OREGON CONSUMER PRIVACY ACT (OCPA) PRIVACY NOTICE

Effective Date: [DATE]
Last Updated: [DATE]

NOTICE TO OREGON RESIDENTS

This Privacy Notice is provided pursuant to the Oregon Consumer Privacy Act, codified at Oregon Revised Statutes (ORS) Section 646A.570-646A.589, which became effective July 1, 2024, with significant amendments effective January 1, 2026.

1. SCOPE AND APPLICABILITY

1.1 Who This Notice Applies To

This Notice applies to Oregon residents acting in an individual or household context ("consumers"). It does not apply to individuals acting in a commercial or employment context.

1.2 Applicability Thresholds

Pursuant to ORS Section 646A.572(1), this Notice applies because [COMPANY NAME]:

☐ Conducts business in Oregon or provides products or services to Oregon residents

AND during a calendar year:

☐ Controls or processes personal data of 100,000 or more Oregon consumers (excluding data processed solely for payment transactions)

☐ Controls or processes personal data of 25,000 or more Oregon consumers AND derives 25% or more of annual gross revenue from selling personal data

1.3 Vehicle Manufacturer Coverage (HB 3875 - Effective September 2025)

Pursuant to HB 3875, the OCPA applies to all vehicle manufacturers regardless of thresholds if they collect personal data from Oregon consumers.

1.4 Exemptions

Pursuant to ORS Section 646A.572(2), the following are exempt:

• Government bodies
• Financial institutions subject to GLBA
• Covered entities and business associates under HIPAA
• Nonprofit organizations
• Data regulated by specific federal laws (GLBA, HIPAA, FCRA, FERPA, COPPA, DPPA)

Note: Unlike many other state privacy laws, Oregon does NOT exempt higher education institutions.

2. DEFINITIONS

Pursuant to ORS Section 646A.570:

"Personal Data" means information that is linked or reasonably linkable to a consumer or to a device that identifies, is linked to, or is reasonably linkable to one or more consumers in a household.

"Sensitive Data" means personal data that:
- Reveals racial or ethnic origin, religious beliefs, national origin, or mental or physical health condition
- Is processed for identifying sexual orientation
- Reveals status as transgender or nonbinary
- Is genetic or biometric data processed for identification purposes
- Is collected from a known child
- Constitutes precise geolocation data

"Sale" means the exchange of personal data for monetary or other valuable consideration.

"Targeted Advertising" means displaying advertisements based on personal data obtained from consumer's activities over time and across nonaffiliated websites or applications.

"Profiling" means any form of automated processing to evaluate, analyze, or predict aspects concerning a natural person's performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

3. CATEGORIES OF PERSONAL DATA PROCESSED

Pursuant to ORS Section 646A.578(1)(a)(A), we process the following categories of personal data:

3.1 General Personal Data

3.2 Sensitive Data

Pursuant to ORS Section 646A.578(4), we collect sensitive data only with your consent:

4. PURPOSES OF PROCESSING

Pursuant to ORS Section 646A.578(1)(a)(B), we process personal data for:

☐ Providing and maintaining our services

☐ Processing transactions and orders

☐ Communicating with you about your account

☐ Customer support and inquiries

☐ Security and fraud prevention

☐ Legal compliance

☐ Research and analytics

☐ Marketing and promotional communications

☐ Personalization of services

☐ Targeted advertising (subject to opt-out)

☐ [ADDITIONAL PURPOSES]

5. SALE OF PERSONAL DATA AND TARGETED ADVERTISING

5.1 Sale of Personal Data

Pursuant to ORS Section 646A.574(1)(d):

☐ We sell personal data

☐ We do not sell personal data

Categories of Data Sold:

5.2 Targeted Advertising

Pursuant to ORS Section 646A.574(1)(c):

☐ We process personal data for targeted advertising

☐ We do not process personal data for targeted advertising

5.3 Profiling

Pursuant to ORS Section 646A.574(1)(e):

