Scope and applicability
The Act applies to any business (not-for-profit businesses are excluded until July 1, 2025) that does business in Oregon and controls or processes the personal information of (i) at least 100,000 Oregon residents or (ii) at least 25,000 Oregon residents while deriving at least 25% of its revenue from the sale of personal information. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
The Act does not include entity-level exemptions for organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). However, it does contain data-level exemptions for these organizations, as well as other data-level exemptions for certain research and credit reporting purposes as required or allowed by applicable laws.