Applies to businesses processing personal data of 100,000+ Oregon residents, or 25,000+ if you derive 25%+ of revenue from selling personal data. Unique requirement: consumers can request a list of specific third-party recipients.
Effective: 2024-07-01
Penalty max: $7,500
Cure period: None
Honor GPC: Required
Overview
The Oregon Consumer Privacy Act (OCPA) took effect July 1, 2024. Oregon's law is largely modeled on Connecticut's CTDPA but has one structurally important addition: consumers have the right to request a list of specific third parties to which the business has disclosed their personal data — not just categories of recipients, but actual named entities. This is a significant operational requirement that most e-commerce businesses are not equipped to satisfy. The 30-day cure period sunsets on January 1, 2026; after that, the AG can pursue enforcement actions immediately. Oregon requires honoring browser-level Global Privacy Control (GPC) signals as a valid opt-out mechanism.
Who it applies to
Businesses processing personal data of 100,000+ Oregon residents annually.
Businesses processing personal data of 25,000+ Oregon residents AND deriving 25%+ of revenue from selling personal data.
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
Right to know specific third-party recipients
Consumers can request a list of the specific third parties to whom you have disclosed their personal data.
What this means for e-commerce
Oregon's law gives consumers one right not found in other states: they can request a list of the specific third parties to whom you have disclosed their personal data (other states only require categories of recipients). This adds a meaningful operational burden: you need to be able to enumerate, per consumer, which downstream vendors received their data. Oregon's cure period sunsets on January 1, 2026, after which the AG can bring enforcement actions immediately.
Penalties & enforcement
Enforced by the Oregon Attorney General. Penalties range from $0 to $7,500 per violation.
The cure period sunset on 2026-01-01 — the AG can bring enforcement actions immediately upon finding a violation, without first giving you time to fix the problem.
Compliance checklist
Add a 'Your Privacy Choices' link in the site footer
Implement a system to track which specific third parties receive personal data per consumer (Oregon-specific)
Configure your site to detect and honor Global Privacy Control (GPC) signals
Update privacy policy with OCPA-required disclosures
Implement a 45-day consumer request response process
Conduct data protection assessments for high-risk processing
Update vendor and processor agreements
If you serve users aged 13–15, obtain opt-in consent before targeted advertising or data sales
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.