Oregon Data Privacy Laws: OCPA Consumer Rights Guide (2026)

Oregon has joined the growing list of states with comprehensive consumer data privacy legislation. The Oregon Consumer Privacy Act (OCPA), codified at ORS 646A.570 through 646A.589, became effective on July 1, 2024. It stands out among state privacy laws for its broad scope, its inclusion of nonprofits, and its lack of a revenue threshold for covered businesses.
This guide covers everything you need to know about Oregon's data privacy laws in 2026, including the OCPA's consumer rights, business obligations, enforcement mechanisms, data breach notification requirements, and recent legislative updates.
Who Must Comply With the OCPA
The OCPA applies to any person or entity that conducts business in Oregon or provides products or services to Oregon residents and meets either of two processing thresholds during a calendar year:

- Controls or processes personal data of 100,000 or more Oregon consumers (excluding data processed solely for completing a payment transaction), OR
- Controls or processes personal data of 25,000 or more Oregon consumers while deriving 25% or more of annual gross revenue from selling personal data
No Revenue Threshold
Unlike many other state privacy laws, Oregon does not include an initial revenue threshold as part of its applicability criteria. States like California set their privacy law triggers at $25 million in annual revenue. Oregon skips this entirely, which means even smaller businesses and organizations that handle large volumes of Oregon consumer data must comply with the OCPA.
Nonprofits Are Covered
Oregon is one of only a handful of states that includes nonprofit organizations within the scope of its consumer privacy law. After July 1, 2025, nonprofits do not receive a blanket entity-level exemption. The only nonprofit exemptions are narrowly drawn: (1) nonprofit organizations established to detect and prevent insurance fraud, and (2) the non-commercial activity of nonprofits that provide programming to radio or television networks.
Entity and Data Exemptions
The OCPA does not apply to state government agencies, certain financial data already regulated under the Gramm-Leach-Bliley Act (GLBA), health information protected under HIPAA, education records covered by FERPA, and data regulated under the Fair Credit Reporting Act (FCRA) or the Driver's Privacy Protection Act (DPPA). However, these are data-level exemptions, not entity-level exemptions. A hospital or bank may still need to comply with the OCPA for consumer data that falls outside those federal frameworks, such as marketing data or website analytics.
Consumer Rights Under the OCPA
The OCPA grants Oregon residents six core privacy rights, sometimes referred to as the L.O.C.K.E.D. framework by the Oregon Department of Justice:
Right to Know (Confirm)
Consumers can confirm whether a controller is processing their personal data and learn what categories of data are being collected, the purposes of processing, and the categories of third parties with whom data is shared.
Right to Access and Portability
Consumers can obtain a copy of their personal data in a portable, readily usable format. This allows individuals to review exactly what information a business holds about them.
Right to Correct
Consumers can request that a controller correct inaccuracies in their personal data. The controller must make reasonable efforts to correct the data based on the nature of the personal data and the purpose for which it is processed.
Right to Delete
Consumers can request deletion of their personal data held by a controller. The Oregon DOJ's first-year enforcement report noted that the right to delete was the number one right consumers requested and were denied by businesses.
Right to Opt Out
Consumers can opt out of the processing of their personal data for three purposes:
- Targeted advertising
- Sale of personal data
- Profiling that produces legal or similarly significant effects
Right to a List of Third Parties
This is one of the OCPA's most distinctive provisions. Consumers can request a list of the specific third-party entities to which a controller has disclosed their personal data. Most other state privacy laws only require businesses to disclose categories of recipients. Oregon requires the actual names of specific entities, giving consumers the ability to track their data downstream and exercise their rights with those third parties as well.
Response Timelines and Appeals
Controllers must respond to consumer rights requests within 45 days of receipt. This period may be extended by an additional 45 days when reasonably necessary, provided the controller informs the consumer of the delay and the reason for it.
If a controller denies a request, it must explain the justification and provide instructions for appealing the decision. The controller must respond to the appeal within 45 days. If the appeal is also denied, the controller must provide the consumer with information on how to file a complaint with the Oregon Attorney General.
Business Obligations
Privacy Notice Requirements
Controllers must publish a clear, accessible privacy notice that includes:
- The categories of personal data processed
- The purposes for processing personal data
- How consumers can exercise their rights
- The categories of personal data shared with third parties
- The categories of third parties with whom data is shared
- A description of any processing for targeted advertising, profiling, or sale of personal data, along with a procedure to opt out
Under HB 2008 (2025), controllers must now also specify the express purposes for which they collect and process personal data and limit collection to only data that is adequate, relevant, and reasonably necessary for those stated purposes.
Data Minimization
The OCPA requires controllers to limit their collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. Businesses cannot collect data "just in case" it might be useful later.
Data Protection Assessments
Controllers must conduct and document data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers. These assessments are required for:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling where there is a reasonably foreseeable risk of harm
- Processing sensitive data
Assessments must be maintained on file for at least five years. The Oregon DOJ has published detailed guidelines and noted that assessments conducted to comply with other state privacy laws can satisfy OCPA requirements, provided they are reasonably similar in scope.
Processor Contracts
When a controller engages a processor to handle personal data on its behalf, the relationship must be governed by a contract that clearly defines the roles, responsibilities, and data processing instructions. Processors must assist controllers in meeting their OCPA obligations, including responding to consumer rights requests.
Security Safeguards
Controllers must implement and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and accessibility of personal data. Under HB 2008 (2025), this obligation is now explicitly codified within the OCPA itself.
Sensitive Data and Special Categories
The OCPA defines "sensitive data" broadly and requires opt-in consent before a controller may process it. Sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Health diagnosis or conditions
- Sexual orientation or sex life
- Citizenship or immigration status
- Genetic data
- Biometric data used to identify an individual (such as fingerprints, retina scans, or facial recognition templates)
- Personal data of a known child under 13
- Precise geolocation data (within 1,750 feet)
Children's Data Protections
The OCPA provides heightened protections for children's data. A parent or legal guardian can exercise privacy rights on behalf of a child under age 13.
Under HB 2008 (2025), Oregon strengthened these protections further:
- Sale of children's data is prohibited. Controllers may not sell personal data if they have actual knowledge or willfully disregard that the consumer is under 16 years of age.
- Geolocation tracking of minors is restricted. The sale of data that accurately identifies a consumer's present or past location within a radius of 1,750 feet is prohibited if the consumer is under 16.
- Profiling of minors is restricted. Controllers may not process or profile a consumer if they know or willfully disregard that the consumer is younger than 16.
Universal Opt-Out Mechanism
Starting January 1, 2026, controllers must recognize and honor Universal Opt-Out Mechanisms (UOOMs). The most widely adopted example is the Global Privacy Control (GPC), a browser-based signal that automatically communicates a consumer's opt-out preferences to every website they visit.
When a controller detects a GPC signal or other recognized UOOM, it must treat the signal as a valid request to opt out of the sale of personal data and targeted advertising. Controllers must honor these requests within 15 days.
This means Oregon consumers can set their preference once in their browser and have it automatically applied across all covered websites and platforms, rather than submitting individual opt-out requests to each business.
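The controller-side handling described above, as an added example that is not code from this page or from the Oregon DOJ: it assumes the signal arrives as the HTTP request header `Sec-GPC: 1` (the transport defined by the Global Privacy Control specification), and the purpose names, the header dictionaries and the `apply_opt_out` helper are constructed for this illustration.

```python
"""Detect a Global Privacy Control (GPC) signal on an incoming request and
turn it into the processing decision a controller has to make under the
OCPA: suppress sale and targeted advertising, leave other purposes alone.
Illustrative code; not from the Oregon DOJ or any real site."""
from datetime import date, timedelta

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive
# The page states a UOOM covers these two purposes; profiling and
# service delivery are NOT switched off by the signal (hypothetical names).
UOOM_PURPOSES = frozenset({"sale", "targeted_advertising"})
HONOR_WINDOW_DAYS = 15  # the 15-day honoring deadline stated in the text


def gpc_signal_present(headers):
    """True only for `Sec-GPC: 1`; the spec defines no other valid value,
    so `0`, empty values and the unrelated `DNT` header are not a GPC opt-out."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def apply_opt_out(headers, requested_purposes):
    """Split the purposes a request would trigger into those that may proceed
    and those the GPC signal suppresses. Returns sets so callers can check
    membership rather than rely on ordering."""
    requested = set(requested_purposes)
    if not gpc_signal_present(headers):
        return {"allowed": requested, "suppressed": set()}
    suppressed = requested & UOOM_PURPOSES
    return {"allowed": requested - suppressed, "suppressed": suppressed}


def honor_deadline(received_on):
    """Latest date by which the opt-out must be in effect (received + 15 days)."""
    return received_on + timedelta(days=HONOR_WINDOW_DAYS)


if __name__ == "__main__":
    # Constructed request headers, as a browser with GPC enabled would send.
    sample = {"Host": "example.test", "Sec-GPC": "1", "DNT": "1"}
    plan = apply_opt_out(sample, ["sale", "targeted_advertising", "profiling"])
    print("suppressed:", sorted(plan["suppressed"]))   # sale, targeted_advertising
    print("allowed:   ", sorted(plan["allowed"]))       # profiling
    print("honor by:  ", honor_deadline(date(2026, 1, 10)))
```

A request-logging layer can record `gpc_signal_present` alongside each decision, which gives the controller the evidence it needs to show the signal was honored inside the 15-day window.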
Enforcement and Penalties
Attorney General Enforcement
The Oregon Attorney General has exclusive enforcement authority over the OCPA. There is no private right of action, meaning individual consumers cannot sue businesses directly for OCPA violations. Instead, consumers file complaints with the Oregon DOJ.
Cure Period Has Expired
From July 1, 2024 through December 31, 2025, the OCPA included a 30-day cure period. If the DOJ identified a fixable violation, it had to provide the business with notice and 30 days to remedy the problem before taking formal enforcement action.
That cure period expired on January 1, 2026. The Oregon DOJ Privacy Unit is no longer required to give businesses an opportunity to fix violations before pursuing enforcement. This represents a significant shift in the enforcement landscape for businesses operating in Oregon.
Penalty Amounts
| Item | Maximum Penalty or Treatment |
|---|---|
| OCPA violation (per violation) | $7,500 |
| Each affected consumer | Counts as separate violation |
| Attorney fees and costs | Recoverable by the state |
| Expert witness fees | Recoverable by the state |
| Investigation costs | Recoverable by the state |
Each affected consumer can count as a separate violation, meaning a data processing violation affecting thousands of Oregon residents could result in penalties in the tens of millions of dollars.
First-Year Enforcement Results
The Oregon DOJ released its one-year enforcement report in August 2025 covering the period from July 1, 2024 through June 30, 2025. Key findings include:
- The Privacy Unit received 157 consumer complaints through March 2025
- Social media platforms and data brokers generated the most complaints
- Deletion requests were the consumer right most frequently requested and denied
- 38 enforcement matters were closed, all resolved through the notice-and-cure process
- The DOJ reported that most businesses updated their privacy notices and improved their consumer rights mechanisms quickly after being contacted
The Q1 2025 report also noted over 250 complaints from Oregonians regarding the handling of consumer data by the federal Department of Government Efficiency (DOGE).
Oregon Data Breach Notification Law
Separate from the OCPA, Oregon maintains a data breach notification statute under the Oregon Consumer Information Protection Act (OCIPA), codified at ORS 646A.600 through 646A.628.
What Triggers Notification
A "breach of security" is defined as an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information. This does not include inadvertent acquisition by an employee or agent if the information is not misused and does not pose an actual threat to consumer security.
Personal Information Defined
Under the OCIPA, personal information includes a consumer's first name or initial and last name combined with any of the following:
- Social Security number
- Driver's license or state ID number
- Passport number or other U.S. identification number
- Financial account numbers with access codes
- Biometric data (fingerprints, retina scans, iris images)
- Health insurance information
- Medical history or information about a health condition or treatment
- A username or account ID plus a password or security question answers
Notification Timeline
Entities must notify affected Oregon consumers no later than 45 days after discovering or receiving notice of the breach. The notification must include:
- A description of the incident
- The type of personal information involved
- Contact information for the entity
- Contact information for major credit reporting agencies
- Advice to review account statements and credit reports
Attorney General Reporting
If a breach affects more than 250 Oregon consumers, the entity must also report the breach to the Oregon Department of Justice within the same 45-day window, along with a sample copy of the consumer notification.
Breach Notification Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Per violation (OCIPA) | $1,000 |
| Continuing violation cap | $500,000 |
Safeguard Requirements
The OCIPA also requires businesses that maintain personal information to develop, implement, and maintain reasonable safeguards. These must include administrative, technical, and physical measures to protect the security, confidentiality, and integrity of personal information. Businesses should conduct regular risk assessments, implement access controls and encryption, train employees on data handling procedures, and monitor for security threats.
2025 Legislative Updates: HB 2008
Oregon's legislature passed HB 2008 during the 2025 regular session, strengthening several OCPA provisions:
- Purpose specification. Controllers must now state the express purposes for collecting and processing personal data in their privacy notices.
- Data minimization codified. Collection must be limited to data that is adequate, relevant, and reasonably necessary for the specified purposes.
- Security safeguards. Controllers must establish safeguards protecting the confidentiality, integrity, and accessibility of personal data.
- Consent revocation. Controllers must provide an effective means for consumers to revoke previously given consent.
- Children's data sale ban. Prohibits the sale of personal data belonging to consumers under 16.
- Minor geolocation restrictions. Bans selling location data (within 1,750 feet accuracy) of consumers under 16.
- Profiling restrictions for minors. Prohibits processing or profiling consumers the controller knows or willfully disregards are under 16.
How Oregon Compares to Other State Privacy Laws
Oregon's OCPA shares structural similarities with the privacy laws in Colorado, Connecticut, and Virginia, but includes several provisions that make it more protective of consumers:
| Feature | Oregon (OCPA) | California (CCPA/CPRA) | Colorado (CPA) |
|---|---|---|---|
| Revenue threshold | None | $25 million | None |
| Nonprofits covered | Yes (after July 2025) | No | No |
| Right to list specific third parties | Yes | No (categories only) | No (categories only) |
| Sensitive data opt-in consent | Yes | Yes | Yes |
| Universal opt-out required | Yes (Jan 2026) | Yes | Yes (July 2024) |
| Cure period | Expired Jan 2026 | None | None |
| Maximum penalty per violation | $7,500 | $7,500 | $20,000 |
| Private right of action | No | Limited (data breaches) | No |
This article is for informational purposes only and does not constitute legal advice. Laws and regulations change frequently. Consult a licensed Oregon attorney for advice specific to your situation.
Sources and References
- Oregon Revised Statutes Chapter 646A (oregonlegislature.gov)
- Oregon DOJ Privacy Law FAQs for Businesses (doj.state.or.us)
- Oregon DOJ Privacy Law FAQs for Consumers (doj.state.or.us)
- Oregon DOJ One-Year OCPA Enforcement Report (doj.state.or.us)
- Oregon DOJ Six-Month OCPA Enforcement Report (doj.state.or.us)
- Oregon DOJ Data Protection Assessment Guidelines (doj.state.or.us)
- Oregon DOJ Universal Opt-Out Tool Announcement (doj.state.or.us)
- HB 2008 Enrolled (2025 Regular Session) (oregonlegislature.gov)
- Oregon DOJ Data Breaches Page (doj.state.or.us)
- Oregon Real Estate Agency OCPA Overview (oregon.gov)
- Oregon Consumer Information Protection Act Guide (dfr.oregon.gov)