Oregon · OCDPAWordPress hosting with OCDPA plugin built into the platform.
Oregon is the only US state privacy law that covers non-profits the same way it covers for-profits. Yovale's compliance MU-plugin treats them identically — opt-out signals for sale, targeted advertising and profiling, opt-in for sensitive data, Universal Opt-Out Mechanism honored since January 1, 2026, a 45-day response workflow, and an appeal channel. You don't install it. You don't update it. You don't pay for it. It's how every Yovale site ships, on every plan. The same platform also handles CCPA, VCDPA, CPA, CTDPA, TDPSA, and MCDPA — one stack, every US state privacy law.
Under the OCDPA, you can opt out of the sale of personal data, targeted advertising, and profiling. You can also access, correct, delete, or export the data we hold about you — including the names of specific third parties we've shared it with.
Six obligations you have to meet.
The Oregon Consumer Data Privacy Act took effect on July 1, 2024 for for-profit controllers and on July 1, 2025 for non-profits — making Oregon the first US state to extend a comprehensive consumer privacy regime to non-profit entities. It applies to controllers that process the personal data of 100,000 or more Oregon residents, or 25,000 or more when 25% or more of revenue comes from selling personal data. Enforcement sits with the Oregon Attorney General, with civil penalties of up to $7,500 per violation. The 30-day cure period sunsetted on January 1, 2026.
- 01
Opt-out for sale, targeted ads, profiling
Oregon residents can opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects. The mechanism has to be clear, conspicuous, and free of dark patterns.
- 02
Universal Opt-Out Mechanism (UOOM/GPC)
Since January 1, 2026, controllers must honor browser-level signals like Global Privacy Control as a valid opt-out from sale and targeted advertising. Oregon was the last of the state laws to make UOOM mandatory, finishing a wave that started with California.
- 03
Opt-IN for sensitive data
You cannot process sensitive data without explicit consent. Sensitive data covers race or ethnic origin, national origin, religion, mental or physical health condition, sex life, sexual orientation, transgender or non-binary status, citizenship or immigration status, crime victim status, genetic or biometric data, precise geolocation, and data from a known child.
- 04
Non-profit applicability
Unlike every other US state privacy law, the OCDPA applies to non-profits on the same terms as for-profits, with the threshold check effective July 1, 2025. If your charity, museum, advocacy group or membership association crosses 100,000 Oregon residents, you are in scope.
- 05
Consumer rights: access, correct, delete, port, list
Oregon residents can request access to the personal data you hold, the names of specific third parties you've disclosed it to, correct inaccuracies, delete it, and obtain a portable copy. You respond within 45 days, extendable once by 45 days when reasonably necessary. The right to the list of specific third parties is unique to Oregon.
- 06
Appeal process
When you deny a consumer request, you must give the consumer a clear way to appeal the decision and respond to the appeal within 45 days. If the appeal is denied, you provide a written explanation and a link to file a complaint with the Oregon Attorney General.
Built into the platform. Not a plugin you install.
Yovale ships OCDPA compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do. Non-profits and for-profits get the same configuration — no separate SKU, no carve-outs, no checkbox to remember.
Oregon-aware consent and UOOM
Oregon visitors see OCDPA opt-out controls for sale, targeted advertising and profiling, plus opt-in prompts before any sensitive data category is processed. Browser GPC signals are honored automatically at the edge — no banner click required to set the state. EU visitors still see GDPR opt-in, California still sees CCPA. One platform, every regulation.
Privacy portal with third-party listing
/.well-known/privacy on every Yovale site. Oregon residents can submit access, correction, deletion and portability requests, and request the list of specific third parties their data was disclosed to. Every request shows up in your Compliance dashboard tab with a 45-day SLA timer.
Audit log of every signal
Each opt-out — banner click, UOOM/GPC header, portal submission — is written to a dedicated audit database with timestamp, IP-derived region, and the originating signal. Exportable as JSON or CSV from the dashboard. Survives plugin updates, theme switches, and host migration.
Signed DPA — non-profit and for-profit alike
Pre-signed controller-processor contract that meets OCDPA requirements. Lists every sub-processor (Cloudflare, Anexia, R2), purpose limits, confidentiality, deletion at end of service, assistance with consumer requests. Same document for a Portland 501(c)(3) and a Bend e-commerce store — Yovale doesn't treat the categories differently.
