DATA PROTECTION IMPACT ASSESSMENT (DPIA) -- OREGON
Company Name: [________________________________]
Project/Processing Activity Name: [________________________________]
DPIA Reference Number: [____]-DPIA-OR-[____]
Assessment Date: [__/__/____]
Assessment Owner: [________________________________] (Privacy Lead / DPO)
Business Owner: [________________________________]
Status: ☐ Draft ☐ Under Review ☐ Approved ☐ Requires Revision
TABLE OF CONTENTS
- Purpose and Legal Basis for This Assessment
- OCPA Overview and Applicability Analysis
- Project/Processing Activity Description
- Scope of Processing
- Legal Basis, Consumer Rights, and Notice Requirements
- Data Flow Analysis and Transfers
- Security Controls and Safeguards
- Risk Identification and Assessment
- Profiling-Specific Risk Analysis
- Mitigations and Residual Risk
- Children and Minors Analysis
- Sale of Personal Data and Geolocation Analysis
- Universal Opt-Out Mechanism Compliance
- Processor and Service Provider Requirements
- Incident Response and Breach Notification
- OCPA Compliance Checklist
- Approvals and Accountability
- Ongoing Monitoring and Review
- Attachments
- Sources and References
1. PURPOSE AND LEGAL BASIS FOR THIS ASSESSMENT
1.1 Purpose
This Data Protection Impact Assessment ("DPIA") evaluates the privacy and data protection risks associated with [________________________________] ("Project/Processing Activity") and documents the measures taken to mitigate those risks. This DPIA is required under the Oregon Consumer Privacy Act (OCPA), ORS 646A.570-646A.589.
1.2 When a DPIA Is Required
Under the OCPA, a controller must conduct and document a data protection assessment before engaging in processing activities that present a heightened risk of harm to consumers, including:
☐ Processing personal data for targeted advertising
☐ Sale of personal data
☐ Processing sensitive data
☐ Profiling where there is a reasonably foreseeable risk of:
- Unfair or deceptive treatment of consumers
- Unlawful disparate impact on consumers
- Financial, physical, or reputational injury to consumers
- Intrusion upon the solitude or seclusion of a consumer that would be offensive to a reasonable person
- Other substantial injury to consumers
1.3 Retention Requirement
CRITICAL: Under the OCPA, all data protection assessments must be retained for at least five (5) years. This is longer than most comparable state laws (e.g., Colorado requires three years). The Oregon Attorney General may request data protection assessments to evaluate compliance.
1.4 Trigger Analysis for This DPIA
This DPIA is triggered because the processing activity involves (check all that apply):
☐ Targeted advertising
☐ Sale of personal data
☐ Processing of sensitive data
☐ Profiling with reasonably foreseeable risk of harm
☐ Other heightened risk: [________________________________]
2. OCPA OVERVIEW AND APPLICABILITY ANALYSIS
2.1 Statutory Background
The Oregon Consumer Privacy Act was enacted as Senate Bill 619 in 2023 and became effective July 1, 2024. It is codified at ORS 646A.570-646A.589. Significant amendments were enacted through House Bill 2008 and Senate Bill 3875, with additional requirements effective January 1, 2026.
2.2 Applicability Thresholds
The OCPA applies to a person that conducts business in Oregon or provides products or services targeted to Oregon residents and, during a calendar year:
☐ Controls or processes personal data of 100,000 or more Oregon consumers (excluding data used solely for payment transactions); OR
☐ Controls or processes personal data of 25,000 or more Oregon consumers AND derives 25% or more of annual gross revenue from selling personal data
Note: There is no minimum revenue threshold (unlike California's CCPA). The OCPA also applies to most nonprofit organizations (effective July 1, 2025).
