Archives

Does the OCPA address the use of “dark patterns”?

Posted in on October 16, 2024

While the OCPA does not include the term “dark patterns” specifically, the OCPA contains numerous requirements regarding the accessibility and clarity of resources provided to consumers by controllers. The use of dark patterns (or deceptive design) may violate these accessibility... View Article

How should my business calculate whether it meets the threshold to qualify under the OCPA when it has a complex hierarchy/ structure?

Posted in on

It depends on several factors specific to your business. For example, some factors to consider include how data flows throughout the organization, including whether different entities utilize or have access to each other’s consumer personal data, and who has decision-making... View Article

The OCPA says my business can use a “commercially reasonable” method to authenticate consumers when they make a rights request. What does that mean?

Posted in on

Your method(s) of authentication should consider a number of factors: which data right a consumer is exercising; the type, sensitivity, value, and volume of personal data involved; the level of possible harm that improper access or use could cause to... View Article

Can the Attorney General give me legal advice about how the privacy law applies to my business?

Posted in on July 1, 2024

No, the Oregon Department of Justice cannot act as your attorney or give you legal advice. If you have questions or comments about the privacy law, you may email oregonprivacy@doj.oregon.gov. We may use your question to expand and/or clarify the... View Article

What level of detail is required in a privacy notice? What information must be included regarding personal data shared with third parties?

Posted in on June 24, 2024

Privacy notices should be written in clear, straightforward language geared towards consumers. ORS 646A.578(4) describes all topics that should be contained in a controller’s privacy notice. If a controller shares personal data with third parties, the privacy notice must list... View Article

What are the penalties for failing to comply with the law?

Posted in on April 11, 2024

Entities or individuals that violate the law may face civil penalties up to $7,500 per violation. In addition to civil penalties, the Attorney General can also seek other relief, including injunctive relief, restitution, and/or disgorgement.

Are controllers provided notice of a violation before enforcement action is taken?

Posted in on

Between July 1, 2024 and January 1, 2026, if the Attorney General determines that a violation can be remedied, the Attorney General must first send a letter giving the violator 30 days to cure, or fix, the violation. If the... View Article

What is the Oregon Attorney General’s role in enforcing this law?

Posted in on

The Attorney General has sole enforcement power under the privacy law.

Can individuals sue entities for violating the privacy law?

Posted in on

No, the privacy law does not include a private right of action.

Does a controller have to accept a privacy rights request made by a consumer’s agent?

Posted in on

A consumer can use an agent to exercise “opt-out” rights. A controller must comply with the opt-out request if the controller can verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on... View Article