Oregon Consumer Privacy Act (OCPA): Complete 2026 Compliance Guide
Oregon’s Unique Approach to Data Privacy
The Oregon Consumer Privacy Act (OCPA) took effect on July 1, 2024, after being signed into law on July 18, 2023. Oregon’s privacy law stands out for two key reasons: it is one of the few states that applies its privacy law to nonprofit organizations, and it underwent significant amendments in 2025 that eliminated the cure period, banned the sale of minors’ data, and expanded coverage to all motor vehicle manufacturers.
If your business or nonprofit operates in Oregon or serves Oregon consumers, you may be subject to the OCPA. Use our Privacy Law Calculator to check your compliance obligations across all states.
Who Must Comply with the OCPA?
The OCPA applies to entities that conduct business in Oregon or deliver commercial products or services targeted to Oregon consumers, AND meet either of these thresholds during a calendar year:
- Control or process personal data of 100,000 or more Oregon consumers, OR
- Control or process personal data of 25,000 or more Oregon consumers AND derive over 50% of gross revenue from the sale of personal data
Critical distinction: Unlike most state privacy laws, the OCPA applies to both for-profit businesses and nonprofit organizations. If your nonprofit processes data of 100,000+ Oregon consumers, you are subject to the full requirements of the law.
Motor Vehicle Manufacturers
Under HB 3875 (effective September 26, 2025), all motor vehicle manufacturers that process consumer vehicle data in Oregon are now covered by the OCPA regardless of whether they meet the standard consumer count thresholds. This was a direct response to growing concerns about connected-car data collection.
Exemptions
The OCPA exempts several categories of entities and data types:
- Entity exemptions: Government bodies, financial institutions subject to GLBA, entities covered by HIPAA (entity-level exemption), and institutions of higher education
- Data exemptions: Data governed by HIPAA, GLBA, FCRA, FERPA, DPPA, and certain employment and B2B contact data
- Not exempt: Nonprofit organizations (Oregon is unique in this regard)
Consumer Rights Under the OCPA
Oregon provides its consumers with a comprehensive set of privacy rights, placing it among the more consumer-friendly state laws:
- Right to access — Confirm whether a controller is processing their personal data and access that data
- Right to correction — Request correction of inaccurate personal data
- Right to deletion — Request deletion of personal data
- Right to data portability — Obtain a copy of personal data in a portable, readily usable format
- Right to opt out of sale — Opt out of the sale of personal data
- Right to opt out of targeted advertising — Opt out of processing for targeted advertising
- Right to opt out of profiling — Opt out of profiling in furtherance of decisions with legal or similarly significant effects
- Right to appeal — Appeal a controller’s denial of a consumer rights request
Controllers must respond to consumer requests within 45 days, with one 45-day extension if reasonably necessary.
Key 2026 Changes — What’s New
The OCPA underwent major changes that took effect in late 2025 and early 2026. Businesses must be aware of all of these:
Universal Opt-Out (GPC) Requirement — Effective January 1, 2026
Starting January 1, 2026, businesses must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC) for opt-out of data sales and targeted advertising. From July 1, 2026, controllers must also include information about universal opt-out signal methods in their privacy notices. Check your GPC obligations across states with our GPC Compliance Checker.
Cure Period Eliminated — Effective January 1, 2026
The OCPA’s original 30-day cure period expired on January 1, 2026. The Oregon Attorney General now has full enforcement discretion and can proceed directly to enforcement action without offering businesses an opportunity to cure alleged violations.
Minor Data Protections — Effective September 2025
HB 2008 (effective September 26, 2025) added two important protections:
- Ban on selling minor data: Controllers cannot sell personal data when they have actual knowledge the consumer is under 16 years of age
- Precise geolocation data ban: Controllers cannot sell precise geolocation data (within a 1,750-foot radius) of any consumer
Motor Vehicle Data Expansion — Effective September 2025
HB 3875 extended the OCPA’s coverage to all motor vehicle manufacturers that process consumer vehicle data, regardless of whether they meet the standard applicability thresholds. Read more about connected car data privacy.
Key Business Obligations
Privacy Notices
Controllers must provide a reasonably accessible, clear privacy notice covering: categories of personal data processed, purposes of processing, how consumers can exercise their rights (including universal opt-out signal methods as of July 1, 2026), categories of data shared with third parties, and categories of third parties.
Sensitive Data Consent
Processing sensitive data requires opt-in consent. Sensitive data under the OCPA includes: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, and biometric data used for identification.
Data Protection Assessments
Controllers must conduct and document data protection assessments (DPAs) before engaging in processing that presents a heightened risk of harm to consumers. This includes processing for targeted advertising, sale of personal data, profiling, and sensitive data processing.
Processor Contracts
Controllers engaging processors must establish written contracts governing: the nature and purpose of processing, the type of data processed, duration, rights and obligations, confidentiality requirements, and deletion or return of data upon contract termination.
Enforcement and Penalties
The Oregon Attorney General has exclusive enforcement authority. There is no private right of action.
- Penalties: Up to $7,500 per violation
- Cure period: None (expired January 1, 2026) — AG can enforce immediately
The Oregon DOJ published consumer opt-out guidance on Data Privacy Day in January 2026, signaling an active enforcement posture. View enforcement trends on our Enforcement Tracker.
How Oregon Compares to Other State Privacy Laws
The OCPA occupies a unique position in the US state privacy law landscape:
- Nonprofit applicability: Oregon is one of very few states whose privacy law covers nonprofits — most states exempt them entirely
- GPC required: Oregon joins California, Colorado, Connecticut, Texas, Montana, and Delaware in requiring universal opt-out recognition
- No cure period: Oregon joins California and Colorado in eliminating the cure period — unlike Iowa (permanent 90 days) or Tennessee (60 days)
- Motor vehicle expansion: Oregon and Utah have specific provisions bringing auto manufacturers under their privacy laws
- Minor data protections: The ban on selling data of consumers under 16 places Oregon among the stricter states for children’s privacy
- Precise geolocation ban: The prohibition on selling precise geolocation data mirrors an emerging trend also seen in Virginia’s SB 338
Use our State Comparison Tool for a detailed side-by-side analysis.
7-Step OCPA Compliance Plan
- Assess applicability — Determine if your organization (including nonprofits) processes data of 100,000+ Oregon consumers, or 25,000+ while deriving 50%+ revenue from data sales. Motor vehicle manufacturers: you are covered regardless of thresholds. Use the Privacy Law Calculator.
- Implement GPC recognition — Ensure your website and apps recognize and honor Global Privacy Control and other universal opt-out signals. This has been required since January 1, 2026.
- Update privacy notices — Include all OCPA-required disclosures. By July 1, 2026, you must also include information about universal opt-out signal methods.
- Review minor data practices — Do not sell personal data of consumers known to be under 16. Do not sell precise geolocation data (within a 1,750-foot radius) of any consumer.
- Build consumer rights processes — Establish intake, verification, fulfillment, and appeals workflows for all eight consumer rights. Set up a 45-day response timeline.
- Conduct data protection assessments — Document DPAs for targeted advertising, data sales, profiling, and sensitive data processing before engaging in these activities.
- Review processor contracts — Ensure all data processor agreements include OCPA-mandated provisions for processing scope, confidentiality, and data return or deletion.
For a detailed walkthrough, visit our Oregon Compliance Checklist.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.