Businesses operating across the U.S. should pay close attention to the rapidly evolving consumer privacy landscape. To date, 20 states, including Oregon, have enacted comprehensive consumer privacy laws, with 14 already in effect and six more set to take effect later this year and on January 1, 2026. Compliance can be particularly challenging, as each law contains unique provisions and requirements, often compelling businesses to tailor disclosures to meet the specific demands of each statute.
Recent information released by the Oregon Attorney General offers a good example of the importance of compliance. Oregon’s consumer privacy law, the Oregon Consumer Protection Act (OCPA), took effect on July 1, 2024. In March 2025, just six months after the launch of OCPA, the Oregon Attorney General released a report summarizing 110 complaints received from consumers about OCPA violations. Businesses failed to comply with OCPA for the following reasons:
- Incomplete Privacy Notices: Many businesses fail to include all required disclosures within their privacy policies, leading to compliance failures.
- Confusing or Unclear Privacy Notices: Privacy policies must clearly outline the rights consumers have in each state where the business operates.
- Failure to Provide a Clear Opt-Out Mechanism: Some companies make it difficult for consumers to exercise their rights by requiring excessive authentication or failing to provide conspicuous opt-out links.
As consumer privacy laws continue to expand, companies must ensure they are compliant with various state-specific requirements to avoid regulatory scrutiny and penalties. Even if a business intends to comply, privacy notices that lack required disclosures or present overly complex processes for exercising privacy rights may still be deemed noncompliant.
Key Privacy Law Requirements: While the details of each state law vary, most contain core principles that businesses must address, including:
- Consumer Privacy Rights: States grant consumers rights such as the right to access, correction, deletion, and the ability to opt out of targeted advertising and data sales.
- Notice: Businesses must publish a privacy notice that informs consumers of the types of personal data that is collected, how the business uses the data, whether the business shares the data with third parties, and how individuals can exercise their consumer privacy rights.
- Responding to Consumer Requests: Businesses must establish clear, timely procedures for handling consumer privacy rights requests.
- Implementing Security Measures: Businesses must take reasonable steps to protect personal data from unauthorized access, use, and disclosure.
Failure to Comply Can Result in Significant Penalties: Noncompliance with state privacy laws can lead to serious consequences. Most enforcement actions arise from consumer complaints to the governing body, prompting investigations and potential fines. State attorneys general and privacy regulators take these issues seriously, and penalties for violations can be substantial. Businesses that fail to comply may face civil penalties per violation, reputational harm, and operational disruptions.
