Oregon Consumer Privacy Act: What Businesses Need to Know

Guide to Oregon's OCPA for businesses. Oregon uniquely covers nonprofits and has no revenue threshold. Learn rights, penalties, and compliance steps.

Last updated: 2026-02-08

If your business processes personal data from Oregon residents, the Oregon Consumer Privacy Act (OCPA) has been in effect since July 1, 2024 -- and it has two features that set it apart from nearly every other state privacy law. First, Oregon does not require a minimum revenue threshold to reach the second applicability tier, making it easier for mid-size businesses to be covered. Second, and more significantly, Oregon is one of the only states whose comprehensive privacy law applies to nonprofit organizations, not just for-profit businesses. Whether you are running an online retailer, a SaaS platform, or a charitable organization with Oregon donors, this guide will help you understand what the OCPA requires and how to comply.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Oregon Consumer Privacy Act (Or. Rev. Stat. § 646A.570 et seq., SB 619), as of the date of publication.

Does This Law Apply to Your Business?

The OCPA applies to persons that conduct business in Oregon or provide products or services to Oregon residents, and that during a calendar year control or process the personal data of a specified number of Oregon consumers.

The first threshold covers entities that control or process the personal data of 100,000 or more Oregon consumers. This excludes data controlled or processed solely to complete a payment transaction. Oregon has approximately 4.2 million residents, so a nationally operating e-commerce site where 3 percent of visitors are Oregonians could approach this number.

The second threshold applies to entities that control or process the personal data of 25,000 or more Oregon consumers while deriving any portion of revenue from the sale of personal data. Oregon does not set a minimum revenue percentage. Even a small amount of revenue from data sales, combined with the 25,000-consumer count, is sufficient to trigger coverage.

Here is where Oregon breaks new ground: the OCPA applies to nonprofit organizations. Most state privacy laws exempt nonprofits entirely. Oregon does not. If you run a charitable organization, a trade association, or a public interest group that processes personal data from 100,000 or more Oregon residents, you are covered. This is a significant expansion of the privacy law landscape and reflects Oregon's view that consumers deserve privacy protections regardless of the tax status of the entity processing their data. The nonprofit obligation takes effect on July 1, 2025, giving nonprofits an additional year to prepare.

Exempt entities include government bodies, entities regulated under HIPAA, financial institutions covered by the Gramm-Leach-Bliley Act, and data governed by the Fair Credit Reporting Act, FERPA, and the Driver's Privacy Protection Act. However, the OCPA's nonprofit coverage means that many organizations that would be exempt under other state laws need to assess their obligations under Oregon's law.

Consider a mid-size environmental nonprofit based in Portland with 120,000 donors and supporters across Oregon. Under every other state privacy law, that organization would be exempt. Under the OCPA, starting July 1, 2025, it is covered.

What Rights Do Consumers Have?

The OCPA grants Oregon consumers a standard set of privacy rights. Your business must respond to consumer requests within 45 days, with a possible 45-day extension when reasonably necessary.

Right to Access. Consumers can confirm whether your business is processing their personal data and obtain a copy of the data. You must provide the information in a format that is reasonably accessible to the consumer.

Right to Correction. Consumers can request that you correct inaccurate personal data. Your business must take commercially reasonable steps to correct it.

Right to Deletion. Consumers can ask you to delete the personal data you have collected about them. You must also instruct your processors to delete it, subject to standard exceptions for legal compliance, fraud detection, and completing transactions.

Right to Portability. When consumers exercise their access right, you must provide the data in a portable, readily usable format that allows them to transmit it to another entity without hindrance.

Right to Opt Out. Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

Oregon also includes a right to obtain a list of specific third parties to whom the controller has disclosed the consumer's personal data. This is more specific than laws that only require disclosure of categories of third parties -- Oregon consumers can ask for actual names of entities that have received their data.

Right | Granted? | Notes
--- | --- | ---
Access | Yes | Confirm processing and provide a copy of data
Correction | Yes | Commercially reasonable efforts required
Deletion | Yes | Must delete and instruct processors to delete
Portability | Yes | Data in portable, machine-readable format
Opt out of sale | Yes | No minimum revenue percentage for applicability
Opt out of targeted ads | Yes | Must stop targeted advertising on request
Opt out of profiling | Yes | For decisions with legal or significant effects
List of third parties | Yes | Must identify specific third parties, not just categories

What Your Business Must Do

Your privacy notice must clearly identify the categories of personal data you process, the purposes of processing, how consumers can exercise their rights (including how to appeal a denial), the categories of personal data shared with third parties, and the categories of those third parties. If you sell personal data or process it for targeted advertising, you must disclose that. The notice must be reasonably accessible and clear.

Consumer requests must be handled within 45 calendar days, with a possible 45-day extension when reasonably necessary, provided you notify the consumer and explain the reason. You need a documented workflow for intake, identity verification, data retrieval, response delivery, and recordkeeping.

