On March 20, 2026, Oklahoma Governor Kevin Stitt signed Senate Bill 546 into law, enacting the Oklahoma Consumer Data Privacy Act (OCDPA). Oklahoma thus became the 20th state to adopt a broadly applicable comprehensive consumer data privacy statute. The OCDPA takes effect on January 1, 2027. The law is generally considered business friendly compared to many of its state counterparts, with higher applicability thresholds, a permanent cure period, and broad entity-level exemptions, including for nonprofit organizations.
Applicability
The OCDPA applies to controllers and processors that conduct business in Oklahoma or produce a product or service targeted to Oklahoma residents and that, during a calendar year either: (1) control or process the personal data of at least 100,000 Oklahoma consumers, or (2) control or process the personal data of at least 25,000 Oklahoma consumers and derive more than 50 percent of gross revenue from the sale of personal data.
Notably, the 50 percent revenue threshold is significantly higher than the typical 25 percent threshold, raising the bar for applicability and likely excluding many businesses that would be covered under other state privacy laws.
Key Definitions
Consumer – Unlike under the California Consumer Privacy Act, “consumer” does not include individuals acting in an employment or commercial context.
Personal Data – Any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. This includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Sensitive Data – Sensitive data is defined narrowly to include: (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; and (4) precise geolocation data, defined as information derived from technology, including GPS coordinates, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
Biometric Data – Data generated from measurements of an individual’s biological characteristics that is used to identify a specific individual. The OCDPA provides that biometric data does not include a physical or digital photograph, a video or audio recording, or data generated from a physical or digital photograph or a video or audio recording unless such data is generated to identify a specific individual.
Sale – Limited to exchanges of personal data for monetary consideration only, excluding exchanges for other valuable consideration. This is narrower than definitions in several other states.
Consent – A clear, affirmative act reflecting freely given, specific, informed, and unambiguous agreement. Consent does not include acceptance of broad terms, passive interactions (e.g., hovering over, muting, or closing content), or “dark patterns.” “Dark patterns” are user interface design choices that manipulate or trick consumers into taking actions they did not intend, such as consenting to data collection, subscribing to services, or making purchases by exploiting cognitive biases or using deceptive visual cues. Common examples include pre-checked consent boxes, confusing opt-out flows, and misleading button labels (e.g., making the “accept” button prominent while hiding the “decline” option).
Exemptions
The OCDPA includes both entity-level and data-level exemptions.
Entity-Level Exemptions include:
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Nonprofits
- State agencies and political subdivisions (and service providers acting on their behalf)
- Institutions of higher education
- Individuals processing personal data for purely personal or household activities
Data-Level Exemptions include data governed by GLBA, HIPAA, the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), employment-related data, and emergency contact data, among others.
Common Business Activity Exceptions permit processing for purposes such as legal compliance, fulfilling consumer requests, security incident response, public-interest research, and internal operations aligned with consumer expectations.
Controller and Processor Obligations include:
Data Minimization – Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes. Controllers must also obtain opt-in consent to process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed processing purposes.
Data Security – Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
Transparency – Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes: the categories of personal data processed (including sensitive data); the purpose for processing; how consumers may exercise their rights; the categories of personal data shared with third parties; and the categories of third parties with whom data is shared. If a controller sells personal data or processes data for targeted advertising, the controller must clearly and conspicuously disclose such processing and the manner in which consumers may opt out.
Sensitive Data Processing – Controllers may not process sensitive data without first obtaining consumer consent, or, in the case of a known child, without compliance with the Children’s Online Privacy Protection Act (COPPA). The law requires consent for processing sensitive data but notably does not provide consumers the right to revoke that consent.
Non-Discrimination – Controllers may not discriminate against consumers for exercising their rights under the OCDPA, including by denying goods or services or charging different prices.
