Does the OCPA apply to your business?
It turns on consumer volume, not dollar revenue. The OCPA applies to a person that conducts business in Oregon or provides products or services to its residents and that, during a calendar year, controls or processes the personal data of 100,000 or more consumers, or 25,000 or more consumers while deriving 25 percent or more of annual gross revenue from selling personal data.
There is no dollar revenue floor for the 100,000-consumer trigger. A consumer is an Oregon resident acting in a capacity other than a commercial or employment context, so workforce, applicant, and business-to-business data fall outside the statute. Section 646A.572(2) mixes two kinds of exemption. Some carve-outs are entity-level: the OCPA does not apply to a public body, to a financial institution as defined in Oregon banking law (or such an institution's affiliate or subsidiary that is only and directly engaged in financial activities), or to insurers and insurance producers. Other carve-outs are data-level: the OCPA exempts HIPAA protected health information, information processed under the Gramm-Leach-Bliley Act and the Family Educational Rights and Privacy Act, and activity carried out strictly under the Fair Credit Reporting Act. The distinctive point worth flagging is that there is no blanket entity-level exemption for HIPAA-covered health-care entities — Oregon exempts the regulated health data rather than the entity, so a HIPAA-covered business must still comply with the OCPA for any personal data that falls outside the exempt categories. Nonprofits are now covered.
Sources for this answer
Primary law · 2023-07-01
A.1 Or. Rev. Stat. § 646A.572
The OCPA applies to persons doing business in Oregon or providing products or services to its residents that control or process the data of 100,000 or more consumers, or 25,000 or more while deriving 25 percent or more of gross revenue from selling personal data.
ORS 646A.570 to 646A.589 apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (A) The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (B) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.
See Or. Rev. Stat. § 646A.572(1)(a).
Primary law · 2023-07-01
A.2 Or. Rev. Stat. § 646A.570
A consumer is an Oregon resident acting in a capacity other than a commercial or employment context, which excludes workforce and business-to-business data.
“Consumer” means a natural person who resides in this state and acts in any capacity other than in a commercial or employment context.
See Or. Rev. Stat. § 646A.570(7).
Primary law · 2023-07-01
A.3 Or. Rev. Stat. § 646A.572
The OCPA grants entity-level exemptions to a financial institution as defined in Oregon banking law, to insurers, and to insurance producers, in addition to public bodies.
(L) A financial institution, as defined in ORS 706.008, or a financial institution’s affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k), as in effect on January 1, 2024;
See Or. Rev. Stat. § 646A.572(2)(a), (L), (n), (o).
Primary law · 2023-07-01
A.4 Or. Rev. Stat. § 646A.572
The OCPA also grants data-level and activity-level exemptions, including HIPAA protected health information, information processed under the Gramm-Leach-Bliley Act and FERPA, and activity carried out strictly under the Fair Credit Reporting Act.
(b) Protected health information that a covered entity or business associate processes in accordance with, or documents that a covered entity or business associate creates for the purpose of complying with, the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, and regulations promulgated under the Act, as in effect on January 1, 2024;
See Or. Rev. Stat. § 646A.572(2)(b), (j), (k).
What must your Oregon privacy policy contain?
A controller must provide a reasonably accessible, clear and meaningful privacy notice that lists the categories of personal data it processes, describes the purposes for processing, explains how a consumer may exercise and appeal rights, lists the categories of personal data shared with third parties, and describes the categories of those third parties.
Section 646A.578(4) is the content checklist for an Oregon privacy policy, and it is prescriptive. Beyond the items above, the notice must specify an actively monitored email address or other online contact method, identify the controller by its registered and assumed business names, give a clear and conspicuous description of any targeted advertising or qualifying profiling along with how to opt out, and describe the methods for submitting requests. The controller must also limit collection to data that is adequate, relevant and reasonably necessary for the disclosed purposes. A generic multistate notice that omits the appeal route, the third-party-sharing detail, or the request mechanics is the most common Oregon notice gap, so the policy should track section 646A.578(4) item by item.
