Oregon's Consumer Privacy Act (OCPA), signed by Governor Tina Kotek on July 18, 2023, became effective July 1, 2024, with a delayed effective date of July 1, 2025 for nonprofits. Oregon's law is considered one of the most consumer-friendly state privacy laws enacted. Key features include: no exemption for publicly available data in the context of data aggregation β a significant departure from most state laws that allow data brokers to use public records freely. Oregon also has a broad definition of sensitive data that includes personal data revealing a consumer's status as a victim of a crime. The OCPA requires opt-in consent for sensitive data processing and provides all standard consumer rights.
Residents of Oregon have the following legally enforceable privacy rights under OCPA:
Confirm whether a business processes your personal data and obtain a copy in portable format.
Request correction of inaccurate personal data held about you by covered businesses.
Request deletion of personal data you've provided or that has been collected about you.
Receive your personal data in a machine-readable, portable format to transfer to other services.
Prevent businesses from selling your personal data to third parties for commercial purposes.
Stop businesses from using your data to show you personalized ads based on your online behavior.
Opt out of automated decision-making used in significant decisions about credit, employment, or housing.
Businesses cannot penalize you with higher prices or reduced service for exercising your rights.
The OCPA applies to controllers that conduct business in Oregon or provide products or services to Oregon residents AND that during a calendar year control or process personal data of 100,000 or more consumers, or control or process personal data of 25,000 or more consumers while deriving 25% or more of gross revenue from selling personal data. Nonprofits are initially exempt but become subject to the law on July 1, 2025 β a significant provision given that many data brokers and advocacy organizations are structured as nonprofits.
Under OCPA, the following categories are classified as sensitive personal data and require explicit opt-in consent before processing:
Racial or ethnic origin Β· Religious or philosophical beliefs Β· Mental or physical health diagnoses Β· Sexual orientation or gender identity Β· Citizenship or immigration status Β· Genetic or biometric data uniquely identifying a person Β· Personal data of known minors Β· Precise geolocation data (within 1,750 feet)
Under OCPA, businesses must respond to consumer rights requests within 45 days of receipt. This may be extended by an additional 45 days with prior written notice explaining the reason for the delay. Businesses must also establish an internal appeals process for denied requests, with a response due within 60 days.
The Oregon Attorney General has exclusive enforcement authority. After providing the controller a 30-day written notice and opportunity to cure (through January 1, 2026), the AG may bring a civil action seeking penalties up to $25,000 per violation. Each day of a continuing violation constitutes a separate violation. Oregon's relatively high per-violation penalty ceiling signals legislative intent toward meaningful enforcement.
To exercise your rights under OCPA, contact the business through their official privacy portal (typically linked at the bottom of their website under "Privacy" or "Your Privacy Rights"). Clearly state:
1. That you are a Oregon resident invoking rights under OCPA
2. Your full name and contact information linked to your account
3. The specific right you are invoking (access, deletion, opt-out of sale, etc.)
4. The legal deadline for response (45 days)
If the company denies your request, you have the right to appeal. If the company does not respond or appeal fails, you may file a complaint with the Oregon Attorney General's office.
| Term | Definition Under OCPA |
|---|---|
| Personal Data | Any information linked or reasonably linkable to an identified or identifiable natural person. Does not include de-identified data or publicly available information. |
| Controller | A natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal data. |
| Processor | A natural or legal person that processes personal data on behalf of a controller (e.g., a cloud hosting vendor). |
| Sale of Personal Data | The exchange of personal data for monetary or other valuable consideration by the controller to a third party. |
| Targeted Advertising | Displaying ads selected based on personal data obtained from a consumer's activities across non-affiliated websites or applications. |
| Profiling | Automated processing to evaluate, analyze, or predict aspects of a consumer's economic situation, health, personal preferences, behavior, location, or movements. |