Oregon Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Oregon takes a layered approach to biometric privacy that sets it apart from most states. Rather than relying on a single law, the state combines comprehensive consumer privacy protections under the OCPA with one of the strongest municipal facial recognition bans in the country through Portland's City Code.
The OCPA is notable for its broader-than-average biometric data definition and a unique consumer right that no other state privacy law provides: the ability to demand a list of the specific third parties that received your personal data. Combined with Portland's outright ban on private-sector facial recognition in public spaces, Oregon offers residents some of the most robust biometric protections available outside of Illinois's BIPA.
For an overview of Oregon's broader privacy framework, see the parent guide to [Oregon Data Privacy Laws](/us-laws/data-privacy-laws/oregon-data-privacy-laws).
How Oregon Defines Biometric Data
The OCPA defines biometric data as personal data generated by automatic measurements of a consumer's biological characteristics. The statute specifically lists these identifiers under ORS 646A.570:
- Fingerprints
- Voiceprints
- Retinal patterns
- Iris patterns
- Gait
- Other unique biological characteristics that allow or confirm the unique identification of the consumer
This definition is broader than what many other states use. The inclusion of gait as a named biometric identifier is uncommon. Most state privacy laws limit their lists to fingerprints, voiceprints, and eye scans.
Oregon also draws a clear line around what is not biometric data. Data generated from a photograph, audio recording, or video recording does not qualify unless that data was specifically generated or used to identify a particular consumer. Facial mapping and facial geometry are similarly excluded unless used to identify a specific individual.
These carve-outs mean that a business taking security camera footage in Oregon is not automatically handling biometric data. However, the moment that footage gets fed into a system that extracts facial geometry to identify specific people, it crosses into regulated territory.
Biometric Data as Sensitive Data Under the OCPA
The OCPA places biometric data in its highest protection category: sensitive data. This classification triggers several additional requirements that do not apply to ordinary personal data.
Other categories of sensitive data under the OCPA include:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sexual orientation
- Status as transgender or nonbinary
- Status as a victim of crime
- Citizenship or immigration status
- Genetic data
- Precise geolocation data
- Personal data of a known child under 13
Oregon's sensitive data list is more expansive than most states. It is one of the few state privacy laws that includes transgender or nonbinary status and crime victim status alongside biometric and genetic data.

Opt-In Consent Requirement
Before processing any sensitive data, including biometric identifiers, a business must obtain the consumer's affirmative opt-in consent. This requirement applies under ORS 646A.572.
Consent must be freely given, specific, informed, and unambiguous. A pre-checked box buried in a lengthy terms-of-service agreement does not meet this standard. The OCPA specifically prohibits the use of dark patterns to obscure or manipulate consent requests.
This means that if a gym in Portland wants to use fingerprint scanners for member check-in, it must clearly explain what biometric data it collects, how it will use and store that data, and obtain each member's affirmative agreement before the first scan.

Data Protection Assessments
Businesses that process biometric data must conduct data protection assessments before beginning that processing. These assessments must weigh the benefits of the processing activity against potential risks to consumers, including risks of:
- Unfair or deceptive treatment
- Unlawful disparate impact
- Financial, physical, or reputational injury
- Intrusion upon solitude or seclusion
The Oregon Attorney General can request these assessments during investigations. This gives the AG a tool to examine whether a company genuinely considered the privacy risks before collecting biometric identifiers.
Oregon's Unique Third-Party Disclosure Right
The OCPA includes a consumer right that no other state privacy law currently provides. Under ORS 646A.574, Oregon consumers can request a list of the specific third parties to which a controller has disclosed their personal data.
Other state privacy laws, including those in California, Colorado, and Connecticut, only require businesses to disclose categories of third-party recipients. Oregon goes further by requiring the actual names of the companies.
Controllers can respond in one of two ways:
- Provide the names of the specific third parties that received that particular consumer's personal data, or
- Provide the names of all third parties to which it has disclosed any consumer's personal data
The Oregon Department of Justice has explained that this right allows consumers to "track their data downstream." For biometric data, this is especially significant. If you gave a company your fingerprint scan and want to know exactly which other companies received it, Oregon law gives you the right to demand those specific names.