☐ We engage in profiling that presents reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, intrusion on privacy, or other substantial injury

☐ We do not engage in such profiling

5.4 Prohibition on Sale of Precise Geolocation Data (Effective January 1, 2026)

Pursuant to HB 2008, effective January 1, 2026:

☐ We do NOT sell precise geolocation data (past or present location) of any consumer, regardless of age

6. THIRD-PARTY DISCLOSURES

Pursuant to ORS Section 646A.578(1)(a)(C-D), we share personal data with:

7. YOUR OREGON PRIVACY RIGHTS

Pursuant to ORS Section 646A.574, Oregon consumers have the following rights:

7.1 Right to Know/Access (Section 646A.574(1)(a))

You have the right to confirm whether we are processing your personal data and to access such data.

7.2 Right to Correct (Section 646A.574(1)(b))

You have the right to correct inaccuracies in your personal data.

7.3 Right to Delete (Section 646A.574(1)(f))

You have the right to delete personal data provided by or obtained about you.

7.4 Right to Data Portability (Section 646A.574(1)(g))

You have the right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format.

7.5 Right to List of Third Parties (Oregon-Specific)

You have the right to obtain a list of the specific third parties, other than natural persons, to whom we have disclosed your personal data or any consumer's personal data.

7.6 Right to Opt Out (Section 646A.574(1)(c-e))

You have the right to opt out of:
- Targeted advertising
- Sale of personal data
- Profiling in furtherance of decisions that produce legal or similarly significant effects

8. EXERCISING YOUR RIGHTS

8.1 How to Submit a Request

Methods to Submit Requests:

☐ Online Portal: [URL]

☐ Email: [PRIVACY EMAIL]

☐ Phone: [PHONE NUMBER]

☐ Mail: [MAILING ADDRESS]

8.2 Identity Verification

We will authenticate your identity before fulfilling your request. If we cannot authenticate your identity, we will request additional information.

8.3 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. We may require:

• Written authorization signed by you
• Verification of your identity
• Verification of the agent's authority

8.4 Response Timeline

Pursuant to ORS Section 646A.574(2)(b):

• Initial Response: Within 45 days of receipt
• Extension: May extend by an additional 45 days when reasonably necessary
• Notification: We will inform you of any extension and the reason

8.5 No Fee

We provide responses free of charge. We may charge a reasonable fee or decline to act on requests that are manifestly unfounded or excessive.

9. UNIVERSAL OPT-OUT MECHANISMS (EFFECTIVE JANUARY 1, 2026)

9.1 Recognition of Opt-Out Preference Signals

Pursuant to ORS Section 646A.574 and HB 2008, effective January 1, 2026, we are required to recognize and process universal opt-out mechanisms including:

☐ Global Privacy Control (GPC)

☐ Other Universal Opt-Out Mechanisms: [SPECIFY]

9.2 How Universal Opt-Out Requests Are Processed

When we receive a universal opt-out signal, we will:

• Process it as a valid opt-out request for targeted advertising and sale of personal data
• Apply the opt-out to the browser or device from which the signal was sent
• Not require you to verify your identity for opt-out requests

9.3 Opt-Out Link

"Your Privacy Choices" Link: [URL]

10. RIGHT TO APPEAL

10.1 Appeal Process

Pursuant to ORS Section 646A.574(2)(d), if we decline your request, you have the right to appeal.

To Submit an Appeal:

☐ Email: [APPEAL EMAIL]

☐ Online Form: [URL]

☐ Mail: [ADDRESS]

10.2 Appeal Response

• We will respond to your appeal within 45 days
• If we deny your appeal, we will provide a method to contact the Oregon Attorney General

10.3 Contact the Attorney General

Oregon Department of Justice
Consumer Protection Section
1162 Court Street NE
Salem, OR 97301-4096
Phone: (877) 877-9392
Website: www.doj.state.or.us/consumer-protection

11. CURE PERIOD

11.1 Before January 1, 2026

We may receive a 30-day notice and opportunity to cure alleged violations.

