The Oregon Consumer Privacy Act (OCPA) marked its six-month anniversary on January 1, 2025. To bring residents up to speed on what his office has been doing in that time, the attorney general published a detailed enforcement report in March.

Here’s what we learned about the state’s first six months under the OCPA.

Creation of a Privacy Enforcement Unit

While California is the only state so far to create an entire agency dedicated to privacy, it doesn’t mean that other states are sitting idly by. Similar to Texas, Oregon has created a unit within the attorney general’s office that is dedicated exclusively to privacy enforcement.

The report notes the necessity of robust enforcement by the attorney general, given the OCPA’s lack of a private right of action. The privacy unit has ongoing funding for three attorneys and two specialist positions.

Oregonians Are Interested in Their Privacy Rights

For a law that has only been in effect for six months, the OCPA has generated a lot of interest among state residents. After launching an online portal for submitting consumer privacy complaints, the state received 110 complaints during this initial period.

While that may not sound like a lot, it’s much more than the 30 complaints Connecticut received in the first six months of its privacy law. Though California reported receiving over 2000 consumer privacy complaints in one year, that state also has nearly 10x the population of Oregon and the California Consumer Privacy Act has been in effect since 2020.

Based on these initial numbers, we expect to see strong interest in data privacy rights from Oregonians going into the future.

Mandatory Cure Periods…For Now

The OCPA requires the state to give businesses a mandatory 30-day cure period for any alleged violations. If the privacy unit believes a business to be out of compliance, it sends a cure letter detailing its findings. 

In the first six months since the OCPA has been in effect, the Oregon attorney general’s office has sent out 21 such cure letters. The report states that responses to the cure letters have been mostly positive, and businesses generally move quickly to fix any potential violations. The AG has also sent out 20 “light” cure letters, which "asked companies to incorporate the law in their online privacy notice and did not cite specific deficiencies in those notices.”

The OCPA’s mandatory cure period provision expires on January 1, 2026. After that date, businesses should not assume they will receive much leeway from the state.

‍

Stay Ahead of State Privacy Compliance

Anyone hoping that states would take a hands-off approach to privacy enforcement is going to be disappointed by this latest report out of Oregon. Data privacy is a big issue, and a political one at that, so attorneys general and other offices are keen to protect their constituents’ rights.

As more privacy laws pass and existing laws are amended, compliance becomes more complicated. For businesses without in-house privacy expertise, staying current with the latest requirements can be too much to manage on their own.

TrueVault helps businesses of all sizes manage the complexities of privacy compliance, no legal background needed. Through our guided workflows, automated tools, and API integrations, you can get your company privacy-compliant in as little as a few hours. Create data maps, onboard vendors, respond to privacy requests, and more with TrueVault.

Best of all, as new privacy laws go into effect, they are added to your privacy center at no additional cost!

Contact our team to learn more about how TrueVault can help your business.

‍