OCPA Consumer Rights: Oregon Data Privacy Act

The Oregon Consumer Privacy Act (OCPA), codified at ORS 646A.570 to 646A.589, gives Oregon residents the right to access, correct, delete, and port their personal data, to opt out of targeted advertising, sales, and certain profiling, and, distinctively, to request a list of the specific third parties that received their data. Controllers must respond to a verified request within 45 days under ORS 646A.578.

As of 2026, these rights are enforced exclusively by the Oregon Attorney General, and the 30-day right to cure that controllers leaned on through 2025 sunset on January 1, 2026. Consumers who are denied may appeal, and a controller must act on the universal opt-out signal as of January 1, 2026.

Jurisdiction scope: This covers the Oregon Consumer Privacy Act (ORS 646A.570 to 646A.589). It is general legal information, not legal advice.

The full slate of OCPA consumer rights

The OCPA gives Oregon residents a complete set of data rights, set out in ORS 646A.574. The Oregon DOJ summarizes them with the memory aid LOCKED: List, Opt-out, Copy, Know, Edit, and Delete. The statutory rights map onto that framing.

Under ORS 646A.574(1)(a)(A), a consumer has the right to confirmation "as to whether the controller is processing or has processed the consumer's personal data," along with access to that data. Under ORS 646A.574(1)(b), the consumer may "require a controller to correct inaccuracies in personal data about the consumer," taking into account the nature and purpose of the processing. Under ORS 646A.574(1)(c), the consumer may "require a controller to delete personal data about the consumer," including data the consumer provided and data the controller otherwise obtained or collected.

Data portability is part of the access right. Under ORS 646A.574(2), when a consumer exercises the access right, the controller must provide the personal data "in a portable and, to the extent technically feasible, readily usable format" that lets the consumer transmit the data to another controller without hindrance, where the processing is carried out by automated means.

These rights apply to "consumers," meaning Oregon residents acting in an individual or household context. Data about individuals acting in a commercial or employment context is generally outside the consumer definition. The Oregon OCPA overview explains how applicability and the consumer definition fit together.

The specific third-party list right, front and center

Oregon's signature right is the ability to learn exactly which third parties received a consumer's data. ORS 646A.574(1)(a)(B) gives a consumer the right to obtain "a list of specific third parties, other than natural persons," to which the controller has disclosed the consumer's personal data. At the controller's option, the controller may instead provide a list of the specific third parties to which it has disclosed any personal data.

The phrase "specific third parties" is the operative language. Most state privacy laws require a controller to disclose only the categories of third parties with which it shares data, such as "advertising networks" or "service providers." Oregon goes further. A consumer can ask for the named entities, not just the groupings. The carve-out for "natural persons" means the controller need not list individual people, but it must identify the businesses and organizations that received the data.

This right is one of the harder OCPA obligations to satisfy operationally, because it requires a controller to track disclosures at the level of identifiable recipients. A controller that shares data with dozens of vendors and partners must be able to reconstruct, for a given consumer or at least at the system level, which specific entities received personal data. For consumers, the payoff is a level of transparency that exposes the actual flow of their information. Oregon led on this right, and as of 2026 it remains rare among state privacy laws.

Opt-out rights: targeted advertising, sale, and profiling

ORS 646A.574(1)(d) gives consumers the right to opt out of three categories of processing. The first, under ORS 646A.574(1)(d)(A), is targeted advertising, meaning advertising selected based on personal data obtained from the consumer's activities across nonaffiliated websites or applications. The second, under ORS 646A.574(1)(d)(B), is the sale of personal data. The third, under ORS 646A.574(1)(d)(C), is "profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance."

The profiling opt-out matters most in automated decision settings. Profiling that affects a consumer's access to credit, employment, housing, insurance, education, or similar opportunities falls within this right. A consumer who does not want automated profiling driving such decisions may opt out.

Oregon's definition of "sale" in ORS 646A.570(17) is broad. It covers "the exchange of personal data for monetary or other valuable consideration by the controller with a third party." The inclusion of "other valuable consideration," not just money, means data swaps and other non-cash exchanges can count as sales that trigger the opt-out right. The statute lists exclusions, including disclosures to processors, disclosures to affiliates, and disclosures a consumer directed, so not every data transfer is a sale.

Response deadlines: 45 days plus one extension

Controllers must act on a verified consumer request within a defined window. Under ORS 646A.578, a controller must respond to a consumer's request without undue delay and in any event within 45 days of receiving the request. When reasonably necessary, the controller may extend the response period by an additional 45 days, for a total of 90 days, provided it informs the consumer of the extension and the reason for it within the initial 45-day window.

If a controller declines to act on a request, it must inform the consumer without undue delay, and within the 45-day period, of the reasons for not acting and of how the consumer may appeal the decision. The controller generally must provide information in response to a consumer request free of charge, at least once during any 12-month period, though it may decline or charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive.

Controllers must also establish a reliable means for consumers to submit requests and to authenticate them. A controller may not require a consumer to create a new account in order to exercise a right, although it may require the consumer to use an existing account.

The universal opt-out mechanism, effective January 1, 2026

Oregon requires controllers to honor a platform-level opt-out signal as of January 1, 2026. Under ORS 646A.578, a controller that processes personal data for targeted advertising or sells personal data must allow a consumer to opt out through a universal opt-out mechanism, a technology that communicates the consumer's choice to opt out without the consumer having to visit each controller individually.

The Global Privacy Control (GPC), a browser-level signal supported by a growing set of browsers and extensions, is the leading example of such a mechanism. The Oregon DOJ has identified Global Privacy Control as a qualifying signal. The mechanism must reflect the consumer's own affirmative, voluntary choice rather than a default setting imposed by a browser or platform.

The practical effect is significant. A consumer who enables a qualifying signal opts out across all participating controllers at once, rather than clicking an opt-out link on every website. As of 2026, controllers that process data for targeted advertising or that sell personal data must detect and honor these signals. The OCPA compliance checklist covers what businesses must build to recognize them.

The appeals process

The OCPA builds in an appeal right when a controller denies a request. Under ORS 646A.578, a controller must establish a process for a consumer to appeal the controller's refusal to act on a request. The appeal process must be conspicuously available and similar to the process for submitting the original request.

Within 45 days of receiving an appeal, the controller must inform the consumer in writing of any action taken or not taken in response, along with a written explanation of the reasons. If the controller denies the appeal, it must provide the consumer with an online mechanism, if available, or another method, to contact the Oregon Attorney General to submit a complaint.

That link to the Attorney General is important. Because the OCPA has no private right of action, a consumer who believes a controller wrongly denied a request cannot sue the controller directly. The path runs to the Oregon DOJ, which can investigate and enforce. The OCPA overview explains the enforcement structure in more detail.

Rights and deadlines at a glance

How OCPA rights compare nationally

Oregon's rights track the broad pattern that most post-2020 state privacy laws share: access, correction, deletion, portability, and opt-out. Where Oregon diverges is the specific-third-party list right and the breadth of its sensitive-data definition, which feeds the opt-in consent requirement covered in the OCPA overview.

Compared to California's CCPA, Oregon's opt-out structure for sensitive data is stricter. California uses a right to limit the use of sensitive personal information, an opt-out model, while Oregon requires opt-in consent before sensitive data may be processed. On disclosure transparency, Oregon's named-third-party list goes beyond the CCPA's category-level disclosure. The state data privacy law comparison page maps these differences across all current state laws.

Related guides

• Oregon data privacy laws parent hub
• What is the OCPA?
• OCPA compliance checklist
• State data privacy law comparison
• What is the CCPA?

Sources