The Oregon Consumer Privacy Act took effect on July 1 2024 for for-profit businesses. In its first year, the Oregon Department of Justice received more complaints than expected, signaling active consumer engagement with their new privacy rights.
How OCPA Enforcement Works
The Oregon Attorney General has exclusive enforcement authority under the OCPA. Consumers cannot bring private lawsuits for violations.
Until January 1 2026, businesses receive a 30-day cure period to address alleged violations before enforcement proceeds. After that date, the Attorney General can pursue penalties immediately.
Penalties can reach up to $7,500 per violation. Each affected consumer can represent a separate violation, so fines can accumulate for widespread non-compliance.
First Year Complaint Data
The Oregon Department of Justice released its first year enforcement report in August 2025, covering July 1 2024 to 30th June 2025.
Volume: 214 complaints were received in the first year. This exceeded expectations and surpassed complaint rates in comparably sized states. Colorado, for example, saw approximately 150 complaints in its first year under the CPA.
Sources: Approximately 60% of complaints came from individual consumers, 25% from advocacy groups or nonprofits, and 15% from automated submissions tied to privacy tools.
Top Issues: The right to delete was the most common grievance, accounting for 45% of complaints. Consumers reported denials or delays in data deletion requests, particularly against online data brokers.
Enforcement Status
As of January 2026, the Oregon DOJ has not publicly announced enforcement actions resulting in fines under the OCPA. The 30-day cure period has allowed many potential violations to be resolved before formal enforcement proceedings.
This pattern is consistent with other states during their initial enforcement periods. The cure period provides businesses an opportunity to correct issues, which often means violations are resolved without public action.
Enforcement Expectations
Based on complaint data and the OCPA’s structure, businesses should expect attention in these areas:
Deletion requests. The high volume of deletion-related complaints signals this is a priority for Oregon consumers and likely for the Attorney General. Ensure your deletion processes are functional and timely.
Data brokers. Complaints specifically targeted online data brokers for failing to honor deletion requests. Businesses in this sector face heightened scrutiny.
Third-party disclosure. Oregon’s unique requirement to identify specific third parties to which data has been disclosed may generate enforcement attention as consumers begin exercising this right.
Sensitive data categories. Oregon’s broader definition of sensitive data, including transgender/non-binary status and crime victim status, creates additional compliance requirements not present in other states.
What Changes in January 2026
Two significant changes take effect on January 1 2026:
Cure period expires. The 30-day cure period ends, giving the Attorney General discretion to pursue enforcement immediately upon discovering a violation.
Universal opt-out required. Businesses must honor opt-out preference signals such as Global Privacy Control. Failure to implement GPC support will be an easily identifiable violation.
What This Means for Your Organization
Oregon’s first year complaint data suggests consumers are actively exercising their privacy rights. The right to delete is the leading concern, so deletion processes should be a compliance priority.
Prepare for January 2026 by:
- Testing deletion request workflows for timely response
- Implementing Global Privacy Control support
- Documenting third parties to which you disclose personal data
- Reviewing sensitive data processing against Oregon’s broader categories
The end of the cure period means less room for error. Proactive compliance is the prudent approach.
