Oklahoma Enacts Comprehensive Privacy Law


Key Takeaways: On March 20, 2026, Oklahoma Governor Kevin Stitt signed the Oklahoma Consumer Data Privacy Act (“OCDPA”) into law. The OCDPA will become effective on January 1, 2027. With the OCDPA’s enactment, there are now 21 comprehensive state privacy laws in effect across the United States. Businesses should carefully evaluate their data practices and ensure compliance with all applicable state privacy laws, as the regulatory landscape continues to evolve.

Applicability and Scope

The OCDPA applies to businesses operating within Oklahoma or producing products or services targeted to Oklahoma residents, provided the business:  

  • during a calendar year, controls or processes personal data of at least 100,000 Oklahoma consumers; or
  • derives more than 50 percent of gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 Oklahoma consumers.

Notably, the OCDPA’s 50 percent threshold for revenue derived from the sale of personal data is significantly higher than comparable provisions in most other state privacy laws, which typically impose a 25 percent threshold. As a result, the OCDPA's applicability criteria may exempt a broader range of data-driven businesses that would otherwise fall within the scope of other state privacy laws.

As under other state privacy laws apart from the California Consumer Privacy Act, “consumer” does not include employees or business-to-business contacts. The OCDPA exempts data subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Gramm-Leach-Bliley Act (“GLBA”) and also provides entity-level exemptions for nonprofit organizations, state agencies and political subdivisions, covered entities and business associates under HIPAA, institutions of higher education, and individuals processing personal data for purely personal or household activities.

Requirements

The OCDPA outlines several responsibilities for data controllers:

  • Data Minimization and Security: Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes. Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
  • Transparency Obligations: Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes the categories of personal data processed (including sensitive data), the purpose for processing, how consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom data is shared. If a controller sells personal data or processes data for targeted advertising, the controller must clearly and conspicuously disclose such processing and the manner in which consumers may opt out.
  • Sensitive Data: Controllers may not process sensitive data without consumer consent or, in the case of a known child, without compliance with the Children's Online Privacy Protection Act of 1998 (“COPPA”).
    • Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
    • Precise geolocation data is defined as information derived from technology, including GPS coordinates, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
  • Non-Discrimination: Controllers may not discriminate against consumers for exercising their rights under the OCDPA, including by denying goods or services or charging different prices.
  • Data Protection Assessments: The OCDPA requires controllers to conduct and document data protection assessments prior to processing personal data for targeted advertising, selling personal data, conducting profiling where there is a reasonably foreseeable risk of harm (such as a risk of unfair or deceptive treatment, financial or physical injury, or intrusion upon private affairs), processing sensitive data, and engaging in any processing activities that present a heightened risk of harm to consumers. These assessments must be made available to the Attorney General upon written request and are confidential and exempt from public disclosure.

Consumer Rights

Oklahoma consumers have the following rights:

  • Right to confirm whether a controller is processing the consumer’s personal data and to access such data;
  • Right to correct inaccurate personal data;
  • Right to delete personal data;
  • Right to obtain a copy of the consumer’s personal data;
  • Right to opt out of the processing of personal data for purposes of targeted advertising; the sale of personal data; or profiling that has certain significant consequences.

Controllers must respond to consumer requests within 45 days, with the possibility of a 45-day extension when reasonably necessary. Controllers must provide information in response to consumer requests free of charge up to twice annually per consumer. The OCDPA also requires controllers to establish an appeal process for consumers whose requests are denied and respond to appeals within 60 days.

Enforcement

The Oklahoma Attorney General has exclusive authority to enforce the OCDPA. The Attorney General may bring a civil action against businesses that violate the law and impose civil penalties of up to $7,500 per violation. Courts may also award reasonable attorney fees and other expenses incurred in investigating and bringing an action.

Prior to bringing an action, the Attorney General must provide the controller or processor with 30 days’ written notice identifying the alleged violations. If the controller or processor cures the violation within that 30-day period and provides a written statement confirming the cure and that no further violations will occur, the Attorney General may not bring an action. Unlike many other state privacy laws, the cure period does not sunset. Notably, there is no private right of action under the OCDPA.

Koley Jessen is committed to staying informed about developments related to state privacy laws and will offer guidance as new information emerges. If you are unsure about your company’s compliance needs or the steps required to adhere to state privacy laws, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area for expert assistance.

*Special thanks to Summer Associate Tyler Tschida for his contributions to this article.

