What the Oregon Consumer Privacy Act Covers
The Oregon Consumer Privacy Act (OCPA), signed into law as Senate Bill 619 in July 2023, took effect on 1 July 2024. It grants Oregon residents a set of privacy rights over their personal data and places corresponding obligations on businesses that collect or process that data.
The law applies to any entity conducting business in Oregon or targeting Oregon residents that, during a calendar year, controls or processes personal data of 100,000 or more Oregon consumers, or 25,000 or more consumers while deriving 25 per cent or more of gross revenue from selling personal data.
One feature that sets the OCPA apart from other US state privacy laws is that it covers nonprofit organisations, a provision that took effect on 1 July 2025.
Consumer Rights Under the OCPA
Oregon residents can exercise the right to know, delete, correct, and obtain a portable copy of their personal data. The OCPA also provides the right to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. These opt-out rights mirror those in several other state laws, but Oregon's enforcement has been notably active.
Controllers must respond to consumer requests within 45 days, with the option to extend by another 45 days if reasonably necessary.
Oregon's Broad Definition of Sensitive Data
The OCPA defines sensitive data more expansively than most US state privacy frameworks. Laws like the Virginia VCDPA and Connecticut CTDPA cover standard categories such as racial origin and health data. Oregon goes further.
Under the OCPA, sensitive data includes information revealing:
- Racial or ethnic background
- National origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sexual orientation
- Status as transgender or non-binary
- Status as a victim of a crime
- Citizenship or immigration status
It also covers precise geolocation data (within a radius of 1,750 feet), genetic and biometric data used for identification, and the personal data of a known child.
Oregon is the first US state to treat transgender or non-binary status and crime victim status as sensitive data categories. This matters for any website collecting demographic information or processing form submissions that might capture these details.
Opt-In Consent Required for Sensitive Data
Sensitive data under the OCPA requires affirmative opt-in consent before processing. Your cookie banner must obtain explicit permission before any cookies or scripts that process sensitive data categories fire.
If your site collects health-related browsing data, processes precise geolocation, or gathers any information touching the categories above, you must obtain consent first - not after.
Universal Opt-Out Signals: The January 2026 Requirement
From 1 January 2026, controllers subject to the OCPA must recognise universal opt-out preference signals. The most widely adopted signal is Global Privacy Control (GPC), which sends a machine-readable signal from the browser indicating a preference to opt out of data sales and targeted advertising.
This aligns Oregon with states like Colorado and Texas, which also require GPC recognition. The Oregon DOJ highlighted the universal opt-out tool on Data Privacy Day in January 2025.
Your consent management platform must detect the Sec-GPC HTTP header or the navigator.globalPrivacyControl JavaScript property and treat a positive signal as a valid opt-out. Kukie.io can detect GPC signals automatically and adjust cookie behaviour accordingly.
How to Implement GPC Detection
When a GPC signal is detected, suppress any cookies categorised as targeting or advertising - such as _fbp, _gcl_au, or ad network pixels - before they fire. A properly configured CMP handles this automatically. If you manage consent manually, you need logic to read the Sec-GPC: 1 header. A technical guide to honouring GPC signals covers the details.
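For sites that manage consent manually, the sketch below is an added example (not Kukie.io's code) of server-side logic that reads `Sec-GPC`, withholds targeting tags, and expires targeting cookies the browser already holds. The function names and the tag inventory are hypothetical; it assumes header names arrive lowercased, as in Node's `req.headers`, and that a GPC signal overrides stored consent for targeting.

```javascript
// Added example: all names here are hypothetical, and TAGS is constructed sample data.
// _fbp and _gcl_au are the cookie names used in the article; "sid" is made up.
const TAGS = [
  { id: 'session', category: 'necessary', cookies: ['sid'] },
  { id: 'meta-pixel', category: 'targeting', cookies: ['_fbp'] },
  { id: 'google-ads', category: 'targeting', cookies: ['_gcl_au'] },
];

// Sec-GPC has a single defined value, "1"; anything else counts as no signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === '1';
  }
  return false;
}

// IDs of the tags that may be rendered into the page for this request.
// Assumption: GPC wins over a stored "targeting" consent.
function tagsToLoad(tags, headers, consented) {
  const optedOut = hasGpcSignal(headers);
  return tags
    .filter((t) => {
      if (t.category === 'necessary') return true;
      if (t.category === 'targeting' && optedOut) return false;
      return consented.includes(t.category);
    })
    .map((t) => t.id);
}

// Set-Cookie values that expire targeting cookies sent with this request.
function expireTargetingCookies(tags, headers) {
  if (!hasGpcSignal(headers)) return [];
  const targeting = new Set(
    tags.filter((t) => t.category === 'targeting').flatMap((t) => t.cookies)
  );
  const present = String((headers || {}).cookie || '')
    .split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter(Boolean);
  // A cookie that was set with a Domain attribute needs the same Domain to be removed.
  return present
    .filter((name) => targeting.has(name))
    .map((name) => `${name}=; Max-Age=0; Path=/`);
}
```

Withholding the tag matters more than expiring the cookie: `_fbp` and `_gcl_au` are written by scripts in the browser, so they reappear on the next page view if the tag is still served.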
Enforcement: The Oregon DOJ's Active Approach
The Oregon Attorney General holds exclusive enforcement authority under the OCPA. There is no private right of action, meaning consumers cannot sue businesses directly for violations.
Between 1 July 2024 and 1 January 2026, the AG must issue a 30-day cure notice before pursuing enforcement, but only if the violation is curable. After 1 January 2026, the cure period no longer applies.
Oregon's Privacy Unit has been active from day one. In the first year of enforcement, the unit received 214 consumer complaints and initiated 38 cure letter matters. The most common deficiencies identified were:
- Failing to disclose notice of consumer rights
- Providing inadequate disclosures about third parties receiving personal data
- Making rights request mechanisms overly burdensome
All cure letter matters from the first six months were resolved. This suggests the AG's office is focused on achieving compliance rather than pursuing fines - but that posture will shift once the cure period ends.
OCPA Compared to Other State Privacy Laws
The table below shows how the OCPA compares with other US state privacy laws.
| Provision | Oregon (OCPA) | California (CCPA/CPRA) | Colorado (CPA) | Virginia (VCDPA) |
|---|---|---|---|---|
| Effective date | 1 July 2024 | 1 January 2020 / 2023 | 1 July 2023 | 1 January 2023 |
| Covers nonprofits | Yes (from July 2025) | No | No | No |
| Universal opt-out signal | Required from Jan 2026 | Required | Required | Not required |
| Sensitive data consent | Opt-in | Opt-out (right to limit use) | Opt-in | Opt-in |
| Transgender/non-binary status as sensitive | Yes | No | No | No |
| Crime victim status as sensitive | Yes | No | No | No |
| Cure period | 30 days (expires Jan 2026) | None (removed) | 60 days (expired Jan 2025) | 30 days |
| Private right of action | No | Limited (data breaches) | No | No |
Practical Steps for Website Compliance
If your website attracts visitors from Oregon, these steps will help.
Audit your data collection. Run a cookie scan to identify every cookie and tracker. Categorise each one and determine whether any process sensitive data as defined by the OCPA.
Update your privacy notice. The OCPA requires disclosure of data categories processed, purposes, third parties receiving data, and how consumers can exercise their rights. A generic privacy policy may not meet these specifics.
Implement GPC detection. Before the January 2026 deadline, ensure your consent solution recognises GPC signals. Test with browser extensions that send the Sec-GPC header.
Obtain opt-in consent for sensitive data. If your site processes any of Oregon's sensitive data categories, you need affirmative consent before that processing begins.
Make rights requests easy. The Oregon DOJ flagged burdensome request mechanisms in its cure letters. Provide a clear method for consumers to submit access, deletion, and opt-out requests.
Frequently Asked Questions
Does the Oregon Consumer Privacy Act apply to small businesses?
The OCPA applies to businesses that process the personal data of 100,000 or more Oregon consumers annually, or 25,000 or more if they derive 25 per cent or more of gross revenue from selling personal data. Small businesses below these thresholds are not covered, though they may still be subject to other privacy obligations.
When do Oregon websites need to honour GPC signals?
From 1 January 2026, controllers subject to the OCPA must recognise and honour universal opt-out preference signals such as Global Privacy Control. Before that date, honouring GPC is advisable but not yet mandatory under Oregon law.
What makes Oregon's sensitive data definition different from other states?
Oregon is the first US state to include transgender or non-binary status and crime victim status as sensitive data categories. It also covers citizenship and immigration status, which few other state laws address explicitly.
Can consumers sue businesses for OCPA violations?
No. The OCPA does not include a private right of action. Only the Oregon Attorney General can enforce the law. Consumers can file complaints with the Oregon Department of Justice.
Does the OCPA apply to nonprofit organisations?
Yes. From 1 July 2025, nonprofit entities that meet the processing thresholds are subject to the OCPA. Oregon is one of very few states to extend its privacy law to nonprofits.
What happens after the OCPA cure period expires in January 2026?
After 1 January 2026, the Oregon Attorney General is no longer required to issue a 30-day cure notice before taking enforcement action. Businesses should aim to be fully compliant before this date to avoid potential penalties.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets or whether they fall under Oregon's sensitive data rules, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.