enactedUS-OREffective July 1, 2024

Oregon Consumer Privacy Act (OCPA)

Complete compliance guide for companies with <200 employees. Everything you need to know about OCPA requirements, deadlines, and penalties.

DSAR Deadline

45 calendar days

+ 45 days extension

Max Penalty

$7,500/violation

Up to $7,500 per violation under Oregon's Unlawful Trade Practices Act. The initial 30-day cure period expired on January 1, 2026, meaning violations are now immediately enforceable. The Attorney General is the sole enforcement authority.

Threshold

100,000 consumers

Est. Cost

$4,000 – $16,000

4-12 weeks

Mid-Market Compliance Guide

Oregon's OCPA stands out for two reasons: it applies to nonprofits (unlike most US state privacy laws), and it requires controllers to disclose specific third parties — not just categories — to whom data has been shared. This makes compliance more demanding for companies with complex data-sharing arrangements. The threshold is 100,000+ consumers (excluding payment transactions) or 25,000+ consumers deriving 25%+ revenue from data sales.

Key Requirements

Provide a clear and reasonably accessible privacy notice
Limit data collection to what is reasonably necessary
Obtain consent before processing sensitive data including children's data
Conduct data protection assessments for high-risk processing
Honor universal opt-out mechanisms
Provide a list of specific third parties to whom data has been disclosed

Enforced by: Oregon Attorney GeneralOfficial site

Consumer Rights

Right to Access personal data

Right to Correct inaccurate data

Right to Delete personal data

Right to Data Portability

Right to Opt-Out of sale, targeted advertising, and profiling

Right to Obtain a list of specific third parties receiving data

Business Obligations

1.Provide privacy notice with required disclosures
2.Respond to consumer requests within 45 days
3.Disclose specific third parties (not just categories)
4.Conduct and document data protection assessments
5.Execute data processing agreements with processors

Exemptions

•HIPAA-covered entities and data
•GLBA-covered financial institutions
•Government entities
•Higher education institutions

Related Privacy Laws

VCDPA

US-VA

Virginia Consumer Data Protection Act

CPA

US-CO

Colorado Privacy Act

CCPA/CPRA

US-CA

California Consumer Privacy Act

Recommended Compliance Tools

No vendors have been reviewed for OCPA coverage yet.

Browse all compliance tools

Get a mid-market compliance checklist for OCPA

We'll send you a practical, step-by-step checklist tailored for companies with <200 employees. No spam, unsubscribe anytime.

See how DPAs enforce OCPA in practice

Real fines, real violations, real lessons. Browse our enforcement database to understand what gets penalized under OCPA.

Browse Enforcement Actions

Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/3/2026.

Read the official text of OCPA