For sensitive data, the OCPA requires opt-in consent before processing. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification, data from a known child under 13, and precise geolocation data. Oregon's definition of precise geolocation data means data that identifies a consumer's location within a radius of 1,750 feet.

Data protection assessments are required for processing activities that present a heightened risk of harm to consumers. These include targeted advertising, the sale of personal data, processing sensitive data, and profiling. The assessments must weigh the benefits of the processing against potential risks to consumers, taking into account the use of de-identification, consumer expectations, and the context of the processing. These assessments must be made available to the Attorney General upon request.

Processor agreements must specify the nature, purpose, and duration of processing, the types of data involved, and the obligations and rights of both parties. Processors must assist with consumer requests, maintain appropriate security, and delete or return data at the end of the relationship.

For nonprofits covered by the OCPA (starting July 1, 2025), all of these obligations apply in the same way as they do for for-profit businesses. There is no lighter compliance path for nonprofits. Organizations with limited resources should start by mapping their data and building a basic DSAR response process.

How Is It Enforced?

The OCPA is enforced exclusively by the Oregon Attorney General. There is no private right of action.

Violations are treated as unlawful trade practices under Oregon's Unlawful Trade Practices Act, which allows for civil penalties of up to $7,500 per violation. As with other state laws, violations are counted per consumer and per incident, so a widespread compliance failure could result in substantial aggregate fines.

The law includes a 30-day cure period that expires on January 1, 2026. During this window, if the Attorney General notifies a business of a violation, the business has 30 days to cure it and provide a written statement that the violation has been fixed and will not recur. After January 1, 2026, the Attorney General has discretion to grant a cure period based on factors such as the number of violations, the size and complexity of the business, and the nature and extent of the processing activities.

Oregon's Attorney General has been active in consumer protection enforcement, and the state's tech-heavy economy (particularly in the Portland metro area) means there is both a large volume of data processing and political will to enforce privacy standards.

How This Compares to Other State Laws

Oregon's nonprofit coverage and the third-party disclosure right are its distinguishing features. Here is how it compares to Colorado, Montana, and California:

Feature | OCPA (OR) | CPA (CO) | MTCDPA (MT) | CCPA/CPRA (CA)
--- | --- | --- | --- | ---
Effective date | Jul 1, 2024 | Jul 1, 2023 | Oct 1, 2024 | Jan 1, 2020
Consumer threshold | 100K | 100K | 50K | 100K
Revenue threshold | None (any revenue + 25K) | None (any revenue + 25K) | None (any revenue + 25K) | 50% or $26.625M
Covers nonprofits | Yes (from Jul 2025) | No | No | No
Specific third-party list | Yes | No | No | No (categories only)
Cure period | 30 days (sunsets Jan 2026) | 60 days (sunset 2025) | 60 days (sunsets Apr 2026) | None
Private right of action | No | No | No | Yes (breaches only)
Sensitive data consent | Opt-in | Opt-in | Opt-in | Opt-out

Oregon's nonprofit coverage is the headline differentiator. No other major state privacy law extends comprehensive obligations to nonprofits in the same way. If your organization is a nonprofit with a significant Oregon presence, you cannot rely on the exemptions that protect you in other states. The right to obtain a list of specific third parties (not just categories) is also a practical difference -- your business needs to maintain records of actual entities that have received consumer data, not just broad descriptions.

Action Checklist for Small Businesses

  1. Count your Oregon consumers. Review your customer database, analytics, and marketing data. Determine whether you hit the 100,000 threshold, or the 25,000 threshold combined with any data sale revenue.

  2. If you are a nonprofit, do not assume you are exempt. Oregon covers nonprofits starting July 1, 2025. Assess whether you meet the threshold.

  3. Update your privacy notice. Include required disclosures about data categories, processing purposes, third-party sharing, consumer rights, and the appeals process.

  4. Build a DSAR response process. Set up intake channels, document your workflow, and designate a point person. Be prepared to provide a list of specific third parties to whom you have disclosed a consumer's data.

  5. Implement opt-in consent for sensitive data. If you collect health data, biometric data, precise geolocation (within 1,750 feet), or data about children, build an affirmative consent mechanism.

  6. Maintain a third-party disclosure log. Track the specific entities you share consumer data with, not just categories. This is required to fulfill Oregon's third-party list right.

  7. Conduct data protection assessments. Document risks and benefits for targeted advertising, data sales, profiling, and sensitive data processing.

  8. Update processor contracts. Ensure vendor agreements include OCPA-required provisions on purpose, scope, security, and consumer request assistance.

  9. Train your team. Brief customer-facing staff on spotting privacy requests and routing them to the right person.

Key Dates

  • July 18, 2023: Governor Tina Kotek signed the OCPA into law (SB 619).
  • July 1, 2024: OCPA took effect for for-profit businesses.
  • July 1, 2025: OCPA takes effect for nonprofit organizations.
  • January 1, 2026: 30-day cure period expires; AG gains discretion on cure opportunities.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

