Oregon Releases Report on the First Six Months of its Oregon Consumer Privacy Act

Alert

08 April 2025

5 min read

Oregon Attorney General Dan Rayfield has released a report detailing implementation steps and enforcement actions taken during the first six months of the Oregon Consumer Privacy Act ("OCPA"), which entered into force in July 2024.¹ The report describes the Oregon Department of Justice Privacy Unit's ("Privacy Unit") extensive efforts to educate consumers and business about the OCPA and emphasizes the high level of consumer engagement.

Over the first six months the OCPA has been in effect, the Privacy Unit has issued 21 cure letters to companies, all of which were closed by the time the report was issued. The OCPA has a "cure period" until January 1, 2026. During this period, the OCPA gives companies a 30-day window to cure violations the Privacy Unit identifies.

Some of the most common deficiencies the Privacy Unit identified in its 2025 cure notices involved companies:

Posting confusing privacy policies
Failing to fully disclose to consumers their rights under the OCPA
Failing to provide consumers with simple mechanisms to exercise their rights

Oregon Consumer Privacy Act – Background

As described in our prior client alert on the OCPA, the OCPA was signed into law in 2023 and went into effect on July 1, 2024. During the current cure period, if the Oregon Department of Justice (ODOJ) believes that a violation can be fixed, then it gives a company notice and 30 days to remedy or cure the violation. However, if the ODOJ determines that a violation is not curable, it may bring an enforcement action.

Under the OCPA, consumers have privacy rights that allow them to manage the collection, retention, processing and sale of their personal or sensitive data. Controllers of data have corresponding obligations to, among other things, provide clear privacy notice, limit collection of personal data, obtain consent for processing of sensitive personal data and respond to consumer requests to exercise their rights within 45 days.

The OCPA currently applies to individuals and entities conducting business in Oregon that process personal data of 100,000 consumers or of those who process personal data of 25,000 consumers and derive at least 25 percent of their gross revenue from the sale of personal data. As of July 1, 2025, the OCPA will expand to apply to nonprofit entities. Notably, many other state privacy laws do not cover nonprofits.

The enforcement report highlights several "innovative" features of the Oregon law, including that:

Oregon was the first state to give consumers a right to know specific third parties to whom their data was disclosed
Its definition of "sensitive data" is expansive, including gender identity and crime victim status
It expands protections for personal and sensitive data for children under 13, as well as teens 13–15

The First Six Months of the OCPA: Implementation and Outreach

The report describes the Privacy Unit's outreach and enforcement efforts since the law's enactment. These include creating a dedicated Consumer Privacy Website² that explains the law to consumers and businesses, provides a contact email address³ and includes a prominent link to an online Complaint Form. The Privacy Unit regularly updates the website's FAQs and is preparing a new set of FAQs for nonprofit entities before the law expands to cover them in July 2025.

The ODOJ's direct outreach efforts have targeted state legislators, trade associations, groups of lawyers and technologists and consumers. A consumer survey, which helped inform that outreach, revealed that 80 percent said privacy was very important to them and that children's privacy is their greatest concern.⁴

The Privacy Unit, which sits within the Attorney General's Civil Enforcement Division, has "expanded significantly" since the OCPA went into effect. The Unit currently includes two Assistant Attorneys General, one policy analyst and one technology analyst.

Oregon Consumer Complaints

The report emphasizes the "significant number [of consumer complaints] compared to other similarly sized states." In the first six months, Oregon consumers lodged 110 complaints, compared to the 30 consumer complaints made in Connecticut during the first six months of that state's privacy law.

Some consumers' complaints related to data brokers—"specifically 'background' websites purportedly providing in-depth background reports on individuals for a fee." Other complaints related to social media / technology platforms. Another group of complaints related to consumers being denied requests to delete their personal information, which the report points out is by far the most common right exercised by consumers. Fewer numbers of complaints came from consumers wanting copies of their personal data or information about which businesses had accessed their personal data.

Enforcement Actions in the Initial Cure Period

The Privacy Unit initiated 21 "cure letter matters" in the first six months of the OCPA. These included inquiry letters seeking information to assess compliance, and letters with both inquiries and cure notices. The Privacy Unit also issued "light" cure letters, which simply asked companies to incorporate OCPA provisions into their notices, without citing any deficiencies.

The most common deficiencies identified in the cure letters were:

Failure to disclose notice of consumer rights under the OCPA
Inadequate disclosures, in particular about third parties the consumers' personal data had been sold to
Confusing privacy notices, for example, that list specific states in the "Your State Rights" section but exclude Oregon, which may mislead consumers into thinking privacy rights are only available in the named states
Inadequate or burdensome rights mechanisms, often including a failure to provide an obvious link consumers can access to opt out of sharing their data or exercise other privacy rights

The report concludes that "[o]verall, the responses … received to date have been positive. Most companies updated privacy notices and/or improved consumer rights mechanisms quickly upon receiving cure notices."

Looking ahead

The Privacy Unit is preparing to expand its remit to cover nonprofits as of July 1, 2025, while continuing to issue cure letters as "ongoing learning opportunities" for covered businesses. Beginning in January 2026, the cure period will phase out, and the OCPA's added requirement of universal opt-out mechanisms will go into effect. We will continue to monitor the developing privacy environment in the state.

_{1 Enforcement Report: The Oregon Consumer Privacy Act (2024), The First Six Months (March 2025) available at}_{https://www.doj.state.or.us/wp-content/uploads/2025/03/OCPA-Six-Month-Enforcement-Report.pdf}_.
2_{https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/privacy/}₃_{oregonprivacy@doj.oregon.gov}₄_{https://www.doj.state.or.us/media-home/news-media-releases/doj-survey-finds-most-oregonians-care-about-privacy-curious-about-new-law/}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}