What Is the OCPA? Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act (OCPA), codified at ORS 646A.570 to 646A.589, took effect July 1, 2024 for most businesses and July 1, 2025 for covered nonprofit organizations. Enacted as Senate Bill 619 and signed by Governor Tina Kotek on July 18, 2023, it gives Oregon residents a full slate of data rights, including one feature few other states match: the right to obtain a list of the specific third parties that received their personal data.
As of 2026, the Oregon Attorney General's Department of Justice holds exclusive enforcement authority and may seek civil penalties of up to $7,500 per violation. The 30-day right to cure that businesses relied on through 2025 sunset on January 1, 2026, so a business can no longer count on a guaranteed grace period before the state acts.
Jurisdiction scope: This covers the Oregon Consumer Privacy Act (ORS 646A.570 to 646A.589). It is general legal information, not legal advice.
What the OCPA is: statute, enactment, and dual effective dates
The Oregon Consumer Privacy Act is Oregon's first comprehensive consumer data privacy law. It is codified at Oregon Revised Statutes Sections 646A.570 through 646A.589 and was enacted during the 2023 regular session as Senate Bill 619, a measure requested by then-Attorney General Ellen Rosenblum. Governor Tina Kotek signed SB 619 into law on July 18, 2023.
The OCPA has two effective dates, a structure that sets Oregon apart from most state privacy laws. For most controllers, the law took effect July 1, 2024. For covered nonprofit organizations, it took effect one year later, on July 1, 2025. That staggered timeline reflects another Oregon distinction: the OCPA covers many nonprofit organizations in the first place. Several other state privacy laws exempt nonprofits entirely, so the nonprofit community in those states never has a compliance date.
The delayed nonprofit date gave charities, advocacy groups, and similar organizations extra time to build privacy programs before their obligations began. As of 2026, both effective dates have passed, so every category of covered organization, for-profit and nonprofit alike, is now fully subject to the OCPA.
For the controller and processor obligations, privacy notice content rules, and data protection assessment requirements in full, see the Oregon data privacy laws parent page.
Who the OCPA covers: applicability with no dollar threshold
The OCPA's applicability test lives in ORS 646A.572(1). The law applies to a person that conducts business in Oregon, or that provides products or services to residents of Oregon, and that during a calendar year controls or processes the personal data of either of two groups.
The first trigger, ORS 646A.572(1)(a), is 100,000 or more consumers, counting all consumers except those whose data is controlled or processed "solely for the purpose of completing a payment transaction." The payment-transaction carve-out means a retailer does not count every card swipe toward the threshold if the only data involved is what is needed to process that single purchase.
The second trigger, ORS 646A.572(1)(b), is 25,000 or more consumers, but only "while deriving 25 percent or more of the person's annual gross revenue from selling personal data." This lower headcount applies to data-driven businesses whose model depends on selling personal information.
What is notably absent is any dollar-revenue floor. Many state privacy laws, including Utah's and Virginia's, pair a consumer-count threshold with a revenue threshold, so that a company below a set annual revenue level escapes coverage regardless of how much data it handles. Oregon set no such floor. A company that meets the 100,000-consumer count is covered even if its annual revenue is modest. This makes the OCPA's net broader at the low-revenue end than several of its peer statutes.
The practical consequence is that mid-size and even smaller companies that process large volumes of Oregon resident data can be covered, where the same company might escape coverage under a law that requires both a data count and a revenue minimum.

Oregon's exemptions: narrower than most states
Many state privacy laws grant sweeping entity-level exemptions: if an organization is a financial institution subject to the Gramm-Leach-Bliley Act, or is a nonprofit, the entire organization falls outside the law. Oregon took a narrower path, and this is one of the OCPA's defining features.
At the data level, ORS 646A.572(2) excludes "protected health information" processed by entities complying with HIPAA, and it excludes various categories of data governed by other federal frameworks. These are data-level carve-outs: the specific regulated data is exempt, not necessarily the whole organization.
On financial institutions, Oregon's structure is more limited than the typical blanket GLBA exemption. ORS 646A.572(2) addresses financial institutions defined under ORS 706.008 and affiliates engaged only in financial activities, but Oregon's exemptions for the financial sector are framed around specific licensed roles and regulated data rather than a sweeping pass for any company that touches GLBA-covered information.
On nonprofits, the contrast is sharpest. Most state privacy laws exempt all nonprofit organizations. Oregon does not. It carves out only narrow categories, such as a nonprofit organization that detects and prevents insurance fraud, and noncommercial activity by publishers and broadcasters. The general body of Oregon nonprofit organizations is covered, which is why the legislature gave them a delayed July 1, 2025 effective date. A consumer advocacy group, a museum, or a membership association that meets the applicability thresholds is generally subject to the OCPA.
