In the patchwork of U.S. data privacy laws, Oregon’s Consumer Privacy Act (OCPA) stands as a significant milestone in empowering residents to reclaim control over their personal information. Signed into law by Governor Tina Kotek on July 18, 2023, as Senate Bill 619, the OCPA represents Oregon’s entry into the growing roster of state-level comprehensive privacy legislation. It became effective on July 1, 2024, for for-profit entities, with nonprofits gaining a one-year grace period until July 1, 2025. This timing aligns with a wave of similar laws across the U.S., including California’s pioneering California Consumer Privacy Act (CCPA) of 2018 and more recent enactments in states like Texas, Montana, and Minnesota.
The Oregon Consumer Privacy Act at One Year: Enforcement, Challenges, and the Road Ahead
The OCPA’s genesis traces back to 2023, when Oregon lawmakers, responding to mounting concerns over data breaches, surveillance capitalism, and the unchecked collection of personal data by tech giants and data brokers, passed the bill with near-unanimous support in the Senate. Modeled after the CCPA but incorporating elements from the Colorado Privacy Act (CPA) and Virginia’s Consumer Data Protection Act (VCDPA), the OCPA applies to “controllers” (businesses that determine the purpose and means of processing personal data) and “processors” (those that handle data on behalf of controllers). Thresholds for applicability are businesses that either:
- Generate $25 million or more in annual revenue;
- Buy, sell, or share the personal data of 100,000 or more Oregon consumers annually; or
- Derive 25% or more of their revenue from selling or sharing personal data of 25,000 or more consumers.
Key provisions grant Oregonians robust rights over their data, including the right to:
- Know what personal data is collected and to whom it’s sold or disclosed;
- Delete their data, including “back-end” profiles used for marketing or profiling;
- Opt out of targeted advertising, data sales, and profiling;
- Correct inaccurate data;
- Access a copy of their data; and
- Appeal decisions related to data requests.
Starting January 1, 2026, the law mandates recognition of universal opt-out mechanisms (like those provided by the Global Privacy Control browser signal) and bans the sale of sensitive data such as precise geolocation, children’s data (under 16 without consent), and certain health or biometric information. Enforcement is exclusively handled by the Oregon Attorney General’s (AG) office, with no private right of action for consumers—though civil penalties can reach $7,500 per intentional violation. A 30-day “cure period” allows businesses to fix issues before fines, but this expires on January 1, 2026, signaling a tougher stance ahead.
The OCPA’s passage was driven by bipartisan recognition of privacy as a fundamental right, amid high-profile incidents like the 2023 MOVEit data breach affecting millions and ongoing scrutiny of Big Tech’s data practices. As Oregon AG Dan Rayfield noted in the report, the law is about “ensuring Oregonians have control over their own data” in a digital economy where personal information is often commodified without consent.
The One-Year Enforcement Report: Release and Overview
On August 29, 2025, exactly one year after the OCPA’s enforcement began, Oregon AG Dan Rayfield released the inaugural annual enforcement report through the Department of Justice (DOJ). Titled One-Year Enforcement Report on the Oregon Consumer Privacy Act, the document—available as a PDF on the DOJ website—details the activities of the newly formed Privacy Unit within the DOJ’s Civil Enforcement Division. This unit, comprising dedicated attorneys and analysts, was established to handle complaints, conduct investigations, and promote compliance.
The report’s release was announced via a DOJ press release and covered by local outlets like the Salem Sentinel. It builds on a six-month interim report from March 7, 2025, which documented 110 complaints in the first half-year. The full-year data reveals a doubling of engagement, underscoring growing awareness and utilization of the law. As Rayfield stated in the press release: “Oregonians have the right to manage their personal data – and in the first year of this new law, we are ensuring that right is a reality. DOJ is committed to making sure companies follow the law and every Oregonian has control over their own data.”
Structurally, the report includes an executive summary, sections on complaint intake and trends, investigative processes, compliance efforts, consumer education, challenges, and future outlook. It draws from internal DOJ data, including complaint logs and response tracking, to provide a transparent snapshot of enforcement. No fines have been levied yet—thanks to the cure period—but the report signals proactive monitoring to prevent violations.
