions are generally more limited than other state laws.
OCPA contains certain consumer rights, consent requirements, data minimization standards, security standards, required information to place in a posted privacy notice, and required contractual language for service providers. It also requires data protection assessments in certain situations.
There’s a lot of work to be done. We recommend starting now (if you haven’t already) and not depending on the limited time 30-day right to cure that may be available only at the Attorney General’s discretion. If your business has been working on its compliance efforts for other state comprehensive privacy laws, that’s a great start. But there are a few Oregon-specific requirements that the Attorney General’s office will be monitoring.
If you need assistance with determining your business’s obligations under OCPA, please contact our privacy & data security team.
This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