2.3 Exemptions
The OCPA does not apply to (check if applicable):
☐ GLBA-covered financial institutions (for activities subject to GLBA)
☐ HIPAA-covered entities and business associates (for protected health information)
☐ Higher education institutions (for FERPA-covered student records)
☐ Government entities
☐ Tribal nations
☐ Certain employment and business-to-business data contexts
2.4 Company Applicability Determination
| Factor | Response |
|---|---|
| Does the Company conduct business in Oregon or target Oregon residents? | ☐ Yes ☐ No |
| Number of Oregon consumer records processed annually | [________________________________] |
| Percentage of revenue from data sales | [____]% |
| Is the Company a nonprofit? | ☐ Yes ☐ No |
| Does any entity-level exemption apply? | ☐ Yes (specify: ____________) ☐ No |
| OCPA Applies? | ☐ Yes ☐ No |
3. PROJECT/PROCESSING ACTIVITY DESCRIPTION
| Field | Description |
|---|---|
| Project/Activity Name | [________________________________] |
| Business Owner | [________________________________] |
| Project Sponsor | [________________________________] |
| Purpose and Objectives | [________________________________] |
| Business Justification | [________________________________] |
| Timeline / Launch Date | [__/__/____] |
| Geographic Scope | [________________________________] |
| Technology Systems Involved | [________________________________] |
| Third Parties / Vendors Involved | [________________________________] |
4. SCOPE OF PROCESSING
4.1 Data Subjects
☐ Oregon consumers (customers, end users)
☐ Employees / applicants (note: employment data context exemptions may apply)
☐ Vendors / business contacts (note: B2B context exemptions may apply)
☐ Website/app visitors
☐ Minors (under 13 or under 16)
☐ Other: [________________________________]
4.2 Categories of Personal Data
☐ Contact information (name, email, phone, address)
☐ Identifiers (account numbers, IP addresses, device IDs)
☐ Financial information (payment card, bank account)
☐ Transaction history
☐ Location data (general)
☐ Online activity / browsing data
☐ Other: [________________________________]
4.3 Sensitive Data (OCPA Definition -- Broader Than Most State Laws)
Under the OCPA, "sensitive data" includes personal data revealing or concerning:
☐ Racial or ethnic background
☐ National origin
☐ Religious beliefs
☐ Mental or physical condition or diagnosis
☐ Sexual orientation
☐ Status as transgender or nonbinary
☐ Status as a victim of crime
☐ Citizenship or immigration status
☐ Precise geolocation data (within a radius of 1,750 feet)
☐ Genetic data processed to uniquely identify a consumer
☐ Biometric data processed to uniquely identify a consumer
☐ Personal data of a known child (under 13 years of age)
CRITICAL: Oregon's definition of sensitive data is broader than most state privacy laws, notably including national origin, transgender/nonbinary status, victim of crime status, and citizenship/immigration status.
Opt-in consent is required before processing any sensitive data.
4.4 Volume and Retention
| Data Element | Estimated Volume | Retention Period | Deletion Trigger |
|---|---|---|---|
| [________________] | [____] records | [____] months/years | [________________] |
| [________________] | [____] records | [____] months/years | [________________] |
4.5 Processing Activities
☐ Collection
☐ Storage
☐ Analysis / profiling
☐ Sharing with third parties
☐ Sale of personal data (OCPA: exchange for monetary or other valuable consideration)
☐ Targeted advertising (displaying ads based on personal data from consumer activity over time)
☐ Profiling (automated processing to evaluate, analyze, or predict personal aspects)
☐ Other: [________________________________]
5. LEGAL BASIS, CONSUMER RIGHTS, AND NOTICE REQUIREMENTS
5.1 Consumer Rights Under OCPA
| Right | Description | Response Timeline |
|---|---|---|
| Right to Access | Know whether controller processes personal data; obtain copy | 45 days (+ 45-day extension with notice) |
| Right to Correct | Correct inaccuracies in personal data | 45 days (+ 45-day extension) |
| Right to Delete | Delete personal data provided by or obtained about consumer | 45 days (+ 45-day extension) |
| Right to Portability | Obtain copy in portable, readily usable format | 45 days (+ 45-day extension) |
| Right to Opt Out | Opt out of sale, targeted advertising, and profiling (legal/significant effects) | Without undue delay |
| Right to Appeal | Appeal denial of rights request | 45 days to respond to appeal |
5.2 Privacy Notice Requirements
The Company must provide a reasonably accessible, clear, and meaningful privacy notice disclosing:
☐ Categories of personal data processed
☐ Purposes of processing
☐ How to exercise consumer rights (including appeal process)
☐ Categories of personal data shared with third parties
☐ Categories of third parties
☐ How to opt out of sale and targeted advertising
☐ Whether the controller sells sensitive data and mechanism to limit use/disclosure
5.3 Consent Requirements
| Processing Activity | Consent Type Required |
