In June 2023, the Oregon Legislature passed Senate Bill 619, the Oregon Consumer Privacy Act. The Oregon Consumer Privacy Act, ORS 646A.570-646A.589, was signed into law by Governor Kotek and took effect for most entities on July 1, 2024. The law takes effect for nonprofits on July 1, 2025.
The Oregon Consumer Privacy Act (OCPA) is a comprehensive consumer privacy law. The law gives Oregon consumers specific privacy rights which allow them to manage the collection, retention, and use or sale of their personal and sensitive information. It guarantees Oregonians affirmative rights to manage and safeguard their personal data. The OCPA defines personal and biometric data broadly, protects consumer data rights holistically, and holds nonprofits that have access to that data to high standards.
The Department of Justice has put together Frequently Asked Questions (FAQs) for consumers, businesses, and nonprofits to help prepare for the privacy law’s implementation. This page focuses on FAQs for nonprofits. The requirements for businesses and nonprofits are the same under the OCPA. Therefore, we encourage nonprofit entities to review the Privacy Law FAQs for Business, in addition to these FAQs, which are designed to address nonprofit-specific questions.
Privacy Law FAQs for Nonprofits
When does the law apply to nonprofits?
- While the OCPA went into effect on July 1, 2024, its application to nonprofit entities begins on July 1, 2025, and is not retroactive. In other words, compliance for nonprofits must start with the data, collection practices, and consents that exist as of that date. However, please note that nonprofit entities may still need to conduct Data Protection Assessments for existing data, depending on how sensitive that data is or how it is used. Guidelines for conducting Data Protection Assessments can be found on the main Consumer Privacy page of the Oregon Department of Justice Consumer Protection website.
Does the privacy law apply to all nonprofits?
- No, the OCPA only applies to entities that meet certain thresholds. These thresholds are the same for nonprofits as they are for other kinds of businesses. The law applies to entities that conduct business in Oregon or that provide products or services to Oregon residents if, during a calendar year, the entity controls or processes the personal data of:
- at least 100,000 consumers; or
- 25,000 or more consumers, and it derives over 25% of annual gross revenue from the sale of personal data.
The nonprofit entities that fit that description are generally called “controllers.”
My nonprofit has a complex hierarchy/structure. How do I determine whether it meets the minimum OCPA threshold for consideration?
- It depends on several factors specific to your nonprofit. Relevant factors include how data flows throughout the organization, whether different associated entities utilize or have access to each other’s consumer personal data, and who has decision-making authority over that data. In addition, the management structure of the organization may impact the threshold calculation. For example, if your nonprofit is a national organization with a central office, think about whether your branch or smaller entity transfers personal data about consumers to, or receives it from, that central office.
Keep in mind that the OCPA does not make any distinction based on the source of the data. In other words, the OCPA applies to all consumer personal data, whether it was collected directly from consumers or obtained from sources such as other nonprofits or marketing lists.
Depending on factors specific to your nonprofit entity, the number of consumers whose personal data various related entities control or process may be added together for purposes of determining whether your nonprofit meets the OCPA’s threshold. The DOJ may request additional information or documentation if you claim that your nonprofit does not meet the OCPA thresholds.
How does the law define personal data?
- The privacy law only covers personal data. Personal data is any information that can be linked to an individual, including derived data. Personal data also includes any information that can be linked to an individual’s device or a household device (like a cell phone or a smart appliance).
What is sensitive data and how does it differ from personal data?
- Sensitive data is a narrower subset of personal data and has extra legal protections under the privacy law.
Sensitive data is any personal data revealing an individual’s racial or ethnic background, national origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, citizenship or immigration status, status as transgender or nonbinary, or status as a crime victim; genetic data; or biometric data that could be used to identify an individual; personal data of a child under the age of 13; and information about an individual’s specific past or present location.
Special care must be taken with vulnerable populations. Your nonprofit can maintain deidentified statistics on characteristics such as ethnicity or religion, but that information cannot be tied to an individual without their express consent. For children under 13, parents or guardians must approve any identifiable data collection. Simply talking or interacting with an individual from a vulnerable population doesn’t “create” identifiable data; documenting their name along with their ethnicity, religion, health status, etc. would.
Are there any types of consumer data that do not qualify as personal data?
- Publicly available data and deidentified data are not “personal data” under the law. In other words, those two categories of data are exempt even though they may contain what could otherwise be personal data. Publicly available data is information that is intentionally in the public record (ex: property records, widely distributed in the media, etc.). Deidentified data is data that cannot be linked to an individual.
From the statute:
Deidentified data means data that: “Cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or to a device that identifies, is linked to or is reasonably linkable to a consumer.” ORS 646A.570 (11).
Publicly available data means data that: “Is lawfully available through federal, state or local government records or through widely distributed media; or a controller reasonably has understood to have been lawfully made available to the public by a consumer.” ORS 646A.570 (13)(b)(A).
For example, if a nonprofit entity generated a prospective donor mailing list using property records, that list would not be “personal data” even though it consisted of a person’s name and address. However, combining information from the property records with data about that donor from your internal records (ex: race, gender, health information, etc.) would turn that “bundle” into personal data, since you are mixing public and private data to create an identifiable profile about a person.
In addition, the law does not apply to certain types of personal information maintained in compliance with specific federal privacy laws, such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. A complete list of exclusions can be found at ORS 646A.572(2).
Is consent required to process personal data under the law?
- Yes, for certain types of data and under certain circumstances. Consent is required to collect, store, or otherwise process all categories of “sensitive data,” as defined in the law (see above for more detail about this). If the nonprofit entity is acting as a controller and knows that (or willfully disregards whether) a consumer is at least 13 years old and less than 16 years old, the nonprofit also must obtain consent to process the consumer’s personal data when that processing is for the purposes of sale, targeted advertising, or profiling.
Since the OCPA is not retroactive, consent only needs to be obtained going forward so long as your entity is only maintaining or storing historical data and not processing it in other ways.
In addition, a controller must obtain a consumer’s consent to process personal data for any “secondary purpose” – a purpose that is not reasonably necessary for and compatible with the purposes the controller has specified in its privacy notice. For instance, if a nonprofit’s website states that it collects email addresses only to sign up consumers for a newsletter, the nonprofit cannot use those email addresses to send donor emails or share them with another nonprofit to use for its own purposes.
If a nonprofit entity wants to use previously collected personal data in a different way than what was outlined in the original privacy notice, it may need to get consent for that new usage. The nonprofit also should change its privacy notice so that the use is clearly described. Please note that entities must proactively notify consumers of changes to a privacy notice and, in some cases, obtain their express consent.
How does my nonprofit evaluate what personal data we possess?
- Your nonprofit is responsible for all of the personal data that is in your possession. Make sure to conduct information audits. Check in with different departments to understand how data is entering your nonprofit. Sometimes there are disconnects between departments, such as where one department does not believe that your organization is collecting personal data, but another department has installed cookie tracking on your website, which likely would constitute the collection of personal data.
What obligations do nonprofits have when they are considered controllers under the law?
- Among other obligations, controllers must:
- Provide a privacy notice regarding the types of personal data the controller processes, the specific purpose(s) for processing data, whether and why the controller shares personal data with third parties, and information about how consumers can exercise their various rights (e.g. access, deletion) over their personal data.
- Provide a way for consumers to directly contact the controller about privacy-related issues and rights.
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose(s) for which the data is collected and processed (also known as “data minimization”).
- Respond to requests to exercise consumer rights granted under the law within the 45-day response window.
- Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers (called “Data Protection Assessments”). This includes processing personal data for the purposes of targeted advertising, sale, or profiling, and any processing of sensitive data. There is additional guidance on Data Protection Assessments on the DOJ website. For a more in-depth definition of profiling, see ORS 646A.570.
- Use reasonable safeguards to secure personal data.
What does it mean that controllers must respond to requests to exercise consumer rights? What must nonprofits specifically provide to consumers?
- We use the L.O.C.K.E.D. acronym to explain the specific consumer privacy rights. Consumers can get a List of the specific third parties that received their personal data, or any personal data, from a business. Consumers can Opt-out (say “no”) of a business selling their personal data, or using it for profiling or targeted advertising. Consumers can get a Copy of the personal and sensitive data a business has about them. Consumers can Know what personal data a business has collected about them. Consumers can Edit any inaccuracies in the data about them. Finally, consumers can ask the controller to Delete personal and sensitive information businesses have about them.
There are exemptions to these rights in the statute. Make sure your nonprofit does a close reading of the law to fully understand any exemptions.
What is a “sale” of personal data?
- A “sale” is the exchange of personal data for monetary or other valuable consideration between a controller and a third party. “Valuable consideration” is not limited to money. This could include a nonprofit exchanging donor lists with a separate nonprofit entity. There are some exceptions to the definition of “sale” stated in the law. Those exceptions can be found at ORS 646A.570(17)(b).
How is my nonprofit supposed to intake privacy requests from consumers?
- Your nonprofit must provide a way for consumers to request their L.O.C.K.E.D. rights. Some entities use a monitored email address. Some use a webform. Any mechanism that your nonprofit implements must be clearly available to consumers, and it must be functional and monitored, meaning that it is actively checked on a regular basis.
Does my nonprofit really need to delete a consumer’s personal data when requested?
- Yes. You must develop a system to delete a consumer’s personal data within 45 days of receiving their deletion request, unless an exemption applies.
The OCPA says my nonprofit can use a “commercially reasonable” method to authenticate consumers when they make a rights request. What does that mean?
- Authentication ensures that the individual making the privacy rights request is the person they say they are. Most companies use existing information they have about consumers to authenticate their identity. This is important, because bad actors may try to use the OCPA to request copies of people’s personal data for purposes such as identity theft.
Your method(s) of authentication should consider the following factors: which privacy right a consumer is exercising; the type, sensitivity, value, and volume of personal data involved; the level of possible harm that improper access or use could cause to the consumer; and the cost of authentication to your nonprofit. You must avoid methods that place an unreasonable burden on the consumer submitting a privacy rights request (for example, requiring a copy of their driver’s license when they are only requesting to opt out of targeted advertising).
For instance, it should be easy to authenticate a consumer for a deletion request, because the likelihood of harm to a consumer from an improper deletion request is relatively low. In contrast, requests for a copy of personal or sensitive data should be subject to a more rigorous authentication process, given the higher potential for harm to a consumer if your nonprofit gave a copy of the consumer’s data to an unauthorized person.
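The following is an added example, not code or guidance from the Oregon DOJ, of how a nonprofit might encode the factors above in a request-intake system: the required authentication tier depends on the right being exercised and on whether sensitive data is involved, and verification relies only on information the controller already holds (the email address on file, plus a postal code on file for the strictest tier). The tier assignments, the 15-minute token lifetime, and the choice of postal code as a second factor are hypothetical policy choices for illustration; the donor record is constructed sample data.

```python
"""Risk-tiered authentication for consumer privacy-rights requests.

Added example; not Oregon DOJ code. Tiers, request categories, and the
second-factor detail are hypothetical choices made for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class Right(Enum):
    """The L.O.C.K.E.D. rights a consumer may exercise."""
    LIST = "list"
    OPT_OUT = "opt_out"
    COPY = "copy"
    KNOW = "know"
    EDIT = "edit"
    DELETE = "delete"


class Tier(Enum):
    NONE = 0   # act on the request without an identity check
    LOW = 1    # prove control of the contact address already on file
    HIGH = 2   # LOW plus a second detail the controller already holds


def required_tier(right: Right, sensitive: bool) -> Tier:
    """Map the right exercised and data sensitivity to an authentication tier.

    Hypothetical policy: a copy request is the highest-harm case if it is
    misdirected, so it always gets the strictest tier; an opt-out or deletion
    is low-harm, so it must not carry a heavy burden on the consumer.
    """
    if right is Right.OPT_OUT:
        return Tier.NONE
    if right is Right.COPY:
        return Tier.HIGH
    if right is Right.DELETE:
        return Tier.LOW
    return Tier.HIGH if sensitive else Tier.LOW


@dataclass
class Challenge:
    token_hash: str      # only a hash of the token is stored server-side
    right: Right         # the challenge is bound to one specific request
    expires_at: float


class Authenticator:
    """Verifies requesters using only information the controller already has."""

    TTL_SECONDS = 15 * 60

    def __init__(self, on_file: Dict[str, Dict[str, str]],
                 clock: Callable[[], float] = time.time):
        self.on_file = on_file          # email -> {"postal_code": ...} (constructed records)
        self.clock = clock
        self.pending: Dict[str, Challenge] = {}

    def issue_challenge(self, email: str, right: Right) -> Optional[str]:
        """Create a one-time token to be sent to the email on file.

        Returns None for an unknown address so the caller sends nothing and
        does not reveal whether the address is known to the requester.
        """
        if email not in self.on_file:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[email] = Challenge(
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            right=right,
            expires_at=self.clock() + self.TTL_SECONDS,
        )
        return token

    def _redeem(self, email: str, right: Right, token: str) -> bool:
        """Consume the pending challenge; it is single-use even if the check fails."""
        ch = self.pending.pop(email, None)
        if ch is None or ch.right is not right or self.clock() > ch.expires_at:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(ch.token_hash, presented)

    def authenticate(self, email: str, right: Right, sensitive: bool,
                     token: Optional[str] = None,
                     postal_code: Optional[str] = None) -> bool:
        """Return True when the requester has met the tier required for this request."""
        tier = required_tier(right, sensitive)
        if tier is Tier.NONE:
            return True
        if not self._redeem(email, right, token or ""):
            return False
        if tier is Tier.LOW:
            return True
        expected = self.on_file[email].get("postal_code", "")
        return hmac.compare_digest(expected, postal_code or "")


if __name__ == "__main__":
    auth = Authenticator({"donor@example.org": {"postal_code": "97301"}})
    tok = auth.issue_challenge("donor@example.org", Right.COPY)
    print(auth.authenticate("donor@example.org", Right.COPY, False,
                            token=tok, postal_code="97301"))
```

In practice the token would be emailed as a link and the postal code collected on the confirmation page; the point of the design is that the heavier check is applied only where the page says harm is higher (a copy request or sensitive data), while an opt-out is honored without any burden on the consumer.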
Can my nonprofit entity continue to use passive mailings?
- For the most part, yes. Consider how much personal data is used/collected for these mailings. If your nonprofit is unsure about OCPA compliance with passive mailings, consider offering an opt-out (or unsubscribe) option to maintain compliance.
Can we use generative Artificial Intelligence in our nonprofit?
- The Oregon DOJ has published guidance cautioning entities on their use of generative AI, specifically in the context of the OCPA. The OCPA section begins on page four of the guidance document, which is linked from the press release “DOJ Issues Guidance on AI for Oregon Businesses.”
Can the Attorney General give me legal advice about how the privacy law applies to my nonprofit?
- No, the Oregon Department of Justice cannot act as your attorney or give you legal advice. If you have questions or comments about the privacy law, you may email oregonprivacy@doj.oregon.gov. We may use your question to expand and/or clarify the list of frequently asked questions (FAQs) on our website to address common concerns of consumers, businesses, and nonprofits.
Are nonprofit entities provided notice of a violation before enforcement action is taken?
- Until January 1, 2026, if the Attorney General determines that a violation of the privacy law has occurred but can be fixed, the Attorney General must first send a letter giving the violator 30 days to cure, or fix, the violation. If the Attorney General determines that no fix is possible for the violation, no such letter is required. After January 1, 2026, the Attorney General is not required to send a cure notice under any circumstances and can proceed directly to enforcement action.
Disclaimer: These FAQs address select provisions of the OCPA and do not cover all potentially applicable laws or enforcement circumstances; case-by-case enforcement determinations will be made by the Antitrust, False Claims, & Privacy Section. FAQs do not implement, interpret, or make specific the law enforced or administered by the Oregon Department of Justice, establish substantive policy or rights, constitute legal advice, or reflect the views of the Attorney General.
FAQs do not provide any options for alternative relief or safe harbor from potential violations. The statute controls in the event of any conflicting interpretation. These FAQs are hypothetical examples of how a nonprofit might review its practices. Nonprofits should consult the statute and/or an attorney before taking any action to ensure compliance with the law.