Posted on May 13, 2025
You can maintain the necessary minimum information to honor the do not contact request, but any extraneous information should be deleted unless an OCPA exemption applies.
The Oregon DOJ has published guidance regarding the use of generative AI, including in the context of the OCPA. Page four of the document (linked in the press release) starts the OCPA section: DOJ Issues Guidance on AI for Oregon...
Data security is an important component of the OCPA. If an entity maintains personal data, they must secure it. Common features of “reasonable safeguards” include risk assessment (evaluating potential data security problems), access controls (having more complex requirements for passwords,...
Most entities have “back end” data about consumers that isn’t part of their online profile/account. Just offering consumers rights relating to their profile is insufficient. Your entity must provide the above rights to all the personal data they have on...
Posted on October 16, 2024
While the OCPA does not include the term “dark patterns” specifically, the OCPA contains numerous requirements regarding the accessibility and clarity of resources provided to consumers by controllers. The use of dark patterns (or deceptive design) may violate these accessibility...
It depends on several factors specific to your business. For example, some factors to consider include how data flows throughout the organization, including whether different entities utilize or have access to each other’s consumer personal data, and who has decision-making...
Your method(s) of authentication should consider a number of factors: which data right a consumer is exercising; the type, sensitivity, value, and volume of personal data involved; the level of possible harm that improper access or use could cause to...
Posted on July 1, 2024
No, the Oregon Department of Justice cannot act as your attorney or give you legal advice. If you have questions or comments about the privacy law, you may email oregonprivacy@doj.oregon.gov. We may use your question to expand and/or clarify the...
Posted on June 24, 2024
Privacy notices should be written in clear, straightforward language geared towards consumers. ORS 646A.578(4) describes all topics that should be contained in a controller’s privacy notice. If a controller shares personal data with third parties, the privacy notice must list...
Posted on April 11, 2024
Entities or individuals that violate the law may face civil penalties up to $7,500 per violation. In addition to civil penalties, the Attorney General can also seek other relief, including injunctive relief, restitution, and/or disgorgement.