OCPA Compliance Checklist for Oregon Businesses

Businesses subject to the Oregon Consumer Privacy Act (OCPA), codified at ORS 646A.570 to 646A.589, must run an applicability test, publish a compliant privacy notice, obtain opt-in consent before processing sensitive data, recognize a universal opt-out signal as of January 1, 2026, complete data protection assessments for high-risk processing, sign processor contracts, and build a way to disclose the specific third parties that received a consumer's data. This checklist walks through each step as of 2026.
The enforcement stakes rose in 2026. The 30-day right to cure that controllers relied on through 2025 sunset on January 1, 2026, so the Oregon Attorney General may now bring an action without first offering a guaranteed window to fix the problem. Civil penalties run up to $7,500 per violation under ORS 646A.589.
Jurisdiction scope: This covers the Oregon Consumer Privacy Act (ORS 646A.570 to 646A.589). It is general legal information, not legal advice.
Step 1: Run the applicability test
The first task is to determine whether the OCPA applies at all. Under ORS 646A.572(1), the law covers a person that conducts business in Oregon, or that provides products or services to residents of Oregon, and that during a calendar year controls or processes the personal data of either 100,000 or more consumers, or 25,000 or more consumers while deriving 25 percent or more of annual gross revenue from selling personal data.
The defining feature of this test is that it uses no dollar-revenue floor. Unlike Utah and Virginia, Oregon does not require a business to cross a minimum revenue threshold before the law applies. A company that meets the 100,000-consumer count is covered regardless of how large or small its revenue is. The Oregon OCPA overview explains why this broad net pulls in companies that escape coverage under several peer state laws.
When counting consumers toward the 100,000 threshold, exclude data controlled or processed "solely for the purpose of completing a payment transaction" under ORS 646A.572(1)(a). A business should also check the exemption list in ORS 646A.572(2), but should not assume a single regulatory status removes the whole organization. Oregon's exemptions are narrower than most states: GLBA and HIPAA data are handled at the data level, and most nonprofits are covered rather than exempt, which is why nonprofits got a delayed July 1, 2025 effective date.
Step 2: Publish a compliant privacy notice
Under ORS 646A.578, a covered controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice. The notice must describe the categories of personal data the controller processes, the purposes for processing, how a consumer may exercise their rights and appeal a decision, the categories of personal data the controller shares with third parties, and the categories of those third parties.
The notice must also identify whether the controller sells personal data or processes it for targeted advertising, and it must explain how a consumer may opt out of those activities. As of January 1, 2026, the notice should reflect that the controller recognizes a universal opt-out mechanism. Keep the notice current: when processing practices change materially, the notice must be updated to match.
Step 3: Obtain opt-in consent for sensitive data
Oregon requires affirmative, opt-in consent before a controller may process sensitive data. Under ORS 646A.578, a controller may not process sensitive data about a consumer without first obtaining the consumer's consent, and for the data of a known child, it must process that data consistent with the federal Children's Online Privacy Protection Act.
The reason this step demands attention is the breadth of Oregon's sensitive-data definition. Under ORS 646A.570(18), sensitive data includes data revealing racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime, and citizenship or immigration status. It also covers a child's personal data, genetic or biometric data, and precise geolocation within 1,750 feet. The express inclusion of transgender or nonbinary status, crime-victim status, and immigration status makes Oregon's gate wider than many states. Consent must be a clear affirmative act; pre-checked boxes and inferred agreement do not qualify.

Step 4: Recognize the universal opt-out mechanism by January 1, 2026
A controller that processes personal data for targeted advertising or that sells personal data must let consumers opt out through a universal opt-out mechanism as of January 1, 2026, under ORS 646A.578. This is a browser-level or device-level signal that communicates the consumer's choice without the consumer visiting each controller individually.
The Global Privacy Control (GPC) is the leading example, and the Oregon DOJ has identified it as a qualifying signal. The mechanism must reflect the consumer's affirmative, voluntary choice rather than a default setting. To comply, a controller must build the technical capability to detect a qualifying signal and to treat it as a valid opt-out from targeted advertising and sale. The OCPA consumer rights guide covers how this signal interacts with individual opt-out requests.
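The detection capability described above can be checked in a few lines on the server side. The following is an added example, not code from the page or from the Oregon DOJ. It relies on one fact from the GPC specification, that the browser transmits the signal as the request header `Sec-GPC: 1`; everything else (the `ConsumerPreferences` record, the function names, the sample requests) is constructed for this illustration.

```python
"""Server-side recognition of the Global Privacy Control (GPC) signal."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# The GPC specification carries the signal in the request header "Sec-GPC: 1".
# A missing header or any other value means "no signal", which must never be
# read as consent to targeted advertising or sale.
GPC_HEADER = "sec-gpc"


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True only when the request carries a valid GPC opt-out signal.

    Header names are matched case-insensitively; the value must be exactly "1"
    after trimming whitespace.
    """
    normalized = {name.lower(): value.strip() for name, value in headers.items()}
    return normalized.get(GPC_HEADER) == "1"


@dataclass
class ConsumerPreferences:
    """Hypothetical per-consumer record of what the controller may do with the data."""
    consumer_id: str
    targeted_advertising_allowed: bool = True
    sale_allowed: bool = True
    opt_out_source: Optional[str] = None
    opt_out_recorded_at: Optional[str] = None


def apply_gpc(prefs: ConsumerPreferences, headers: Dict[str, str]) -> ConsumerPreferences:
    """Treat a valid GPC signal as an opt-out from targeted advertising and sale.

    The signal only ever narrows processing. A later request without the header
    leaves an existing opt-out untouched: the absence of a signal is not a
    choice to opt back in.
    """
    if gpc_signal_present(headers):
        prefs.targeted_advertising_allowed = False
        prefs.sale_allowed = False
        prefs.opt_out_source = "gpc"
        prefs.opt_out_recorded_at = datetime.now(timezone.utc).isoformat()
    return prefs


def processing_decision(prefs: ConsumerPreferences) -> Dict[str, bool]:
    """What downstream systems are allowed to do for this consumer right now."""
    return {
        "targeted_advertising": prefs.targeted_advertising_allowed,
        "sale": prefs.sale_allowed,
    }


def demo() -> Dict[str, bool]:
    """Constructed request sequence: first visit with GPC on, second without."""
    prefs = ConsumerPreferences(consumer_id="consumer-0001")
    apply_gpc(prefs, {"Host": "shop.example", "Sec-GPC": "1"})  # signal present
    apply_gpc(prefs, {"Host": "shop.example"})                  # no signal: opt-out sticks
    return processing_decision(prefs)


if __name__ == "__main__":
    print(demo())
```

The header check is the authoritative one because it arrives with the very first request, before any tag manager or advertising script runs. The code records where and when the opt-out was captured, which is the evidence a controller will want if the Attorney General asks how signals were handled. What the code cannot tell is whether the signal reflects the consumer's affirmative choice or a default setting; that is a property of the mechanism itself, which is why the DOJ's identification of GPC as a qualifying signal matters.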
Step 5: Complete data protection assessments
Under ORS 646A.586, a controller must conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer. The statute names the high-risk categories: processing for targeted advertising, the sale of personal data, processing sensitive data, and certain profiling, specifically profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, intrusion on solitude or private affairs, or other substantial injury.
The assessment must weigh the benefits of the processing against the risks to the consumer, as mitigated by safeguards the controller can use. The controller must keep the assessment and make it available to the Oregon Attorney General upon request in connection with an investigation. Assessments apply to processing activities conducted on or after the law's effective date and are not retroactive. Because the Attorney General may demand them during an investigation, assessments function both as a compliance obligation and as potential enforcement evidence.
Step 6: Execute processor contracts
Under ORS 646A.581, a controller that engages a processor to handle personal data on its behalf must do so under a binding contract. The contract must set out the processing instructions, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.
The contract must also require the processor to ensure that each person processing the data is subject to a duty of confidentiality, to delete or return personal data at the end of the engagement, to make available information necessary to demonstrate compliance, to allow and cooperate with reasonable assessments, and to engage subcontractors only under a written contract that imposes the same obligations. A controller that shares data with vendors without these contractual terms in place has a compliance gap that the Attorney General can act on.

Step 7: Build the specific third-party list mechanism
Oregon's signature obligation is the duty to disclose specific third parties. Under ORS 646A.574(1)(a)(B), a consumer may request a list of the specific third parties, other than natural persons, to which the controller disclosed the consumer's personal data or, at the controller's option, to which it disclosed any personal data. This is named-entity disclosure, not the category-level disclosure most state laws require.
To satisfy it, a controller must maintain records of disclosures at the level of identifiable recipients, not just broad groups such as "advertising partners." This is one of the harder OCPA capabilities to engineer, because it requires tracking which specific organizations received personal data. Building this capability early, including a data map of recipients and a workflow to generate the list on request, is the practical core of OCPA readiness on this point. The OCPA overview explains why Oregon led on this right and why it remains rare.
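The record-keeping and the on-request workflow described in this step can be sketched as a small disclosure ledger. This is an added example, not code from the page; the `Recipient` and `Disclosure` record layouts, the class and method names, and all sample recipients and events are constructed for illustration. It produces both forms the statute allows: the per-consumer list and, at the controller's option, the list of recipients of any personal data, in each case leaving out natural persons.

```python
"""Disclosure ledger that can answer a specific-third-party request under the OCPA."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Recipient:
    """One entry in the controller's data map of recipients (hypothetical layout)."""
    recipient_id: str
    legal_name: str
    is_natural_person: bool  # the statutory list excludes natural persons


@dataclass(frozen=True)
class Disclosure:
    """One outbound disclosure event, recorded at the moment data leaves the controller."""
    consumer_id: str
    recipient_id: str
    data_category: str
    disclosed_at: str  # ISO 8601 timestamp, constructed in the samples below


class DisclosureLedger:
    """Append-only log of disclosures keyed to identifiable recipients."""

    def __init__(self, recipients: Iterable[Recipient]) -> None:
        self._recipients: Dict[str, Recipient] = {r.recipient_id: r for r in recipients}
        self._events: List[Disclosure] = []

    def record(self, event: Disclosure) -> None:
        # Refuse to log a disclosure to a recipient missing from the data map:
        # an unnamed recipient is exactly the gap the statutory list exposes.
        if event.recipient_id not in self._recipients:
            raise KeyError(f"recipient {event.recipient_id!r} is not in the data map")
        self._events.append(event)

    def specific_third_parties(self, consumer_id: str) -> List[str]:
        """Names of the non-natural-person recipients of this consumer's personal data."""
        ids = {e.recipient_id for e in self._events if e.consumer_id == consumer_id}
        return self._names(ids)

    def all_third_parties(self) -> List[str]:
        """Controller's option under the statute: recipients of any personal data."""
        return self._names({e.recipient_id for e in self._events})

    def _names(self, ids: Set[str]) -> List[str]:
        return sorted(
            self._recipients[i].legal_name
            for i in ids
            if not self._recipients[i].is_natural_person
        )


def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample data: two consumers, four recipients, one natural person."""
    ledger = DisclosureLedger([
        Recipient("r-adx", "Example Ad Exchange LLC", False),
        Recipient("r-analytics", "Example Analytics Inc", False),
        Recipient("r-broker", "Example Data Broker Co", False),
        Recipient("r-person", "J. Doe (individual consultant)", True),
    ])
    for event in [
        Disclosure("c-1001", "r-adx", "identifiers", "2026-01-05T10:00:00Z"),
        Disclosure("c-1001", "r-analytics", "device data", "2026-01-05T10:00:01Z"),
        Disclosure("c-1001", "r-person", "contact details", "2026-01-06T09:30:00Z"),
        Disclosure("c-2002", "r-adx", "identifiers", "2026-01-07T12:00:00Z"),
        Disclosure("c-2002", "r-broker", "purchase history", "2026-01-08T08:15:00Z"),
    ]:
        ledger.record(event)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.specific_third_parties("c-1001"))
    print(ledger.all_third_parties())
```

The design choice that matters is the rejected write in `record`: a pipeline that can send personal data to a recipient the data map does not know about will never be able to name that recipient later, so the ledger fails closed rather than logging an anonymous disclosure. The per-event timestamp and category also give the controller what it needs to scope a list to the period and data the request covers.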
Enforcement now that the cure period has sunset
Enforcement of the OCPA belongs exclusively to the Oregon Attorney General, acting through the Oregon Department of Justice. Under ORS 646A.589(8), the Attorney General "has exclusive authority to enforce" the OCPA, and the statute does not create a private right of action. No consumer may sue a covered business directly under the OCPA, no matter how clear the violation.
The biggest 2026 change is the end of the guaranteed cure period. Through 2025, ORS 646A.589 required the Attorney General, before bringing an action, to notify the controller and allow 30 days to cure. That cure provision sunset on January 1, 2026. As of 2026, the Attorney General may still choose to allow a controller to fix a problem, but is no longer required to offer a 30-day window. A controller can no longer assume it will get a grace period before enforcement.
Civil penalties run up to $7,500 for each violation under ORS 646A.589(4)(a). The per-violation structure means that a systemic failure affecting many consumers, such as ignoring deletion requests at scale or selling sensitive data without consent, can accumulate quickly. The Oregon DOJ also publishes enforcement reports describing the most common compliance gaps it sees, which businesses can use to prioritize their own programs.
OCPA compliance checklist at a glance
| Step | ORS cite | Key deadline or note |
|---|---|---|
| Applicability test | 646A.572(1) | No dollar floor; 100,000 or 25,000-plus consumers |
| Privacy notice | 646A.578 | Disclose data, purposes, rights, appeals |
| Sensitive-data opt-in | 646A.578, 646A.570(18) | Affirmative consent before processing |
| Universal opt-out | 646A.578 | Recognize signal by January 1, 2026 |
| Data protection assessments | 646A.586 | High-risk processing; available to AG |
| Processor contracts | 646A.581 | Required terms with every vendor |
| Specific third-party list | 646A.574(1)(a)(B) | Track named recipients |
| Enforcement | 646A.589 | Cure sunset January 1, 2026; up to $7,500 per violation |
Related guides
- Oregon data privacy laws parent hub
- What is the OCPA?
- OCPA consumer rights
- State data privacy law comparison
- What is the CCPA?
Sources
- ORS 646A.572: Applicability and Exemptions (oregon.public.law)
- ORS 646A.578: Controller Duties, Privacy Notice, Sensitive-Data Consent, and Universal Opt-Out (oregon.public.law)
- ORS 646A.581: Processor Duties and Controller-Processor Contracts (oregon.public.law)
- ORS 646A.586: Data Protection Assessments (oregon.public.law)
- ORS 646A.589: Attorney General Enforcement and Civil Penalties (oregon.public.law)
- ORS 646A.574: Consumer Rights, Including Specific Third-Party List (oregon.public.law)
- ORS 646A.570 to 646A.589: Oregon Consumer Privacy Act (Full Chapter) (oregonlegislature.gov)
- Oregon DOJ: Consumer Privacy (Oregon Consumer Privacy Act) (doj.state.or.us)
- Oregon DOJ: OCPA One-Year Enforcement Report (2025) (doj.state.or.us)