Quick Guide to Oregon's Data Privacy Law
The Oregon Consumer Privacy Act (OCPA) marked its six-month anniversary on January 1, 2025. To bring residents up to speed on what his office has been doing in that time, the attorney general published a detailed enforcement report in March.
Here’s what we learned about the state’s first six months under the OCPA.
While California is the only state so far to create an entire agency dedicated to privacy, that doesn’t mean other states are sitting idly by. Similar to Texas, Oregon has created a unit within the attorney general’s office that is dedicated exclusively to privacy enforcement.
The report notes the necessity of robust enforcement by the attorney general, given the OCPA’s lack of a private right of action. The privacy unit has ongoing funding for three attorneys and two specialist positions.
For a law that has only been in effect for six months, the OCPA has generated a lot of interest among state residents. After launching an online portal for submitting consumer privacy complaints, the state received 110 complaints during this initial period.
While that may not sound like a lot, it’s much more than the 30 complaints Connecticut received in the first six months of its privacy law. Though California reported receiving over 2000 consumer privacy complaints in one year, that state also has nearly 10x the population of Oregon and the California Consumer Privacy Act has been in effect since 2020.
Based on these initial numbers, we expect to see strong interest in data privacy rights from Oregonians going into the future.
The OCPA requires the state to give businesses a mandatory 30-day cure period for any alleged violations. If the privacy unit believes a business to be out of compliance, it sends a cure letter detailing its findings.
In the first six months that the OCPA has been in effect, the Oregon attorney general’s office has sent out 21 such cure letters. The report states that responses to the cure letters have been mostly positive, and businesses generally move quickly to fix any potential violations. The AG has also sent out 20 “light” cure letters, which “asked companies to incorporate the law in their online privacy notice and did not cite specific deficiencies in those notices.”
The OCPA’s mandatory cure period provision expires on January 1, 2026. After that date, businesses should not assume they will receive much leeway from the state.
Anyone hoping that states would take a hands-off approach to privacy enforcement is going to be disappointed by this latest report out of Oregon. Data privacy is a big issue, and a political one at that, so attorneys general and other offices are keen to protect their constituents’ rights.
As more privacy laws pass and existing laws are amended, compliance becomes more complicated. For businesses without in-house privacy expertise, staying current with the latest requirements can be too much to manage on their own.
TrueVault helps businesses of all sizes manage the complexities of privacy compliance, no legal background needed. Through our guided workflows, automated tools, and API integrations, you can get your company privacy-compliant in as little as a few hours. Create data maps, onboard vendors, respond to privacy requests, and more with TrueVault.
Best of all, as new privacy laws go into effect, they are added to your privacy center at no additional cost!
Contact our team to learn more about how TrueVault can help your business.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.