The Oregon Consumer Privacy Act, enacted via Senate Bill 619 in June 2023, took effect July 1, 2024—with an enforcement window opening January 2026. It regulates how businesses handle personal data of Oregon residents and grants them strong privacy rights.
Key responsibilities include:
Recognizing whether you are a controller (decides data use) or processor (acts on behalf of a controller)
Offering a clear privacy policy covering data categories, purposes, third-party sharing, consumer rights, contact info, profiling, and related opt-outs
Only collecting necessary data and protecting it with reasonable administrative, technical, and physical measures
Performing data protection assessments when processing sensitive data, engaging in profiling or targeted advertising, or selling personal data
Establishing contracts between controllers and processors that reflect OCPA obligations
Businesses should:
Conduct an audit: Perform a full audit of data collection and sharing practices and identify personal data collected and its purposes
Update privacy policy: Review and update privacy and cookie policies with OCPA-specific disclosures
Implement consent management: Implement cookie consent banners and opt-out flows to automate consent capture and preference management
Ensure consumer rights: Establish mechanisms to respond to consumer rights requests within 45 days
Perform Data Protection Assessments: Safeguard privacy with regard to targeted advertising, data sales, profiling, or processing sensitive data.
OCPA applies if, during a calendar year, your business processes the personal data of 100,000 or more Oregon consumers (excluding payment-only data), or processes the personal data of 25,000 or more consumers while deriving 25% or more of its revenue from data sales.
It applies to entities conducting business in Oregon or serving its residents—this includes nonprofits, which received a delayed compliance deadline that took effect July 1, 2025.
Exemptions include government agencies, financial institutions under GLBA, HIPAA-covered entities, educational, public-interest nonprofit groups (e.g. fraud prevention, press associations).
The law guarantees Oregon residents these rights:
Consumers can access and confirm processing of personal data
Consumers can request to correct inaccuracies
Consumers can request that their personal data be deleted
Consumers have a right to port/download/transmit their information in a usable format
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal/significant effect
Consumers can find out what third parties have received their data and confirm whether an entity is processing it
Controllers must respond within 45 days, with a possible additional 45-day extension, and must explain any denials with appeal instructions. Parents must consent to data processing of children under 13 in accordance with COPPA.
Cookies that facilitate sensitive data tracking, targeted ads, or data sharing fall under OCPA regulation. Businesses must:
Inform users clearly in banner notices
Obtain explicit consent for non-essential cookies
Provide an easy mechanism to opt-out and withdraw consent
Under the OCPA, businesses must implement clear cookie banners or consent interfaces when cookies are used for targeted advertising, profiling, or data sharing—including cookie consent specifically tailored to Oregonians. The banner must clearly inform users what types of cookies are used, allow opt-in or opt-out, and let users withdraw consent easily.
The Oregon Attorney General enforces the OCPA. After identifying a violation, they may issue a 30-day cure notice; post-January 1, 2026, violations can result in civil fines of up to 7,500 USD per violation, plus legal fees. There's no private right of action—only AG enforcement is permitted.
In addition to taking the actions required to comply with the OCPA, organizations should also adhere to data privacy best practices, such as:
Audit: Conduct a data audit to identify all cookies and trackers on their websites
Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management: Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts: Review third-party data-sharing practices
It applies to entities conducting business or serving Oregon residents and meeting thresholds: ≥ 100k consumers or ≥ 25k + 25% revenue from data sales.
Any data that can reasonably be linked to an individual—names, emails, device IDs, geolocation, browsing habits, etc.
Racial/ethnic origin, religion, health, biometric/genetic data, sexual orientation, precise geolocation, citizenship, crime victim status, transgender status, and children’s data under 13.
Enforcement rests solely with the Oregon Attorney General’s Office.
Government bodies, HIPAA/GLBA-covered entities, certain nonprofits (fraud prevention, broadcast reporting), employment-related data, deidentified publicly available data.
Visit the Oregon DOJ’s Consumer Privacy site for more detailed information about OCPA compliance and enforcement.