Oregon Consumer Privacy Act (OCPA) AI Compliance Guide 2026
OCPA quietly became one of the higher-risk state privacy laws for AI companies: its "sale" definition catches non-monetary data exchanges, it can cover nonprofits, and as of January 2026 there's no cure period before enforcement.
Does OCPA Apply to Your AI Product?
OCPA applies to businesses that conduct business in Oregon or offer products/services targeted at Oregon residents, and that during a calendar year:
- Control or process personal data of 100,000 or more Oregon consumers, excluding data controlled solely to complete a payment transaction, OR
- Control or process personal data of 25,000 or more consumers and derive 25% or more of gross revenue from the sale of personal data
Unlike most comprehensive state privacy laws, OCPA does not broadly exempt nonprofits. AI tools built for or by nonprofits — donor-scoring models, fundraising personalization, advocacy targeting — need to independently check whether they meet the thresholds, since the usual nonprofit carve-out other states offer may not apply in Oregon.
The Broad "Sale" Definition — Why It Matters for AI
Most state privacy laws define "sale" as an exchange of personal data for monetary consideration. OCPA goes further, defining sale to include exchange for monetary or other valuable consideration. For AI companies, this changes the analysis for arrangements that don't involve a straightforward payment:
If any of these apply to your business, you likely need to treat the arrangement as a sale — which means offering the opt-out right and the "Do Not Sell" disclosure, not just a general privacy notice.
AI Profiling and Automated Decision-Making Rights
OCPA gives Oregon consumers the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects — the same consequential-decision categories used across most comprehensive state privacy laws: credit, employment, housing, healthcare, insurance, and education access.
Businesses must also conduct data protection assessments before engaging in profiling that presents a heightened risk of harm, similar to Colorado and Connecticut's requirements — document the purpose, data categories, and risk-versus-benefit analysis before deployment, not after a complaint.
Why the Expired Cure Period Raises the Stakes
Oregon originally gave businesses a 30-day window to cure violations before the Department of Justice could bring an enforcement action. That cure period expired on January 1, 2026.
That means as of 2026, an AI company found in violation — whether for a missed opt-out, an undisclosed data sale, or a skipped data protection assessment — has no guaranteed opportunity to fix the problem quietly before facing enforcement and penalties of up to $7,500 per violation. Proactive compliance work now carries more weight than it did in 2024 or 2025.
OCPA AI Compliance Checklist
Frequently Asked Questions
We don't sell data for money — do we still need an OCPA opt-out?
Possibly yes. OCPA's sale definition includes exchanges for 'other valuable consideration,' not just money. If you trade user data for AI API access, model improvements, co-marketing benefits, or any other non-cash value, review the arrangement against OCPA's definition before assuming you're exempt from the sale opt-out requirement.
Are nonprofits automatically exempt from OCPA like they are in other states?
No. Oregon does not provide the blanket nonprofit exemption found in many other state privacy laws. Nonprofits meeting OCPA's consumer thresholds need to evaluate compliance obligations directly rather than assuming exemption based on tax status.
What changed on January 1, 2026 for OCPA enforcement?
Oregon's 30-day cure period — the window businesses had to fix a violation before the Department of Justice could pursue enforcement — expired on that date. Enforcement actions and penalties up to $7,500 per violation can now proceed without a mandatory warning period, making proactive compliance more important than it was during the cure-period years.
Audit Non-Monetary Data Exchanges First
The single biggest OCPA blind spot for AI companies is assuming "we don't sell data" because no money changes hands. Oregon's broader definition means data-for-value arrangements with AI vendors and partners need a second look.
With the cure period gone, get the audit done before an Oregon complaint forces the question — not after.