Oregon Reports More Than 200 Complaints in Consumer Privacy Act's First Year

The number of complaints is “significant ... compared to other similarly sized states, showing that Oregonians care about their privacy rights,” the attorney general’s office said in a release.

Oregon’s comprehensive consumer privacy law took effect July 1, 2024, for business entities and July 1 this year for nonprofits. It passed the legislature in 2023 (see 2307180077) and, like all other states' comprehensive privacy laws, doesn't contain a private right of action (see 2306220059).

Of the 214 complaints, 130 were related to the OCPA, and 62 involved data brokers. "Social media platforms were the second most complained about type of entity/industry,” the report said, and the right to delete accounted for 77 complaints.

“Oregonians also submitted a substantial number of complaints about the right to request a copy of their data with 20 complaints, and a right to get a list of specific third parties their data was disclosed to, with 19 complaints.”

Oregon's DOJ sought better compliance with the law's provision that "allows consumers to request a list of entities that their personal data was disclosed to, which includes sales of consumer data.” This “helps individuals track to whom their data has been disclosed to, providing them with better understanding of how to follow up potentially with deletion or other privacy rights,” said the report: But many of the companies that are the subject of consumer complaints fail to meet this requirement in some way, while others that claim to comply don't handle requests correctly.

“The right to a list of specific third parties is an enforcement concern for the DOJ, as it represents an important tool for consumers to monitor and understand how their data has been disclosed downstream and makes data practices more transparent,” said the report. “As other states consider adding this right to their comprehensive privacy laws, the Privacy Unit expects companies to focus on better compliance with this provision.”

Some entities have “self-help” approaches for consumers to exercise their privacy rights, but there are often issues with that, too, the report said. Typically, consumers gain control over consumer-facing data, while back-end information is undisturbed, which is a violation of the OCPA.

Additionally, non-account holders aren't always given a mechanism to carry out their rights, another OCPA violation. Oregon DOJ recommended that companies review their privacy rights mechanisms to ensure compliance.

Making sure that electronic forms or other mechanisms are functioning is also key to ensuring compliance with the OCPA, said the report, as some companies have technical problems that lead to violations.

The report noted amendments to the comprehensive privacy law from the 2025 legislature, including expanded protections for minors and a ban on selling precise geolocation data (see 2505220022 and 2503190031).

“Oregonians have the right to manage their personal data -- and in the first year of this new law, we are ensuring that right is a reality,” Attorney General Dan Rayfield (D) said. The state “DOJ is committed to making sure companies follow the law and every Oregonian has control over their own data.”

The state previously released a report on OCPA's first six months, noting that the privacy unit received 110 consumer complaints in that time (see 2503100045). A Q1 2025 report on enforcement of the law, released in April, recorded 47 complaints between January and March, mostly about the government's handling of people's data, the privacy unit said (see 2504220003).