As Oregon’s data privacy landscape continues to evolve, nonprofits must take note: the Oregon Consumer Privacy Act (OCPA) will apply to nonprofit organizations beginning on July 1, 2025. The grace period granted to nonprofits is set to sunset, meaning organizations must be fully compliant by this date to avoid penalties.
What Does This Mean for Nonprofits? The OCPA grants Oregon consumers several rights over their personal data, and nonprofits that conduct business in Oregon (or that provide products or services to Oregon residents) and meet certain thresholds must be prepared to honor them. These rights include:
- The right to access, correct, and delete personal data.
- The right to opt out of targeted advertising and the sale of personal data.
- The right to obtain a portable copy of personal data.
For nonprofits controlling or processing data of 100,000 or more consumers annually (excluding data used solely for payment transactions) or those controlling or processing data of 25,000 or more consumers and deriving over 25% of revenue from selling personal data, compliance will be mandatory on July 1, 2025. In preparation, organizations must ensure they have implemented all required measures, including updating privacy policies, strengthening data security, and responding to consumer requests in a timely manner.
Action Items for Nonprofits. To ensure compliance, nonprofit organizations should:
- Review Data Collection Practices: Understand what personal data is being collected, why it is collected or retained, and how it is used.
- Update Privacy Policies: Ensure policies reflect consumer rights under the OCPA.
- Develop Response Procedures: Establish clear protocols for responding to consumer requests.
- Implement Security Measures: Strengthen data protection to safeguard consumer information.
The OCPA is part of a national shift toward greater consumer data protection and, in Oregon, nonprofits are not exempt from these evolving legal obligations. With enforcement set to begin on July 1, 2025, nonprofits that fail to comply risk civil penalties of up to $7,500 per violation and reputational harm. Now is the time to assess your organization’s data practices and ensure you are fully prepared.
