Archives

What does my business do when a consumer opts out of contact but also requests that their personal data be deleted?

Posted in on May 13, 2025

You can maintain the necessary minimum information to honor the do not contact request, but any extraneous information should be deleted unless an OCPA exemption applies.

Can we use generative Artificial Intelligence in our business?

Posted in on

The Oregon DOJ has published guidance regarding the use of generative AI, including in the context of the OCPA. Page four of the document (linked in the press release) starts the OCPA section: DOJ Issues Guidance on AI for Oregon... View Article

The law requires that an entity uses reasonable safeguards to secure personal data. What are reasonable safeguards?

Posted in on

Data security is an important component of the OCPA. If an entity maintains personal data, they must secure it. Common features of “reasonable safeguards” include risk assessment (evaluating potential data security problems), access controls (having more complex requirements for passwords,... View Article

My business allows consumers to delete and copy the data from their online account. Isn’t that enough?

Posted in on

Most entities have “back end” data about consumers that isn’t part of their online profile/account. Just offering consumers rights relating to their profile is insufficient. Your entity must provide the above rights to all the personal data they have on... View Article

Does the OCPA address the use of “dark patterns”?

Posted in on October 16, 2024

While the OCPA does not include the term “dark patterns” specifically, the OCPA contains numerous requirements regarding the accessibility and clarity of resources provided to consumers by controllers. The use of dark patterns (or deceptive design) may violate these accessibility... View Article

How should my business calculate whether it meets the threshold to qualify under the OCPA when it has a complex hierarchy/ structure?

Posted in on

It depends on several factors specific to your business. For example, some factors to consider include how data flows throughout the organization, including whether different entities utilize or have access to each other’s consumer personal data, and who has decision-making... View Article

The OCPA says my business can use a “commercially reasonable” method to authenticate consumers when they make a rights request. What does that mean?

Posted in on

Your method(s) of authentication should consider a number of factors: which data right a consumer is exercising; the type, sensitivity, value, and volume of personal data involved; the level of possible harm that improper access or use could cause to... View Article

Can the Attorney General give me legal advice about how the privacy law applies to my business?

Posted in on July 1, 2024

No, the Oregon Department of Justice cannot act as your attorney or give you legal advice. If you have questions or comments about the privacy law, you may email oregonprivacy@doj.oregon.gov. We may use your question to expand and/or clarify the... View Article

What level of detail is required in a privacy notice? What information must be included regarding personal data shared with third parties?

Posted in on June 24, 2024

Privacy notices should be written in clear, straightforward language geared towards consumers. ORS 646A.578(4) describes all topics that should be contained in a controller’s privacy notice. If a controller shares personal data with third parties, the privacy notice must list... View Article

What are the penalties for failing to comply with the law?

Posted in on April 11, 2024

Entities or individuals that violate the law may face civil penalties up to $7,500 per violation. In addition to civil penalties, the Attorney General can also seek other relief, including injunctive relief, restitution, and/or disgorgement.