The Oregon Consumer Privacy Act (OCPA) gives Oregon residents rights over their personal data and requires covered businesses to honor opt-outs and protect sensitive data. Signed as Senate Bill 619, it has applied to covered businesses since July 1, 2024, and to qualifying nonprofits since July 1, 2025.
This guide covers who must comply, Oregon's unique right to name specific third parties, sensitive data rules, the universal opt-out mandate, and penalties. It closes with how Consently supports the opt-out side of compliance.
What Is the Oregon Consumer Privacy Act (OCPA)?
The Oregon Consumer Privacy Act (OCPA) is a state law, Senate Bill 619, codified at ORS 646A.570 to 646A.589. It creates personal-data rights for Oregon consumers and sets compliance duties for the controllers that collect their data. Oregon signed the law in 2023, joining the wave of US state privacy laws that started with California in 2018.
The OCPA gives Oregon residents the right to access, copy, correct, and delete their personal data. It also grants the right to opt out of the sale of that data, its use in targeted advertising, and certain profiling. These rights apply only when an Oregon resident acts as an individual, not in an employment or business-to-business context.
When Did the Oregon Consumer Privacy Act Take Effect?
The Oregon Consumer Privacy Act took effect July 1, 2024, one year after Governor Tina Kotek signed it into law.
The full timeline runs as follows.
- July 18, 2023: Governor Kotek signs Senate Bill 619, establishing the OCPA.
- July 1, 2024: The OCPA takes effect for covered for-profit and nonprofit businesses that already meet the thresholds.
- July 1, 2025: Compliance begins for qualifying nonprofit organizations.
- September 2025: A 2025 amendment brings motor vehicle manufacturers into scope regardless of the usual consumer thresholds.
- January 1, 2026: Controllers must start honoring universal opt-out signals, and the 30-day cure period sunsets.
Who Has to Comply with the Oregon Consumer Privacy Act?
A business must comply with the OCPA if it conducts business in Oregon or provides products or services to Oregon residents. It also must meet one of two consumer-count thresholds.
The two thresholds are:
- 100,000 or more consumers: the business controls or processes the personal data of 100,000 or more Oregon consumers in a calendar year.
- 25,000 or more consumers plus data sales: the business controls or processes the personal data of 25,000 or more Oregon consumers and derives more than 25% of its annual gross revenue from selling personal data.
The OCPA sets no revenue-size threshold, unlike the CCPA's roughly $26.6 million gate. A small business with modest revenue can still fall under Oregon's law if it meets either consumer-count threshold. The law also reaches businesses outside Oregon that sell to or target Oregon residents.
Oregon's law also reaches further than most state privacy laws: it covers qualifying nonprofit organizations, which many other states exempt entirely. Nonprofit compliance began July 1, 2025, one year after the law took effect for other covered businesses.
Who Is Exempt from the OCPA?
Several entity types and data categories fall outside OCPA coverage.
- Financial institutions already regulated under the Gramm-Leach-Bliley Act.
- Protected health information already covered by HIPAA.
- Consumer report data already governed by the Fair Credit Reporting Act.
- State, local, and tribal government bodies.
- Certain insurers, insurance producers, and insurance consultants.
- Employment records and job-applicant data, since the OCPA excludes anyone acting in an employment context.
- Publicly available data and deidentified data.
A 2025 amendment removed one exemption rather than adding one. As of September 2025, motor vehicle manufacturers and certain affiliates must comply with the OCPA regardless of the usual consumer thresholds.
What Rights Does the OCPA Give Oregon Consumers?
Oregon residents get six core rights, and controllers must act on a request within 45 days.
| Right | What it lets a consumer do |
|---|---|
| Right to Know | Confirm what personal data a controller has collected and which categories it falls into |
| Right to a List of Third Parties | Get a list of the specific third parties that received their personal data |
| Right to Correct | Fix inaccuracies in the personal data a controller holds |
| Right to Delete | Request deletion of their personal and sensitive data |
| Right to a Copy | Obtain a portable copy of their personal and sensitive data |
| Right to Opt Out | Say no to the sale of personal data, targeted advertising, and certain profiling |
The Oregon Department of Justice frames these six rights with its own mnemonic: keep your data L.O.C.K.E.D. (List, Opt-out, Copy, Know, Edit, Delete). Controllers must respond to a verified request no later than 45 days after receiving it.
One of these six rights gets its own section next, because it is the detail that sets Oregon apart from every other state privacy law.
The Right to a List of Specific Third Parties (What Makes Oregon Different)
Oregon was the first US state to give consumers the right to a list of the specific third parties that received their personal data. That list must name actual companies, not categories.