11.2 After January 1, 2026

Pursuant to HB 2008, effective January 1, 2026:
- The mandatory cure period has ended
- The Attorney General may proceed directly to enforcement action at their discretion
- No cure period is required

12. CHILDREN'S DATA PROTECTIONS (EFFECTIVE JANUARY 1, 2026)

12.1 Prohibition on Sale of Minor Data

Pursuant to HB 2008, effective January 1, 2026:

☐ We do NOT sell personal data of consumers under 16 years of age

12.2 Children Under 13

We comply with COPPA and obtain verifiable parental consent before collecting personal data from children under 13.

12.3 Minors 13-15

We obtain consent from a parent or guardian before:
- Selling personal data
- Processing personal data for targeted advertising

13. DATA PROTECTION ASSESSMENTS

Pursuant to ORS Section 646A.580, we conduct data protection assessments for processing activities that present heightened risk of harm, including:

☐ Processing for targeted advertising

☐ Sale of personal data

☐ Processing for profiling with reasonably foreseeable risk

☐ Processing sensitive data

☐ Any processing presenting heightened risk of harm

14. DATA MINIMIZATION AND PURPOSE LIMITATION

14.1 Data Minimization

Pursuant to ORS Section 646A.578(2), we limit collection to what is adequate, relevant, and reasonably necessary for the specified purposes.

14.2 Purpose Limitation

Pursuant to ORS Section 646A.578(3), we do not process personal data for purposes incompatible with the disclosed purposes without obtaining your consent.

15. DATA SECURITY

Pursuant to ORS Section 646A.578(1)(b), we maintain reasonable administrative, technical, and physical data security practices appropriate to:

• The volume and nature of personal data
• The purposes for which we process personal data

Our security measures include:

☐ Encryption of data in transit and at rest

☐ Access controls and authentication

☐ Regular security assessments

☐ Employee training

☐ Incident response procedures

☐ Vendor security requirements

16. DATA RETENTION

We retain personal data only as long as reasonably necessary for the purposes disclosed:

17. CONTROLLER AND PROCESSOR RELATIONSHIPS

17.1 Controller Information

[COMPANY NAME] is the controller of personal data processed under this Notice.

Controller Contact:
[ADDRESS]
[EMAIL]
[PHONE]

17.2 Processor Contracts

Pursuant to ORS Section 646A.582, our contracts with processors include:

• Clear processing instructions
• Nature and purpose of processing
• Type of data processed
• Duration of processing
• Rights and obligations of both parties
• Confidentiality requirements
• Subprocessor restrictions
• Audit rights

18. ENFORCEMENT

18.1 Attorney General Enforcement

The Oregon Attorney General has exclusive enforcement authority. Entities may face civil penalties up to $7,500 per violation.

18.2 No Private Right of Action

Pursuant to ORS Section 646A.586, the OCPA does not create a private right of action.

19. CONTACT INFORMATION

Privacy Inquiries:

Name: [PRIVACY OFFICER NAME]
Title: [TITLE]
Email: [EMAIL]
Phone: [PHONE]
Address: [ADDRESS]

Consumer Rights Requests:

Email: [EMAIL]
Online: [URL]
Phone: [PHONE]

20. CHANGES TO THIS NOTICE

We may update this Notice to reflect changes in our practices or legal requirements. We will notify you of material changes:

☐ By posting an updated Notice on our website

☐ By email notification

☐ By notice within our application

DOCUMENT CONTROL

Legal Review: ☐ Completed Date: _________ Reviewer: _________

Next Review Date: _____________

This Notice is provided for informational purposes and compliance with the Oregon Consumer Privacy Act. It does not constitute legal advice. Consult with qualified legal counsel for specific compliance questions.