Oregon

Oregon's OCPA gives you the right to opt out of data brokers.

Passed Date: July 18, 2023
Effective Date: July 1, 2024
Right to Know in Oregon: Yes
Right to Delete in Oregon: Yes
Right to Opt Out of Sales in Oregon: Yes
Right to Correct in Oregon: Yes
Right to Non-Discrimination in Oregon: Yes
Authorized Agent in Oregon: Limited (opt-out only)

What the OCPA does for you

Oregon's consumer privacy law (OCPA) gives you meaningful control over your personal data. You have the right to know what information businesses collect about you, correct inaccuracies, delete your data, opt out of its sale or use for targeted advertising, and obtain a portable copy of your data. These rights apply to businesses that process data about 100,000 or more Oregon residents, or 25,000+ residents when at least 25% of revenue comes from selling personal data.

Your rights under the OCPA

Right to Know

You can ask a business whether it is processing or has processed your personal data, the categories of data it processes, a list of specific third parties to which your data has been disclosed, and a copy of all personal data it has processed about you.

Exceptions: Does not require disclosure of the controller's trade secrets; Controller may charge a reasonable fee for a second or subsequent request within a 12-month period; If the controller cannot authenticate the request with commercially reasonable effort, it may decline until sufficient information is provided.

Source: ORS 646A.574(1)(a)

Right to Delete

You can require a business to delete your personal data, including data you provided directly, data obtained from other sources, and derived data. If the business obtained your data from another source, it can comply by either deleting the data (retaining only a minimal record to ensure it stays deleted) or opting you out of all processing for non-exempt purposes.

Exceptions: Does not apply to data the controller must retain to comply with a legal obligation; Does not apply to data needed to complete a transaction you requested; Does not apply to data used to investigate, detect, or prevent security incidents or fraud; Does not apply to data used for internal operations compatible with your reasonable expectations.

Source: ORS 646A.574(1)(c), 646A.576(7)

Right to Correct

You can require a business to correct inaccuracies in personal data it holds about you. The business must consider the nature of the data and its purpose for processing when making corrections.

Exceptions: Applies only to inaccuracies, not to data that is accurate but that you disagree with.

Source: ORS 646A.574(1)(b)

Right to Opt Out of Sales

You can opt out of a business selling your personal data to third parties for money or other valuable consideration. Businesses are prohibited from selling the precise location data of consumers or the data of anyone under 16 without consent.

Exceptions: Does not apply to disclosures to processors acting on the controller's behalf; Does not apply to transfers as part of a merger or acquisition; Does not apply when you direct the controller to disclose your data to a third party.

Source: ORS 646A.574(1)(d)(B), 646A.578(2)(d)

Right to Opt Out of Processing

You can opt out of a business using your personal data for targeted advertising — that is, ads selected based on your activity across multiple unrelated websites or apps over time. You can also opt out of profiling used to make decisions that produce significant legal or similar effects on you, such as decisions about credit, housing, employment, health care, or education.

Exceptions: Does not apply to ads based on your activity within the controller's own websites or apps; Does not apply to ads based on the context of your current search or visit; Does not apply to processing solely for measuring or reporting ad frequency or performance.

Source: ORS 646A.574(1)(d)(A), 646A.574(1)(d)(C)

Right to Opt Out of Automated Decisions

You can opt out of having your personal data used for automated profiling when that profiling is used to make decisions that produce significant legal effects or effects of similar significance — for example, decisions about financial or lending services, housing, insurance, education, criminal justice, employment, or health care.

Exceptions: Does not apply to profiling that does not produce legal effects or effects of similar significance; Businesses may not use data for this purpose for anyone under 16 without consent.

Source: ORS 646A.574(1)(d)(C), 646A.578(2)(c)

Right to Data Portability

When you request a copy of your personal data, the business must provide it in a portable, machine-readable format that allows you to transmit it to another company without hindrance, to the extent technically feasible.

Exceptions: Does not require disclosure of the controller's trade secrets; Must be technically feasible.

Source: ORS 646A.574(2)

Right to Non-Discrimination

A business cannot discriminate against you for exercising your privacy rights. This means it cannot deny you goods or services, charge you different prices, or provide you a lower quality or selection of goods or services simply because you exercised a right under this law.