|---|---|
| Sensitive data processing | Opt-in consent (affirmative indication of agreement) |
| Children under 13 | COPPA verifiable parental consent |
| Sale of data of consumers under 16 (eff. Jan. 1, 2026) | Prohibited |
| Sale of precise geolocation data (eff. Jan. 1, 2026) | Prohibited |
6. DATA FLOW ANALYSIS AND TRANSFERS
6.1 Data Flow Diagram
Attach data flow diagram as Appendix or describe below:
| Step | Source | Processing | Destination | Data Categories | Legal Basis |
|---|---|---|---|---|---|
| 1 | [________] | [________] | [________] | [________] | [________] |
| 2 | [________] | [________] | [________] | [________] | [________] |
6.2 Third-Party Recipients
| Vendor/Recipient | Role (Processor/Controller) | Data Shared | DPA in Place? | Due Diligence? |
|---|---|---|---|---|
| [________________] | ☐ Processor ☐ Controller | [________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
| [________________] | ☐ Processor ☐ Controller | [________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
6.3 Cross-Border Transfers
☐ Data remains within the United States
☐ Data transferred internationally: [________________________________]
☐ Transfer mechanism: [SCCs / CBPR / Other: ________________]
7. SECURITY CONTROLS AND SAFEGUARDS
7.1 Reasonable Security (OCPA Requirement)
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
7.2 Technical Controls
| Control | Implementation | Status |
|---|---|---|
| Encryption in transit | [TLS version/cipher] | ☐ Implemented ☐ Planned ☐ N/A |
| Encryption at rest | [AES-256/other] | ☐ Implemented ☐ Planned ☐ N/A |
| Key management | [HSM/KMS provider] | ☐ Implemented ☐ Planned ☐ N/A |
| Network segmentation | [Description] | ☐ Implemented ☐ Planned ☐ N/A |
| Endpoint protection | [EDR/AV solution] | ☐ Implemented ☐ Planned ☐ N/A |
| Logging and monitoring | [SIEM platform] | ☐ Implemented ☐ Planned ☐ N/A |
| Data loss prevention | [DLP solution] | ☐ Implemented ☐ Planned ☐ N/A |
| Vulnerability management | [Scan frequency/SLAs] | ☐ Implemented ☐ Planned ☐ N/A |
| Backup and recovery | [Frequency/retention/testing] | ☐ Implemented ☐ Planned ☐ N/A |
7.3 Organizational Controls
☐ Written information security policies
☐ Annual security awareness training
☐ Vendor security due diligence program
☐ Incident response plan (tested annually)
☐ Change management procedures
☐ Privacy-by-design reviews for new projects
7.4 Access Controls
| Control | Description |
|---|---|
| Authentication | [MFA method: TOTP/FIDO2/other] |
| Authorization | [RBAC / least privilege / JML process] |
| Session management | [Timeout: ____ minutes] |
| Privileged access reviews | [Frequency: quarterly/semi-annual] |
8. RISK IDENTIFICATION AND ASSESSMENT
8.1 Risk Register
| Risk ID | Risk Description | Likelihood (L/M/H) | Impact (L/M/H) | Risk Rating | Mitigation |
|---|---|---|---|---|---|
| R-01 | Unauthorized access to personal data | [____] | [____] | [____] | [________________________________] |
| R-02 | Data minimization failure / purpose creep | [____] | [____] | [____] | [________________________________] |
| R-03 | Profiling resulting in unlawful disparate impact | [____] | [____] | [____] | [________________________________] |
| R-04 | Inadequate consent for sensitive data | [____] | [____] | [____] | [________________________________] |
| R-05 | Unlawful sale of precise geolocation data (2026) | [____] | [____] | [____] | [________________________________] |
| R-06 | Unlawful sale of minor's data (under 16, 2026) | [____] | [____] | [____] | [________________________________] |
| R-07 | Cross-border transfer without adequate safeguards | [____] | [____] | [____] | [________________________________] |
| R-08 | Vendor/processor non-compliance | [____] | [____] | [____] | [________________________________] |
| R-09 | Failure to recognize universal opt-out signals | [____] | [____] | [____] | [________________________________] |
| R-10 | Breach notification timeline non-compliance | [____] | [____] | [____] | [________________________________] |
9. PROFILING-SPECIFIC RISK ANALYSIS
If this processing activity involves profiling, assess the following risks:
| Profiling Risk Category | Applicable? | Assessment |
|---|---|---|
| Unfair or deceptive treatment of consumers | ☐ Yes ☐ No | [________________________________] |
| Unlawful disparate impact on consumers | ☐ Yes ☐ No | [________________________________] |
| Financial injury to consumers | ☐ Yes ☐ No | [________________________________] |
| Physical injury to consumers | ☐ Yes ☐ No | [________________________________] |
| Reputational injury to consumers | ☐ Yes ☐ No | [________________________________] |
| Intrusion upon solitude/seclusion offensive to reasonable person | ☐ Yes ☐ No | [________________________________] |
| Other substantial injury | ☐ Yes ☐ No | [________________________________] |
Profiling opt-out: Consumers have the right to opt out of profiling that produces decisions with legal or similarly significant effects. Ensure the opt-out mechanism is available and functional.
