OCPA Explained: Oregon's Consumer Privacy Act for Online Businesses

Oregon's Consumer Privacy Act has no revenue or consumer-count exemptions for nonprofits and covers more entity types. Here's what you need to know.

2026-03-04

The Oregon Consumer Privacy Act (OCPA) took effect on July 1, 2024. It stands out because of its broad coverage — it applies to nonprofits with no exemption, and it has some of the strictest requirements around children's data and sensitive data processing.

Who Does the OCPA Apply To?

The OCPA applies to businesses that conduct business in Oregon or target Oregon residents and meet either threshold:

  • Control or process personal data of at least 100,000 Oregon consumers per year, OR
  • Control or process personal data of at least 25,000 Oregon consumers and derive 25% or more of gross revenue from selling personal data

Key difference: Oregon explicitly includes nonprofits, which most other state privacy laws exempt. If your nonprofit collects personal data from Oregon residents and meets either threshold, the OCPA applies.

Consumer Rights Under the OCPA

Oregon consumers have the right to:

  • Access their personal data — including a list of specific third parties (not just categories) to whom data has been disclosed
  • Correct inaccurate data
  • Delete their personal data
  • Data portability — obtain a copy
  • Opt out of sale, targeted advertising, and profiling

The specific third-party disclosure requirement is more demanding than most states. You must be able to tell consumers exactly which companies received their data, not just "advertising partners" or "analytics providers."

You must respond to consumer requests within 45 days, with a possible 45-day extension.

Key Requirements

Privacy Policy

Your privacy policy must disclose:

  • Categories of personal data processed
  • Purposes for processing
  • How consumers can exercise their rights
  • Categories of third parties receiving data
  • Whether you sell data or use it for targeted advertising

Sensitive Data (Stricter Than Most States)

The OCPA requires opt-in consent before processing sensitive data, which includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Health data
  • Sexual orientation
  • Citizenship or immigration status
  • Biometric and genetic data
  • Children's data (under 13) — Oregon has particularly strict protections here
  • Precise geolocation data
  • Transgender or nonbinary status — Oregon explicitly protects this category

Data Protection Assessments

A data protection assessment is required for processing that presents a heightened risk of harm:

  • Targeted advertising
  • Selling personal data
  • Profiling
  • Processing sensitive data

Enforcement and Penalties

The OCPA is enforced by the Oregon Attorney General. There is no private right of action. The initial 30-day cure period expired on January 1, 2026 — the AG can now take enforcement action without offering a chance to fix violations.

Penalties can reach $7,500 per violation.

OCPA Compliance Checklist

  • Privacy policy with all required disclosures — including specific third-party recipients
  • Cookie consent banner with opt-out for non-essential cookies
  • Sensitive data consent — opt-in before processing
  • Children's data protections — verify age and get parental consent where required
  • Data protection assessments for high-risk processing
  • Consumer request process — 45-day response window
  • Third-party tracking — document exactly which companies receive your visitor data

Check Your Compliance

ClearConsent scans your site against all 19 US state privacy laws including the Oregon Consumer Privacy Act. It identifies trackers, cookies, and compliance gaps specific to Oregon's requirements.

Scan your site free — no signup required.