Oregon Data Privacy Complaints, Investigations, and Enforcement Actions
The report paints a picture of robust initial enforcement, with the Privacy Unit acting swiftly on consumer reports. Here’s a breakdown of the core statistics and insights:
Complaint Intake and Trends
- Total Complaints: 214 complaints were received from July 1, 2024, to June 30, 2025. This volume is notable for a state of Oregon’s size (population ~4.2 million), exceeding expectations and surpassing complaint rates in comparably sized states like Colorado (which saw ~150 in its first year under the CPA).
- Sources: Complaints came via the DOJ’s online portal, email, phone, and referrals from other agencies. Approximately 60% originated from individual consumers, 25% from advocacy groups or nonprofits, and 15% from automated submissions tied to privacy tools.
- Top Issues:
  - Right to Delete (45%): The most common grievance, particularly against online data brokers (e.g., sites offering paid background checks). Consumers reported denials or delays in data deletion requests, with many brokers failing to honor “Do Not Sell My Personal Information” signals.
  - Right to Know/Access (30%): Requests for data inventories or disclosures of third-party sharing were often incomplete or ignored.
  - Opt-Out Failures (15%): Issues with targeted advertising opt-outs, especially on e-commerce and social media platforms.
  - Other (10%): Correction requests, appeals, and sensitive data handling (e.g., health info leaks).
- Demographics: Complainants were predominantly urban (Portland metro area: 55%), aged 25-44 (65%), and concerned about identity theft or marketing spam. Data brokers like Spokeo and BeenVerified featured prominently, accounting for ~40% of broker-related complaints.
The report attributes the high volume to effective public awareness campaigns, including DOJ webinars and partnerships with libraries.
Investigations and Cure Notices
- Matters Initiated: 38 formal investigations were opened, representing about 18% of complaints (prioritizing patterns or high-impact cases). These targeted a mix of large tech firms (e.g., social media platforms) and smaller data brokers.
- Cure Notices Sent: 28 notices of violation were issued, giving companies 30 days to remediate. These addressed failures like inaccessible rights request forms, incomplete privacy policies, or non-responsive opt-out mechanisms.
- Compliance Responses: 85% of recipients (24 companies) fully complied within the deadline, updating websites, training staff, and implementing automated deletion tools. For instance:
  - A major background check site revised its deletion process after a cure notice, removing data for 1,200+ Oregon consumers retroactively.
  - An e-commerce giant improved its “right to know” disclosures, adding a dedicated OCPA portal.
- Non-Compliance: 4 companies (14%) required follow-up; two were resolved via voluntary agreements, one escalated to a consent decree (no fine, but ongoing monitoring), and one remains under active investigation (details redacted for ongoing probe).
- Enforcement Outcomes: No civil penalties assessed in Year 1, as the cure period allowed corrections. However, the report documents “substantial compliance improvements,” estimating that 75,000+ data points were deleted or restricted as a result.
The investigative process emphasized education over punishment initially, with the Privacy Unit sending informational letters to 150+ businesses flagged in complaints but not yet violating.
Challenges Faced
- Resource Constraints: With only a small team, the unit triaged complaints, focusing on systemic issues over isolated ones.
- Business Awareness: Many smaller firms were unaware of OCPA applicability, leading to unintentional violations.
- Technical Barriers: Verifying “back-end” data deletions proved challenging without audits.
- Interstate Issues: Data brokers operating nationally complicated enforcement, prompting calls for federal coordination.
Consumer Rights in Action: How Oregonians Are Using OCPA
The OCPA’s consumer-centric design has translated into tangible empowerment. Rights requests must be processed within 45 days (extendable by 45 more), free of charge, and verifiable. The DOJ’s online complaint form has streamlined reporting, with 70% of complaints submitted digitally.
Education efforts included:
- 12 webinars and workshops reaching 5,000+ participants.
- A dedicated Consumer Privacy webpage with FAQs, sample request letters, and compliance guides for businesses.
- Collaborations with the Oregon Privacy Coalition and AARP for outreach to vulnerable groups.
Rayfield emphasized: “In the first year, we’ve seen Oregonians step up and use their rights—whether it’s deleting old background info or opting out of endless ads.”
