Industry News

Oregon’s Consumer Privacy Act: 110 Complaints Filed in 6 Months

Written by Verified Credentials | Apr 3, 2025 3:15:00 PM

In June 2023, the Oregon Legislature passed Senate Bill 619, also known as the Oregon Consumer Privacy Act (OCPA). The law took effect on July 1, 2024, establishing more comprehensive protection for consumer personal data and setting new guidelines employers are required to follow. Attorney General Dan Rayfield recently released a six-month enforcement report highlighting the bill’s impact and progress.

 

OCPA overview

The OCPA grants consumers broader rights over personal data and sets clear guidelines for data controllers (entities responsible for controlling and managing consumer data). Some key rights for consumers under OCPA include the following:

  • Consumers have the right to:
    • know if their personal data is processed
    • request and access a copy of their personal data in a portable and usable format
    • request the deletion of their personal data from websites
    • opt out of the sale of personal data
  • Opt-in for minors: Oregon was already obligated to follow the guidelines of the federal Children’s Online Privacy Protection Act (COPPA) when processing the data of children under 13. The OCPA builds on this by requiring that companies be aware of a consumer's age and obtain explicit consent (opt-in) before selling the personal data of minors aged 13 to 15 in most situations.

Compliance and enforcement

  • Cure period: The OCPA gives companies a 30-day window to respond to identified violations. The mandatory cure period expires on January 1, 2026.
  • Nonprofit regulations: Starting July 1, 2025, nonprofits will also be subject to OCPA guidelines. The Oregon Department of Justice (DOJ) is preparing guidance materials to assist nonprofits with compliance.

You can read the full text here to learn more about consumer rights, business obligations, and enforcement.

 

Key highlights from the enforcement report

By early 2025, the Oregon DOJ's Privacy Unit had already received 110 complaints, suggesting a high level of engagement. Attorney General Dan Rayfield emphasized the importance of the new regulations in the 6-month report, stating,

“This law gives people and families the ability to manage their personal information and have it removed from websites. We’re already seeing real results, and we’ll continue pushing to make sure companies respect these rights and that every Oregonian has the control they deserve over their own data.”

The Attorney General’s Civil Enforcement Division Privacy Unit identified several common violations in the report:

  • Lack of disclosures: For example, failing to inform consumers of their rights altogether.
  • Inadequate or misleading disclosures: Insufficient or unclear information listed to meet the need for transparency that OCPA requires, and/or not listing some or all third parties that private data is being sold to.
  • Issues with resources: Making links, opt-outs, or requests to privacy rights unreasonably difficult to find or access, or in some cases, absent altogether.
  • Denial to delete personal information: Not deleting personal consumer information upon request in compliance with the law.

Most complaints pertained to online data brokers and social media or technology platforms, with the most common issue being the denial of consumers' requests to delete their personal information. To read the full report, click here.

 

Keeping an eye on privacy laws as they develop

bigger picture

Between January and April 2025, the Privacy Unit initiated and closed 21 privacy matters, indicating that the state government intends to take violations seriously. These laws may also affect remote hiring and apply to employers who handle consumer data for Oregon residents or hire remotely in the state.

Oregon’s law is just one of several state-level consumer data privacy laws to recently go into effect. Earlier this year, we covered other similar consumer privacy laws in Delaware, New Jersey, New Hampshire, Iowa, and Nebraska. To remain compliant, employers in their respective states should meet with their legal advisors regularly and keep up with the latest developments in data privacy regulations. Verified Credentials will attempt to provide updates on the latest data privacy laws as updates become available.

 

This content is for informational purposes only and shall not constitute legal 
opinion or advice. Consult your legal counsel to ensure compliance.
View full post