Posted on April 16, 2025
Until January 1, 2026, if the Attorney General determines that a violation of the privacy law has occurred but can be fixed, the Attorney General must first send a letter giving the violator 30 days to cure, or fix, the...
No, the Oregon Department of Justice cannot act as your attorney or give you legal advice. If you have questions or comments about the privacy law, you may email oregonprivacy@doj.oregon.gov. We may use your question to expand and/or clarify the...
The Oregon DOJ has published guidance cautioning entities on their use of generative AI, specifically in the context of the OCPA. Page four of the document (linked in the press release) starts the OCPA section: DOJ Issues Guidance on AI...
For the most part, yes. Consider how much personal data is used/collected for these mailings. If your nonprofit is unsure about OCPA compliance with passive mailings, consider offering an opt-out (or unsubscribe) option to maintain compliance.
Authentication ensures that the individual making the privacy rights request is the person they say they are. Most companies use existing information they have about consumers to authenticate their identity. This is important, because bad actors may try to use...
Yes. You must develop a system to delete personal data within 45 days of receiving a consumer's request, unless another exemption applies.
Your nonprofit must provide a way for consumers to request their L.O.C.K.E.D. rights. Some entities use a monitored email address. Some use a webform. Any mechanism that your nonprofit implements must be clearly available to consumers, and it must be...
A “sale” is the exchange of personal data for monetary or other valuable consideration between a controller and a third party. “Valuable consideration” is not limited to money. This could include a nonprofit exchanging donor lists with a separate nonprofit...
We use the L.O.C.K.E.D. acronym to explain the specific consumer privacy rights. Consumers can get a List of the specific entities that received their personal data or any personal data from a business. Consumers can Opt-out (say “no”) to a business selling, profiling, and...
Among other obligations, controllers must: Provide a privacy notice regarding the types of personal data the controller processes, the specific purpose(s) for processing data, whether and why the controller shares personal data with third parties, and information about how consumers...