Sources for this answer
Primary law · 2023-07-01
B.1 Or. Rev. Stat. § 646A.578
A controller must provide a reasonably accessible, clear and meaningful privacy notice that lists the categories of personal data processed and describes the purposes for processing, among other required disclosures.
A controller shall provide to consumers a reasonably accessible, clear and meaningful privacy notice that: (a) Lists the categories of personal data, including the categories of sensitive data, that the controller processes; (b) Describes the controller’s purposes for processing the personal data;
See Or. Rev. Stat. § 646A.578(4).
Primary law · 2023-07-01
B.2 Or. Rev. Stat. § 646A.578
The privacy notice must also explain how consumers exercise and appeal their rights, disclose third-party sharing, identify the controller, and describe targeted-advertising and profiling opt-out procedures.
(c) Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576; (d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties; (e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
See Or. Rev. Stat. § 646A.578(4).
Primary law · 2023-07-01
B.3 Or. Rev. Stat. § 646A.578
A controller must limit its collection of personal data to what is adequate, relevant and reasonably necessary for the purposes specified in the privacy notice.
Limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes the controller specified in paragraph (a) of this subsection;
See Or. Rev. Stat. § 646A.578(1)(b).
What must your contracts with vendors and processors include?
A processor must enter into a contract with the controller that governs how the processor processes personal data on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice.
Section 646A.581(2) then fixes the required terms: clear processing instructions and the nature, purpose, type, and duration of processing; specification of each party's rights and obligations; a duty of confidentiality on everyone who processes the data; deletion or return of the data at the controller's direction or at the end of services; information the controller needs to verify compliance; a flow-down requirement binding subcontractors to the same obligations; and a right to assess the processor's safeguards. The processor also has an affirmative duty to help the controller respond to consumer requests and conduct data protection assessments. A compliant template data processing agreement tracks each of these terms.
Sources for this answer
Primary law · 2023-07-01
C.1 Or. Rev. Stat. § 646A.581
A processor must enter into a contract with the controller that governs how the processor processes personal data on the controller's behalf.
The processor shall enter into a contract with the controller that governs how the processor processes personal data on the controller’s behalf.
See Or. Rev. Stat. § 646A.581(2).
Primary law · 2023-07-01
C.2 Or. Rev. Stat. § 646A.581
The controller-processor contract must impose a duty of confidentiality, require deletion or return of data, require subcontractor flow-down, and allow assessment of the processor's safeguards.
(d) Ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data; (e) Require the processor to delete the personal data or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;
See Or. Rev. Stat. § 646A.581(2).
When do you need consent, and must you honor a universal opt-out signal?
You need consent for sensitive data, and you must honor a universal opt-out signal. A controller may not process a consumer's sensitive data without first obtaining consent, and if it knows the consumer is a child it must instead follow the federal Children's Online Privacy Protection Act. Sensitive data includes data revealing race or ethnicity, religious beliefs, a mental or physical condition or diagnosis, sexual orientation, transgender or nonbinary status, crime-victim status, or citizenship or immigration status; a child's personal data; precise geolocation; and genetic or biometric data.
Consent must be a freely given, specific, informed and unambiguous affirmative act, and a consumer's inaction does not count as consent. Separately, the request methods a controller offers must let a consumer or authorized agent send a signal indicating a preference to opt out of the sale of personal data or targeted advertising, through a mechanism that requires an affirmative choice rather than a default setting. In practice that means the program has to recognize a browser- or device-level universal opt-out preference signal, not just an on-site opt-out link.
Sources for this answer
Primary law · 2023-07-01
D.1 Or. Rev. Stat. § 646A.578
A controller may not process sensitive data without first obtaining consent, and must handle a known child's data in accordance with COPPA.
Process sensitive data about a consumer without first obtaining the consumer’s consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq.
See Or. Rev. Stat. § 646A.578(2)(b).
