
Oregon Privacy Law (OCPA) Compliance Guide for Small Businesses

Oregon OCPA took effect July 1, 2024. It applies to businesses processing data of 100,000+ Oregon consumers and uses a low 25% data sale threshold.

By Nikolas (9 min read)

Oregon Privacy Law (OCPA): What Small Businesses Need to Know

The Oregon Consumer Privacy Act (OCPA) took effect July 1, 2024, and applies to any business processing the personal data of 100,000 or more Oregon consumers in a calendar year — with no annual revenue threshold. A secondary trigger captures businesses processing data of 25,000 or more Oregon consumers and deriving 25% or more of revenue from data sales (lower than the 50% used by most states). The Oregon Attorney General is the sole enforcement authority. OCPA includes one of the broadest definitions of "sensitive data" in any state privacy law, expressly covering precise geolocation, transgender or non-binary status, and immigration status.


Does OCPA Apply to My Business?

OCPA applies to any person that conducts business in Oregon or produces products or services targeted to Oregon residents AND meets one of two thresholds:

  • Controls or processes personal data of 100,000 or more Oregon consumers during a calendar year (excluding personal data processed solely to complete a payment transaction), OR
  • Controls or processes personal data of 25,000 or more Oregon consumers AND derives more than 25% of gross revenue from the sale of personal data.

The threshold logic is OR, with no revenue floor under either path. Oregon's 25% data sale revenue threshold is lower than the 50% used by California, Texas, Virginia, and most other states.

Threshold              | Oregon OCPA | CCPA/CPRA         | Texas TDPSA
Revenue                | None        | $25M+             | None
Consumer count         | 100,000     | 100,000           | 100,000
Data sale alternative  | 25K + 25%   | 50% revenue share | 25K + 50%
Threshold logic        | OR          | OR                | OR

Oregon accounts for roughly 1.3% of the US population. A national e-commerce store with approximately 7.7 million annual unique US visitors would, on a population basis, reach 100,000 Oregon consumers. The 25,000 + 25% data sale path catches more businesses with ad tech monetization at lower customer counts.


What Does OCPA Require?

OCPA grants Oregon consumers a comprehensive set of rights and includes one of the broadest sensitive data definitions in any state privacy law.

Consumer rights you must honor. Access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. Consumers also have the right to obtain a list of the specific third parties to which the controller has disclosed their personal data, a unique provision among state privacy laws. The response deadline is 45 days, with one possible extension. Consumers have the right to appeal denied requests.

Disclosures you must publish. Privacy notice covering categories of personal data processed, purposes, third-party sharing, rights, and appeals process.

Operational practices you must implement. Conduct data protection assessments for high-risk processing. Obtain affirmative opt-in consent before processing sensitive personal data. Establish reasonable security practices. Honor universal opt-out mechanisms, including the Global Privacy Control (GPC) browser signal.

Sensitive data — the broadest definition. OCPA's definition of sensitive personal data is among the most expansive in the country. It includes precise geolocation, racial or ethnic origin, religious beliefs, mental or physical health condition or treatment, sex life, sexual orientation, status as transgender or non-binary, status as victim of crime, immigration or citizenship status, biometric data, genetic data, and personal data of a known child. Several of these categories — transgender/non-binary status, victim status, immigration status — are specific to Oregon.


How OCPA Affects Small Businesses

Oregon's broad sensitive data definition is the operational issue most likely to surface compliance gaps. If your store collects information about gender identity, immigration status, or victim status — even incidentally through product personalization or customer support — you must obtain opt-in consent before processing that data. Many e-commerce businesses do not realize they collect data in these categories.

The third-party disclosure list right is also operationally significant. OCPA grants Oregon consumers the right to obtain a list of the specific third parties to which their personal data has been disclosed — not just categories of third parties, but the specific entities. Building a workflow to fulfill this request requires vendor mapping that most businesses have not done.

For Shopify merchants and direct-to-consumer brands, the practical takeaway is: Oregon is more demanding than the population alone suggests. The combination of broad sensitive data, the third-party disclosure right, GPC handling, and the 25% data sale revenue secondary threshold makes OCPA one of the more substantial compliance lifts.


