Oregon's OCPA establishes comprehensive privacy rights similar to Connecticut's, with the key innovation that consumers can request a list of the SPECIFIC third parties to whom their data has been disclosed (not just categories).
Last reviewed 2026-06-19 · Risk rating rationale: 100,000-consumer threshold catches most national websites. The named-third-party disclosure right is more burdensome than other state laws.
Find out in 10 seconds whether your site meets Oregon's requirements
Scantra runs a free, no-account, 9-check audit of your homepage covering privacy policy, contact info, CCPA-style opt-out, security headers, accessibility, and SEO basics. Most Oregon sites we scan fail at least three.
Key Oregon laws affecting websites
The statutes most likely to apply to a commercial website serving Oregon residents. Click a citation to read the official text where available.
OCPA: Oregon Consumer Privacy Act · Effective 2024
Applies to: Entities that conduct business in Oregon or provide products or services to Oregon residents AND control or process data of 100,000+ Oregon consumers (or 25,000+ with 25%+ revenue from data sale).
What your website must do
Privacy notice with categories of data, purposes, sharing, rights
Disclose to consumers, on request, the SPECIFIC third parties to whom personal data has been disclosed
Opt-out of sale, targeted ads, profiling for significant decisions
Opt-in for sensitive data
Data protection assessments for high-risk processing
Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.
OCPA covers profiling for significant decisions with opt-out rights.
Practical requirements for your website
Disclose use of profiling for credit / employment / housing / insurance / healthcare / education decisions
Provide an opt-out path
Frequently asked questions about Oregon website compliance
What's special about the Oregon 'specific third party' disclosure right?
Unlike Virginia, Colorado, and Connecticut — which require disclosure of CATEGORIES of third parties — Oregon lets consumers ask for the actual NAMES of the third parties to whom their data has been disclosed. This requires maintaining a real-time data-sharing registry, which is operationally heavier than category-only laws.
Are non-profits subject to OCPA?
OCPA exempts non-profits in some circumstances, but the exemption is not blanket: non-profits that process personal data 'in connection with' a domestic violence shelter or victim-services activity get specific exemptions. Most other non-profits ARE subject if they meet the thresholds. Confirm with counsel.
Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-19. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in Oregon.