DATA PROTECTION IMPACT ASSESSMENT (DPIA)
(State overlay: OR)
1. Project Overview
- Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
- Purpose and objectives: [describe].
- Timeline and launch date: [dates].
2. Scope of Processing
- Data subjects: [customers/employees/vendors/end users].
- Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
- Sensitive data (OCPA definition - broader than most state laws): Check all that apply: (1) Personal data revealing racial or ethnic background; (2) National origin; (3) Religious beliefs; (4) Mental or physical condition or diagnosis; (5) Sexual orientation; (6) Status as transgender or non-binary; (7) Status as victim of crime; (8) Citizenship or immigration status; (9) Precise geolocation data (within radius of 1,750 feet); (10) Genetic data processed for purpose of uniquely identifying consumer; (11) Biometric data processed for purpose of uniquely identifying consumer; (12) Personal data of known child (under 13 years of age). CRITICAL 2026 REQUIREMENT: Effective January 1, 2026, it is UNLAWFUL to sell precise geolocation data of ANY consumer regardless of age. Opt-in consent required for processing sensitive data.
- Volume and retention: [records/year], [retention schedule and deletion triggers per business purpose].
- Processing activities: [collection, storage, analysis, sharing; sale/sharing status]. OCPA definitions: "Sale" = exchange of personal data for monetary or other valuable consideration; "Targeted advertising" = displaying an advertisement selected based on personal data obtained from the consumer's activities over time to predict preferences or interests; "Profiling" = automated processing to evaluate, analyze, or predict personal aspects concerning a consumer's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
3. Legal Basis, Notices, and Rights
- Primary state privacy law(s): Oregon Consumer Privacy Act (OCPA), ORS 646A.600 et seq., effective July 1, 2024; significant amendments via HB 2008 effective January 1, 2026.
- Applicability thresholds: Person who conducts business in Oregon or provides products/services to Oregon residents and, during calendar year: (1) Controls or processes personal data of 100,000+ Oregon residents (excluding data solely for payment transactions); OR (2) Controls or processes personal data of 25,000+ consumers AND derives 25%+ of annual gross revenue from selling personal data. No minimum revenue threshold. OCPA applies to most nonprofit organizations (application to nonprofits began July 1, 2025).
- Entity type exemptions: GLBA-covered financial institutions for activities subject to GLBA, HIPAA-covered entities/business associates for protected health information, higher education institutions for student records subject to FERPA, government entities, tribal nations, certain employment/business-to-business contexts.
- Consumer rights covered: (1) Right to access personal data; (2) Right to correct inaccuracies in personal data; (3) Right to delete personal data; (4) Right to obtain copy of personal data in portable and readily usable format; (5) Right to opt out of sale of personal data, targeted advertising, and profiling in furtherance of decisions producing legal or similarly significant effects. Response timeline: 45 days (with one 45-day extension if reasonably necessary; must notify consumer and explain why). Authentication: Must establish reasonable procedures to authenticate the consumer making a request before acting on it.
- Consent/opt-out mechanics required for sensitive data, minors, targeted ads, sale/sharing: (1) Opt-in consent required for processing sensitive data (consumers must affirmatively indicate agreement); (2) CRITICAL 2026: Effective January 1, 2026, CANNOT sell data of consumers under 16 years of age; (3) CRITICAL 2026: Effective January 1, 2026, CANNOT sell precise geolocation data of any consumer; (4) Consent required for children under 13 per COPPA; (5) Must recognize universal opt-out mechanisms (e.g., Global Privacy Control) effective January 1, 2026; (6) Opt-out required for targeted advertising and profiling.
- Notice/labeling requirements: Privacy notice must be reasonably accessible, clear, and meaningful, disclosing: categories of personal data processed, purposes, how to exercise consumer rights, categories of personal data shared with third parties, categories of third parties, how to opt out of sale/targeted advertising. Must disclose whether controller sells sensitive data and provide mechanism to limit use/disclosure.
- Contracts with processors/service providers: Contract required between controller and processor. Must include: clear instructions for processing; nature and purpose of processing; type of personal data; duration; controller and processor rights and obligations; processor assistance with consumer rights requests; deletion or return of data at end of services or upon controller's request; processor's obligation to make available information necessary to demonstrate compliance.
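The consent and opt-out mechanics listed above are easiest to audit when they are enforced at the point where data leaves a system. The following is an added Python example, not part of this template or of any statute text: it reads the Global Privacy Control header (`Sec-GPC: 1`, as the GPC specification defines it) and applies the rules stated in this section (opt-in for sensitive data, the 1,750-foot precise-geolocation threshold, the under-16 and precise-geolocation sale bans effective January 1, 2026). The `Consumer` and `Record` types, the category labels and the constructed inputs are this example's own assumptions, and it honors GPC unconditionally rather than only from the 2026 effective date.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set, Tuple

# Thresholds and dates as the template states them (assumption: the template's
# summary of the OCPA is accurate; the category labels below are this example's own).
PRECISE_GEO_RADIUS_FT = 1750.0          # precise geolocation = within a 1,750 ft radius
SALE_BANS_EFFECTIVE = date(2026, 1, 1)  # under-16 and precise-geolocation sale bans
SENSITIVE_CATEGORIES = {
    "racial_ethnic", "national_origin", "religion", "health_condition",
    "sexual_orientation", "gender_identity", "crime_victim", "immigration_status",
    "genetic_id", "biometric_id",
}
PURPOSES = {"process", "sale", "targeted_advertising"}


@dataclass
class Consumer:
    age: int
    opted_in_sensitive: bool = False      # affirmative opt-in to sensitive-data processing
    opted_out_sale: bool = False          # opt-out recorded through the site's own mechanism
    opted_out_targeted_ads: bool = False


@dataclass
class Record:
    categories: Set[str] = field(default_factory=set)
    geo_accuracy_ft: Optional[float] = None  # accuracy radius of a location field, if any


def gpc_signal(headers: Dict[str, str]) -> bool:
    """True when the request carries the Global Privacy Control header.
    The GPC specification defines it as 'Sec-GPC: 1'; HTTP header names are
    case-insensitive, so normalise before the lookup. Any other value is no signal."""
    normalised = {name.lower(): value for name, value in headers.items()}
    return normalised.get("sec-gpc", "").strip() == "1"


def has_precise_geolocation(record: Record) -> bool:
    return record.geo_accuracy_ft is not None and record.geo_accuracy_ft <= PRECISE_GEO_RADIUS_FT


def is_sensitive(record: Record, consumer: Consumer) -> bool:
    """Sensitive under the template's 12-category list: known child under 13,
    precise geolocation, or any of the enumerated categories."""
    return (consumer.age < 13
            or has_precise_geolocation(record)
            or bool(record.categories & SENSITIVE_CATEGORIES))


def evaluate(purpose: str, record: Record, consumer: Consumer,
             headers: Dict[str, str], today: date) -> Tuple[bool, str]:
    """Decide whether `purpose` may proceed for this record and consumer.
    Returns (allowed, reason) so the reason can be logged for recordkeeping."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    # Opt-in consent is checked first: it gates every use of sensitive data.
    if is_sensitive(record, consumer) and not consumer.opted_in_sensitive:
        return False, "opt-in consent required for sensitive data"
    # GPC is treated as an opt-out of both sale and targeted advertising. The
    # template makes recognition mandatory from 2026-01-01; this gate honours it always.
    gpc = gpc_signal(headers)
    if purpose == "sale":
        if today >= SALE_BANS_EFFECTIVE and consumer.age < 16:
            return False, "sale of data of consumers under 16 prohibited"
        if today >= SALE_BANS_EFFECTIVE and has_precise_geolocation(record):
            return False, "sale of precise geolocation data prohibited"
        if gpc or consumer.opted_out_sale:
            return False, "consumer opted out of sale"
    if purpose == "targeted_advertising" and (gpc or consumer.opted_out_targeted_ads):
        return False, "consumer opted out of targeted advertising"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: an adult's contact record offered for sale, with and without GPC.
    adult = Consumer(age=34)
    contact = Record(categories={"contact"})
    print(evaluate("sale", contact, adult, {}, date(2026, 2, 1)))
    print(evaluate("sale", contact, adult, {"Sec-GPC": "1"}, date(2026, 2, 1)))
```

The decision function returns the basis for each denial as a string so that it can be written to the request log; that log is the evidence the recordkeeping item in Section 9 asks for. The sensitive-data check runs before any purpose-specific rule because opt-in consent is a precondition for every use, not only for sale.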
4. Data Flow and Transfers
- Source systems: [list]; storage/hosting locations: [cloud region/data centers].
- Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
- Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and data processing agreements (DPAs) in place.
- Access controls: RBAC groups, least privilege, joiner/mover/leaver process.
5. Security and Controls
- Technical controls: Encryption in transit/at rest [specify algorithms/key lengths], key management [HSM/KMS], network segmentation, endpoint protections [EDR/AV], logging/monitoring [SIEM], DLP, backups [frequency/retention/testing], vulnerability management [scanning cadence/remediation SLAs].
- Organizational controls: Written information security policies, annual training cadence, vendor due diligence [security questionnaires/assessments], incident response playbook [tested annually], change management, privacy-by-design reviews.
- Authentication/authorization: [MFA method: TOTP/FIDO2/SMS]; [SSO/SAML provider]; session timeouts [specify]; privileged access reviews [quarterly/semi-annual].
- Reasonable security: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
6. Risks and Impact Assessment
- Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk, unlawful sale of geolocation data (critical for 2026 compliance), unlawful sale of minor's data (critical for 2026 compliance)].
- Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
- Profiling-specific risks: Unfair or deceptive treatment, unlawful disparate impact, financial/physical/reputational injury, intrusion on solitude/seclusion offensive to reasonable person, other substantial injury.
7. Mitigations and Residual Risk
- Planned mitigations: [controls, timelines, owners].
- Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
- Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].
8. Incident Response and Breach Notification
- Breach notification statute: ORS 646A.604 (Notice of breach of security); amended multiple times, most recently SB 684 effective January 1, 2020.
- Timeline: Notice to affected Oregon consumers required in most expedient manner possible and without unreasonable delay, but NOT LATER THAN 45 DAYS after discovering or receiving notice of breach. Vendor-to-covered entity notification: Not later than 10 days after discovering breach or having reason to believe breach occurred.
- Notification triggers: Breach of security = unauthorized acquisition of computerized data that materially compromises security, confidentiality, or integrity of personal information maintained by covered entity. Personal information = consumer's first name or first initial and last name in combination with one or more of: (a) SSN; (b) Driver's license/state ID number; (c) Passport number; (d) Financial account/credit/debit card number with required security code/access code/password/PIN to permit account access; (e) Data from automatic measurements of individual's physical characteristics (e.g., fingerprint, voiceprint, retina/iris image, or other unique physical representation/digital representation of biometric data); (f) Health insurance policy number/subscriber ID number or unique identifier used by health insurer; (g) Any information about individual's medical history, mental/physical condition, or medical treatment/diagnosis by healthcare professional; (h) Tax identification number; (i) Birth/marriage certificate number.
- Harm exception: Notice not required if, after appropriate investigation or consultation with relevant law enforcement, covered entity reasonably determines that consumers whose personal information was subject to breach are unlikely to suffer harm. Must document determination in writing and maintain documentation for at least 5 years.
- Encryption safe harbor: Notice not required if the personal information acquired was encrypted, provided the encryption key or security credential needed to decrypt it was not acquired and remains confidential.
- Regulator/AG notice: If breach affects more than 250 Oregon consumers, must notify Oregon Attorney General either in writing or electronically.
- Content requirements: Notice to consumers must include: description of breach; approximate date of breach; types of personal information subject to breach; contact information for consumer reporting agencies (if applicable); contact information consumer can use to inquire about breach; consumer's rights to obtain police report and request security freeze; advice that consumer can report suspected identity theft to law enforcement, AG, Federal Trade Commission.
- Third-party vendors: Vendor that discovers breach or has reason to believe breach occurred must notify covered entity as soon as practicable but not later than 10 days after discovery.
- Law enforcement delay: Notice may be delayed if law enforcement determines notification will impede criminal investigation and makes written request for delay. Notice required after law enforcement determines disclosure will not compromise investigation and notifies covered entity in writing.
- Penalties: Failure to comply can result in penalties up to $1,000 per violation and up to $500,000 for continuing violation.
- Coordination with other states/GLBA/HIPAA requirements if multi-state: [Coordinate breach notification obligations; GLBA and HIPAA have separate timelines and requirements].
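The triggers, exceptions and deadlines in this section combine into a small decision tree that an incident response lead will want to apply consistently from the moment of discovery. The following is an added Python example, not part of this template or of the statute: it checks whether the acquired data meets the "personal information" definition above, applies the encryption safe harbor, the harm exception and the law-enforcement delay, and computes the 45-day consumer deadline, the 10-day vendor deadline and the 250-consumer Attorney General trigger. The `Breach` and `Obligations` types, the element labels and the sample breach are this example's own constructions; treating the AG notice as following from consumer notice being owed is this example's reading of the template's count-based wording.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

CONSUMER_NOTICE_DAYS = 45   # consumers: not later than 45 days after discovery
VENDOR_NOTICE_DAYS = 10     # vendor to covered entity: not later than 10 days after discovery
AG_NOTICE_THRESHOLD = 250   # more than 250 Oregon consumers affected: notify the AG

# Data elements (a) to (i) from the template's summary of ORS 646A.604. The labels
# are this example's own; each stands for one enumerated element.
TRIGGER_ELEMENTS = {
    "ssn", "drivers_license_or_state_id", "passport", "financial_account_with_credential",
    "biometric", "health_insurance_id", "medical_info", "tax_id", "birth_or_marriage_cert",
}


def is_personal_information(elements: Set[str]) -> bool:
    """Name (first name or first initial, plus last name) in combination with at
    least one enumerated element. A name alone, or an element alone, does not qualify."""
    has_name = "last_name" in elements and bool({"first_name", "first_initial"} & elements)
    return has_name and bool(elements & TRIGGER_ELEMENTS)


@dataclass
class Breach:
    discovered_on: date
    elements_acquired: Set[str]
    affected_oregon_consumers: int
    encrypted: bool = False                 # acquired data was encrypted
    key_acquired: bool = False              # decryption key/credential was also acquired
    harm_unlikely_documented: bool = False  # written harm determination after investigation
    law_enforcement_hold: bool = False      # written law-enforcement delay request in effect
    discovered_by_vendor: bool = False      # a vendor, not the covered entity, discovered it


@dataclass
class Obligations:
    consumer_notice: bool
    consumer_deadline: Optional[date]   # None when no notice is due or the clock is held
    ag_notice: bool
    vendor_deadline: Optional[date]
    basis: str


def assess(b: Breach) -> Obligations:
    """Apply the template's triggers and exceptions in order and return the
    resulting obligations together with the basis for the outcome."""
    # No 'personal information' as defined means no breach of security to notify.
    if not is_personal_information(b.elements_acquired):
        return Obligations(False, None, False, None, "acquired data is not personal information as defined")
    vendor_deadline = (b.discovered_on + timedelta(days=VENDOR_NOTICE_DAYS)
                       if b.discovered_by_vendor else None)
    # Encryption safe harbor: encrypted data whose key was not acquired.
    if b.encrypted and not b.key_acquired:
        return Obligations(False, None, False, vendor_deadline, "encryption safe harbor")
    # Harm exception: written determination required, retained for at least 5 years.
    if b.harm_unlikely_documented:
        return Obligations(False, None, False, vendor_deadline,
                           "harm exception; retain written determination for 5 years")
    # AG notice follows from consumer notice being owed to more than 250 consumers
    # (this example's reading of the template's count-based wording).
    ag_notice = b.affected_oregon_consumers > AG_NOTICE_THRESHOLD
    if b.law_enforcement_hold:
        return Obligations(True, None, ag_notice, vendor_deadline,
                           "delayed by written law-enforcement request; due after written clearance")
    deadline = b.discovered_on + timedelta(days=CONSUMER_NOTICE_DAYS)
    return Obligations(True, deadline, ag_notice, vendor_deadline, "notice required")


if __name__ == "__main__":
    # Constructed sample: names plus SSNs for 1,000 Oregon consumers, discovered 2026-03-01.
    sample = Breach(date(2026, 3, 1), {"first_name", "last_name", "ssn"}, 1000)
    print(assess(sample))
```

The order of the checks matters: the definition test comes first because the exceptions only make sense once a breach of personal information is established, and the law-enforcement hold is evaluated last because it delays a notice that is otherwise owed rather than removing the obligation. The `basis` string is what goes into the incident record alongside the written harm determination the template says must be kept for 5 years.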
9. State Overlay Checklist (OR)
- Applicability thresholds and exemptions: 100,000+ Oregon residents (excluding payment-only data) OR 25,000+ consumers + 25%+ revenue from sale. No revenue minimum. Applies to most nonprofits (effective July 1, 2025). Exemptions: GLBA institutions (for GLBA activities), HIPAA covered entities (for PHI), FERPA-covered student records, government entities, tribal nations, certain employment/B2B contexts.
- Sensitive data definition and consent/opt-out requirements: 12 categories of sensitive data (BROADER than most state laws - see Section 2 above): racial/ethnic background, national origin, religious beliefs, mental/physical condition/diagnosis, sexual orientation, transgender/non-binary status, victim of crime status, citizenship/immigration, precise geolocation (1,750 ft), genetic/biometric data, child data (under 13). Opt-in consent required for processing. CRITICAL 2026: Effective January 1, 2026, UNLAWFUL to sell precise geolocation data of ANY consumer. UNLAWFUL to sell data of consumer under 16.
- Consumer rights and response timelines/appeals: Access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + one 45-day extension (with explanation). Appeals: Consumer may appeal denial; controller must respond to appeal within 45 days; must inform consumer of right to contact AG with complaint.
- Opt-out of sale/targeted advertising/profiling requirements: Must provide clear and conspicuous method for opting out. CRITICAL: Must recognize universal opt-out mechanisms (e.g., Global Privacy Control) effective January 1, 2026. Profiling opt-out required for decisions with legal/similarly significant effects.
- Processor/service provider contract requirements (flow-downs, audit rights, deletion/return): Contract required. Must include: processing instructions, nature/purpose, data type, duration, controller/processor rights/obligations, consumer rights assistance, deletion/return at end of services or upon request, processor's obligation to demonstrate compliance.
- Data Protection Assessment / Risk Assessment triggers: Required for processing activities presenting heightened risk of harm: (1) Targeted advertising; (2) Sale of personal data; (3) Processing sensitive data; (4) Profiling if reasonably foreseeable risk of unfair/deceptive treatment, unlawful disparate impact, financial/physical/reputational injury, intrusion on solitude/seclusion, or other substantial injury. CRITICAL: Must retain data protection assessments for AT LEAST 5 YEARS (longer retention than CO's 3 years). Attorney General may request these assessments to evaluate compliance.
- Security measures expectations (reasonable security; specific mandates if any): Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. Document security controls in the data protection assessments.
- Breach notice timeline and content requirements: 45 days max to notify consumers from discovery; 10 days for vendors to notify covered entities; notify AG if 250+ consumers affected. Content: breach description, date, PI types, credit agency contacts, covered entity contact, consumer rights (police report, security freeze), identity theft reporting info. Penalties: up to $1,000 per violation, up to $500,000 for continuing violation.
- Children/minors rules (e.g., COPPA; state-specific if any): Personal data of known children under 13 is sensitive data requiring consent. CRITICAL 2026: Effective January 1, 2026, CANNOT sell data of consumers under 16 years of age. Comply with COPPA for children under 13.
- Non-discrimination/retaliation prohibitions under state law: Controller may not discriminate against consumer for exercising OCPA rights, including denying goods/services, charging different prices/rates, or providing different level/quality. Financial incentives permitted with reasonable relationship to value of consumer's data and opt-in consent after clear disclosure.
- Recordkeeping: ROPA/DPIA retention and appeal tracking: Maintain data protection assessments for AT LEAST 5 YEARS (unique requirement; longer than most states). Maintain documentation of consumer request responses and appeal determinations. Document harm determinations for breach exceptions (5-year retention). CRITICAL: 30-day cure period SUNSETS January 1, 2026; after that date, AG may proceed directly to enforcement without cure notice (at AG's discretion). Attorney General has exclusive enforcement authority; civil penalties up to $7,500 per violation. No private right of action.
10. Approvals and Accountability
- Privacy lead/DPO review: [name/date].
- Security review: [name/date].
- Legal review (state law overlay): [name/date].
- Business owner certification: [name/date].
- Executive approver: [name/title/date].
11. Attachments
- Data flow diagrams/architecture.
- Records of processing activities entry.
- Vendor list and processor agreements.
- Data protection assessments (required for targeted advertising, sales, sensitive data processing, profiling; retain for 5+ years).
- Security practices documentation.
- Sensitive data consent mechanisms.
- Universal opt-out mechanism implementation (required January 1, 2026).
- Documentation of compliance with 2026 prohibitions on selling geolocation data and minors' data.
- State-specific notices/links and breach templates.