Privacy Policy
(Oregon Consumer Privacy Act (OCPA) Compliant)

Summary

This template is an external, customer-facing data privacy policy intended for entities covered by the disclosure and transparency requirements of the Oregon Consumer Privacy Act (OCPA), ORS § 646A.570 to ORS § 646A.589, effective on July 1, 2024. This template includes practical guidance, drafting notes, and optional clauses. The purpose of the privacy policy is to provide consumers with a comprehensive description of a business's personal information practices, to inform consumers about their personal information rights, and to provide necessary information required to exercise their OCPA rights. Privacy policies can vary depending on the jurisdiction covered and unique factors such as the nature of the data collected, industry-specific regulatory obligations, and specific protections for certain classes of consumers. As such, privacy policies should be carefully tailored to address the specific business needs of your organization and its likely audiences. Prior to drafting a privacy policy, an organization should engage in a comprehensive data mapping process. You should identify the: • Categories of personal information collected, including sensitive personal information • Purposes for which the personal data is collected • Sources and methods of personal data collection • Affiliates or third parties to whom the personal information is disclosed or shared • Where and how long personal data is stored • How personal data will be processed –and– • Personal data the organization shares with third parties The organization will also need to know the location and accessibility of consumer information to comply with individual requests to exercise their rights under the OCPA. The OCPA requires a reasonably accessible, clear, and meaningful privacy policy that includes: • The categories of personal data, including sensitive data, processed by the controller • The purposes for processing the personal data • How consumers may exercise their OCPA rights, including how to appeal a controller's decision regarding the consumer's request • The categories of personal data, including sensitive data, that the controller shares with third parties • A description of all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data • An electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors • Identification of the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in Oregon • A clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing -and- • A description of the method or methods the controller has established for a consumer to submit a request under ORS § 646A.574(1). ORS § 646A.578(4). While this template includes the statutory requirements, you should include specific and easily understandable descriptions that apply to your company's privacy practices. For more guidance on Oregon privacy laws, see Data Privacy and Cybersecurity State Law Compliance Resource Kit (OR). For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy. For general information on drafting a privacy policy see Privacy Policies: Drafting a Policy and Privacy Policy Checklist. For guidance on complying with the OCPA, see Consumer Data Privacy (OR). To compare state privacy laws, see the Consumer Data Privacy topic in the Data Security & Privacy State Law Comparison Tool. For more on privacy policy fundamentals, see Privacy Policy Fundamentals: Preliminary Considerations for Drafting a Privacy Notice Video and Privacy Policy Fundamentals: The Notice Requirement Video.