Skip to main content

Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act grants Oregon residents rights to access, correct, delete, and opt out of the sale and profiling of their personal data. It applies to qualifying businesses and many nonprofits, requires consent for sensitive data, and is enforced by the Oregon Attorney General.

Jurisdiction
Oregon

Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act (OCPA), enacted as Senate Bill 619 and codified at ORS 646A.570 to 646A.589, is Oregon's comprehensive data privacy statute. It gives Oregon residents control over how businesses collect, use, and share their personal data, and it sets clear obligations for data controllers and processors. The law took effect on July 1, 2024, with a delayed effective date of July 1, 2025 for qualifying nonprofit organizations.

The OCPA follows the model established by other state privacy laws but includes broader definitions in several areas. Notably, its definition of personal data and its treatment of nonprofits are wider than many peer statutes.

Who It Applies To

The OCPA applies to any person that conducts business in Oregon, or that provides products or services targeted to Oregon residents, and that during a calendar year controls or processes the personal data of either 100,000 or more consumers, or 25,000 or more consumers while deriving 25 percent or more of annual gross revenue from selling personal data. Unlike most state laws, it covers many nonprofits. It excludes data governed by sector laws such as HIPAA and the Gramm-Leach-Bliley Act.

Key Requirements

Controllers must provide a clear privacy notice describing the categories of data processed, the purposes, how consumers exercise rights, and the categories shared with third parties. Consumers have rights to confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and certain profiling. Processing of sensitive data requires opt-in consent. Controllers must conduct and document data protection assessments for high-risk processing, including targeted advertising, sale of data, sensitive data processing, and profiling that presents reasonably foreseeable risk. Controllers must honor universal opt-out mechanisms.

Penalties for Non-Compliance

The Oregon Attorney General has exclusive enforcement authority. Violations are treated as unlawful trade practices, carrying civil penalties of up to 25,000 dollars per violation. Until January 1, 2026 the Attorney General must provide a 30-day cure period before bringing an action; after that date the cure period is discretionary.

How to Comply

Map personal data flows and confirm whether thresholds are met, including nonprofit status. Publish an accurate, accessible privacy notice and build reliable mechanisms for handling consumer requests within 45 days. Implement opt-in consent flows for sensitive data and recognized universal opt-out signals. Establish a repeatable process for data protection assessments and retain documentation. Review vendor contracts to ensure processor obligations are in place.

Relationship to Other Laws

The OCPA sits within a fast-growing patchwork of U.S. state privacy laws that share a common vocabulary of controllers, processors, consumers, and consumer rights, largely derived from the Washington Privacy Act blueprint. Because the OCPA's definition of personal data is broader than several peers and it covers many nonprofits, organizations that already comply with Virginia or Colorado should not assume automatic Oregon compliance. The right to obtain a list of the specific third parties that received a consumer's data, rather than merely the categories, is a notable Oregon enhancement that several later state laws adopted. For multistate operators, the practical strategy is to build to the strictest common denominator and then layer state-specific obligations such as Oregon's third-party disclosure and nonprofit coverage. Engineering teams should treat consumer-rights handling, consent capture, and assessment documentation as reusable platform capabilities rather than one-off legal tasks, since the same controls satisfy many statutes at once and reduce the cost of each new state law.

Operational Mechanics

Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.