If you haven’t started preparing for the Oregon Consumer Privacy Act (OCPA), time is ticking. OCPA goes into effect on July 1, 2024. Nonprofit organizations have an extra year to come into compliance; they have until July 1, 2025. But yes, you heard that correctly. Unlike many other state comprehensive privacy laws, OCPA also applies to nonprofit organizations and the law’s other exceptions are generally more limited than other state laws.

OCPA contains certain consumer rights, consent requirements, data minimization standards, security standards, required information to place in a posted privacy notice, and required contractual language for service providers. It also requires data protection assessments in certain situations.

There’s a lot of work to be done. We recommend starting now (if you haven’t already) and not depending on the limited time 30-day right to cure that may be available only at the Attorney General’s discretion. If your business has been working on its compliance efforts for other state comprehensive privacy laws, that’s a great start. But there are a few Oregon-specific requirements that the Attorney General’s office will be monitoring.