Attorney General Rayfield Releases One Year Report on Oregon Consumer Privacy Act

August 29, 2025
• Posted in ,

Oregonians most concerned about data brokers and deleting personal information; DOJ has resources for Oregonians to know their rights

Attorney General Dan Rayfield has released a report with the results from the first year of the Oregon Consumer Privacy Act (OCPA). The comprehensive law, which took effect last July, empowers individuals and families to take control of their personal data – ranging from browsing history or home address to mental health information.

“Oregonians have the right to manage their personal data – and in the first year of this new law, we are ensuring that right is a reality,” Rayfield said. “DOJ is committed to making sure companies follow the law and every Oregonian has control over their own data.”

In the first year of enforcement, the Privacy Unit within the Civil Enforcement Division at Oregon DOJ received 214 complaints – a significant number compared to other similarly sized states, showing that Oregonians care about their privacy rights.

Of the complaints received:

  • The majority of complaints were about online data brokers – including websites that provide background reports for a fee. The top right that Oregonians have been requested and been denied is the right to delete their information.
  • The Privacy Unit has initiated and closed 38 matters, after sending notices of violation (also called “cure notices”) and broader information requests to companies. These notices give entities a chance to correct compliance issues before additional enforcement steps are taken.

Currently, the OCPA requires DOJ to give companies 30 days to cure any identified violations before taking formal enforcement action. Overall, the responses we have received to date have been positive. Most companies updated privacy notices and/or improved consumer rights mechanisms quickly after being contacted by the Privacy Unit.

Key takeaways for businesses to ensure compliance include:

  • Companies need to ensure that they are offering consumers the right to know any third-party entities their personal data has been disclosed to, including through the sale of consumer data.
  • Companies need to ensure that “back-end” personal data – such as marketing profiles or shopping patterns – are included when consumers request to copy or delete data.
  • Companies need to ensure their rights request form is accessible, functioning, and complete.

As of July 1, 2025, nonprofits are also subject to the OCPA. The DOJ Consumer Privacy website includes FAQs for nonprofits, as well as for businesses and consumers.

The full report can be found on the DOJ website at https://www.doj.state.or.us/wp-content/uploads/2025/08/OCPA-One-Year-Enforcement-Report-2025.pdf

What Oregonians should know:

The DOJ Consumer Privacy website includes resources for Oregonians about how to protect your personal data, including:

If businesses are not responsive after someone requests to have their information taken down, individuals and families can fill out this complaint form ».

What’s next:

  • Starting on September 26, 2025, the OCPA will apply to all auto manufacturers that collect personal data regardless of the number of consumers in Oregon.
  • As of January 1, 2026, controllers are banned from selling precise geolocation data and banned from selling the data of children under 16 and using the data of children under 16 for targeted advertising and certain types of profiling.
  • The 30-day cure provision described above sunsets on January 1, 2026.
  • Beginning January 1, 2026, controllers are required to honor consumers’ requests to opt out of the sale of their data or targeted advertising via universal opt-out mechanisms.

The Oregon Department of Justice will continue to share regular reports to ensure transparency.