Oregon residents now have some of the strongest consumer privacy protections in the United States. The Oregon Consumer Privacy Act (OCPA), which took effect in July 2024 and expanded significantly in January 2026, gives Oregonians the right to access, correct, delete, and control the sale of their personal data. This guide breaks down what the law protects, how to exercise your rights, and what's new in 2026.
What is the Oregon Consumer Privacy Act?
The OCPA (Oregon Revised Statutes Chapter 646A) is a comprehensive consumer privacy law modeled loosely on the California Consumer Privacy Act (CCPA) and Virginia's VCDPA, but with several stronger protections. It applies to businesses that:
- Conduct business in Oregon or target products or services to Oregon residents, and
- Control or process the personal data of at least 100,000 Oregon consumers, or
- Derive 25% or more of gross revenue from selling the data of 25,000+ Oregon consumers
OCPA is broader than CCPA in one key way
Unlike California's CCPA, the OCPA grants you the right to request a list of every specific third party that has received your personal data — not just categories of recipients. This is one of the strongest transparency rights in any U.S. state privacy law.
Your rights as an Oregon consumer
Under the OCPA, you have the right to:
- Access — Request a copy of the personal data a business holds about you
- Correct — Request correction of inaccurate personal data
- Delete — Request deletion of your personal data
- Portability — Receive your data in a readily-usable, portable format
- Opt out of sale — Stop businesses from selling your personal data
- Opt out of targeted advertising — Stop profile-based ads
- Opt out of profiling — Stop significant automated decision-making
- Know third-party recipients — Get a specific list of third parties that received your data
What changed in January 2026
Two major provisions of the OCPA went into effect on January 1, 2026:
Universal opt-out mechanisms (UOOMs)
Businesses must now honor universal opt-out signals, such as the Global Privacy Control (GPC). When your browser or privacy tool sends a GPC signal, businesses are legally required to treat it as an opt-out of sale and targeted advertising — without requiring you to click anything on the site.
Direct enforcement
As of January 1, 2026, the Oregon Attorney General is no longer required to provide businesses with a 30-day "cure period" before enforcement. Violations can be pursued immediately, with penalties up to $7,500 per violation.
Special protections for minors
The OCPA includes some of the strongest child-privacy provisions in any state law:
- Personal data of consumers under 16 cannot be sold, under any circumstances
- Data of under-16 users cannot be used for targeted advertising
- Precise geolocation data of minors is subject to additional restrictions
Precise geolocation requires affirmative consent
The OCPA also prohibits the sale of any consumer's precise geolocation data — even with consumer consent. Businesses cannot pay you to give up this right.
How to exercise your rights
To make an OCPA request:
- Identify the business. Find the company's privacy policy — usually linked in the website footer.
- Locate their consumer rights form. Most companies publish a dedicated form or email address for OCPA / state privacy requests.
- Submit your request. Specify whether you want to access, delete, correct, or opt out. Include identifying information so the business can locate your records.
- Wait for response. Businesses have 45 days to respond (extendable once by 45 more days for complex requests).
- Appeal if denied. If your request is refused, the OCPA guarantees you an appeal process. If the appeal is also denied, you can file a complaint with the Oregon Attorney General.
Does the OCPA cover data brokers?
Yes — and aggressively. Data brokers, aggregators, and people-search sites that process data of Oregon residents are covered if they meet the thresholds. You can submit OCPA deletion requests to companies like Spokeo, Whitepages, BeenVerified, and Acxiom, and they are legally required to honor them within 45 days.
However, data brokers re-ingest public records and purchased data continuously. A one-time OCPA request typically results in your profile reappearing within 3 to 12 months. Continuous monitoring is the only sustainable way to stay off these lists.
What the OCPA does not do
There are some important gaps:
- No private right of action. Only the Oregon AG can enforce the OCPA — you cannot sue a business directly.
- Employee data is partly excluded. Data processed in a purely employment context has limited protections.
- Does not override federal law. Data regulated under HIPAA, GLBA, FERPA, or FCRA is exempt.
How PrivacyOn helps Oregon residents
PrivacyOn uses the OCPA's right-to-delete as the legal foundation for its opt-out requests to data brokers. Oregon residents enrolled with PrivacyOn benefit from continuous monitoring of 100+ brokers, automatic re-submission of deletion requests, and GPC-enabled browser recommendations that trigger universal opt-out signals across the web. The service covers individuals, couples, and families of up to five people — starting at $8.33/month.
Final checklist for Oregon residents
- Enable Global Privacy Control in your browser (Firefox, Brave, DuckDuckGo browser all support it natively)
- Submit OCPA deletion requests to the five largest data brokers (Spokeo, BeenVerified, Whitepages, PeopleFinder, Intelius)
- Ask each broker for the list of third parties that received your data
- Freeze your credit at Equifax, Experian, and TransUnion
- Consider enrolling in continuous monitoring to handle the re-ingestion problem
The OCPA is one of the most powerful privacy laws in the U.S. — but rights on paper only matter if you exercise them. Use this guide to put the law to work for you.