DSAR Requirements in Oregon (OCPA)
Oregon DSAR requirements: consumer rights, response deadlines, identity verification, and penalties under the OCPA.
Last updated: 2026-02-08
Consumer Rights That Trigger DSARs
Oregon consumers can submit requests to:
- Access all personal data you hold about them
- Correct inaccurate personal data
- Delete personal data you collected
- Port their data in a portable, machine-readable format
- Opt out of the sale of personal data
- Opt out of targeted advertising
- Opt out of profiling that produces legal or similarly significant effects
- Obtain a list of specific third parties their data was shared with (unique to Oregon)
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Deadline
45 days from receipt. You can extend by an additional 45 days if reasonably necessary — but you must notify the consumer of the extension and the reason.
Identity Verification
Required before fulfilling any request. The OCPA does not prescribe a specific verification method.
Appeal Process
If you deny a request, the consumer can appeal. You must provide notice of their right to contact the Oregon Attorney General if the appeal is denied.
Penalties
- $7,500 per violation
- 30-day cure period available until January 1, 2026
- No private right of action — only the Attorney General can enforce
Enforced by the Oregon Attorney General.
DSAR-Specific Exemptions
You may decline or limit a request when the data is needed to:
- Comply with a legal obligation
- Detect security incidents or protect against fraud
- Complete a transaction the consumer requested
Sensitive data (racial/ethnic origin, religious beliefs, health data, sexual orientation, biometric data, children's data, precise geolocation within 1,750 feet) requires opt-in consent before processing.
Who This Applies To
Businesses that process personal data of 100K+ Oregon consumers or 25K+ consumers with any revenue from data sales. No revenue threshold. Nonprofits are covered from July 1, 2025 (unique to Oregon).
For the full Oregon privacy law guide, see boringgovernance.com.
Related Guides
- How to Respond to a DSAR — response process
- DSAR Response Deadlines — all deadlines
- DSAR Identity Verification — verification methods
- DSAR Exemptions — when you can refuse