Oregon Privacy & Security Compliance Guide

🚨 OREGON HB 2008: CURE PERIOD EXPIRED, NEW RESTRICTIONS ACTIVE

CRITICAL UPDATE (January 2026): Oregon's 30-day cure period has expired. AG can now enforce violations immediately without offering businesses a chance to fix issues first. Additionally, HB 2008 added new restrictions on minor data and geolocation tracking.

What HB 2008 Changed:
• ❌ CURE PERIOD EXPIRED: No more 30-day fix window - AG can pursue penalties immediately
• 👶 MINOR DATA SALES BANNED: Cannot sell personal data of consumers known to be under 16
• 📍 GEOLOCATION RESTRICTED: Precise geolocation data within 1,750-foot radius requires explicit consent

Silicon Forest Tech Hub Impact: Intel, Nike, Columbia Sportswear headquarters face expanded OCPA compliance obligations. Apps tracking user location and services with teen users need immediate review.

Unique OCPA Features:
• Explicit opt-in for ALL sensitive data (not just opt-out)
• Covers de-identified data restrictions
• Required privacy assessments before new processing
• Stricter than CCPA on third-party sharing

Portland Progressive Enforcement: With cure period gone, Oregon AG expected to aggressively target tech companies and data brokers. Environmental data, outdoor activity tracking apps, and teen-facing services particularly scrutinized.

🚨 CONDUENT BREACH (2026): 10.5 million Oregon records exposed in what may be the largest government data breach in U.S. history. Conduent, which processes Oregon Medicaid and SNAP benefits, had 8.5 TB of data stolen by SafePay ransomware. Affected data includes SSNs, medical records, and benefit enrollment. Notifications ongoing through April 2026.