Does the OCPA apply to nonprofits?

Yes. Oregon is one of the few states whose privacy law applies to both for-profit and nonprofit organizations that meet the applicability thresholds.

When did the GPC requirement take effect in Oregon?

The universal opt-out mechanism requirement, including GPC recognition, took effect on January 1, 2026. Businesses must honor GPC and similar universal opt-out signals for opt-out of data sales and targeted advertising. The Oregon DOJ published consumer guidance on this requirement on Data Privacy Day in January 2026.

Who does the OCPA apply to?

The OCPA applies to entities conducting business in Oregon or targeting Oregon consumers that process data of 100,000+ consumers, or 25,000+ consumers while deriving 50%+ of revenue from data sales. As of September 2025, motor vehicle manufacturers are subject to the OCPA regardless of these thresholds under HB 3875.

What did Oregon HB 2008 and HB 3875 change?

HB 3875 (signed May 2025, effective September 26, 2025) expanded the OCPA to cover all motor vehicle manufacturers processing consumer vehicle data, removing prior exemptions for companies below the threshold. HB 2008 prohibits the sale of personal data of known minors under 16 and the sale of precise geolocation data within a 1,750-foot radius.

Oregon Privacy Law

Oregon Consumer Privacy Act

Effective: July 1, 2024Active

Overview

The Oregon Consumer Privacy Act (OCPA) was signed into law on July 18, 2023, and became effective on July 1, 2024. Oregon's law is notable for its broad scope, applying to both for-profit and nonprofit organizations, and for including a requirement to honor universal opt-out mechanisms starting in 2026. The OCPA provides Oregon consumers with comprehensive privacy rights, including the right to access, correct, delete, and port personal data, as well as opt-out rights for data sales, targeted advertising, and profiling. The law includes an appeals process and requires data protection assessments for high-risk processing activities. Oregon is one of the few states whose privacy law applies to nonprofit organizations. The law applies to entities conducting business in Oregon or targeting Oregon consumers that control or process personal data of 100,000 or more consumers, or control or process personal data of 25,000 or more consumers while deriving more than 50% of gross revenue from the sale of personal data. The OCPA originally included a 30-day cure period, which expired on January 1, 2026 — the Oregon AG now has full enforcement discretion without first offering a cure opportunity. Penalties can reach $7,500 per violation, enforced by the Oregon Attorney General. The universal opt-out mechanism requirement also took effect on January 1, 2026.

Applicability Thresholds

Conditions are joined by OR — meeting ANY one triggers applicability.

100,000+

Oregon consumers' data processed

25,000+ consumers

AND 50%+ revenue from data sales

Consumer Rights

Right to Access

Right to Delete

Right to Correct

Data Portability

Opt-Out of Sale

Opt-Out of Targeted Ads

Opt-Out of Profiling

Limit Sensitive Data Use

Right to Appeal

Private Right of Action

Key Changes in 2025-2026

Universal opt-out mechanism requirement took effect January 1, 2026 — businesses must honor GPC and similar signals
30-day cure period expired January 1, 2026 — Oregon AG now has full enforcement discretion without offering cure opportunity
Oregon DOJ published consumer opt-out guidance and handout on Data Privacy Day (January 2026)
HB 3875 (effective September 26, 2025) expanded scope to cover all motor vehicle manufacturers processing consumer vehicle data, removing prior threshold exemptions
HB 2008 (effective September 26, 2025) prohibits sale of personal data of known minors under 16 and sale of precise geolocation data within a 1,750-foot radius
Nonprofit organizations remain subject to the law — unique among state privacy laws

Enforcement Details

Enforced By

Oregon Attorney General

Penalty Per Violation

$7,500

Cure Period

None — immediate enforcement

Private Right of Action

No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationCitizenship or immigration statusBiometric data for identification

Universal Opt-Out / GPC Requirements

GPC / Universal Opt-Out Required

Starting January 1, 2026, businesses must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC) for opt-out of data sales and targeted advertising.

Effective: January 1, 2026

Minor / Child Protections

The OCPA requires opt-in consent for processing personal data of known children under 13. Enhanced protections apply for teen data, requiring consent for targeted advertising and data sales involving consumers aged 13-15. As of September 26, 2025, HB 2008 prohibits the sale of personal data when a controller has actual knowledge that the consumer is under 16 years of age.

Compliance Checklist

1Assess applicability — note the OCPA applies to both for-profit and nonprofit organizations
2Motor vehicle manufacturers: verify compliance regardless of consumer count or revenue thresholds (HB 3875)
3Ensure universal opt-out signal recognition (GPC) is fully implemented — required since January 1, 2026
4Note: the 30-day cure period has expired — violations may now be enforced immediately without cure opportunity
5Do not sell personal data of known consumers under 16 (HB 2008)
6Do not sell precise geolocation data within a 1,750-foot radius (HB 2008)
7Update privacy notices with all OCPA-required disclosures
8Implement consumer rights request mechanisms with 45-day response period
9Obtain opt-in consent for processing sensitive personal data
10Conduct data protection assessments for high-risk processing activities
11Review data processor agreements to include OCPA-mandated provisions

Oregon Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.