Oregon Consumer Privacy Act

What is OCPA?


OCPA is Oregon’s first ever consumer privacy act. It aims to protect the data privacy of consumers residents. However, it does not apply to all businesses, only to those that do business in Oregon and either:

  • Control or process the personal data of at least 25,000 unique Oregon consumers, excluding data solely for payment transactions or

  • Control or process data of at least 10,000 unique Oregon consumers and derive more than 25% of gross revenue from selling personal data.

Under OCPA, Oregon consumers have the following rights:

  • Right to know about processing activities.
  • Right to access and correct personal data.
  • Right to opt out of the sale of personal data.
  • Right to opt out of targeted advertising.
  • Right to correction of data.
  • Right to deletion of personal data under certain circumstances.

Businesses that meet the threshold for applicability must:

  • Implement reasonable security measures to protect personal data.
  • Conduct data protection assessments for high-risk processing activities.
  • Obtain informed consent for collecting and using sensitive data.
  • Respond to consumer requests within a reasonable timeframe.
  • Disclose data collection and processing practices in a clear and accessible privacy notice.
  • Disclose, to the extent possible, how third parties process personal data shared with them.

MergeBase and OCPA


Although the OCPA does not apply to MergeBase, our data protection and security practices already exceed the requirements outlined in this legislation. Thus, if the law were to apply to us, we can easily achieve compliance.


How Can MergeBase Help You Comply with the OCPA?


Determining the optimal safeguards for your data security is complex. We advise you to strive for the highest standards and stand ready to assist you in achieving compliance.

How MergeBase can contribute:

  • Proactive identification — MergeBase helps identify vulnerabilities in open-source components used within applications processing personal data. These vulnerabilities can be exploited for unauthorized access, violating the security requirements.

  • Prioritization — MergeBase prioritizes vulnerabilities based on severity and exploitability, allowing companies to focus on patching critical ones first, addressing high-risk security gaps faster.

  • Integration with patch management tools — MergeBase reports can be integrated with patch management tools for faster patching, reducing the window of vulnerability for personal data.

  • Ongoing vulnerability scanning — MergeBase’s ongoing monitoring helps companies stay ahead of potential threats and address them promptly, contributing to continuous data security efforts.

  • Auditability — Vulnerability logs and reports provided by MergeBase demonstrate active security monitoring and risk management, potentially helping demonstrate compliance with the data security measures requirement.

  • Reduced attack surface — MergeBase’s focus on open-source components helps minimize the attack surface for applications handling personal data.

  • Improved accountability — Vulnerability reports and logs serve as documentation of ongoing security efforts, potentially supporting accountability under the law.

  • Streamlined processes — Automating vulnerability scanning and prioritization saves time and resources, allowing companies to allocate more effort toward broader data security practices.