Oregon Consumer Privacy Act (OCPA)
A practical compliance guide for website owners. Learn what Oregon's privacy law requires and how to implement it on your site.
Who Must Comply
Any entity that conducts business in Oregon or targets Oregon residents AND, during a calendar year, either controls or processes personal data of 100K+ consumers, OR controls or processes data of 25K+ consumers and derives 25%+ of its revenue from selling personal data.
What Your Website Must Do
| Requirement | Status |
|---|---|
| Cookie consent banner | Recommended |
| Do Not Sell link | Required |
| Do Not Share link | Required |
| Honor GPC browser signals | Recommended |
| Universal opt-out mechanism | Not required |
| Sensitive data opt-in consent | Required |
Required Links & Notices
The OCPA requires the following links or notices to be visible on your website:
1. Do Not Sell My Personal Data
2. Privacy Policy
Enforcement & Penalties
Key Things to Know
Oregon's privacy law is unique in that it applies to nonprofits — one of the few state privacy laws to do so. It follows the Virginia model with opt-out rights for targeted advertising and data sales.
Unique feature: Oregon includes nonprofits in its scope, unlike most other state privacy laws. The law also does not exempt entities covered by HIPAA at the entity level — only HIPAA-covered data is exempt.
How to Configure LegalBanner for OCPA
1. Create your site
   Sign up for free and add your website domain in the dashboard.
2. Set consent mode to "Opt-out"
   In Settings, select the consent mode that matches Oregon's requirements.
3. Install the snippet
   Add the one-line script tag to your website. The banner, opt-out links, and GPC support are automatic.
4. Generate your Privacy Policy
   Use the built-in policy wizard to generate an OCPA-compliant privacy policy.
Set up OCPA compliance in 5 minutes
LegalBanner handles Oregon privacy requirements automatically — cookie banner, opt-out links, and GPC support included.
Frequently Asked Questions
Does the Oregon OCPA apply to nonprofits?
Yes. Oregon is one of the few states whose privacy law applies to nonprofits. If your nonprofit processes personal data of Oregon residents above the threshold, you must comply with the OCPA.
Does Oregon require a cookie consent banner?
The OCPA does not require opt-in cookie consent. You must provide opt-out mechanisms for targeted advertising, sale of personal data, and profiling. A cookie preference center is recommended.
Does Oregon require honoring GPC signals?
The OCPA does not currently require honoring GPC signals. However, as of January 2026, controllers must recognize universal opt-out mechanisms. GPC support is recommended now for future compliance.
What are the penalties for OCPA violations?
The Oregon AG can impose penalties up to $7,500 per violation. There is a 30-day cure period that sunsets in January 2026.
How is Oregon different from other state privacy laws?
Oregon uniquely covers nonprofits, does not exempt HIPAA-covered entities (only HIPAA-covered data), and has a broader definition of 'sensitive data' that includes transgender/nonbinary status and precise geolocation (within 1,750 feet).