Why infrastructure beats a plugin.
Typical WordPress OCDPA plugin
- Adds 200-500ms to every page load (banner JS, geo lookup, GPC parsing, DB writes)
- Stores opt-out signals in wp_options — slow, untyped, breaks with object caching
- Updates through wp-admin — you maintain it, you break it, you debug conflicts
- Costs $49-149/year per site and rarely handles non-profit configuration
- Breaks when you migrate hosts; opt-out history, UOOM logs and appeal records lost
Yovale's built-in approach
- 0ms latency — opt-out state and GPC header computed at the edge worker, cached in the CDN
- Audit log in a dedicated database, queryable, never blocks page render
- Updates ship through the platform — you don't see them, you don't break them
- Included on every plan ($149 / $249 / $499 per year), same setup for non-profits and for-profits
- Travels with your site forever — opt-out, UOOM and appeal history are yours to export
14 regulations. One toggle each. All automatic.
- Opt-out for sale, targeted ads, profiling
- UOOM/GPC honored since Jan 1, 2026
- Opt-in for sensitive data
- 45-day response, 45-day appeal
- Applies to non-profits since July 1, 2025
OCDPA + Yovale, answered.
Does the OCDPA apply to my non-profit?
Yes, if it processes the personal data of 100,000 or more Oregon residents in a calendar year, or 25,000 or more when 25% or more of gross revenue comes from selling personal data. Oregon is the first US state where comprehensive consumer privacy obligations explicitly apply to 501(c) organizations on the same terms as for-profits — that part of the law took effect July 1, 2025. Yovale treats both categories identically: same MU-plugin, same dashboard, same DPA, same audit log.
What is the Universal Opt-Out Mechanism and when did it become required?
Since January 1, 2026, Oregon controllers must honor browser-level opt-out signals — in practice, the Global Privacy Control (GPC) header — as a valid opt-out from sale of personal data and targeted advertising. Oregon was the last of the state privacy laws to make UOOM mandatory, finishing a wave that started with California's CPRA. Yovale reads the GPC header at the Cloudflare edge worker and applies the opt-out before analytics, ad pixels or third-party tags fire — no banner click required.
How does the OCDPA compare to VCDPA, CPA, CTDPA, and CCPA?
All of them give consumers opt-out for sale and targeted advertising plus rights to access, correct, delete, and port their data. The OCDPA is unique in three ways: it explicitly covers non-profits, it lets consumers request the list of specific third parties their data was disclosed to (not just categories), and it uses the lower 25% revenue threshold that aligns with Colorado and Connecticut rather than Virginia's 50%. Like Colorado and Connecticut, opt-in for sensitive data is required and UOOM is mandatory. Yovale handles all of them from one platform.
Is there still a cure period?
No. The 30-day cure period sunsetted on January 1, 2026. Before that date, the Oregon Attorney General had to notify a controller and give 30 days to fix a violation before bringing an enforcement action. After January 1, 2026, the AG can move directly to enforcement with civil penalties of up to $7,500 per violation. This is one of the reasons Yovale's compliance is enabled by default rather than opt-in — there is no longer a grace window to retrofit it later.
What counts as sensitive data under Oregon's definition?
Sensitive data under the OCDPA covers race or ethnic origin, national origin, religion, mental or physical health condition or diagnosis, sex life, sexual orientation, transgender or non-binary status, citizenship or immigration status, status as a crime victim, genetic or biometric data processed to uniquely identify a person, precise geolocation, and personal data from a known child. Oregon's list is broader than most state laws — transgender or non-binary status and crime-victim status are specifically named. Yovale's MU-plugin blocks any plugin or script that touches a sensitive category until the consumer has actively opted in.
What happens when I deny a consumer request?
The platform sends the consumer a denial notice with a one-click appeal link. The appeal opens a separate 45-day SLA case in your Compliance dashboard with the original decision attached. If you deny the appeal too, Yovale automatically attaches a link for the consumer to file a complaint with the Oregon Attorney General, as required by the OCDPA.
Ship an OCDPA-compliant WordPress site in 60 seconds.
Every Yovale site is OCDPA-ready from the moment you deploy — non-profit or for-profit, the configuration is identical. No plugin to install. No processor contract to chase. No UOOM parser to wire up. Start the free Growth trial and see your first compliance dashboard.