Oregon

Oregon has enacted one of the most comprehensive state-level data privacy laws in the United States through the Oregon Consumer Privacy Act (OCPA). This landmark legislation, which took effect in July 2024, provides Oregon residents with significant new rights over their personal data while requiring businesses to implement stronger privacy protections. The law stands out for its unique requirement that companies disclose specific third parties who receive consumer data, its broad definition of sensitive data, and its expansion to cover nonprofit organizations. Enforcement is exclusively handled by the Oregon Attorney General, with civil penalties up to $7,500 per violation, though consumers cannot sue directly for violations.

Privacy Law Status

Comprehensive Privacy Law

Oregon has enacted a comprehensive consumer privacy law through Senate Bill 619, known as the Oregon Consumer Privacy Act (OCPA)[1]. The law was signed by Governor Kotek on July 18, 2023, making Oregon the 11th U.S. state to pass comprehensive data privacy legislation[2]. The OCPA provides Oregon residents with extensive rights over their personal data and imposes significant obligations on businesses that collect and process consumer information.

The law was developed through a collaborative process involving the Attorney General’s Consumer Privacy Task Force, which worked with 150 consumer privacy experts and stakeholders representing both consumers and industry[3]. This comprehensive approach resulted in legislation that passed the Oregon State Legislature with strong bipartisan support and established Oregon as a leader in state-level privacy protection[3].

Legislative Activity

The Oregon Legislature passed Senate Bill 619 on June 23, 2023, following extensive stakeholder engagement and expert consultation[4]. The legislation was developed under former Attorney General Ellen Rosenblum’s leadership and represents a significant milestone in Oregon’s commitment to consumer privacy protection[3]. The law builds upon privacy frameworks established by other states, particularly Colorado and Connecticut, while incorporating unique features tailored to Oregon’s priorities.

Current legislative activity focuses on implementation and enforcement rather than new legislation. The Oregon Department of Justice has been actively developing guidance materials, educational resources, and enforcement procedures to support compliance[5]. Future legislative sessions may consider refinements or expansions based on implementation experience and evolving privacy needs.

Implementation Timeline

The OCPA became effective on July 1, 2024, for most businesses and organizations[1]. However, the implementation includes a phased approach with different timelines for various entities and requirements. Nonprofit organizations have an extended compliance deadline of July 1, 2025, recognizing their unique operational considerations[6]. The law includes a cure period until January 1, 2026, during which businesses receive 30 days to address violations before facing penalties[7].

Looking ahead, several key dates will shape the law’s evolution. The cure period expires on January 1, 2026, after which enforcement will become more immediate and stringent[8]. Universal opt-out mechanism provisions will take effect in 2026, requiring businesses to honor automated consumer privacy requests[8]. These implementation milestones reflect a measured approach to privacy law enforcement that balances consumer protection with business adaptation needs.

Your Rights as an Oregon Resident

The Oregon Consumer Privacy Act grants Oregon residents comprehensive rights to control how their personal data is collected, used, and shared by businesses.

Right to know what data is collected: You can request confirmation of whether your personal data is being processed, the categories of data being processed, and access to that data. Uniquely, Oregon law also gives you the right to know the specific third parties that have received your personal data, not just general categories[7].
Right to delete personal information: You can request deletion of your personal data held by a controller, subject to certain exceptions. This is the most commonly exercised right under the OCPA, according to enforcement reports[8].
Right to opt out of data sales: You can opt out of the sale of your personal data, targeted advertising, and profiling used for decisions with legal or similarly significant effects. Businesses must recognize universal opt-out signals, making this process easier[7].
Right to correct inaccurate data: You can request that controllers correct inaccurate or outdated information they have about you[7].
Right to data portability: You can obtain a copy of the personal data you have provided to a controller in a readily usable format[7].
Right to non-discrimination: Businesses cannot discriminate against you for exercising your privacy rights under the OCPA[1].
Special protections for sensitive data: Companies must obtain your explicit opt-in consent before processing sensitive data, which includes health information, genetic or biometric data, precise geolocation, racial/ethnic origin, gender identity, and crime victim status[1][7].