Exceptions: Businesses may offer a different price or level of service in connection with your voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

Source: ORS 646A.578(2)(e), 646A.578(3)(b)

Right to Limit Sensitive Data

Businesses must obtain your consent before processing your sensitive personal data. Sensitive data includes racial or ethnic background, national origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, transgender or nonbinary status, victim-of-crime status, citizenship or immigration status, children's data, precise geolocation (within 1,750 feet), and genetic or biometric data.

Exceptions: Does not apply to data that is de-identified; For children's data, the controller must comply with the Children's Online Privacy Protection Act (COPPA) rather than obtain consent directly from the child; Processing may be permitted without consent where another exemption applies, such as for security incident response or legal compliance.

Source: ORS 646A.578(2)(b)

How to exercise your rights

  1. See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed.
  2. Submit an OCPA deletion or opt-out request. Covered businesses have 45 days to respond (ORS 646A.576(5)), with up to 45 additional days if they invoke the extension provision.
  3. Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data.

Authorized agents

The OCPA mentions authorized agents only in the context of opt-out requests (Or. Rev. Stat. § 646A.800 et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.

Enforcement and penalties

The OCPA is enforced by the Oregon Attorney General. The Attorney General can bring civil actions and seek penalties of up to $7,500 per violation. The Attorney General has exclusive authority to enforce this law — there is no private right of action for consumers to sue directly. Before suing, the Attorney General may give a controller a 30-day opportunity to cure the violation (this cure period applies only until January 1, 2026, after which it applies only to qualifying public broadcasting entities).

Who does the OCPA apply to?

This law applies to businesses that conduct business in Oregon or offer products or services to Oregon residents and that, during a calendar year, control or process the personal data of 100,000 or more Oregon consumers (other than for completing a payment transaction), or control or process data of 25,000 or more consumers while deriving 25% or more of annual gross revenue from selling personal data. Motor vehicle manufacturers and their affiliates are also covered regardless of these thresholds when processing data from vehicle use. Many entities are exempt, including government bodies, covered health entities under HIPAA, financial institutions subject to Gramm-Leach-Bliley, insurers, and nonprofits.

Frequently asked questions

What businesses does Oregon's privacy law apply to?

The law applies to businesses that do business in Oregon or provide products or services to Oregon residents, and that either process the personal data of 100,000 or more Oregon consumers per year, or process data of 25,000 or more consumers while deriving 25% or more of their annual revenue from selling personal data (ORS 646A.572(1)). Many types of organizations are exempt, including government agencies, covered health entities under HIPAA, and financial institutions subject to federal Gramm-Leach-Bliley rules.

How do I submit a request to access, correct, or delete my data?

You submit your request using the method the business specifies in its privacy notice (ORS 646A.576(1)). The business must respond within 45 days, and can extend that by another 45 days if needed with notice to you (ORS 646A.576(5)(a)). If the business declines your request, it must explain why and tell you how to appeal the decision.

Can I have someone else submit a privacy request on my behalf?

Yes — you can designate an authorized agent to opt out of the sale of your personal data or targeted advertising on your behalf, including through a browser setting or privacy tool (ORS 646A.576(4)). Parents and legal guardians can also exercise privacy rights on behalf of their minor children. However, authorized agents can only make opt-out requests on your behalf, not requests to access, correct, or delete your data.

What happens if a business violates my privacy rights?

Oregon's Attorney General has exclusive authority to enforce this law and can sue businesses for up to $7,500 per violation (ORS 646A.589(4)). You cannot sue a business directly under this law. If a business denies your privacy request, you have the right to appeal within the company and, if that fails, to contact the Attorney General's office to file a complaint.

What is 'sensitive data' and do I need to give consent before it is processed?

Sensitive data includes information about your race, ethnicity, religion, health conditions, sexual orientation, gender identity, immigration status, precise location, and biometric or genetic data, as well as any data about children under 13 (ORS 646A.570(18)). Yes — businesses must obtain your explicit consent before processing your sensitive data (ORS 646A.578(2)(b)). You also have the right to revoke that consent at any time, and the business must stop processing within 15 days.
