Oregon Consumer Privacy Act (OCPA)

Oregon's comprehensive privacy law, notable for covering non-profits, requiring a list of specific third parties in access responses, and banning the sale of precise geolocation data outright as of January 2026.

Overview

The Oregon Consumer Privacy Act (OCPA), codified at Or. Rev. Stat. § 646A.570 et seq. and enacted as SB 619 (2023), became effective July 1, 2024. The OCPA is one of the most protective state privacy laws after California and extends coverage in distinctive ways: it does not exempt non-profits, it requires controllers to disclose specific named third parties in response to access requests (not just categories), it prohibits the sale of precise geolocation data outright (effective January 1, 2026), and it extends coverage to connected-vehicle data regardless of consumer-count thresholds.

Applicability: (a) 100,000+ Oregon consumers processed per year, or (b) 25,000+ consumers AND 25%+ of gross revenue from sale or licensing of personal data.

Exemptions: HIPAA entities, GLBA financial institutions, FCRA/DPPA/FERPA/COPPA-regulated data, employee/B2B. Non-profits ARE covered — an outlier choice.

Consumer Rights

  • Right to confirm and access — including a list of specific third parties the data was shared with (more rigorous than the category-level baseline)
  • Right to correct
  • Right to delete
  • Right to portability (machine-readable)
  • Right to opt out of sale, targeted advertising, and profiling
  • Right to appeal — 45-day response window

Sensitive data includes the standard categories plus transgender status (a protection unique to Oregon) and a broad biometric definition spanning facial geometry, voice patterns, iris/retina scans, and fingerprints. Opt-in consent is required.

Compliance Requirements

Controllers must publish privacy notices, honor GPC/UOOM (mandatory since January 1, 2026), perform DPIAs for high-risk processing, and execute processor contracts per § 646A.574. Connected-vehicle manufacturers and affiliates are covered regardless of consumer-count thresholds for data collected from vehicles owned or leased by Oregon residents — telemetry, location, diagnostics, and driving-behavior data all fall in scope. The prohibition on sale of precise geolocation data (as of January 2026) is a hard prohibition, not an opt-out.

Cure Period + Enforcement

The Oregon AG holds exclusive enforcement authority. Penalties reach $7,500 per violation. The original 30-day cure period expired January 1, 2026 — no automatic safe harbor remains.

How Inori Addresses This

  • Notice: src/content/legal/privacy.mdx v1.2 discloses categories of third parties (Stripe, Anthropic, Firebase); Oregon's named-party requirement is satisfied because the list is already enumerated by specific provider, not just by category.
  • GPC (mandatory): middleware.ts:respectGpc honors Sec-GPC: 1.
  • DSAR: /api/dsar returns the specific list of third parties alongside standard access responses; 30-day SLA.
  • Geolocation: Inori does not collect precise geolocation — the January 2026 sale prohibition is moot for us.
  • Connected vehicles: Out of scope — Inori does not collect vehicle data.
  • Sensitive data including transgender status: Not collected.
  • Deferred: Specific-third-party disclosure UI in the privacy settings page is planned; currently the list is delivered via the DSAR response.

Related Concepts

See CCPA/CPRA, VCDPA, Colorado Privacy Act, and CTDPA for comparative frameworks. GPC covers the mandatory UOOM signal. DSAR handles the unified request pipeline. MCDPA is a similar protective model with a lower consumer threshold.

Related Terms

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's comprehensive consumer privacy law — the second state law after CCPA — granting residents rights to access, correct, delete, and opt out of data sales. Served as the template for most subsequent state laws.

Colorado Privacy Act (CPA)

Colorado's comprehensive privacy law — the third state after California and Virginia — notable for being the first to formally approve Global Privacy Control as a Universal Opt-Out Mechanism and for pairing with the Colorado AI Act.

GPC (Global Privacy Control)

A browser-level signal (Sec-GPC: 1 HTTP header) that communicates a user's preference to opt out of the sale or sharing of their personal information. Legally recognized as a valid opt-out mechanism under CCPA/CPRA.

DSAR (Data Subject Access Request)

A formal request by an individual to a company to exercise their privacy rights — including accessing, correcting, deleting, or exporting their personal data — as provided by CCPA, CPRA, GDPR, and U.S. state privacy laws.