Does OCPA give me the right to delete my data?

Yes. OCPA, effective July 1, 2024, grants Oregon consumers the right to request deletion of personal data held by controllers, with a 45-day response window and one 45-day extension.

What's Oregon's unique third-party list right?

OCPA requires controllers to disclose a list of specific third parties (not just categories) that received a consumer's personal data. This is more granular transparency than Virginia, Texas, or Colorado.

What are OCPA penalties?

Up to $7,500 per violation, plus attorney's fees, expert witness fees, and investigation costs. The Oregon AG has exclusive enforcement authority. The 30-day cure period expired January 1, 2026.

OCPA Explained — The Oregon Consumer Privacy Act

Q: Does OCPA have an authorized-agent framework?

Yes. OCPA explicitly allows Oregon consumers to designate an authorized agent to exercise opt-out rights on their behalf. Controllers must comply once they verify the agent's authority. This is broader than Texas (opt-out signals only) and explicit unlike Virginia.

What Is OCPA

Oregon built privacy law the right way.

The Oregon Consumer Privacy Act (OCPA) became effective on July 1, 2024, after four years of development by the Oregon Attorney General's Consumer Privacy Task Force. That extended development process shows — OCPA contains several consumer protections that other state laws don't, including a full authorized-agent framework and the unique right to obtain a list of specific third parties that received your personal data.

The law is enforced exclusively by the Oregon Attorney General through the DOJ's Privacy Unit. In its first year (July 2024 - July 2025), the Privacy Unit received 214 consumer complaints and issued 38 cure letters — most concerning data brokers and the right to delete personal information. This is active, not theoretical, enforcement.

Your rights under OCPA

Right to Access

Confirm whether a controller processes your personal data and obtain the data in a portable format.

Right to Correct

Fix inaccurate personal data that a controller holds about you.

Right to Delete

Request deletion of personal data a controller has collected about you.

Right to Specific Third Parties

Unique to Oregon: obtain a list of the specific third parties (not just categories) that received your data.

Right to Opt Out

Opt out of processing for targeted advertising, data sales, or profiling for significant decisions.

Authorized Agent

Designate an agent to exercise opt-out rights on your behalf — a full framework, not just GPC signals.

Who has to comply with OCPA

OCPA applies to individuals and entities that conduct business in Oregon or provide products/services to Oregon residents AND meet one of these thresholds:

Control or process personal data of at least 100,000 consumers in a calendar year, OR
Control or process personal data of 25,000+ consumers and derive over 25% of annual gross revenue from the sale of personal data

That second threshold is stricter than Virginia's 50% revenue requirement and matches Colorado's "any revenue from sales" broader test. Two additional coverage notes:

Nonprofit coverage (effective July 1, 2025): Qualifying nonprofits became subject to OCPA a year after for-profits. Most state privacy laws exempt nonprofits entirely.
Auto manufacturer rule (effective September 26, 2025): Auto manufacturers collecting personal data must comply with OCPA regardless of consumer volume. This closes a loophole exploited by connected-vehicle data collection.

Oregon's authorized-agent framework

OCPA explicitly allows consumers to designate an authorized agent to exercise opt-out rights on their behalf. Controllers must comply once they verify:

The consumer's identity (with commercially reasonable effort)
The agent's authority to act on behalf of the consumer

This framework is narrower than California's (which extends to all rights, not just opt-outs) but broader than Texas's (which recognizes only universal opt-out signals, not formal agent appointments). For consumers, it means services like ClickOff Shield can submit opt-out requests on your behalf with statutory backing.

How It Compares

Oregon vs. California: the most consumer-friendly after the original

After California, Oregon is arguably the most consumer-friendly state privacy jurisdiction. It has a full authorized-agent framework (unlike Texas or Virginia), a unique third-party transparency right, and the strongest minor protections. What it lacks is California's DROP centralized registry and dedicated privacy agency.

Feature

Oregon (OCPA)

California (CCPA + SB362)

Right to Delete

Yes, 45-day response

Centralized Delete Registry

No — per-controller requests

Yes — DROP (Aug 1, 2026)

Authorized Agent Framework

Yes — full opt-out agent

Yes — full agent

Third-Party List Right

Yes — specific parties, not categories

Categories only

Universal Opt-Out (GPC)

Required since Jan 2026

Required

Minor Data Sale

Banned under 16 (Jan 2026)

Opt-in required

Precise Geolocation Sale

Banned entirely (Jan 2026)

Sensitive data opt-in

Max Civil Penalty

$7,500 per violation

$7,500 per intentional

Cure Period

Expired Jan 1, 2026

Removed Jan 2023

Nonprofit Coverage

Yes (since July 2025)

No (standard exemption)

The most striking contrast: Oregon extended OCPA to nonprofits and auto manufacturers while most state laws exempt them. If you've wondered why some auto manufacturer privacy notices started changing in late 2025, that's the OCPA auto-manufacturer provision taking effect.

Enforcement

The first year of OCPA enforcement

Oregon's DOJ published its first annual enforcement report on August 29, 2025, covering the first year of OCPA enforcement. Key findings:

214 consumer complaints received by the Privacy Unit — a high volume for a state of Oregon's size
38 enforcement matters closed, each initiated by consumer complaints and resolved through the cure process
Most complaints about data brokers — particularly "people search" sites that combine public records with purchased data to compile background profiles
Right to delete was the most-requested and most-denied right, often due to controllers' self-help mechanisms not functioning properly for authorized agents
Third-party list disclosure emerged as a major enforcement focus — the AG found many controllers weren't providing sufficient detail about specific third parties

The cure period expired January 1, 2026. From that date forward, the AG can pursue enforcement actions directly, without offering businesses a chance to fix violations first. Additional key dates going forward:

January 1, 2026 — UOOM/GPC recognition required, minor data sale banned (under 16), precise geolocation sale banned entirely
July 1, 2026 — Privacy notices must include information about universal opt-out signal methods

The Honest Version

What OCPA still doesn't give you

Oregon's law is strong, but not perfect. Here's what OCPA does not give Oregon residents:

No private lawsuits. Enforcement is AG-only. You cannot personally sue a controller for ignoring your OCPA request.
No centralized delete system. Like every state except California, there's no "delete from all Oregon brokers" infrastructure.
Authorized agent covers opt-outs, not full deletion rights. Your agent can submit opt-out requests for you. For deletion, access, or correction rights, you (or a verified agent with proper authorization) still need to submit individually.
No dedicated privacy agency. Enforcement runs through the DOJ Privacy Unit rather than a specialized agency like California's CPPA. That means less rulemaking capacity and more reliance on consumer complaints.
Self-help mechanism issues. Many controllers' online privacy forms don't work correctly for authorized-agent submissions. The DOJ flagged this as a common enforcement issue. Shield works around these technical issues with direct broker outreach.

OCPA — The OregonConsumer Privacy Act