Oregon passed its Consumer Privacy Act in July 2023, becoming one of the growing number of US states with consumer privacy legislation. The law took effect on July 1 2024, with nonprofits given an additional year until July 1 2025.
What Is the OCPA?
The Oregon Consumer Privacy Act (OCPA) grants Oregon residents rights over their personal data and establishes obligations for businesses that collect and process that information. The law is codified as ORS 646A.570-646A.589.
The OCPA includes several features that set it apart from other state privacy laws, including a requirement to disclose the specific third parties to which data has been disclosed and a broader definition of sensitive data.
Does It Apply to Your Business?
The OCPA applies to entities that conduct business in Oregon or provide products or services to Oregon residents. To be covered, an entity must also meet at least one of two thresholds during a calendar year:
Threshold 1: Control or process the personal data of 100,000 or more Oregon residents. Personal data processed solely to complete a payment transaction is excluded from this count.
Threshold 2: Control or process the personal data of 25,000 or more Oregon consumers AND derive 25% or more of annual gross revenue from selling personal data.
The law does not include a minimum revenue threshold, so businesses with modest revenue can still be covered if they meet the data volume thresholds.
Nonprofits Are Covered
Unlike most other state privacy laws, the OCPA applies to nonprofit organizations that meet the applicability thresholds. Nonprofits received a one-year grace period and must have been compliant by July 1 2025.
Key Consumer Rights
Oregon residents have the following rights:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data
- Right to correct inaccuracies
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for decisions with legal or significant effects
- Right to know the specific third parties to which data has been disclosed
The last right is unique to Oregon. No other state privacy law currently requires controllers to identify the specific third parties to which they have disclosed a consumer’s personal data.
Business Obligations
Covered entities must:
- Provide clear and accessible privacy notices
- Limit data collection to what is reasonably necessary for disclosed purposes
- Implement reasonable security measures
- Obtain consent before processing sensitive data
- Respond to consumer requests within 45 days
- Conduct data protection assessments for high-risk processing activities
Sensitive Data
The OCPA defines sensitive data more broadly than most other state laws. Sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data
- Children’s data
- Precise geolocation
- Status as transgender or non-binary
- Status as a victim of crime
The inclusion of transgender/non-binary status and crime victim status reflects Oregon’s broader approach to privacy protection.
Enforcement and Penalties
The Oregon Attorney General has exclusive enforcement authority. Consumers cannot bring private lawsuits under the OCPA.
The law includes a 30-day cure period for alleged violations. The cure period provision expires on January 1 2026. After that date, the Attorney General can pursue enforcement immediately.
Penalties can reach up to $7,500 per violation. Each affected consumer can count as a separate violation.
From January 1 2026, businesses must also honor universal opt-out preference signals such as Global Privacy Control.
Key Dates
- July 18 2023: OCPA signed into law
- July 1 2024: OCPA took effect for for-profit businesses
- July 1 2025: OCPA took effect for nonprofits
- January 1 2026: 30-day cure period expires; universal opt-out mechanisms required
Where to Find Official Resources
- Oregon Department of Justice Consumer Privacy page: doj.state.or.us
- Full legal text: ORS 646A.570-646A.589
Getting Started
The OCPA requires attention to its unique features. Review whether you can identify the specific third parties to which you disclose personal data, as consumers have the right to request this information. Assess your sensitive data processing against Oregon’s broader definition, which includes categories not found in other state laws.
With the cure period expiring in January 2026 and universal opt-out requirements taking effect at the same time, businesses should be working toward full compliance now.