Public corporations and public bodies, including bodies such as Oregon Health and Science University and the Oregon State Bar, are addressed within the ORS 646A.572(2) exemption list. Businesses should map each data set and entity against the exemption list rather than assuming a single regulatory status removes the whole organization from the law.
The broad sensitive-data definition
Sensitive data sits at the center of the OCPA because processing it requires opt-in consent. The definition in ORS 646A.570(18) is notably broad compared to peer states.
Under ORS 646A.570(18)(a)(A), sensitive data includes personal data that "reveals a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status." Two of those categories stand out. The express inclusion of "status as transgender or nonbinary" is rare in state privacy law, and the inclusion of "status as a victim of crime" is also uncommon. Many states cover sexual orientation and immigration status, but Oregon's explicit naming of transgender or nonbinary status and crime-victim status broadens the protected set.
The definition continues. ORS 646A.570(18)(a)(B) covers "a child's personal data." ORS 646A.570(18)(a)(C) covers precise location data, specifically data that "accurately identifies within a radius of 1,750 feet a consumer's present or past location." ORS 646A.570(18)(a)(D) covers data that "is genetic or biometric data."
Because sensitive data triggers an opt-in consent requirement, the breadth of Oregon's definition has real operational weight. A controller that processes data revealing a consumer's immigration status or transgender status, or that processes precise geolocation, must obtain affirmative consent first. A broader definition means more data categories fall inside the consent gate.

The specific third-party list right: Oregon's signature feature
The OCPA's most distinctive consumer right is the ability to learn exactly which third parties received a consumer's data. Under ORS 646A.574(1)(a)(B), a consumer may request "a list of specific third parties, other than natural persons," to which the controller has disclosed the consumer's personal data, or, at the controller's option, any personal data.
This is meaningfully different from the disclosure most state privacy laws require. Under the more common model, a consumer can learn only the categories of third parties, such as "advertising partners" or "data analytics vendors." Oregon goes further and lets the consumer ask for the named, specific entities. Oregon was a leader in adding this right, and as of 2026 it remains uncommon nationally.
For businesses, the specific-third-party list right is one of the harder OCPA obligations to engineer, because it requires tracking disclosures at the level of named recipients rather than broad categories. For consumers, it offers far more transparency about where their data actually traveled. The Oregon consumer rights guide covers this right and the response procedure in depth.
OCPA vs. CCPA: the key differences
Oregon's OCPA and California's CCPA are often compared by companies that operate nationally. The state data privacy law comparison page covers the broader multistate picture, but several differences between the OCPA and California's CCPA stand out.
| Feature | Oregon OCPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | 100,000 consumers, or 25,000 plus 25% of revenue from data sales; no dollar floor | $25M revenue, 100,000 consumers, or 50% revenue from data sales |
| Nonprofits | Generally covered (effective July 1, 2025) | Generally exempt |
| Third-party disclosure right | Specific named third parties (ORS 646A.574(1)(a)(B)) | Categories of third parties |
| Sensitive data | Opt-in consent required; broad definition | Right to limit use; opt-out model |
| Private right of action | None | Limited, for certain data breaches |
The most consequential differences are the coverage net and the third-party list right. Oregon's lack of a dollar-revenue floor pulls in companies that the CCPA's $25 million revenue threshold would leave out, and Oregon's specific-third-party list right gives consumers a level of transparency the CCPA's category-level disclosure does not.
The two laws also differ on sensitive data. California uses a "right to limit" the use of sensitive personal information, an opt-out model. Oregon requires opt-in consent before sensitive data may be processed at all, a stricter default for that data.
Sources and References
- ORS 646A.570 to 646A.589: Oregon Consumer Privacy Act (Full Chapter) (oregonlegislature.gov)
- Oregon SB 619 (2023 Regular Session): Measure Overview (oregonlegislature.gov)
- Oregon DOJ: Consumer Privacy (Oregon Consumer Privacy Act) (doj.state.or.us)
- ORS 646A.570: Definitions (Sensitive Data and Sale) (oregon.public.law)
- ORS 646A.572: Applicability and Exemptions (oregon.public.law)
- ORS 646A.574: Consumer Rights, Including Specific Third-Party List (oregon.public.law)
- ORS 646A.578: Controller Duties and Privacy Notice (oregon.public.law)
- ORS 646A.589: Attorney General Enforcement and Civil Penalties (oregon.public.law)
- Oregon DOJ: OCPA One-Year Enforcement Report (2025) (doj.state.or.us)