Key Differences from Other State Privacy Laws

OCPA stands out on three dimensions:

Broadest sensitive data definition. OCPA's expanded sensitive data categories — transgender/non-binary status, victim status, immigration status — go beyond every other state privacy law.

Third-party disclosure list right. OCPA grants consumers the right to obtain a list of specific third parties to which their data has been disclosed. Most other state laws only require disclosing categories of third parties.

25% data sale revenue threshold. Lower than the 50% used by most states. Catches more businesses with ad tech and affiliate revenue.

Universal opt-out signal mandate. Like California, Colorado, Connecticut, and several other states, Oregon requires honoring GPC.

Compared to California CCPA/CPRA, Oregon has broader sensitive data categories but no private right of action. Compared to Virginia VCDPA, Oregon adds the third-party disclosure right, broader sensitive data, the lower secondary threshold, and the GPC mandate. Compared to Iowa ICDPA, Oregon is dramatically more demanding.


How to Comply with OCPA

If OCPA applies to your business, the following steps establish baseline compliance.

  1. Confirm scope. Calculate annual Oregon consumer count from analytics and customer records. Check whether you derive 25% or more of revenue from data sales with at least 25,000 Oregon consumers.
  2. Audit your data collection for Oregon's broad sensitive data categories. Identify whether you collect — even incidentally — information about gender identity, immigration status, victim status, or other Oregon-defined sensitive categories. Implement opt-in consent for any such collection.
  3. Map your third-party data sharing. Build a vendor inventory showing which specific third parties receive consumer personal data. You will need this to fulfill third-party disclosure list requests.
  4. Implement automatic GPC signal handling. Detect Global Privacy Control browser headers and apply opt-out preferences automatically.
  5. Update your privacy notice with categories, purposes, third-party sharing, rights, and appeals process.
  6. Add explicit opt-out mechanisms for targeted advertising, sale of personal data, and profiling.
  7. Build a consumer rights request workflow including the third-party disclosure list right.
  8. Build a denial appeals process with timely written response.
  9. Conduct data protection assessments for high-risk processing activities.
  10. Document reasonable security practices appropriate to data volume.

OCPA Enforcement and Penalties

The Oregon Attorney General has exclusive enforcement authority for OCPA. There is no private right of action — Oregon consumers cannot sue businesses directly. The AG may seek civil penalties under Oregon's Unlawful Trade Practices Act, with penalties of up to $7,500 per violation.

OCPA includes a 30-day cure period before formal enforcement during the first year after the law's effective date (until July 1, 2025), after which the cure period becomes discretionary.


Frequently Asked Questions

When did Oregon's privacy law take effect?

Oregon's Consumer Privacy Act (OCPA) took effect July 1, 2024. The Oregon Attorney General is the sole enforcement authority with no private right of action.

Does OCPA have a revenue threshold?

No. OCPA applies based on consumer data volume only: 100,000 or more Oregon consumers annually, or 25,000 or more consumers if 25% or more of revenue comes from data sales. There is no annual revenue minimum.

What sensitive data categories does OCPA cover?

OCPA's sensitive data definition is among the broadest in the country. It includes precise geolocation, racial or ethnic origin, religious beliefs, health information, sex life, sexual orientation, status as transgender or non-binary, status as victim of crime, immigration or citizenship status, biometric data, genetic data, and personal data of a known child. Several of these categories are unique to Oregon.

What is OCPA's third-party disclosure list right?

Oregon grants consumers the right to obtain a list of the specific third parties to which their personal data has been disclosed — not just categories of third parties, but the specific entities. This is a unique right among US state privacy laws and requires businesses to maintain detailed vendor mapping.

Does OCPA require honoring universal opt-out signals?

Yes. OCPA requires covered businesses to honor universal opt-out mechanisms including the Global Privacy Control browser signal.

What are the penalties for OCPA violations?

The Oregon AG can seek civil penalties of up to $7,500 per violation under the Unlawful Trade Practices Act. There is no private right of action. A 30-day cure period applied during the first year after the effective date.



This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.

