Oregon Consumer Privacy Act
A landscape picture across a lake. The background has a white tipped mountain in the centre. In the midground there are hills with pine trees rising up from the bottom of the mountain to either side of the image. The sky behind the mountain is bright blue with one large cloud seeming to billow up from the mountain.

The Oregon Consumer Privacy Act will come into effect on July 1, 2024.

The OCPA is the eleventh comprehensive privacy law in the United States.

It has a lot of similarities to Montana and Texas’ laws.

Value Privacy’s experts are able to help your organization prepare and become fully compliant with any privacy laws that impact your business. 

Who Does it Affect

Entities that conduct business in Oregon or provides products or services to Oregon residents and during a calendar year controls or processes:

  • The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • The personal data of 25,000 or more consumers while deriving 25% or more of its annual gross revenue from selling personal data.


  • Information protected under HIPAA, Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act Family Educational Rights and Privacy Act, and the Airline Deregulation Act and specified employee-related information
  • Public corporations
  • State, local and special government bodies
  • Financial institutions as defined under the Bank Holding Company Act
  • Insurers which meet specified definitions under Oregon state law including non-profit organizations that are established in connection with insurance activities.

Consumer Rights

The right to confirm whether or not a controller is processing their personal data and to access that data.

Inaccuracies in their personal data, considering the nature of the data and the purposes of the processing of their data.

Personal data provided by or obtained about them.

The right to obtain a copy of their personal data that they previously provided to the controller in a portable and to the extent that is technically feasible, readily used format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

Of the processing of personal data for the purposes of: targeted advertising; the sale of personal data; or, profiling in advancing decisions that produce legal or similarly significant effects concerning the consumer.


The Oregon Attorney General is responsible for the enforcement of the Oregon Consumer Privacy Act and can seek civil penalties of up to $7,500 per violation.

Cure period

There will be a 30-day cure period for organisations to rectify the issue before the Attorney General is able to bring any action. However this cure period will only last until January 1, 2026.

Value Privacy are on hand to make sure your business is compliant with data and privacy regulations. Whether you need a privacy health check or you want help to make sure you and your business are ready for the arrival of the Colorado Privacy Act, we’re here to help. You can find out more about what we do or contact us and have a chat about your needs.