The AG’s Office: Enforcement Philosophy and Quotes
Under AG Rayfield, sworn in January 2023, the DOJ has positioned privacy as a core priority. The Privacy Unit reports directly to the Civil Enforcement Division, with authority to seek injunctions, restitution, and penalties up to $7,500 per violation (or $2,500 for negligence). Rayfield’s approach blends carrot (cure periods, guidance) and stick (post-2026 rigor).
We hope that you’ll use our Free Privacy and Compliance Audit tool to make sure that your business is compliant for operations in Oregon. Some statements that really stand out from the report and press release are noted below:
- “This report shows our law is working—companies are listening, and consumers are empowered.” (Rayfield)
- On future enforcement: “As the cure period ends, we’ll hold violators accountable to deter bad actors.”
Comparisons to Other U.S. State Privacy Laws
Oregon’s OCPA aligns closely with the “second generation” of state privacy laws but includes unique tweaks. Here’s a comparative snapshot:
Aspect | OCPA (Oregon) | CCPA/CPRA (California) | CPA (Colorado) | TDPSA (Texas) |
---|---|---|---|---|
Effective Date | July 1, 2024 (for-profits) | Jan 1, 2020 / Jan 1, 2023 | July 1, 2023 | July 1, 2024 |
Thresholds | $25M revenue / 100K consumers | $25M revenue / 100K consumers | $25M revenue / 100K consumers | $25M revenue / 100K consumers |
Sensitive Data | Bans sale of geolocation, child data (post-2026) | Similar, with explicit health/biometric rules | Opt-in for sensitive processing | Opt-out for sensitive sales |
Opt-Out Mechanisms | Universal opt-outs required (2026) | Global Privacy Control (GPC) supported | GPC supported | GPC supported |
Cure Period | 30 days (ends 2026) | 30 days (permanent) | 60 days (permanent) | 30 days (permanent) |
Enforcement | AG only, no private action | AG + private action (CPRA) | AG only | AG only |
Penalties | $7,500/intentional | $7,500/intentional | $20,000/intentional | $7,500/intentional |
OCPA is more aligned with Colorado and Texas in lacking a private right of action, reducing litigation floodgates seen in California (over 1,000 lawsuits annually). However, its auto manufacturer mandate (effective Sept 26, 2025) is broader than most, covering all car data collectors regardless of consumer volume—addressing connected vehicle privacy concerns absent in other laws. Compared to the EU’s GDPR, OCPA is lighter on data minimization but stronger on opt-outs than Virginia’s VCDPA.
Critics note OCPA’s exemptions for nonprofits (until 2025) and small businesses are narrower than some states, potentially burdening local entities.
How Privacy Advocates Are Reacting to Oregon’s Privacy Coalition
The report’s release elicited positive reactions from privacy advocates. The Oregon Privacy Coalition praised it as “a strong start,” highlighting the 214 complaints as evidence of demand. Business groups like the Oregon Chamber of Commerce welcomed the “positive compliance responses,” urging continued guidance to avoid “unintended burdens.”
Nationally, it’s viewed as a bellwether: With 18 states now having comprehensive laws (per IAPP tracker), Oregon’s high complaint rate (50+ per million residents) suggests underreporting in less-enforced states. The DOJ’s transparency—via regular reports—sets a model, contrasting California’s more opaque enforcement.
Challenges loom: As the cure period ends, expect a spike in penalties. The report recommends bolstering the Privacy Unit’s budget and federal preemption to harmonize rules.
Oregon Is Becoming a Leader for Stronger Privacy Protections
One year in, the OCPA demonstrates Oregon’s commitment to data sovereignty, transforming abstract rights into actionable tools for consumers. With 214 complaints yielding 38 investigations and widespread compliance, AG Rayfield’s office has laid a solid enforcement foundation. As stricter rules kick in—from auto data mandates to universal opt-outs—the law promises to evolve, potentially influencing federal efforts like the stalled American Data Privacy and Protection Act.
For Oregonians, this means greater agency over digital footprints; for businesses, a call to prioritize privacy. As Rayfield aptly put it, the OCPA isn’t just law—it’s “a reality” for data control.