Majority of complaints involved denied requests to have information removed from websites

Attorney General Dan Rayfield released a report today, showing results from the first 6 months of Oregon’s Consumer Privacy Act. The comprehensive law, which took effect in July, empowers individuals and families to take control of their personal data, which could range from your home address to browsing history and even mental health information.

“This law gives people and families the ability to manage their personal information, and have it removed from websites,” Rayfield said. “We’re already seeing real results and we’ll continue pushing to make sure companies respect these rights and that every Oregonian has the control they deserve over their own data.”

As of the beginning of 2025, the Privacy Unit within the Civil Enforcement Division at Oregon DOJ had received 110 complaints. This is a significant number compared to other similarly sized states, showing that Oregonians care about their privacy rights, and that they are engaged with the process. Connecticut, for example, received only 30 complaints in the first six months of the effective date of its privacy law.

Most of the complaints were about online data brokers: – specifically, the websites that provide background reports on people for a fee, and social media/technology platforms. The number one right consumers have requested and been denied, is the right to delete their information.

In the last six months, the Privacy Unit has initiated and closed 21 privacy matters, after sending notices of violation (also called “cure notices”) and broader information requests to companies.

Some of the common deficiencies identified in the cure notices included:

• Lacking disclosures (e.g., failure to incorporate notice of consumer rights under the OCPA);
• Inadequate disclosures (e.g., failure to sufficiently inform Oregon consumers about their rights under the law, specifically the list of third parties to whom their data has been sold);
• Confusing privacy notices (e.g., notices that are not clear or accessible to the average consumer);
  o For example: notices that name one or two states in the “your state rights” section but not Oregon, giving consumers the impression that privacy rights are only available to people who live in those named state
• Lacking or burdensome rights mechanisms (e.g., failure to include a clear and conspicuous link to a webpage enabling consumers to opt out, request their privacy rights, or inappropriately difficult authentication requirements).

The OCPA gives companies a 30-day window to respond to identified violations. Overall, the responses we have received to date have been positive. Most companies updated privacy notices and/or improved consumer rights mechanisms quickly after being contacted by the Privacy Unit.

Starting July 1, 2025, nonprofits will also be subject to the OCPA. The Privacy Unit has already performed outreach to some of Oregon’s nonprofits and is preparing nonprofit-specific support materials for the Consumer Privacy Webpage.

The Oregon DOJ rolled out a new toolkit in January with additional handouts and social media content to help Oregonians protect their online information. If businesses are not responsive after someone requests to have their information taken down, individuals and families can fill out this complaint form.