After six months of enforcement of Oregon’s Consumer Privacy Act (OCPA), a new report from Oregon Attorney General Dan Rayfield indicates strong consumer engagement with the law’s privacy rights, notable business compliance efforts and key areas where businesses are falling short. Since the OCPA took effect in July 2024, the Privacy Unit at the Oregon DOJ has received 110 consumer complaints. The most common complaints involve:
- data brokers, particularly background check websites that sell personal information;
- social media and technology companies, which collect and share user data; and
- denials of consumer rights requests, with the right to delete personal data being the most frequently requested and denied right.
Under the OCPA, businesses that fail to comply receive “cure notices,” which provide 30 days to fix violations. In the last six months, the Privacy Unit has initiated and closed 21 privacy enforcement matters. Common compliance deficiencies flagged in these notices include:
- Lack of required disclosures – Many businesses failed to properly inform consumers of their rights under the OCPA.
- Confusing or incomplete privacy notices – Some businesses listed privacy rights for other states but omitted Oregon, giving the impression that OCPA protections do not apply.
- Difficult or hidden opt-out mechanisms –Some businesses made it unnecessarily burdensome for consumers to exercise their rights, by, for example, requiring excessive authentication steps.
The report notes that most businesses have responded positively to enforcement actions, and that businesses receiving cure notices have quickly updated their privacy policies and consumer rights mechanisms in response to DOJ requests.
- Upcoming OCPA Compliance Deadlines July 1, 2025 – Nonprofits will become subject to the OCPA;, the Oregon DOJ is preparing guidance materials to assist nonprofits with compliance.
- January 1, 2026 – The cure notice period will expire, allowing stricter enforcement measures.
- 2026 and beyond – The OCPA’s universal opt-out mechanism provisions will take effect, requiring businesses to honor automated consumer privacy requests.