Oregon Consumer Privacy Act (OCPA)

Overview

The Oregon Consumer Privacy Act (OCPA) is a comprehensive data privacy law that gives Oregon residents increased control over their personal data while imposing strict requirements on businesses. Signed into law in July 2023, the OCPA took effect on July 1, 2024, making Oregon one of the latest U.S. states to implement broad consumer privacy protections.

OCPA shares similarities with Virginia’s CDPA, Colorado’s CPA, and Connecticut’s CTDPA, but introduces unique requirements, such as broader sensitive data protections and a private right of action for certain violations.

Who Must Comply?

The OCPA applies to companies that conduct business in Oregon or target Oregon residents and that meet one of the following criteria:

  • Process personal data of at least 100,000 Oregon consumers annually
  • Process personal data of at least 25,000 Oregon consumers and derive 25% or more of revenue from selling personal data

Exemptions:

The law does not apply to:
🚫 Government agencies
🚫 Nonprofits
🚫 Financial institutions subject to GLBA
🚫 HIPAA-covered entities (hospitals, insurers, healthcare providers)
🚫 Higher education institutions

Key Consumer Rights Under OCPA

Right to Access – Consumers can request a copy of their personal data.
Right to Correct – Consumers can request corrections to inaccurate personal data.
Right to Delete – Consumers can request the deletion of personal data.
Right to Data Portability – Consumers can receive their data in a portable format.
Right to Opt-Out – Consumers can opt out of:

  • Targeted advertising
  • Sale of personal data
  • Automated profiling that affects legal or financial decisions

Business Compliance Requirements

Universal Opt-Out Mechanisms (Starting January 1, 2025) – Businesses must recognize Global Privacy Control (GPC) signals.
Stronger Sensitive Data Protections – Businesses must obtain explicit opt-in consent before processing:
📌 Racial/ethnic origin
📌 Religious beliefs
📌 Biometric data
📌 Health conditions
📌 Sexual orientation
📌 Citizenship or immigration status
Transparency Requirements – Companies must provide clear privacy policies detailing data collection and usage.
Data Protection & Security – Businesses must use reasonable security measures to protect personal data.
Data Protection Assessments (DPA) – Businesses must conduct risk assessments for:
📌 Targeted advertising
📌 Data sales
📌 AI-driven automated decision-making

Real-World Enforcement Cases

The Oregon Department of Justice enforces the OCPA, with penalties of up to $7,500 per violation.

📌 Private Right of Action for Certain Violations
Oregon is one of the few states that allows consumers to sue businesses for certain privacy violations, specifically for unauthorized sale of sensitive data.

Since the law just took effect in July 2024, major enforcement cases are expected in 2025, likely targeting data brokers, AI-driven profiling, and companies failing to comply with opt-out mechanisms.

📌 Comparison with Other State Privacy Laws
The OCPA is one of the strongest consumer privacy laws due to:
Expanded Sensitive Data Protections – Covers citizenship status and sexual orientation, which many state laws do not.
Private Right of Action – Consumers can sue for certain violations.
Universal Opt-Out Signals Required (2025) – Businesses must honor automated privacy requests.

Future of OCPA Regulation

📌 Increased enforcement on AI-driven profiling and data brokers in 2025.
📌 Expansion of private right of action to include more privacy violations.
📌 Potential updates to align with a federal privacy law if passed.

Oregon’s OCPA is among the strongest U.S. privacy laws, with broad consumer rights, strict business compliance requirements, and private enforcement options.