Most state privacy laws let a consumer ask only what categories of third parties got their data. Common category labels include advertising partners or analytics providers. The OCPA goes further. An Oregon consumer can ask a controller to name the actual companies that shared or sold their data.
For a covered business, that means tracking and producing the names of every specific third party a consumer's data reached, not just a category label. It is a meaningfully higher record-keeping bar than the categories-only disclosure other states require. That duty falls on the controller, not any third party, to maintain the list.
What Counts as Sensitive Data Under the OCPA?
Sensitive data under the OCPA is personal data that reveals specific, high-risk information about a consumer. It requires the consumer's affirmative opt-in consent before a controller can process it.
The OCPA classifies the following as sensitive data.
- Race or ethnicity
- Religion
- Mental or physical health condition
- Sexuality
- Citizenship or immigration status
- Status as transgender or nonbinary
- Status as a crime victim
- Genetic or biometric data
- Precise location data
- Any personal data belonging to a child under 13
Two of these categories, status as transgender or nonbinary and status as a crime victim, appear in few other state privacy laws. That makes Oregon's sensitive-data list broader than most. A 2025 amendment also restricts the sale of precise geolocation data pinpointed to within a 1,750-foot radius.
Sensitive data is the one place the OCPA flips from opt-out to opt-in. Everywhere else in the law, a controller can process personal data by default and must offer a way to opt out. For sensitive data, consent must come first, and it must be freely given and specific, not buried in broad terms of service.
Children get an added layer of protection. Businesses must get a parent or legal guardian's consent before collecting, using, or processing any personal data from a child under 13. Consumers between 13 and 15 get a narrower protection: businesses cannot use their data for targeted advertising or certain profiling without permission.
What Is the Universal Opt-Out Mechanism Requirement?
A universal opt-out mechanism (UOOM) is a browser or device-level signal, such as Global Privacy Control. It tells every website at once that a consumer opts out of targeted advertising and the sale of their data. Under the OCPA, covered controllers must accept and honor recognized UOOMs, a requirement that started January 1, 2026.
This is a website-level obligation that arrived later than the rest of the OCPA. The duty to detect and honor the signal sits with the business, not with any single vendor. Before January 1, 2026, controllers could accept universal opt-out signals voluntarily; now they must.
The Oregon Department of Justice has publicized the change directly to consumers. It describes the change as a new browser setting that lets Oregonians opt out of data sales across every site at once.
What Does the OCPA Require Businesses to Do?
Covered businesses, called controllers, carry a set of core duties under the OCPA.
- Post a clear privacy notice and be transparent about what data is collected and why.
- Limit, or minimize, the personal data they collect to what the stated purpose actually needs.
- Get affirmative opt-in consent before processing any consumer's sensitive data.
- Respond to verified consumer requests within 45 days.
- Accept and honor opt-out requests, including recognized universal opt-out signals since January 1, 2026.
- Keep personal data secure with reasonable administrative, technical, and physical safeguards.
- Conduct data protection assessments before high-risk processing, such as targeted advertising, profiling, or selling data.
Data protection assessments are documented risk reviews. The Oregon Attorney General can request a completed assessment during an investigation. A controller running targeted-advertising or data-sale processing needs one on file, not just a general privacy policy.
How Is the Oregon Consumer Privacy Act Enforced? (Fines and the Attorney General)
The Oregon Attorney General holds sole enforcement power under the OCPA, and there is no private right of action. Oregon consumers cannot sue a business directly for a violation.
Violations can carry civil penalties of up to $7,500 per violation, a figure set directly in the statute. Each affected consumer's data can count as a separate violation, so penalties scale with the number of people involved.
Businesses originally received a 30-day window to fix a violation before facing enforcement. As of January 1, 2026, the Attorney General is no longer required to give controllers notice and an opportunity to cure. There is no longer a guaranteed cure period for any OCPA violation.
Consumers who believe a business violated the OCPA can file a complaint with the Oregon Department of Justice. The department also runs a Consumer Hotline for privacy-law questions.
How Is the OCPA Different from the CCPA and GDPR?
The Oregon Consumer Privacy Act, the CCPA, and the GDPR all grant data rights, but they diverge on consent model, applicability, and enforcement.
| OCPA | CCPA / CPRA | GDPR | |
|---|---|---|---|
| Consent model | Opt-out by default; opt-in for sensitive data | Opt-out by default; opt-in for minors and sensitive data | Opt-in required before processing |
| Applicability | Consumer-count thresholds only, no revenue gate | Revenue, data-volume, or data-sale-revenue thresholds | Any organization processing EU residents' data |
| Third-party disclosure | Names the specific third parties that received data | Discloses categories of third parties, not names | Discloses recipients or categories under transparency rules |
| Enforcement | Oregon Attorney General only; no private right of action | California Privacy Protection Agency and Attorney General; limited private right of action for breaches | National data protection authorities |
The OCPA's controller-and-processor terminology and its unique third-party-naming right set it apart from the CCPA, which discloses recipient categories rather than specific company names. Neither law requires opt-in consent by default the way the EU's GDPR does. A site serving Oregon, California, and EU visitors needs to show each audience the model their law requires.
