Oregon Data Privacy Laws: OCPA Consumer Rights Guide (2026)

The Oregon Consumer Privacy Act (OCPA), codified at ORS 646A.570 through 646A.589, took effect July 1, 2024, giving Oregon residents broad rights over their personal data. Oregon stands out among state privacy laws for covering nonprofits, for requiring disclosure of the specific third parties that received a consumer's data, and for being the first state to list transgender or nonbinary status, and the only state to list crime victim status, in its definition of sensitive data. The Attorney General holds exclusive enforcement authority, with civil penalties of up to $7,500 per violation (each affected consumer potentially counted separately), and the 30-day cure period expired on January 1, 2026.
This guide covers Oregon's data privacy laws in 2026, including the OCPA's consumer rights, business obligations, enforcement record, data breach notification requirements, data broker registration rules, the federal overlay, and recent legislative updates.
Who Must Comply With the OCPA
The OCPA applies to any person or entity that conducts business in Oregon or provides products or services to Oregon residents and meets either of two processing thresholds during a calendar year:
- Controls or processes personal data of 100,000 or more Oregon consumers (excluding data processed solely for completing a payment transaction), OR
- Controls or processes personal data of 25,000 or more Oregon consumers while deriving 25% or more of annual gross revenue from selling personal data
No Revenue Threshold
Unlike California and a few other states, Oregon does not include a revenue threshold in its applicability criteria. California's CCPA, for example, applies to businesses with annual gross revenue above $25 million (adjusted for inflation) even if they process data on relatively few consumers. Oregon keys applicability to processing volume alone, which means even smaller businesses and organizations that handle large volumes of Oregon consumer data must comply with the OCPA.
Nonprofits Are Covered
Oregon is one of only a handful of states that includes nonprofit organizations within the scope of its consumer privacy law. After July 1, 2025, nonprofits do not receive a blanket entity-level exemption. The only nonprofit exemptions are narrowly drawn: (1) nonprofit organizations established to detect and prevent insurance fraud, and (2) the non-commercial activity of nonprofits that provide programming to radio or television networks.
The Oregon DOJ has published separate FAQs for nonprofits explaining their obligations under the OCPA.
Entity and Data Exemptions
The OCPA does not apply to state and local government bodies, financial data already regulated under the Gramm-Leach-Bliley Act (GLBA), protected health information covered by HIPAA, education records covered by FERPA, and data regulated under the Fair Credit Reporting Act (FCRA) or the Driver's Privacy Protection Act (DPPA). Most of these are data-level exemptions, not entity-level exemptions. A hospital, for example, may still need to comply with the OCPA for consumer data that falls outside HIPAA, such as marketing data or website analytics collected from visitors who are not patients.
Consumer Rights Under the OCPA
The OCPA grants Oregon residents six core privacy rights. The Oregon Department of Justice consumer FAQ describes these rights as covering confirmation, access, correction, deletion, portability, and opt-out.
Right to Know (Confirm and Access)
Consumers can confirm whether a controller is processing their personal data and learn what categories of data are being collected, the purposes of processing, and the categories of third parties with whom data is shared. Consumers can also obtain a copy of their personal data in a portable, readily usable format.
Right to Correct
Consumers can request that a controller correct inaccuracies in their personal data. The controller must make reasonable efforts to correct the data based on the nature of the personal data and the purpose for which it is processed.
Right to Delete
Consumers can request deletion of their personal data held by a controller. The Oregon DOJ's one-year enforcement report identified the right to delete as the most frequently requested and most frequently denied right during the first year of enforcement.
Right to Opt Out
Consumers can opt out of the processing of their personal data for three purposes:
- Targeted advertising
- Sale of personal data
- Profiling that produces legal or similarly significant effects
Right to a List of Specific Third Parties
This is one of the OCPA's most distinctive provisions. Consumers can request a list of the specific third-party entities to which a controller has disclosed their personal data. Most other state privacy laws only require businesses to disclose categories of recipients; of the comprehensive state laws enacted to date, only Minnesota's imposes a comparable requirement. Oregon requires the actual names of specific entities, giving consumers the ability to track their data downstream and exercise their rights with those third parties directly.
Response Timelines and Appeals
Controllers must respond to consumer rights requests within 45 days of receipt. This period may be extended by an additional 45 days when reasonably necessary, provided the controller informs the consumer of the delay and the reason for it.
If a controller denies a request, they must explain the justification and provide instructions for appealing the decision. The controller must respond to the appeal within 45 days. If the appeal is also denied, the controller must provide the consumer with information on how to file a complaint with the Oregon Attorney General.
Sensitive Data and Special Categories
The OCPA defines "sensitive data" broadly and requires opt-in consent before a controller may process it. Oregon's sensitive data definition under ORS 646A.570 is notably more expansive than most other state privacy laws. Sensitive data includes personal data that reveals any of the following, plus the specific data types at the end of the list:

- Racial or ethnic background
- National origin
- Religious beliefs
- Mental or physical condition or diagnosis
- Sexual orientation
- Status as transgender or nonbinary
- Status as a victim of crime
- Citizenship or immigration status
- Genetic data
- Biometric data used to identify an individual (fingerprints, retina scans, facial recognition templates)
- Personal data of a known child under 13
- Precise geolocation data (within 1,750 feet)
Crime victim status is unique to Oregon: no other comprehensive state privacy law enacted as of May 2026 lists it as a sensitive data category. Oregon was also the first state to list transgender or nonbinary status, a category that Delaware, New Jersey, and Maryland have since adopted in their own laws. Businesses operating in Oregon must obtain opt-in consent before collecting, processing, or sharing data that reveals either of these statuses.
Children's Data Protections
The OCPA provides heightened protections for children's data. A parent or legal guardian can exercise privacy rights on behalf of a child under age 13.
Under HB 2008 (2025), Oregon strengthened these protections further:
- Sale of children's data is prohibited. Controllers may not sell personal data if they have actual knowledge or willfully disregard that the consumer is under 16 years of age.
- Geolocation tracking of minors is restricted. The sale of data that accurately identifies a consumer's present or past location within a radius of 1,750 feet is prohibited if the consumer is under 16.
- Profiling of minors is restricted. Controllers may not profile a consumer they know, or willfully disregard, to be younger than 16.
These protections for minors extend beyond COPPA, which applies only to children under 13. Oregon's protections cover consumers under 16.
Business Obligations
Privacy Notice Requirements
Controllers must publish a clear, accessible privacy notice that includes:
- The categories of personal data processed
- The purposes for processing personal data
- How consumers can exercise their rights
- The categories of personal data shared with third parties
- The categories of third parties with whom data is shared
- A description of any processing for targeted advertising, profiling, or sale of personal data, along with a procedure to opt out
Under HB 2008 (2025), controllers must now also specify the express purposes for which they collect and process personal data and limit collection to only data that is adequate, relevant, and reasonably necessary for those stated purposes.
Data Minimization
The OCPA requires controllers to limit their collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. Businesses cannot collect data speculatively for potential future use.
Data Protection Assessments
Controllers must conduct and document data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers. These assessments are required for:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling where there is a reasonably foreseeable risk of harm
- Processing sensitive data
Assessments must be maintained on file for at least five years. The Oregon DOJ has published detailed guidelines and noted that assessments conducted to comply with other state privacy laws can satisfy OCPA requirements, provided they are reasonably similar in scope.
Processor Contracts
When a controller engages a processor to handle personal data on its behalf, the relationship must be governed by a contract that clearly defines the roles, responsibilities, and data processing instructions. Processors must assist controllers in meeting their OCPA obligations, including responding to consumer rights requests.
Security Safeguards
Controllers must implement and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and accessibility of personal data. Under HB 2008 (2025), this obligation is now explicitly codified within the OCPA itself.
Universal Opt-Out and Geolocation Sale Ban
Starting January 1, 2026, controllers must recognize and honor Universal Opt-Out Mechanisms (UOOMs). The most widely adopted example is the Global Privacy Control (GPC), a browser-based signal that automatically communicates a consumer's opt-out preferences to every website they visit.
When a controller detects a GPC signal or other recognized UOOM, they must treat it as a valid request to opt out of the sale of personal data and targeted advertising. Controllers must honor these requests within 15 days.
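The Global Privacy Control specification expresses the preference as a `Sec-GPC: 1` request header (and as `navigator.globalPrivacyControl` in the browser). The following is an added example, not code from the Oregon DOJ or any vendor, showing how a server can detect that header, treat it as an opt-out of sale and targeted advertising only (a profiling opt-out still needs an explicit request), and stamp the record with the 15-day deadline the page describes. The consent-record shape and the header object format are assumptions; the sample headers are constructed, not captured.

```javascript
// Added example: server-side handling of the Global Privacy Control (GPC)
// signal as an OCPA universal opt-out. Not from the Oregon DOJ or any vendor.
// Assumptions: request headers arrive as a plain object (Node/Express style;
// key casing is not guaranteed), and the consent-record fields are hypothetical.

const OPT_OUT_DEADLINE_DAYS = 15; // OCPA: honor opt-out requests within 15 days

// Per the GPC specification the header is "Sec-GPC" and its only defined
// value is "1". Anything else (absent, "0", "true", empty) is not a signal,
// so a permissive "truthy" check would over-trigger and a case-sensitive
// key lookup would under-trigger.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value; // some stacks hand back arrays
      return typeof v === 'string' && v.trim() === '1';
    }
  }
  return false;
}

// Apply the signal to a consent record. GPC maps onto two of the three OCPA
// opt-out rights (sale and targeted advertising); the profiling flag is left
// as it was because GPC does not express that preference.
function applyUniversalOptOut(record, headers, now = new Date()) {
  if (!gpcSignalPresent(headers)) {
    return { ...record, gpcDetected: false };
  }
  const receivedAt = new Date(now);
  const honorBy = new Date(receivedAt);
  honorBy.setUTCDate(honorBy.getUTCDate() + OPT_OUT_DEADLINE_DAYS);
  return {
    ...record,
    gpcDetected: true,
    saleOptOut: true,
    targetedAdsOptOut: true,
    optOutSource: 'gpc',
    optOutReceivedAt: receivedAt.toISOString(),
    optOutHonorBy: honorBy.toISOString(),
  };
}

// Browser side: the same preference is exposed as navigator.globalPrivacyControl.
// Returns null where no navigator exists (e.g. under Node) so callers can
// distinguish "unknown" from "not set".
function browserGpcEnabled(nav = typeof navigator !== 'undefined' ? navigator : null) {
  if (!nav) return null;
  return nav.globalPrivacyControl === true;
}

// Self-check over constructed requests (not captured traffic). Returns the
// list of cases that did NOT behave as expected, so an empty array means pass.
function runGpcChecks() {
  const base = { saleOptOut: false, targetedAdsOptOut: false, profilingOptOut: false };
  const at = new Date('2026-01-01T00:00:00Z');
  const cases = [
    { headers: { 'sec-gpc': '1' }, expectOptOut: true },
    { headers: { 'Sec-GPC': '1' }, expectOptOut: true },   // header casing
    { headers: { 'sec-gpc': ['1'] }, expectOptOut: true }, // array-valued header
    { headers: { 'sec-gpc': '0' }, expectOptOut: false },
    { headers: { 'sec-gpc': 'true' }, expectOptOut: false },
    { headers: {}, expectOptOut: false },
  ];
  return cases.filter((c) => {
    const r = applyUniversalOptOut(base, c.headers, at);
    const ok = r.saleOptOut === c.expectOptOut
      && r.targetedAdsOptOut === c.expectOptOut
      && r.profilingOptOut === false; // never changed by GPC
    return !ok;
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  const failures = runGpcChecks();
  console.log(failures.length === 0 ? 'GPC handling: all checks passed' : failures);
}
```

The deadline stamp is what an auditor will ask about: the statute's 15-day clock starts when the signal is received, so the record should carry both the receipt time and the computed due date rather than relying on a batch job's schedule.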
Geolocation Sale Ban for All Consumers
Also effective January 1, 2026, the OCPA bans the sale of precise geolocation data for all Oregon consumers, regardless of age. This prohibition applies to data that accurately identifies a consumer's present or past location within a radius of 1,750 feet. Unlike the children's-data provision, which hinges on age, this ban applies to every Oregon consumer covered by the OCPA.
Enforcement and Penalties
Attorney General Enforcement
The Oregon Attorney General has exclusive enforcement authority over the OCPA. There is no private right of action, meaning individual consumers cannot sue businesses directly for OCPA violations. Instead, consumers file complaints with the Oregon DOJ Consumer Protection Division.
Cure Period Has Expired
From July 1, 2024 through December 31, 2025, the OCPA included a 30-day cure period. If the DOJ identified a fixable violation, it had to provide the business with notice and 30 days to remedy the problem before taking formal enforcement action.
That cure period expired on January 1, 2026. The Oregon Attorney General can now serve a Civil Investigative Demand or file a lawsuit without first offering notice-and-cure. This represents a significant shift in the enforcement landscape for businesses operating in Oregon.
Penalty Amounts
| Violation Type | Maximum Penalty |
|---|---|
| OCPA violation (per violation) | $7,500 |
| Each affected consumer | Counts as separate violation |
| Attorney fees and costs | Recoverable by the state |
| Expert witness fees | Recoverable by the state |
| Investigation costs | Recoverable by the state |
Each affected consumer can count as a separate violation, meaning a data processing violation affecting thousands of Oregon residents could result in penalties in the tens of millions of dollars.
First-Year Enforcement Results
The Oregon DOJ released its one-year enforcement report in August 2025 covering the period from July 1, 2024 through June 2025. Key findings include:

- The Privacy Unit received 214 total consumer complaints during the first year
- Social media platforms and data brokers generated the most complaints
- Deletion requests were the consumer right most frequently requested and denied
- 38 enforcement matters were closed during the period, all resolved through the notice-and-cure process then in effect
- The DOJ reported that most businesses updated their privacy notices and improved their consumer rights mechanisms quickly after being contacted
The six-month enforcement report, released in March 2025, also noted over 250 complaints from Oregonians regarding the handling of consumer data by the federal Department of Government Efficiency (DOGE) in Q1 2025.
Oregon Data Broker Registration Law
Separate from the OCPA, Oregon enacted a data broker registration requirement that took effect January 1, 2024. The law is codified at ORS 646A.593 and is administered by the Oregon Department of Consumer and Business Services (DCBS).
A "data broker" is a business that knowingly collects and sells or licenses to third parties the brokered personal data of a consumer with whom the business does not have a direct relationship. Social media companies, retail loyalty programs, and companies that have a direct relationship with the consumer whose data they collect are generally excluded.
Registration Requirements
Data brokers must:
- Register annually with the DCBS before collecting, selling, or licensing brokered personal data within Oregon
- Pay a $600 annual registration fee
- Disclose in their registration whether Oregon residents may opt out of all or some of the broker's activities
- Disclose whether Oregon residents may authorize an agent to exercise opt-out rights on their behalf
As of a January 2025 implementation update, approximately 69% of required data brokers had renewed their registrations, with ongoing enforcement efforts for non-compliant brokers.
Oregon Data Breach Notification Law
Separate from the OCPA, Oregon maintains a data breach notification statute under the Oregon Consumer Information Protection Act (OCIPA), codified at ORS 646A.600 through 646A.628.
What Triggers Notification
A "breach of security" is defined as an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information. This does not include inadvertent acquisition by an employee or agent if the information is not misused and does not pose an actual threat to consumer security.
Personal Information Defined
Under the OCIPA, personal information includes a consumer's first name or initial and last name combined with any of the following:
- Social Security number
- Driver's license or state ID number
- Passport number or other U.S. identification number
- Financial account numbers with access codes
- Biometric data (fingerprints, retina scans, iris images)
- Health insurance information
- Medical history or information about a health condition or treatment
- A username or account ID plus a password or security question answers
Notification Timeline
Entities must notify affected Oregon consumers no later than 45 days after discovering or receiving notice of the breach. The notification must include a description of the incident, the type of personal information involved, contact information for the entity, and contact information for major credit reporting agencies.
Attorney General Reporting
If a breach affects more than 250 Oregon consumers, the entity must also report the breach to the Oregon Department of Justice within the same 45-day window, along with a sample copy of the consumer notification.
Breach Notification Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Per violation (OCIPA) | $1,000 |
| Continuing violation cap | $500,000 |
Safeguard Requirements
The OCIPA also requires businesses that maintain personal information to develop, implement, and maintain reasonable safeguards. These must include administrative, technical, and physical measures to protect the security, confidentiality, and integrity of personal information.
2025-2026 Legislative Updates
HB 2008 (2025): OCPA Amendments
Oregon's legislature passed HB 2008 during the 2025 regular session, strengthening several OCPA provisions:
- Purpose specification. Controllers must state the express purposes for collecting and processing personal data in their privacy notices.
- Data minimization codified. Collection must be limited to data that is adequate, relevant, and reasonably necessary for the specified purposes.
- Security safeguards. Controllers must establish safeguards protecting the confidentiality, integrity, and accessibility of personal data.
- Consent revocation. Controllers must provide an effective means for consumers to revoke previously given consent.
- Children's data sale ban. Prohibits the sale of personal data belonging to consumers under 16.
- Minor geolocation restrictions. Bans selling location data (within 1,750 feet accuracy) of consumers under 16.
- Profiling restrictions for minors. Prohibits processing or profiling consumers the controller knows or willfully disregards are under 16.
SB 1546 (2026): AI Companion Chatbot Law
Oregon enacted SB 1546 in 2026, becoming one of the first states to regulate AI companion chatbots. The law takes effect January 1, 2027.
SB 1546 covers operators of "artificial intelligence companions," defined as AI systems that simulate a sustained human-like relationship or companionship with users and retain contextual information across interactions to personalize engagement. Key requirements include:
- Disclosure. Chatbots must regularly remind users that they are AI, not real people, and cannot misrepresent themselves as humans.
- Mental health safeguards. Operators must detect expressions of suicidal ideation or self-harm, interrupt the conversation when necessary, and provide referrals to crisis resources such as the 988 Suicide and Crisis Lifeline.
- Minor protections. Additional requirements apply when an operator knows or has reason to believe a user is under 18.
- Annual public reporting. Operators must publish disclosures summarizing crisis referrals, intervention protocols, and clinical best practices.
Enforcement is via a private right of action with $1,000-per-violation statutory damages, making this one of the few Oregon-specific AI statutes with direct consumer enforcement.
Federal Overlay
Oregon consumers and businesses also operate under several federal data privacy frameworks that interact with or supplement the OCPA.

TAKE IT DOWN Act (2025)
President Trump signed the TAKE IT DOWN Act (Pub. L. 119-12) on May 19, 2025. The law criminalizes the publication of non-consensual intimate imagery (NCII), including AI-generated deepfakes. Criminal liability began immediately upon signing. Platform takedown obligations became effective May 19, 2026: covered platforms must remove NCII within 48 hours of a victim request and delete all copies. The FTC enforces the platform obligations, with potential civil penalties of $53,088 per violation.
HIPAA
The Health Insurance Portability and Accountability Act governs protected health information (PHI) held by covered entities and their business associates. Oregon healthcare providers, health plans, and their vendors remain subject to HIPAA's Privacy and Security Rules independently of the OCPA. However, HIPAA-regulated data may still be subject to the OCPA when collected for purposes outside HIPAA's scope.
GLBA (Gramm-Leach-Bliley Act)
Financial institutions subject to the Gramm-Leach-Bliley Act must comply with its Safeguards Rule (amended by the FTC in 2021, with most new requirements effective June 2023, and a breach-notification requirement added in 2023) regarding the security of consumer financial data. GLBA-regulated financial data is exempt from the OCPA at the data level, but institutions not otherwise exempt must still comply with OCPA requirements for non-GLBA consumer data they collect.
FCRA (Fair Credit Reporting Act)
Consumer reporting agencies and users of consumer reports must comply with the Fair Credit Reporting Act's requirements for accuracy, permissible purpose, and consumer access rights. FCRA-regulated data is exempt from the OCPA.
COPPA (Children's Online Privacy Protection Act)
COPPA requires verifiable parental consent before collecting personal information online from children under 13. Oregon's OCPA children's provisions extend protections to consumers under 16, going further than COPPA's under-13 threshold.
FTC Act Section 5
The FTC's authority to prohibit unfair or deceptive acts or practices applies broadly to data privacy and security. Oregon businesses not covered by the OCPA (those below the processing thresholds) may still face FTC enforcement for privacy-related deception or unfairness.
How Oregon Compares to Other State Privacy Laws
Oregon's OCPA shares structural similarities with the privacy laws in Colorado, Connecticut, and Virginia, but includes several provisions that make it more protective of consumers:
| Feature | Oregon (OCPA) | California (CCPA/CPRA) | Colorado (CPA) | Virginia (VCDPA) |
|---|---|---|---|---|
| Revenue threshold | None | $25 million | None | None |
| Nonprofits covered | Yes (after July 2025) | No | Yes | No |
| Right to list specific third parties | Yes | No (categories only) | No | No |
| Sensitive: transgender/nonbinary status | Yes (first state to list it) | No | No | No |
| Sensitive: crime victim status | Yes (unique) | No | No | No |
| Geolocation sale ban (all consumers) | Yes (Jan 2026) | No | No | No |
| Universal opt-out required | Yes (Jan 2026) | Yes | Yes (July 2024) | No |
| Cure period | Expired Jan 2026 | None | Expired Jan 2025 | 30 days (permanent) |
| Maximum penalty per violation | $7,500 | $7,500 | $20,000 | $7,500 |
| Private right of action | No | Limited (data breaches) | No | No |
Practical Compliance Steps for Oregon Businesses
Businesses that meet the OCPA's processing thresholds should take these steps to comply:
- Audit your data inventory. Map what personal data you collect, why you collect it, where it goes, and which third parties receive it. Purpose limitation and data minimization both require this foundation.
- Update your privacy notice. Include express processing purposes, a description of all sensitive data processing, instructions for consumers to exercise rights, and a named opt-out procedure for targeted advertising and data sales.
- Build a consumer rights request workflow. Establish a reliable intake mechanism (email, web form, or toll-free number) and ensure you can respond within 45 days. Include an appeal process.
- Conduct data protection assessments. Document assessments for all targeted advertising, data sales, profiling, and sensitive data processing activities. Retain assessments for five years.
- Honor Universal Opt-Out Mechanisms. As of January 1, 2026, GPC signals are legally operative opt-out requests. Test your systems to confirm they detect and process GPC signals within 15 days.
- Review your geolocation data practices. Stop selling precise geolocation data (within 1,750 feet accuracy) for all Oregon consumers, not just minors.
- Check sensitive data consent. If you collect or process data revealing transgender or nonbinary status or crime victim status, verify you have opt-in consent. Crime victim status is unique to Oregon, and transgender or nonbinary status is listed as sensitive by only a few states, so consent flows built for other jurisdictions may not cover these categories.
- Register if you are a data broker. If you sell or license personal data about Oregon consumers with whom you have no direct relationship, register with the DCBS and pay the $600 annual fee.
- Review processor contracts. Ensure all data processing agreements with vendors contain the required OCPA provisions.
- Train employees. Security safeguards obligations include training employees on data handling procedures and monitoring for security threats.
How Oregon Residents Exercise Their Rights
Oregon consumers can exercise their OCPA rights by submitting a request directly to any covered business. The business must provide at least two methods to submit rights requests, one of which must not require creating an account.

To exercise your rights:
- Locate the privacy notice on the company's website. It must contain instructions for submitting requests.
- Submit a rights request via the method listed (typically a web form or email address for privacy requests).
- Expect a response within 45 days, with an optional 45-day extension. The business must tell you if it is extending the deadline and why.
- Appeal a denial using the process described in the denial notice. The business must respond to your appeal within 45 days.
- File a complaint with the Oregon Attorney General if a business denies your appeal or fails to respond. The Oregon DOJ's consumer privacy complaint portal accepts OCPA complaints.
For opt-out rights, enabling the Global Privacy Control in a supported browser automatically communicates your opt-out preference to all covered websites you visit. Businesses must honor GPC signals within 15 days as of January 1, 2026.
Sources and References
- Oregon Revised Statutes Chapter 646A (Consumer Protection) (oregonlegislature.gov)
- Oregon DOJ - Privacy Law FAQs for Businesses (doj.state.or.us)
- Oregon DOJ - Privacy Law FAQs for Consumers (doj.state.or.us)
- Oregon DOJ - Privacy Law FAQs for Nonprofits (doj.state.or.us)
- Oregon DOJ One-Year OCPA Enforcement Report (doj.state.or.us)
- Oregon DOJ Six-Month OCPA Enforcement Report (doj.state.or.us)
- Oregon DOJ Data Protection Assessment Guidelines (doj.state.or.us)
- Oregon DOJ Universal Opt-Out Tool Announcement (doj.state.or.us)
- HB 2008 Enrolled (2025 Regular Session) (olis.oregonlegislature.gov)
- Oregon DOJ Data Breaches Page (doj.state.or.us)
- Oregon DFR Data Broker Registry (dfr.oregon.gov)
- Oregon Consumer Information Protection Act Guide (dfr.oregon.gov)
- FTC TAKE IT DOWN Act Enforcement Information (ftc.gov)
- Oregon Real Estate Agency OCPA Overview (oregon.gov)