Processor Oversight – Controllers must enter into a contract with processors that meets statutory criteria. The contract must set forth:
- clear instructions for processing data;
- the nature and purpose of the processing;
- the type of data subject to processing;
- the rights and obligations of both parties;
- confidentiality obligations;
- data return/deletion obligations;
- the processor’s obligation to provide documentation demonstrating compliance with the OCDPA;
- a requirement that the processor cooperate with reasonable assessments by the controller or the controller’s designated assessor; and
- subcontractor flow-down requirements.
Data Protection Assessments – Controllers must conduct and document data protection assessments prior to processing personal data for targeted advertising, selling personal data, processing personal data for profiling where there is a reasonably foreseeable risk of substantial injury to consumers, processing sensitive data, and engaging in any other processing activities that present a heightened risk of harm to consumers. These assessments must be made available to the Attorney General upon written request and are confidential and exempt from public disclosure.
Children’s Data
Personal data collected from a known child is classified as sensitive data, which means controllers must obtain consent, or comply with COPPA, before processing it. The OCDPA does not contain the more robust children’s privacy protections (such as opt-in requirements for teenagers or requirements that controllers use reasonable care to avoid heightened risk of harm to minors) found in more recently enacted or recently amended state privacy laws in states like Connecticut.
No Global Privacy Control or Authorized Agent Provisions
The OCDPA does not require controllers to recognize universal opt-out mechanisms, such as Global Privacy Control (GPC). Nor does the law include any provisions regarding authorized agents to exercise opt-out rights on behalf of consumers. As a result, the burden of exercising opt-out rights rests with individual consumers, without the ability to signal their opt-out preferences automatically across multiple controllers or delegate their requests to privacy advocacy organizations.
Consumer Rights
Oklahoma consumers are granted the following rights:
- Right of Confirmation and Access: Consumers may confirm whether a controller is processing their personal data and access such data.
- Right to Correct: Consumers may correct inaccuracies in their personal data.
- Right to Delete: Consumers may request deletion of personal data provided by or obtained about them.
- Right to Data Portability: Consumers may obtain a copy of their personal data in a portable format, where technically feasible.
- Right to Opt Out: Consumers may opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
All rights, including opt-out rights, are subject to authentication, which is a departure from California’s practice, where opt-outs are not subject to verification. Controllers must respond to consumer requests within 45 days, with the possibility of a 45-day extension when reasonably necessary. Controllers must provide information in response to consumer requests free of charge up to twice annually per consumer. The OCDPA also requires controllers to establish an appeal process for consumers whose requests are denied and to respond to appeals within 60 days. The rights of access, correction, deletion, and portability do not apply to pseudonymous data where the controller can demonstrate that any information necessary to identify the consumer is kept separately and subject to effective technical and organizational controls.
Enforcement
The Oklahoma Attorney General has exclusive enforcement authority under the OCDPA; there is no private right of action. Prior to bringing a civil action, the Attorney General must provide the controller or processor with 30 days’ written notice identifying the alleged violations. If the controller or processor cures the violation within the 30-day period and provides a written statement confirming the cure and that no further violations will occur, the Attorney General may not bring an action.
Unlike many other state privacy laws, where the cure period sunsets after a set number of years, the OCDPA’s 30-day cure period is permanent and does not sunset. The Attorney General may seek statutory damages of up to $7,500 per violation, and courts may also award reasonable attorney fees and other expenses incurred in investigating and bringing an action. The Attorney General is further required to post information on its website relating to the responsibilities of controllers and processors and consumer rights under the law, as well as a mechanism through which consumers can submit complaints.
Broader Context
For businesses already subject to comprehensive state privacy laws in other jurisdictions, the OCDPA’s business-friendly posture, including its higher revenue threshold, permanent cure period, lack of a universal opt-out mandate, and broad exemptions for nonprofits and other entities, means that existing privacy programs will likely require incremental updates rather than a wholesale overhaul. Companies should nevertheless confirm applicability, update privacy notices, data protection assessments, and data processing agreements to address Oklahoma-specific requirements and ensure that consumer request intake and appeals processes cover Oklahoma residents ahead of the January 1, 2027, effective date.