You can make one free rights request every 12 months, and businesses have 45 days to respond. If your request is denied, you can appeal the decision to the company and file a complaint with the Oregon Attorney General if necessary[9].

Business Requirements

The OCPA imposes comprehensive obligations on businesses that process Oregon residents’ personal data, with requirements designed to enhance transparency and consumer control.

Coverage thresholds: The law applies to businesses that control or process personal data of at least 100,000 Oregon residents, or 25,000 Oregon residents if they derive at least 25% of gross revenue from selling personal data. Notably, there is no revenue threshold, making the law applicable to smaller businesses that meet the consumer data thresholds[1].
Transparency and notice requirements: Businesses must provide clear privacy notices that disclose data practices, consumer rights under the OCPA, categories of third parties involved in processing, and specific mechanisms for consumers to exercise their rights. Privacy notices must be easily accessible and clearly written[10].
Consumer request procedures: Companies must respond to consumer rights requests within 45 days, with a possible 45-day extension if reasonably necessary. They must provide simple mechanisms for consumers to exercise their rights and cannot make the process unnecessarily burdensome[10].
Consent requirements: Businesses must obtain explicit opt-in consent before processing sensitive data. For children under 13, all data is considered sensitive. For teens aged 13-15, opt-in consent is required for targeted advertising and profiling[1].
Data protection assessments: Companies must conduct formal risk assessments for certain high-risk processing activities, particularly those involving sensitive data or children’s information[7].
Security measures: Businesses must implement reasonable security measures to protect personal data from unauthorized access, use, or disclosure[1].

Practical Impact

Enhanced daily privacy protection: Oregon residents now have concrete tools to control their digital footprint, from opting out of data sales to requesting deletion of unwanted information. The law’s broad definition of sensitive data provides stronger protection for information about health, race, religion, and other personal characteristics[1].
Recourse for privacy violations: While residents cannot sue companies directly, they can file complaints with the Oregon Attorney General’s office, which has already demonstrated active enforcement. In the first six months, the Attorney General received 110 complaints and issued 21 cure notices to businesses[10][8].
Special protection for children and families: The law provides enhanced safeguards for children under 13 (whose data is automatically considered sensitive) and requires parental consent for teens aged 13-15 for certain data uses. Parents can exercise privacy rights on behalf of children under 13[7].
Limitations in enforcement: The law does not include a private right of action, meaning residents cannot sue companies directly for violations. Enforcement depends entirely on the Attorney General’s office, which may limit the practical recourse available to individuals experiencing privacy violations[7].
Business compliance challenges: Early enforcement reports show common deficiencies include confusing privacy notices, missing disclosures about consumer rights, and inadequate opt-out mechanisms. These issues can limit residents’ ability to effectively exercise their rights[10].

Comparison Context

Leading features compared to other states: Oregon’s law includes unique provisions not found in most other state privacy laws, particularly the right to know specific third parties that received personal data (rather than just categories). The law also has an unusually broad definition of sensitive data that includes gender identity and crime victim status, providing more comprehensive protection than most states[1][11].
Coverage of nonprofits: Unlike many other state privacy laws, Oregon’s law applies to nonprofit organizations that meet the thresholds, effective July 1, 2025. This broader coverage provides more comprehensive protection but is less common among state privacy laws[10][2].
No revenue threshold: Oregon’s law applies based solely on the number of consumers whose data is processed, without requiring businesses to meet minimum revenue thresholds. This makes the law applicable to smaller businesses compared to laws in some other states[1].
Missing private enforcement: Oregon residents cannot sue companies directly for privacy violations, unlike California residents under the CCPA. This limits individual recourse compared to California’s more robust enforcement options[7][11].
Moderate penalty structure: Oregon’s maximum civil penalties of $7,500 per violation are substantial but not the highest among state privacy laws. The cure period through 2026 also provides more lenient initial enforcement compared to some other states[7].