Primary law · 2023-07-01
D.2 Or. Rev. Stat. § 646A.570
Sensitive data includes data revealing protected characteristics, a child's personal data, precise geolocation within 1,750 feet, and genetic or biometric data.
“Sensitive data” means personal data that: (A) Reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status; (B) Is a child’s personal data;
See Or. Rev. Stat. § 646A.570(18)(a).
Primary law · 2025-01-01
D.3 Or. Rev. Stat. § 646A.578
A controller's request methods must let a consumer or authorized agent send an opt-out preference signal that requires an affirmative choice rather than a default setting.
Allow a consumer or authorized agent to send a signal to the controller that indicates the consumer’s preference to opt out of the sale of personal data or targeted advertising under ORS 646A.574 (1)(d) by means of a platform, technology or mechanism that: (A) Does not unfairly disadvantage another controller; (B) Does not use a default setting but instead requires the consumer or authorized agent to make an affirmative, voluntary and unambiguous choice to opt out;
See Or. Rev. Stat. § 646A.578(5)(c).
Who enforces the OCPA, and can consumers sue?
The Attorney General enforces it, and consumers cannot sue. The Attorney General has exclusive authority to enforce the OCPA, and the statute provides no private right of action. The Attorney General may bring an action for a civil penalty of up to $7,500 for each violation, plus injunctive or other equitable relief.
There is also no longer a general right to cure. The OCPA's pre-suit notice-and-cure provision sunset on January 1, 2026 for ordinary covered businesses; from that date the 30-day cure survived only for a controller that is a noncommercial educational broadcast station and that meets two further conditions — it receives Corporation for Public Broadcasting funding or is a designated emergency-alert primary entry point, and it distributes its journalism content without cost to recipients. Even that narrow carve-out is temporary: the legislature repealed the cure section in full effective July 1, 2026, after which no controller has a statutory right to cure. The practical takeaway is to build the notice, consent, contracting, and opt-out controls before a complaint arrives, because covered businesses no longer have a statutory window to fix a violation after the Attorney General identifies it. The Attorney General must bring an action within five years after the last act constituting the violation.
Sources for this answer
Primary law · 2023-07-01
E.1 Or. Rev. Stat. § 646A.589
The Attorney General has exclusive authority to enforce the OCPA, and the statute creates no private right of action.
The Attorney General has exclusive authority to enforce the provisions of ORS 646A.570 to 646A.589. ORS 646A.570 to 646A.589, or any other laws of this state, do not create a private right of action to enforce a violation of ORS 646A.570 to 646A.589.
See Or. Rev. Stat. § 646A.589(7).
Primary law · 2023-07-01
E.2 Or. Rev. Stat. § 646A.589
The Attorney General may bring an action for a civil penalty of up to $7,500 for each violation, or to enjoin a violation or obtain other equitable relief.
The Attorney General may bring an action to seek a civil penalty of not more than $7,500 for each violation of ORS 646A.570 to 646A.589 or to enjoin a violation or obtain other equitable relief.
See Or. Rev. Stat. § 646A.589(4)(a).
Primary law · 2025-06-24
E.3 Or. Rev. Stat. § 646A.589
Beginning January 1, 2026, the pre-suit 30-day cure requirement applies only to a controller that is a noncommercial educational broadcast station that receives CPB funding or is a designated emergency-alert primary entry point and distributes its journalism content without cost, so other businesses no longer have a mandatory cure period.
(a) Receives funding from the Corporation for Public Broadcasting or is a primary entry point, national primary or state primary, as defined in 47 C.F.R. 11.18, as in effect on the effective date of this 2025 Act; and (b) Distributes the noncommercial educational broadcast station’s journalism content without cost to recipients.
See Or. Laws 2025, ch. 417, § 5(2).
Primary law · 2025-06-24
E.4 Or. Laws 2025, ch. 417, § 6
The legislature repealed the cure-period section in full effective July 1, 2026, after which no controller has a statutory right to cure.
Section 5 of this 2025 Act is repealed on July 1, 2026.
See Or. Laws 2025, ch. 417, § 6.