Posted in on January 2, 2026
Yes. The law requires consent to process data of children under the age of 13. As of January 1, 2026, a controller cannot sell the data of a consumer who is under 16 years of age. Also, a controller cannot... View Article
Posted in on
No. As of January 1, 2026, it is unlawful to sell a consumer’s precise geolocation (past or present location) data. This ban on the sale of location data applies to all consumers regardless of their age. See HB 2008 for... View Article
Posted in on September 26, 2025
Yes. As of September 2025, the OCPA applies to all motor vehicle manufacturers, and their affiliates that control or process personal data obtained from an Oregon consumer’s use of a motor vehicle. The number of Oregonians does not matter.
Posted in on May 13, 2025
You can maintain the necessary minimum information to honor the do not contact request, but any extraneous information should be deleted unless an OCPA exemption applies.
Posted in on
The Oregon DOJ has published guidance regarding the use of generative AI, including in the context of the OCPA. Page four of the document (linked in the press release) starts the OCPA section: DOJ Issues Guidance on AI for Oregon... View Article
Posted in on
Data security is an important component of the OCPA. If an entity maintains personal data, they must secure it. Common features of “reasonable safeguards” include risk assessment (evaluating potential data security problems), access controls (having more complex requirements for passwords,... View Article
Posted in on
Most entities have “back end” data about consumers that isn’t part of their online profile/account. Just offering consumers rights relating to their profile is insufficient. Your entity must provide the above rights to all the personal data they have on... View Article
Posted in on October 16, 2024
While the OCPA does not include the term “dark patterns” specifically, the OCPA contains numerous requirements regarding the accessibility and clarity of resources provided to consumers by controllers. The use of dark patterns (or deceptive design) may violate these accessibility... View Article
Posted in on
It depends on several factors specific to your business. For example, some factors to consider include how data flows throughout the organization, including whether different entities utilize or have access to each other’s consumer personal data, and who has decision-making... View Article
Posted in on
Your method(s) of authentication should consider a number of factors: which data right a consumer is exercising; the type, sensitivity, value, and volume of personal data involved; the level of possible harm that improper access or use could cause to... View Article