Action Steps for Residents

Learn your rights and how to exercise them: Review the Oregon Department of Justice’s consumer resources to understand your specific rights under the OCPA. Each company’s privacy notice should explain how to submit requests, typically through online forms or email[9].
Review and update your privacy settings: Check the privacy settings on websites, apps, and services you use regularly. Look for opt-out links or privacy preference centers, which companies are required to provide under the law[5].
Exercise your rights strategically: Start by requesting information from data brokers and background check websites, which have been the subject of numerous consumer complaints. Consider requesting deletion of data from services you no longer use[8].
Monitor children’s online activity: Use the law’s enhanced protections for children by reviewing the privacy practices of websites, apps, and services your children use. Exercise parental rights to request deletion of children’s data when appropriate[5].
Report violations and non-responsive companies: If companies fail to respond to your requests within 45 days or deny legitimate requests, file a complaint with the Oregon Attorney General’s Consumer Protection division[9].
Stay informed about implementation: Follow updates from the Oregon Department of Justice about new guidance, enforcement actions, and upcoming changes like the universal opt-out mechanism requirements in 2026[5].

Official Resources and Contact Information

Oregon Attorney General – Consumer Protection

The Oregon Attorney General’s office enforces the OCPA and provides resources for consumers experiencing privacy issues. The Consumer Protection division handles privacy complaints and provides educational materials about consumer rights.

Consumer Hotline: 1-877-877-9392 (8:30 AM – 4:30 PM, Monday-Friday)

Email: help@oregonconsumer.gov

Privacy-specific inquiries: oregonprivacy@doj.oregon.gov

Online complaint form: Oregon DOJ Consumer Complaint Form

Privacy Law Information and Guidance

The Oregon Department of Justice maintains comprehensive resources about the OCPA, including guidance for consumers, businesses, and nonprofits.

Main privacy law page: Oregon Consumer Privacy Law

Consumer resources and toolkit: Privacy Protection Resources

Oregon State Legislature

Contact your state legislators about privacy issues, upcoming legislation, or concerns about the implementation of the OCPA.

General legislative information: help.leg@oregonlegislature.gov or 1-800-332-2313

Find your representatives: Search for your 2025 Oregon legislators

Oregon State Legislature: Official Legislature Website

Public Records and Legislative Process

Oregon maintains strong public records access for citizens seeking information about the legislative process, enforcement actions, or government accountability related to privacy protection.

Public records requests: Oregon Legislature Public Records

Legislative Counsel: 503-986-1243

Citizens can request public records related to privacy law enforcement, legislative deliberations, or agency guidance. The Oregon State Legislature maintains a tradition of open and transparent government with broad public access to records and information about the legislative process.

Sources and Citations

[1] www.ketch.com/regulatory-compliance/oregon-consumer-privacy-act-ocpa

[2] www.cookieyes.com/blog/oregon-consumer-privacy-act-ocpa/

[3] www.doj.state.or.us/wp-content/uploads/2025/03/OCPA-Six-Month-Enforcement-Report.pdf

[4] www.doj.state.or.us/consumer-protection/id-theft-data-breaches/privacy/

[5] www.doj.state.or.us/media-home/news-media-releases/take-action-online-to-protect-your-privacy-rights/

[6] www.doj.state.or.us/consumer-protection/for-businesses/privacy-law-faqs-for-nonprofits/

[7] usercentrics.com/knowledge-hub/oregon-consumer-privacy-act-ocpa/

[8] www.hunton.com/privacy-and-information-security-law/key-findings-from-oregons-consumer-privacy-act-report

[9] olis.oregonlegislature.gov/liz/2025R1/Downloads/CommitteeMeetingDocument/304415

[10] www.whitecase.com/insight-alert/oregon-releases-report-first-six-months-its-oregon-consumer-privacy-act

[11] syrenis.com/resources/blog/oregon-consumer-privacy-act-comparison/

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.