Oregon Strengthens Consumer Data Protections with New Privacy Law Amendments

Oregon Governor Tina Kotek enacted House Bill 2008 (HB 2008), significantly amending the Oregon Consumer Privacy Act (OCPA). Effective January 1, 2026, these changes introduce robust safeguards for children’s personal data and precise geolocation information, setting a high bar for privacy protections in the state. The amendments impose strict prohibitions and new obligations that businesses must address to ensure compliance.

According to a panel during the IAPP’s Global Privacy Summit in DC earlier this year the regulators in Oregon confirmed that they are ramping up their enforcement actions and want to see specific supplement for Oregon residents vs most companies only mentioning California in their privacy notices. Luckily Captain Compliance has an automated privacy solution for this and to help with Oregons child privacy laws that go live next year.

Enhanced Protections for Children’s Data

The amended OCPA prioritizes the privacy of minors under 16 by introducing stringent rules for handling their personal data:

• Absolute Ban on Data Sales: Businesses are prohibited from selling personal data of consumers under 16 if they have actual knowledge of the consumer’s age or willfully disregard it. Unlike other privacy frameworks, this prohibition applies regardless of whether consent is obtained from the minor or their guardian.
• COPPA Alignment: Any processing of sensitive children’s data must adhere to the federal Children’s Online Privacy Protection Act (COPPA), ensuring consistency with national standards.

These restrictions aim to shield young consumers from exploitative data practices, placing Oregon among the forefront of states prioritizing minors’ privacy.

Restrictions on Precise Geolocation Data

The amendments also impose a groundbreaking ban on the sale of precise geolocation data, defined as data pinpointing a consumer’s or device’s location within a 1,750-foot radius, whether past or present:

• No Consent Exceptions: The sale of such data for monetary or other valuable consideration is prohibited, even if the consumer consents. This directly impacts industries reliant on location-based advertising and data-sharing ecosystems.
• Limited Exemptions: Certain data types, such as communication contents or utilities-related data, are exempt, but the scope of the ban remains broad, affecting most commercial geolocation practices.

This move underscores Oregon’s commitment to curbing the unchecked commodification of location data, a growing concern in the digital economy.

Broader Obligations for Data Controllers

Beyond specific protections, HB 2008 strengthens general data handling requirements for businesses operating as data controllers in Oregon:

• Purpose Limitation: Businesses must clearly state the purposes for collecting personal data in their privacy notices and limit collection to what is necessary and relevant.
• Consumer Control: Consumers gain enhanced rights to revoke consent, with businesses required to halt data processing within 15 days of an opt-out request.
• Accessible Opt-Out Systems: User-friendly mechanisms must be provided for opting out of data sales, targeted advertising, and profiling with significant legal or similar impacts.
• Transparent Privacy Notices: Notices must detail data categories collected, processing purposes, consumer rights, third-party data sharing, and contact information.
• Non-Discrimination: Businesses cannot penalize consumers for exercising their rights, though they may offer incentives, such as loyalty programs, to encourage voluntary data sharing.

These requirements aim to empower consumers while fostering transparency and accountability in data practices.

Action Plan for Businesses

To comply with the new OCPA amendments, businesses should take proactive steps before the January 1, 2026, deadline:

1. Conduct a Data Audit: Map all personal data collected, focusing on data from minors under 16 and precise geolocation information. Data mapping and data classification are going to become a routine need for businesses operating and marketing to Oregon consumers.
2. Update Privacy Policies: Revise notices to reflect the new requirements, ensuring clear disclosures about data practices and consumer rights.
3. Implement Technical Safeguards: Establish controls to prevent unauthorized data sales, including age verification processes to avoid “willful disregard” of consumer age.
4. Streamline Consent Management: Develop or refine opt-out and consent revocation systems to meet the 15-day processing requirement.
5. Train Employees: Educate teams in marketing, IT, and data analytics on the updated legal obligations and internal compliance procedures.
6. Review Vendor Agreements: Ensure third-party contracts align with the new restrictions, particularly for location-based advertising and data-sharing arrangements.

Setting a New Standard in Privacy Rights

Oregon’s amendments to the OCPA mark a bold step in consumer data protection, surpassing many state laws by eliminating consent as a basis for certain data sales. By prioritizing the privacy of minors and restricting the commercial use of geolocation data, Oregon is redefining expectations for data-driven businesses. Companies operating in the state must take action now in order to align their practices with these stringent requirements, ensuring compliance by the 2026 effective date otherwise be prepared to hear from the Oregon regulators.