Additional Consumer Rights
Beyond the unique third-party disclosure right, Oregon consumers have a full set of data rights that apply to biometric data under the OCPA:
Right to confirm and access. You can ask any covered business whether it is processing your biometric data and request access to that data.
Right to correct. You can request correction of inaccurate biometric data held by a business.
Right to delete. You can request deletion of the biometric data a business holds about you.
Right to data portability. You can obtain a copy of your data in a portable, readily usable format.
Right to opt out. You can opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.
Right to non-discrimination. Businesses cannot penalize you for exercising any of these rights.
Businesses must respond to consumer rights requests within 45 days, with the option to extend by an additional 45 days when reasonably necessary.
Universal Opt-Out Mechanism
As of January 1, 2026, the OCPA requires businesses to honor universal opt-out signals. Oregon consumers can install a browser extension or enable a device setting that automatically sends a "do not sell my data" signal to every website they visit.
The Oregon Department of Justice has actively promoted this tool, calling it a way to stop companies from selling or sharing personal data without requiring consumers to opt out website by website.
Portland's Facial Recognition Ban
Portland stands out nationally for having two separate ordinances that ban facial recognition technology. The city passed both unanimously in September 2020, making Portland one of the first major U.S. cities to ban facial recognition use by both government agencies and private businesses.
The Private-Sector Ban (Chapter 34.10)
Portland City Code Chapter 34.10 prohibits private entities from using face recognition technologies in places of public accommodation within city limits. This ban took effect January 1, 2021.
Face recognition technology is defined as automated or semi-automated processes using face recognition that assist in identifying, verifying, detecting, or characterizing facial features of an individual.
Places of public accommodation include any location offering accommodations, advantages, facilities, or privileges to the public. This covers:
- Restaurants, bars, and food service establishments
- Retail stores and shopping centers
- Hotels and lodging
- Entertainment venues
- Recreation facilities
- Transportation services
Private clubs, religious organizations, and private residences are excluded.
The Government Ban
A separate ordinance bans all City of Portland bureaus and offices from acquiring or using face recognition technologies. This ban took effect immediately upon passage in September 2020.
The city cited documented accuracy disparities in facial recognition systems, which show higher error rates for women and people of color, as a primary reason for both bans.
Exemptions
Portland's private-sector ban includes three narrow exceptions under Section 34.10.040:
- Legal compliance. A private entity may use facial recognition to the extent necessary to comply with federal, state, or local laws.
- Personal device access. Individuals may use facial recognition to unlock their own personal or employer-issued devices.
- Social media auto-detection. Automatic face detection features in social media applications are permitted.
Penalties and Private Right of Action
Unlike the OCPA, which only allows Attorney General enforcement, Portland's facial recognition ban includes a private right of action. Any person injured by a material violation can sue the private entity for:
- Actual damages sustained, or
- $1,000 per day for each day of violation, whichever is greater
Courts may also award reasonable attorney fees to a prevailing plaintiff if the plaintiff made a written demand at least 30 days before filing suit.

This private enforcement mechanism makes Portland's ban significantly more powerful than many other facial recognition restrictions across the country.
Oregon's Breach Notification Law and Biometric Data
Separate from the OCPA, Oregon's Consumer Information Protection Act (OCIPA) at ORS 646A.600 through 646A.628 requires businesses to notify affected individuals when a security breach compromises personal information.
Oregon's definition of personal information for breach notification purposes explicitly includes biometric data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina, or iris.
Key breach notification requirements:
- 45-day notification deadline. Entities must notify affected Oregon consumers within 45 days of discovering the breach.
- AG reporting for large breaches. If a breach affects 250 or more Oregon consumers, the entity must also report to the Oregon Department of Justice within the same 45-day window.
- Name not always required. A combination of biometric data with other personal identifiers (even without a consumer's name) can trigger the notification requirement.
The OCIPA was first enacted in 2007 and updated in 2019 to strengthen its protections.
Who Must Comply With the OCPA
The OCPA applies to entities that conduct business in Oregon or produce products or services targeted to Oregon residents and meet one of these thresholds:
- Control or process personal data of 100,000 or more Oregon consumers during a calendar year, or
- Control or process personal data of 25,000 or more Oregon consumers and derive 25% or more of annual gross revenue from the sale of personal data
The OCPA applies to nonprofits as of July 1, 2025, making Oregon one of the few states whose comprehensive privacy law covers nonprofit organizations.