10. MITIGATIONS AND RESIDUAL RISK
10.1 Planned Mitigations
| Risk ID | Mitigation Action | Owner | Deadline | Status |
|---|---|---|---|---|
| [____] | [________________________________] | [________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
10.2 Testing and Validation
☐ Penetration testing scheduled/completed: [__/__/____]
☐ Privacy-by-design review completed: [__/__/____]
☐ Consent mechanism tested: [__/__/____]
☐ Opt-out mechanism tested (including universal opt-out): [__/__/____]
☐ Consumer rights request workflow tested: [__/__/____]
10.3 Residual Risk Determination
| Item | Determination |
|---|---|
| Overall Residual Risk Rating | ☐ Low ☐ Medium ☐ High |
| Decision | ☐ Accept ☐ Mitigate Further ☐ Block Processing |
| Justification | [________________________________] |
11. CHILDREN AND MINORS ANALYSIS
11.1 Children Under 13
☐ Does this processing involve personal data of known children under 13?
☐ If yes, COPPA verifiable parental consent obtained?
☐ Under OCPA, personal data of a known child under 13 is sensitive data requiring opt-in consent
11.2 Consumers Under 16 (Effective January 1, 2026)
CRITICAL 2026 REQUIREMENT: Effective January 1, 2026, it is unlawful to sell personal data of consumers under 16 years of age.
☐ Does this processing involve sale of personal data of consumers who may be under 16?
☐ If yes, what age verification mechanisms are in place?
☐ Has the Company implemented controls to prevent sale of data for consumers under 16?
12. SALE OF PERSONAL DATA AND GEOLOCATION ANALYSIS
12.1 Sale of Personal Data
Under the OCPA, "sale" means the exchange of personal data for monetary or other valuable consideration.
Does this processing involve sale of personal data? ☐ Yes ☐ No
If yes, is an opt-out mechanism provided? ☐ Yes ☐ No
Does the privacy notice disclose the sale? ☐ Yes ☐ No
12.2 Precise Geolocation Data (Effective January 1, 2026)
CRITICAL 2026 REQUIREMENT: Effective January 1, 2026, it is unlawful to sell precise geolocation data (within 1,750-foot radius) of any consumer, regardless of age.
Does this processing involve precise geolocation data? ☐ Yes ☐ No
Is precise geolocation data sold or shared for valuable consideration? ☐ Yes ☐ No
If yes, has the Company implemented controls to cease sale by the effective date? ☐ Yes ☐ No
13. UNIVERSAL OPT-OUT MECHANISM COMPLIANCE
Effective January 1, 2026, the OCPA requires controllers to recognize universal opt-out mechanisms (e.g., Global Privacy Control).
☐ Has the Company implemented technical capability to detect and honor universal opt-out signals?
☐ Technical implementation: [________________________________]
☐ Testing completed: [__/__/____]
☐ Signal(s) recognized: ☐ Global Privacy Control (GPC) ☐ Other: [________]
14. PROCESSOR AND SERVICE PROVIDER REQUIREMENTS
14.1 OCPA Contractual Requirements
Contracts between controllers and processors must include:
☐ Clear instructions for processing personal data
☐ Nature and purpose of processing
☐ Type of personal data subject to processing
☐ Duration of processing
☐ Rights and obligations of controller and processor
☐ Processor's obligation to assist with consumer rights requests
☐ Deletion or return of data upon termination or controller request
☐ Processor's obligation to make available information necessary to demonstrate compliance
☐ Processor's obligation to allow and cooperate with reasonable assessments by the controller
14.2 Vendor Assessment
| Vendor | Contract Compliant? | DPA Executed? | Security Assessment? | Last Reviewed |
|---|---|---|---|---|
| [________________] | ☐ Yes ☐ No | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
15. INCIDENT RESPONSE AND BREACH NOTIFICATION
15.1 Oregon Breach Notification (ORS 646A.604)
| Requirement | Detail |
|---|---|
| Notification to consumers | Most expedient manner possible; no later than 45 days after discovery |
| Notification by vendors | Vendor must notify covered entity within 10 days of discovering breach |
| AG notification | Required if 250+ Oregon consumers affected |
| Harm exception | Not required if investigation determines consumers unlikely to suffer harm (documented; retained 5 years) |
| Encryption safe harbor | Not required if data was encrypted and key was not compromised |
