OCPA

Oregon Consumer Privacy Act

Key Facts

Effective Date: July 1, 2024
Enacted: July 18, 2023
Enforcing Authority: Oregon Attorney General
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: Entities (including nonprofits) in OR or targeting OR residents: 100,000+ consumers OR 25,000+ consumers and 25%+ revenue from selling PI

Overview

Oregon's OCPA is the first comprehensive US state privacy law to cover nonprofit organizations (effective July 2025). It also has the broadest sensitive data definition among US states, uniquely including transgender/nonbinary status and status as a victim of crime.

What This Means for Your Website

  • Opt-in consent is required for all categories of sensitive data (broadest definition among US states)
  • Nonprofits must comply from July 2025 — the first US state to require this
  • GPC signals must be honored from January 2026 (when the cure period also sunsets)
  • Data of visitors under 16 cannot be sold or used for targeted advertising
  • The 30-day cure period sunsets January 1, 2026

Key Requirements

The Oregon AG enforces the OCPA with penalties up to $7,500 per violation. Consumer requests must be fulfilled within 45 days. The broadest sensitive data definition captures categories unique to Oregon. Nonprofit coverage expands the law's reach significantly.

How ConsentStack Handles This

ConsentStack detects Oregon visitors and applies opt-in consent for sensitive data using Oregon's expanded definition. Enhanced protections block data sale and advertising for under-16 visitors.

Penalties

Up to $7,500 per violation.

Maximum Fine: $7,500 per violation

Key Requirements

  • Opt-in consent for all categories of sensitive data
  • Honor GPC/universal opt-out signals from January 2026
  • Consumer rights: access, correct, delete, portability, opt-out
  • Data protection assessments for high-risk processing
  • Nonprofit compliance from July 2025

Notable Provisions

  • First US state to cover nonprofits
  • Broadest sensitive data definition (transgender/nonbinary status, crime victim)
  • Cure period sunsets January 2026
  • Under 16 data cannot be sold/shared for targeted advertising

US State Specifics

Cure Period: 30 days
Private Right of Action: No
Global Opt-out Required: Yes
Sensitive Data Opt-in: Yes
Children Provisions: Under 16: data cannot be sold or used for targeted advertising.

Other North America Regulations

CPRA: California, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA: California, United States
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA: Canada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25: Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPA: Colorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA: Texas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

Does Oregon's privacy law cover nonprofits?

Yes. Oregon is the first US state to extend comprehensive privacy law coverage to nonprofits, effective July 2025.

What is unique about Oregon's sensitive data definition?

Oregon has the broadest definition among US states, uniquely including transgender/nonbinary status and status as a victim of crime.

When does Oregon require GPC signal honoring?

From January 1, 2026, when the 30-day cure period also sunsets. ConsentStack will honor GPC signals automatically.
