Oregon Consumer Privacy Act – Compliance Guide
The OCPA takes effect on January 1, 2025. If your business collects personal data from Oregon residents, you may need to comply. This page explains the basics in plain English.
Applies to controllers processing personal data of Oregon residents, with certain thresholds and exemptions.
🎯 Who Must Comply
- Businesses offering goods or services to Oregon residents
- Controllers and processors of personal data
Common Exemptions:
- Government bodies
- Data under sectoral federal regimes when applicable
📋 Key Requirements
- Plain-language privacy disclosures
- Consumer rights: access, correction, deletion, portability
- Opt-out of targeted advertising and sale of personal data
- Consent for processing sensitive data
- Contracts for processor activities
⚠️ Penalties & Enforcement
- Enforcing Authority: Oregon Department of Justice / Attorney General
- Penalty Range: Civil penalties per violation
- Cure Period: Cure opportunities may be available; verify current rules.
✅ How to Prepare for Oregon Compliance
- Update privacy notices with Oregon-specific language
- Add a rights request intake (form/email) and verification flow
- Evaluate trackers/ads and provide opt-out mechanisms
💡 Pro Tip: Start with steps 1-3 to cover 80% of compliance requirements quickly.
📅 Oregon Privacy Law Timeline
🚨 NOW - Before January 1, 2025
Implement privacy policy, cookie consent, and basic data handling procedures.
📋 January 1, 2025 - Law Goes Live
Full compliance required. Enforcement may begin immediately.
✅ Ongoing - Stay Compliant
Monitor for updates, handle user requests, maintain documentation.
❓ Common Oregon Privacy Law Questions
Do I need to comply if I don't have customers in Oregon?
If your website receives any visitors from Oregon, you may need to comply. This includes people who visit your site while traveling, working remotely, or just browsing online.
What counts as "personal data" under OCPA?
Personal data typically includes email addresses, IP addresses, location data, cookies/tracking IDs, and any information that can identify a person directly or indirectly.
How much will compliance cost for a small business?
Basic compliance (privacy policy + cookie banner + user rights) typically costs $20-100/month using automated tools. Compare this to potential civil penalties per violation.
Check Your Oregon Privacy Compliance
Run a free scan and fix privacy gaps before enforcement begins.