AI Laws in Oregon (OR)

What HB 4006 requires

Oregon has enacted HB 4006 — AI in Public Services. State agencies using AI must disclose, document, and allow appeals. Private sector guidance pending. This page explains what the law requires in plain language, who is in scope, the penalty for non-compliance, and what your business needs to do before the January 1, 2027 deadline.

Who is in scope

The law covers Oregon state agencies that deploy AI for benefits determination, licensing, law enforcement, or public-service delivery; private-sector operators serving state contracts are also in scope. Company size does not determine whether you are in scope — a startup with ten employees using an off-the-shelf AI hiring tool has the same disclosure obligations as an enterprise running a custom-built model. What matters is whether the AI system makes or substantially informs a decision that affects a Oregon resident in a consequential way. Notably, the obligation extends to vendors: if your company deploys an AI tool built by a third party, you — as the deployer — are responsible for ensuring it meets Oregon's requirements, even if you did not build it.

Key compliance requirements

Oregon's AI law for public-sector systems requires state agencies to create and maintain an inventory of every AI tool used in government operations. Each entry in the inventory must describe the system's purpose, the decisions it informs, the data inputs, and the vendor or developer responsible for it. Agencies must also establish an appeals process so that individuals affected by an AI-assisted decision can request human review. For private-sector companies that provide AI tools to the state, contract language must address these transparency and accountability obligations — vendors who cannot demonstrate compliance may be excluded from procurement.

Penalties for non-compliance

Oregon's AI law gives the state attorney general authority to investigate violations and seek civil relief. While statutory penalty amounts are still being finalized by implementing regulations, enforcement precedent from early AI cases in other states suggests regulators will prioritize companies with the widest reach and the most significant consumer impact.

What to do now

Build your AI inventory first. You cannot comply with Oregon's requirements if you do not know which systems are in scope. Map every AI or automated decision system your company uses that touches Oregon residents — including third-party vendor tools integrated into your product.

Review government contracts. If your company provides AI tools to Oregon state agencies, review pending and existing contracts to ensure they address the inventory, transparency, and appeals requirements that now flow through to vendors.

Assign a compliance owner. Designate someone — legal counsel, a privacy officer, or a dedicated AI governance lead — to track regulatory developments, own the audit documentation, and respond if an enforcement inquiry arrives. The compliance deadline is January 1, 2027. Don't wait until the deadline to start.

Oregon AI law in the broader regulatory landscape

Oregon's law does not exist in isolation. The trend across the United States is toward more regulation, not less: at least 20 states enacted or proposed AI-specific legislation in 2025 alone, and federal enforcement agencies — the FTC, EEOC, CFPB, and HHS — have all issued guidance making clear that existing laws apply to AI systems even where no AI-specific statute exists. Companies doing business across state lines must track each state's requirements independently — there is no federal preemption that would allow a company to satisfy Oregon's law and automatically comply with requirements in Illinois, Colorado, or New York.

The EU AI Act applies to any company serving EU customers, even if you're based in Oregon. Penalties reach €35M or 7% of global revenue. Deadline: August 2, 2026.