What the Oregon Consumer Privacy Act Means for Your Website and Cookies
A site covered by the OCPA needs a working way for Oregon visitors to opt out of targeted-advertising cookies and data sales. It also needs records that prove those choices were honored.
The practical checklist for a covered site:
- Post a clear privacy notice describing what data your cookies and trackers collect and why.
- Show Oregon visitors a way to opt out of targeted-advertising cookies and the sale of their data.
- Get affirmative opt-in consent before loading anything that processes sensitive data.
- Detect and honor recognized universal opt-out signals, a requirement in force since January 1, 2026.
- Keep records of each visitor's consent and opt-out choices for compliance proof.
- Track the specific third parties that receive shared or sold data, so you can name them if a consumer asks.
Sites already meeting the GDPR's rules for cookie banners have the underlying banner-and-records discipline in place already. The same discipline carries over when you make your website GDPR compliant: block non-essential tags until a visitor consents, then log the outcome. Oregon fits into a wider pattern; see how it compares across the country in our guide to data privacy laws explained.
How Consently Helps You Meet Oregon's Opt-Out and Consent Requirements
Consently supports the consumer-facing side of OCPA compliance: an opt-out banner for Oregon visitors, region-based display, and an audit trail of consent choices.
Consently shows Oregon visitors CCPA and US state-law opt-out tools built from the same opt-out template used across US state privacy laws. A Do Not Sell or Share control sits front and center. Region-based display means Oregon and other US visitors see the opt-out model, while EU visitors see the GDPR opt-in banner instead, all from one account.
Two features back the disclosure and record-keeping side. Consent logs with export give a timestamped record of who opted out and when. That record is useful if the Oregon Attorney General ever asks for proof of compliance. The cookie, privacy, and terms-and-conditions policy generators produce the clear privacy notice the OCPA requires, without a separate legal-drafting tool.
One requirement Consently does not handle automatically: detecting and honoring a visitor's universal opt-out signal, such as Global Privacy Control. That duty sits with the business under the OCPA. Consently's banner, region-based display, and consent logs support the disclosure and opt-out tasks around it, not UOOM detection itself. A policy generator provides compliance assistance, not a legal guarantee.
Every Consently plan includes a 14-day free trial, no credit card required. Try Consently free to see the opt-out banner and consent log in your own dashboard.
FAQs
What is the Oregon Consumer Privacy Act in simple terms?
The Oregon Consumer Privacy Act is an Oregon law that gives residents rights over their personal data. It requires covered businesses to honor opt-outs and protect sensitive data.
When did the Oregon Consumer Privacy Act go into effect?
The OCPA took effect July 1, 2024. Nonprofit compliance began July 1, 2025, and universal opt-out honoring became mandatory January 1, 2026.
Who has to comply with the Oregon Consumer Privacy Act?
Businesses that control or process the personal data of 100,000 or more Oregon consumers per year. Also covered: businesses that process 25,000 or more consumers while deriving over 25% of revenue from selling personal data.
Does the Oregon Consumer Privacy Act apply to small businesses?
Only if a small business meets one of the two consumer-count thresholds. Many small sites fall below 100,000 Oregon consumers, but a site that sells data and reaches 25,000 consumers is covered regardless of its revenue.
Does the Oregon privacy law cover nonprofits?
Yes. Oregon's law is unusually broad and brought qualifying nonprofit organizations into scope on July 1, 2025, unlike many state privacy laws that exempt nonprofits entirely.
What are the penalties for violating the Oregon Consumer Privacy Act?
Civil penalties run up to $7,500 per violation, enforced solely by the Oregon Attorney General. There is no guaranteed cure period for violations occurring on or after January 1, 2026.
Who enforces the Oregon Consumer Privacy Act?
The Oregon Attorney General holds sole enforcement power. No other agency and no private party can enforce the OCPA.
Is there a private right of action under the OCPA?
No. Oregon consumers cannot sue a business directly for an OCPA violation; they can file a complaint with the Oregon Department of Justice instead.
How is the Oregon Consumer Privacy Act different from the CCPA?
The OCPA sets no revenue threshold, uses controller terminology, and lets consumers request the names of specific third parties that received their data. The CCPA discloses only recipient categories and allows a limited private right of action for certain data breaches.

