Oregon Privacy Law Overview
Oregon's privacy law took effect July 1, 2024 and stands out for transparency. Where most state laws let businesses disclose only the categories of recipients, Oregon lets consumers demand the names of the specific third parties that received their data. The law also reaches many nonprofits, which most state privacy laws exempt.
The Oregon Consumer Privacy Act (OCPA)
The OCPA provides the full slate of consumer rights with opt-in consent for sensitive data, and adds a distinctive transparency right: Oregonians can request a list of the specific third parties to which a business has disclosed their personal data — not merely the categories. Nonprofits became subject to the law on July 1, 2025.
OCPA: Quick Overview
- Effective Date: July 1, 2024
- Citation: Or. Rev. Stat. § 646A.570 et seq.
- Enforced By: Oregon Attorney General
- Maximum Penalty: Up to $7,500 per violation
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: 30 days (expired January 1, 2026)
Who Must Comply
The OCPA applies to businesses that meet Oregon's applicability thresholds:
- Controls or processes the personal data of 100,000+ Oregon consumers per year, or
- Processes data of 25,000+ consumers and derives 25% or more of gross revenue from selling personal data
What makes Oregon different: Oregon uniquely lets consumers obtain the names of the specific third parties that received their data, and it covers many nonprofits that other states exempt.
Consumer Rights Under the OCPA
Oregon residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for significant decisions
Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).
Data Breach Notification in Oregon
Oregon requires notice to affected residents within 45 days and to the Attorney General when a breach affects more than 250 Oregonians.
- Deadline to notify residents: No later than 45 days after discovery of the breach
- Attorney General notice: Notify the Oregon Attorney General if more than 250 residents are affected
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Federal Privacy Laws That Apply in Oregon
Even where Oregon law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Oregon Privacy Law FAQ
What makes the Oregon Consumer Privacy Act unusual?
Does Oregon's privacy law apply to nonprofits?
How a Oregon Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Oregon Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Oregon Privacy Attorney?
Whether you are a business working toward compliance or a Oregon resident whose privacy has been violated, our network of Oregon-licensed attorneys can help.
Find a Oregon Privacy Attorney