On August 29, 2025, Oregon Attorney General Dan Rayfield released the first annual enforcement report detailing the state’s activity under the Oregon Consumer Privacy Act (OCPA). The findings underscore the seriousness with which the Oregon Department of Justice (DOJ) is approaching privacy enforcement and offer critical lessons for businesses subject to the law.
Oregonians Are Exercising Their Privacy Rights
The Oregon DOJ received 214 complaints in the first year, an impressive volume for a state of Oregon’s size. The complaints reflect a high level of consumer awareness and concern, particularly around data brokers and the right to delete personal information. Thirty-eight enforcement matters were closed, each initiated by consumer complaints and resolved through Oregon’s current “notice and cure” process, which allows businesses 30 days to address compliance issues before formal enforcement begins. (Note: starting January 1, 2026, the Oregon DOJ will no longer be required to follow the notice and cure process and may instead immediately seek enforcement penalties for violations.)
Businesses Misunderstand the Scope of Personal Information
A common compliance gap identified by the DOJ is that many businesses failed to grasp the full scope of personal information covered by the OCPA, assuming that only online data like website or app activity was covered. In reality, offline and internally generated data (such as marketing profiles, shopping behavior, and other back-end information) are also subject to the law. When consumers request access or deletion, businesses must ensure that all personal data – regardless of how or where it was collected – is covered by their response.
Privacy Request Mechanisms Must Work
The DOJ found that many businesses had non-functional or inaccessible privacy request forms, which hindered consumers from exercising their rights. Forms that were broken, confusing, or difficult to navigate were a frequent source of complaints. Businesses must ensure that their intake mechanisms are accessible, understandable, and operational, meeting both consumer expectations and regulatory standards.
Oregon’s Unique Transparency Requirement
One of the most distinctive features of the OCPA is its requirement that businesses disclose to consumers upon request the names of third parties to whom personal data has been sold. This provision allows consumers to trace the flow of their data and make privacy requests directly to downstream recipients. Similar provisions exist in Minnesota’s law and Rhode Island’s upcoming privacy legislation, suggesting a growing trend toward data custody transparency.
Legislative Updates: What’s Changing in 2026
The Oregon Legislature amended the OCPA with several impactful changes that take effect on January 1, 2026:
- Ban on selling precise geolocation data: Businesses will be prohibited from selling this data, even with consumer consent.
- Ban on selling data of minors: Personal data of consumers under 16 cannot be sold or even shared for targeted advertising.
- End of the cure period: The mandatory 30-day cure provision will sunset, giving the DOJ discretion to enforce violations immediately.
- Universal opt-out mechanisms: Businesses must honor opt-out requests via standardized universal opt-out tools, allowing consumers to opt out of data sales and targeted advertising.
Nonprofits and Auto Manufacturers Now Covered
As of July 1, 2025, nonprofits are subject to the OCPA. And beginning September 26, 2025, auto manufacturers collecting personal data must comply regardless of consumer volume in Oregon.
With 19 states now having comprehensive privacy laws in effect or taking effect next year, businesses must adopt robust and proactive compliance programs. The Oregon DOJ’s enforcement activity demonstrates that regulators are not only monitoring compliance but are prepared to act. Businesses should ensure their privacy practices are comprehensive, transparent, and responsive to both consumer and regulatory expectations.
Wondering how the OCPA might impact your business? For guidance on OCPA compliance or other privacy law questions, please reach out to our team.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.