
Oregon (OCPA) Privacy Law Compliance

The Oregon Consumer Privacy Act (effective July 1, 2024) follows the Virginia template but adds a distinctive right: consumers can obtain a list of the specific third parties (not just categories) to whom the controller has disclosed personal data. Non-profits got an extra year (effective July 1, 2025), but Oregon has no broad non-profit exemption of the kind other states provide.

Statute: Oregon Consumer Privacy Act, Or. Rev. Stat. §646A.570 et seq.
Effective: Jul 1, 2024 (non-profits: Jul 1, 2025)
Enforcer: Oregon Attorney General (exclusive)
Consumer rights: 9
Business obligations: 9

Who must comply

Exemptions

Consumer rights (9)

Right to access / know
Confirm whether personal data is processed and obtain a copy in a portable format
Right to correct
Correct inaccurate personal data
Right to delete
Request deletion of personal data the controller has collected
Right to data portability
Receive data in a portable, machine-readable format
Right to opt out of sale
Opt out of the sale of personal data to third parties
Right to opt out of targeted advertising
Opt out of cross-context behavioural advertising
Right to opt out of profiling with legal effect
Opt out of automated decisions producing legal or similarly significant effects
Right to appeal
Appeal a controller's refusal to honour a rights request (typically 45–60 days)
Right to know specific third parties
Receive a list of the SPECIFIC third parties (not just categories) to whom the controller has disclosed personal data

Business obligations (9)

Public privacy notice
Clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel
Rights response within 45 days
Respond to consumer rights requests within 45 days (extendable by 45 more with notice)
Data processing agreements
Written contracts with processors restricting their processing to the controller's documented instructions
Data protection assessments
Document risk assessment for targeted advertising, sale, profiling, sensitive data processing
Honour universal opt-out signals (GPC)
Recognise the Global Privacy Control browser signal as a valid opt-out (where required)
Reasonable security practices
Administrative, technical, physical safeguards appropriate to the data's sensitivity
Data minimisation + purpose limitation
Collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes
Children & teen consent
Opt-in consent before selling or sharing data of minors (age threshold varies 13–16)
Opt-in for sensitive data
Affirmative consent before processing sensitive data

Required privacy notice elements

  1. Categories of personal data processed (including, on request, the SPECIFIC third parties)
  2. Purpose of processing
  3. Active method to submit rights requests + appeal process
  4. Categories of personal data sold or processed for targeted advertising
  5. Opt-out instructions
  6. Statement of UOOM recognition

Penalties

Civil penalty per violation: Up to $7,500 (Or. Rev. Stat. §646A.604)
30-day cure period: Sunset Jan 1, 2026 (cure now discretionary)
Injunctive relief + restitution: Available (AG enforcement)

Common compliance pitfalls

Inability to disclose specific third parties on request
Oregon's right to know SPECIFIC third parties (not just categories) is unique. Controllers must build the inventory + retrieval workflow — categorisation alone fails.
Assuming non-profit exemption
Most states fully exempt non-profits. Oregon does NOT: non-profits became subject to OCPA on July 1, 2025. Non-profit healthcare and education-adjacent organisations must comply.
Cure sunset
The 30-day cure window sunset on January 1, 2026. The AG may pursue penalties immediately.

FAQ

What's the specific-third-party right?
Oregon consumers can request not just categories of third parties (like every other state) but the specific names. Build a data-sharing inventory now; if you discover the request workflow on the day of the first request, you'll fail to respond within 45 days.
Does OCPA apply to non-profits?
Yes. Oregon is unusual in NOT broadly exempting non-profits — they became subject July 1, 2025 (one year after for-profits). Religious organisations are partially exempt.
Does Oregon honour GPC?
Yes, since the July 1, 2024 effective date. UOOM honouring is built into OCPA from day one (unlike Colorado and Connecticut, which phased it in).

Related state laws

California (CA)
CCPA/CPRA
Texas (TX)
TDPSA
Colorado (CO)
CPA
