Oregon Privacy & Security Compliance Guide

🚨 Oregon Consumer Privacy Act (OCPA) - Effective January 1, 2025

January 1, 2025

Covers businesses controlling/processing 100,000+ Oregon consumers' data

🚨 OREGON HB 2008: CURE PERIOD EXPIRED, NEW RESTRICTIONS ACTIVE

CRITICAL UPDATE (January 2026): Oregon's 30-day cure period has expired. AG can now enforce violations immediately without offering businesses a chance to fix issues first. Additionally, HB 2008 added new restrictions on minor data and geolocation tracking.

What HB 2008 Changed:
• ❌ CURE PERIOD EXPIRED: No more 30-day fix window - AG can pursue penalties immediately
• 👶 MINOR DATA SALES BANNED: Cannot sell personal data of consumers known to be under 16
• 📍 GEOLOCATION RESTRICTED: Precise geolocation data within 1,750-foot radius requires explicit consent

Silicon Forest Tech Hub Impact: Intel, Nike, Columbia Sportswear headquarters face expanded OCPA compliance obligations. Apps tracking user location and services with teen users need immediate review.

Unique OCPA Features:
• Explicit opt-in for ALL sensitive data (not just opt-out)
• Covers de-identified data restrictions
• Required privacy assessments before new processing
• Stricter than CCPA on third-party sharing

Portland Progressive Enforcement: With cure period gone, Oregon AG expected to aggressively target tech companies and data brokers. Environmental data, outdoor activity tracking apps, and teen-facing services particularly scrutinized.

Oregon by the Numbers

4.2 million

Population

85,000+

Businesses Affected

67

Recent Data Breaches

$$7,500 per violation

Per Violation Fine

Who Must Comply in Oregon?

Oregon Consumer Privacy Act (OCPA) applies to businesses that:

  • Process personal data of Oregon residents
  • Meet revenue or data volume thresholds
  • Sell products/services to Oregon consumers
  • Have physical or digital presence in Oregon

Oregon-Specific Requirements

OCPA requires explicit opt-in consent for sensitive data, comprehensive vendor oversight, and data protection impact assessments. HB 2008 (2025) amendments: 30-day cure period expired January 1, 2026; sale of personal data prohibited when controller knows consumer is under 16; precise geolocation data restricted within 1,750-foot radius. Unique provisions for de-identified data use.

Recent Oregon Privacy & Security Cases

Oregon DHS breach (2024) - 750,000 records

Portland Public Schools ransomware (2023) - $6.8M cost

Nike third-party breach (2024) - Oregon customers affected

Major Oregon Business Centers

Key cities where privacy compliance is critical for business success:

  • Portland
  • Eugene
  • Salem
  • Gresham
  • Hillsboro

Test Your Oregon Website's Privacy & Security Compliance

Don't wait for regulators or hackers. Check your compliance status now.

Free Privacy & Security Scan →