Unlock unlimited alerts, exports & API access — RuleWatch Pro at $29/mo

Regulation dossier

Oregon, United States

Oregon Consumer Privacy Act

PrivacyIn Effect

A focused view of the rule, its enforcement posture, and the timeline teams should keep in their operating plan.

Plain-English summary

What this regulation means

Built for operators

Oregon gives consumers rights to access, correct, delete, and port personal data and to opt out of sale, targeted advertising, and certain profiling. Controllers must provide privacy notices, minimize data, conduct assessments for higher-risk processing, and obtain consent before processing sensitive data. The law also reaches many nonprofit organizations that are exempt under other state privacy regimes.

Reading guide

Use the timeline below to see how the rule progressed from enactment to current obligations.

Related regulations surface adjacent requirements in the same jurisdiction or policy lane.

Timeline

Regulatory lifecycle

Sequence: In Effect -> Nonprofit Scope Expands
  1. 1

    Jul 1, 2024

    In Effect

    Oregon's consumer privacy rights and controller duties became effective for most covered entities.

  2. 2

    Jul 1, 2025

    Nonprofit Scope Expands

    The Oregon law's nonprofit coverage changes reached their next implementation milestone.

Pro feature

📊 Stay ahead of this regulation

Get email alerts when this regulation changes and export records to CSV for your compliance workflow — available with RuleWatch Pro.

  • →Email alerts when this regulation is updated or enforced
  • →Export to CSV or JSON for compliance reporting
  • →API access to integrate regulation tracking into your workflows
See what's included

Subscribe for regulation alerts

Get alerts for this regulation →

Free weekly digest for compliance professionals following material legal changes.

No spam. Professional updates only.

Free to join. Unsubscribe anytime.

Related regulations

What else belongs on the watchlist

Pulled from the same jurisdiction or category so teams can compare adjacent obligations quickly.

Indiana, United States

Indiana Consumer Data Protection Act

PrivacyIn Effect

Indiana gives consumers rights to confirm processing, access data, correct inaccuracies, delete certain personal data, obtain portable copies, and opt out of targeted advertising, sale, and profiling. It applies to businesses that meet threshold tests and requires clear notices, purpose limitation, security safeguards, and contracts with processors. The attorney general enforces the law after a cure process.

Effective
Jan 1, 2026
View detail

New York, United States

New York Child Data Protection Act

PrivacyIn Effect

New York requires operators of covered online sites, services, and connected devices to provide privacy-by-default protections for minors and to limit data processing unless a statutory exception applies. It affects operators directed to children or that know a user is under 18, with special focus on profiling, data transfers, and persistent identifiers.

Effective
Jun 20, 2025
View detail

Iowa, United States

Iowa Consumer Data Protection Act

PrivacyIn Effect

Iowa gives consumers rights to know whether personal data is processed, access and delete data they provided, and obtain a portable copy, while also allowing opt outs from data sale. It applies to controllers that meet volume thresholds and focuses on privacy notices, reasonable security, and processor contracts. Compared with some other state privacy laws, it is narrower on correction and sensitive-data consent requirements.

Effective
Jan 1, 2025
View detail