Two OCPA deadlines landed on the same day. As of January 1, 2026, the Oregon Consumer Privacy Act requires businesses to honor universal opt-out signals, and on that same date the law's cure period expired. The OCPA took effect on July 1, 2024 for most businesses (July 1, 2025 for nonprofits), and it carries a feature few other state laws share: Oregonians can ask for the names of the specific companies that received their data, where other states stop at broad categories.
Does the OCPA reach cookies?
The OCPA covers personal data linked or reasonably linkable to a consumer or a device, which explicitly reaches cookie and device identifiers used for advertising. Oregon's definition of a device link is a bit broader than some peers, so tracking identifiers are firmly in scope. Functional cookies confined to your own site generally aren't.
The activities that matter are sale (Oregon defines it broadly, covering monetary or other valuable consideration) and targeted advertising. Oregon residents can opt out of both, plus certain profiling.
Cookieless identifiers count too
The OCPA reaches data linked to a device as well as to a named person, so the opt-out extends past classic browser cookies. Hashed-email identifiers, probabilistic fingerprints, mobile advertising IDs, and connected-TV identifiers are all in scope when they drive sale or targeted advertising. That catches out a common assumption: teams sometimes read "we dropped third-party cookies" as "we stopped selling data," but under Oregon law the identifier's form doesn't matter, only what you do with it. If you shifted budget into server-side or cookieless tracking to get around third-party-cookie deprecation, Oregon still applies, and both the opt-out and your privacy notice have to reach those identifiers.
The consent model: opt-out, now with a mandatory signal
Oregon runs an opt-out model. You may set analytics and advertising cookies by default, provided you give residents a clear opt-out and, as of January 1, 2026, honor a universal opt-out mechanism automatically.
A visitor whose browser sends a Global Privacy Control (GPC) signal has opted out of sale and targeted advertising. Your site has to detect that and suppress the relevant cookies before they fire, no banner click needed. The Oregon Department of Justice highlighted the universal opt-out tool directly on Data Privacy Day, so this is front of mind for the regulator.
The specific-third-parties right
Here's Oregon's distinctive twist. Most state laws let a consumer ask which categories of third parties received their data. The OCPA goes further: a resident can request a list of the specific third parties (named companies, not category labels) to which the controller has disclosed their personal data, or personal data generally.
For cookie compliance that raises the bar on record-keeping. If you can't name the ad networks, analytics vendors, and data partners your tags share data with, you can't answer the request. Your cookie inventory has to be accurate and current.
Who's covered, including nonprofits
The OCPA applies to businesses operating in Oregon or targeting its residents that either control or process the personal data of 100,000 or more consumers in a year, or process the data of 25,000 or more consumers while deriving 25 percent or more of annual gross revenue from selling personal data. Oregon is unusual in reaching nonprofits, which came into scope on July 1, 2025, a year after commercial businesses. If you run a nonprofit with meaningful web traffic, the OCPA is one of the few broad state privacy laws that reaches nonprofits at all.
Sensitive data needs opt-in
Processing sensitive data requires prior opt-in consent. Oregon's list covers data revealing racial or ethnic background, national origin, religious beliefs, mental or physical health, sex life, sexual orientation, status as transgender or nonbinary, citizenship or immigration status, precise geolocation, genetic and biometric data, and data from a child. Precise geolocation and any health-adjacent tracking need consent before they run.
Penalties and the expired cure period
The Oregon Attorney General has sole enforcement authority, with civil penalties up to $7,500 per violation. The cure period sunset on January 1, 2026, so the AG no longer has to give notice and time to fix a violation before acting. The Oregon DOJ has published quarterly enforcement reports since the law took effect, which tells you the office is tracking complaints and following up. With the cure period gone as of 2026, there's no automatic second chance to fall back on, so getting the opt-out right the first time is the whole game.
A practical setup for Oregon traffic
- Keep a precise cookie inventory, down to named third parties, so you can answer the specific-third-parties request.
- Publish a clear opt-out for sale and targeted advertising.
- Honor GPC automatically, mandatory since January 2026.
- Gate sensitive data behind opt-in, precise geolocation included.
- Log opt-outs and signals, because there's no cure period to fall back on.
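The checklist above and the earlier GPC paragraph, as an added example (not CookieBeam's code and not part of the original article): a server-side gate that reads the `Sec-GPC` request header, decides which inventoried tags may be rendered, and keeps a log record of the decision. Vendor names, cookie names, purpose labels and the `prefs` fields are constructed assumptions, and the example treats an allowed tag as a disclosure to that vendor.

```javascript
// Added example: server-side tag gating for opt-out traffic. Inventory, vendor
// names and field names are constructed for illustration.
const OPT_OUT_PURPOSES = new Set(["sale", "targeted_advertising"]);

// Constructed inventory: one entry per named third party, never a category label.
const INVENTORY = [
  { vendor: "ExampleAds Inc.", cookie: "_exad", purposes: ["targeted_advertising"], sensitive: false },
  { vendor: "ExampleData Partners", cookie: "_exdp", purposes: ["sale"], sensitive: false },
  { vendor: "ExampleMetrics LLC", cookie: "_exm", purposes: ["analytics"], sensitive: false },
  { vendor: "ExampleGeo Co.", cookie: "_exgeo", purposes: ["analytics"], sensitive: true },
];

// Sec-GPC is the request header defined by the GPC spec; only the value "1" is a signal.
function hasGpc(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Decide which tags may fire before any of them is rendered into the page.
function decideTags(headers, prefs = {}, inventory = INVENTORY, now = new Date()) {
  const gpc = hasGpc(headers);
  const optedOut = gpc || prefs.optedOut === true;
  const allowed = [];
  const blocked = [];
  for (const tag of inventory) {
    let reason = null;
    // Sensitive data needs prior opt-in; an opt-out still applies on top of it.
    if (tag.sensitive && prefs.sensitiveOptIn !== true) reason = "sensitive_no_opt_in";
    else if (optedOut && tag.purposes.some((p) => OPT_OUT_PURPOSES.has(p)))
      reason = gpc ? "gpc_signal" : "stored_opt_out";
    (reason ? blocked : allowed).push({ vendor: tag.vendor, cookie: tag.cookie, reason });
  }
  // Log record: which signal was seen and what was suppressed, with a timestamp.
  const log = { at: now.toISOString(), gpc, optedOut, blocked: blocked.map((b) => `${b.vendor}:${b.reason}`) };
  return { allowed, blocked, log };
}

// Answer a specific-third-parties request from the decisions actually recorded.
function namedRecipients(decisions) {
  return [...new Set(decisions.flatMap((d) => d.allowed.map((a) => a.vendor)))].sort();
}
```

Run `decideTags` in the request handler before the page template emits any tag, and persist each `log` record so that `namedRecipients` can be computed per consumer later.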
How CookieBeam handles Oregon
CookieBeam's US opt-out states preset serves the OCPA opt-out model, and GPC honoring is default-on in the runtime, meeting the January 2026 mandate. The scanner builds a named inventory of the third-party scripts and cookies on your site, which is the record you need to answer Oregon's specific-third-parties request rather than guessing at categories. The regional consent engine serves opt-out to Oregon and opt-in to the EU from one banner, and sensitive categories can require opt-in. Confirm the current OCPA text and DOJ guidance before finalizing.
Related guides
Read Global Privacy Control explained and universal opt-out mechanisms across US state laws, plus the complete guide to US state privacy laws. Primary source: the Oregon DOJ privacy-law FAQs for businesses.