| Penalties | Up to $1,000 per violation; up to $500,000 for continuing violations |
15.2 Notice Content Requirements
☐ Description of breach
☐ Approximate date of breach
☐ Types of personal information affected
☐ Contact information for consumer reporting agencies (if applicable)
☐ Covered entity contact information
☐ Consumer's rights to obtain police report and request security freeze
☐ Advice regarding identity theft reporting (AG, FTC, law enforcement)
16. OCPA COMPLIANCE CHECKLIST
| Requirement | Status | Notes |
|---|---|---|
| Applicability determination completed | ☐ Done ☐ Pending | |
| Privacy notice updated for OCPA | ☐ Done ☐ Pending | |
| Consumer rights request workflow operational | ☐ Done ☐ Pending | |
| 45-day response timeline implemented | ☐ Done ☐ Pending | |
| Appeal process documented and functional | ☐ Done ☐ Pending | |
| Sensitive data consent mechanism deployed | ☐ Done ☐ Pending | |
| Data protection assessments completed and retained | ☐ Done ☐ Pending | Retain 5+ years |
| Processor/vendor contracts updated | ☐ Done ☐ Pending | |
| Universal opt-out mechanism implemented (by Jan 1, 2026) | ☐ Done ☐ Pending | |
| Sale of precise geolocation data ceased (by Jan 1, 2026) | ☐ Done ☐ Pending ☐ N/A | |
| Sale of data of consumers under 16 ceased (by Jan 1, 2026) | ☐ Done ☐ Pending ☐ N/A | |
| Breach notification procedures tested | ☐ Done ☐ Pending | |
| Reasonable security measures documented | ☐ Done ☐ Pending | |
| Non-discrimination controls in place | ☐ Done ☐ Pending | |
17. APPROVALS AND ACCOUNTABILITY
| Role | Name | Date | Signature |
|---|---|---|---|
| Privacy Lead / DPO | [________________________________] | [__/__/____] | [________________] |
| Information Security Lead | [________________________________] | [__/__/____] | [________________] |
| Legal Counsel (Oregon law) | [________________________________] | [__/__/____] | [________________] |
| Business Owner | [________________________________] | [__/__/____] | [________________] |
| Executive Approver | [________________________________] | [__/__/____] | [________________] |
18. ONGOING MONITORING AND REVIEW
☐ This DPIA will be reviewed at least annually or upon material changes to the processing activity
☐ Changes triggering review: new data categories, new vendors, expanded scope, regulatory changes, security incidents
☐ Next scheduled review: [__/__/____]
☐ DPIA retention: minimum five (5) years per OCPA requirements
18.1 Enforcement Note
CRITICAL: The 30-day cure period under the OCPA sunsets January 1, 2026. After that date, the Oregon Attorney General may proceed directly to enforcement without providing a cure notice, at the AG's discretion. Civil penalties may reach up to $7,500 per violation. The Attorney General has exclusive enforcement authority; there is no private right of action under the OCPA.
19. ATTACHMENTS
☐ Data flow diagrams and system architecture
☐ Records of processing activities (ROPA) entry
☐ Vendor list and processor agreements
☐ Data protection assessment documentation (retain 5+ years)
☐ Security practices documentation
☐ Sensitive data consent mechanism screenshots/documentation
☐ Universal opt-out mechanism implementation documentation
☐ Compliance documentation for 2026 prohibitions (geolocation/minors data sale)
☐ Breach notification templates and procedures
☐ Oregon-specific privacy notice
20. SOURCES AND REFERENCES
- Oregon Consumer Privacy Act (OCPA), ORS 646A.570-646A.589 -- https://www.doj.state.or.us/consumer-protection/for-businesses/privacy-law-faqs-for-businesses/
- Oregon Senate Bill 619 (2023)
- Oregon House Bill 2008 (2025 amendments)
- Oregon Data Breach Notification Act, ORS 646A.604
- Oregon Attorney General Consumer Protection -- https://www.doj.state.or.us/consumer-protection/
- Children's Online Privacy Protection Act (COPPA), 15 U.S.C. 6501-6506
- GDPR Article 35 (DPIA methodology reference)
- NIST Privacy Framework -- https://www.nist.gov/privacy-framework
This document is a template provided for informational purposes only and does not constitute legal advice. It must be reviewed and customized by a qualified attorney licensed in Oregon before implementation.
Last updated: April 2026