Employment Exemption
The OCPA exempts data maintained for employment records purposes. Individuals acting as employees, job applicants, or independent contractors of a controller are not treated as "consumers" under the law when their data is processed in the context of that role.
This means that if your Oregon employer collects fingerprints for a timekeeping system or uses badge-based biometric scanners for building access, the OCPA does not regulate that specific collection. However, the breach notification law under ORS 646A.600 still applies if that employer-held biometric data is compromised in a data breach.
Other Key Exemptions
The OCPA also exempts:
- HIPAA-covered entities and data
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Data regulated under the Fair Credit Reporting Act
- Data governed by FERPA
- Government entities

OCPA Enforcement and Penalties
The Oregon Attorney General has exclusive enforcement authority over the OCPA. There is no private right of action for OCPA violations (though Portland's facial recognition ban does provide one).
Civil penalties can reach up to $7,500 per violation.
The enforcement timeline has evolved:
- July 1, 2024, through December 31, 2025: The AG was required to issue a 30-day cure notice before taking enforcement action.
- January 1, 2026, onward: The cure notice requirement expired. The AG can now proceed directly to enforcement action without giving businesses a chance to fix violations first.
First-Year Enforcement Results
The Oregon AG's Privacy Unit released its one-year enforcement report covering the OCPA's first year. Key findings include:
- 214 consumer complaints received, a notably high number for a state of Oregon's size
- 38 enforcement matters initiated and closed after sending violation notices
- Most violations involved data brokers failing to honor deletion requests and companies failing to disclose third-party data recipients
- Companies generally responded positively, updating privacy notices and improving consumer rights mechanisms
No biometric-specific enforcement actions were reported in the first year, but the AG's focus on third-party disclosure failures is directly relevant to biometric data handling.
How Oregon Compares to Other States
Oregon's biometric privacy protections are stronger than most states, though they differ in structure from the handful of states with dedicated biometric privacy statutes.
Stronger than most comprehensive privacy law states. Oregon's broader biometric definition (including gait), unique third-party disclosure right, nonprofit coverage, and the Portland facial recognition ban collectively provide more protection than states like Kentucky, Indiana, or Tennessee.
Different approach than dedicated biometric laws. States like Illinois (BIPA), Texas (CUBI), and Washington have standalone biometric privacy statutes with specific retention schedules, destruction requirements, and (in Illinois's case) a private right of action. Oregon integrates biometric protections into its comprehensive privacy framework instead.
Portland stands alone. Portland's combined government and private-sector facial recognition ban, complete with a private right of action and $1,000-per-day penalties, is one of the strongest municipal biometric restrictions in the United States.
Sources and References
This article references Oregon statutes and official government publications. For the full text of the OCPA, visit the Oregon Legislature. For OCPA guidance and filing complaints, visit the Oregon Department of Justice Privacy FAQs. For Portland's facial recognition ban, see Portland City Code Chapter 34.10. For breach notification information, visit the Oregon DOJ Data Breaches page.
This article provides general legal information about Oregon biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Oregon government sources.
- Oregon Consumer Privacy Act (OCPA) (oregonlegislature.gov)
- Oregon DOJ Privacy Law FAQs for Businesses (doj.state.or.us)
- Portland City Code Chapter 34.10 - Facial Recognition Ban (portland.gov)
- Portland Facial Recognition Ban Purpose (Section 34.10.010) (portland.gov)
- Portland Facial Recognition Ban Definitions (Section 34.10.020) (portland.gov)
- Portland Facial Recognition Ban Exceptions (Section 34.10.040) (portland.gov)
- Portland City Council Approves Facial Recognition Ban (portland.gov)
- Oregon DOJ Data Breaches - Breach Notification Requirements (doj.state.or.us)
- Oregon DOJ OCPA One-Year Enforcement Report (doj.state.or.us)
- Oregon DOJ Universal Opt-Out Mechanism Announcement (doj.state.or.us)
- Oregon DOJ Data Breach Reporting Portal (justice.oregon.gov)