On March 20, Oklahoma became the twenty-first state to enact comprehensive consumer privacy legislation when Governor Kevin Stitt signed S.B. 546 into law.
The Oklahoma Consumer Data Privacy Act (OCDPA) will take effect on January 1, 2027. Oklahoma joins a growing roster of states in imposing obligations upon businesses that control or process personal data and in granting consumers certain rights over the personal data they provide. The OCDPA mirrors several states’ data privacy laws, particularly Virginia’s Consumer Data Protection Act (VCDPA). However, the OCDPA contains several distinct provisions that require review by businesses operating in Oklahoma or targeting its residents.
Notably, the OCDPA is generally considered business-friendly compared to many of its counterparts, featuring broad exemptions, a narrow definition of “sale” that is limited to exchanges of personal data for monetary consideration only, and a permanent right-to-cure period.
Threshold Requirements and Exemptions
The OCDPA applies to any person that conducts business in Oklahoma or produces products or services targeted at Oklahoma residents and that, in a calendar year, does either of the following:
- Controls or processes the personal data of at least 100,000 Oklahoma consumers.
- Controls or processes the personal data of at least 25,000 Oklahoma consumers and derives more than 50% of its gross revenue from the sale of personal data.
The OCDPA provides several exemptions at both the entity and data levels. Entity-level exemptions apply to state agencies and political subdivisions of Oklahoma (including their service providers), financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), nonprofit organizations, institutions of higher education, and individuals processing personal data for purely personal or household activities.
The OCDPA also adopts standard data-level exemptions, including protected health information under HIPAA; nonpublic personal information under the GLBA; data regulated by the Fair Credit Reporting Act (FCRA); data regulated by the Family Educational Rights and Privacy Act (FERPA); employee and job applicant data; and data covered by the Driver’s Privacy Protection Act, the Farm Credit Act, and the Controlled Substances Act. In addition, the OCDPA’s definition of “consumer” excludes individuals acting in a commercial or employment context, which effectively removes employee and business contact information and similar commercial data from the OCDPA’s scope.
Consumer Rights
The OCDPA grants consumers a set of rights with respect to their personal data held by “Controllers.” A Controller is a person or entity that determines the purposes and means of processing personal data. Under the OCDPA, Controllers must honor a consumer’s right to:
- Confirm whether the Controller is processing their personal data.
- Access their data and obtain a copy.
- Correct inaccuracies in their personal data.
- Require the Controller to delete their personal data.
- Obtain a copy of their personal data in a portable and readily usable format.
- Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Controllers must respond to consumer requests within 45 days (with a single 45-day extension permitted if reasonably necessary).
One notable gap between the OCDPA and more consumer-protective state data privacy laws is the absence of any requirement for Controllers to recognize universal opt-out preference signals, such as the Global Privacy Control (GPC). The OCDPA also does not authorize agents to exercise opt-out rights on behalf of consumers, placing the burden of exercising these rights squarely on individual consumers.
The OCDPA requires Controllers to maintain an appeal process for consumers whose requests are denied, with a response deadline of 60 days. If the appeal is denied, the Controller must direct the consumer to the Oklahoma Attorney General’s online complaint mechanism.
Controller Obligations and Privacy Notice
The OCDPA imposes a range of obligations on Controllers that are broadly consistent with the VCDPA framework. Controllers must practice data minimization, limiting the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes of processing. The OCDPA also requires Controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue, with the goal of protecting the confidentiality, integrity, and accessibility of consumers’ personal data and reducing reasonably foreseeable risks of harm. Processing personal data for purposes that are neither reasonably necessary for, nor compatible with, the disclosed processing purposes is prohibited unless the Controller first obtains the consumer’s consent.
Controllers under the OCDPA must provide consumers with a reasonably accessible and clear privacy notice. The privacy notice must include the following:
- The categories of personal data processed.
- The purpose(s) for such processing.
- The steps required to exercise consumer rights under the OCDPA.
- The categories of personal data shared with third parties.
- The categories of third parties with whom the Controller shares personal data.
- Where a Controller sells personal data or processes personal data for targeted advertising, a clear and conspicuous disclosure of that processing and of the manner in which a consumer may opt out.
- The process by which a consumer may appeal a Controller’s decision with regard to the consumer’s request.
The OCDPA also requires Controllers to enter into contracts with processors that set forth clear instructions for processing, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, the rights and obligations of both parties, confidentiality obligations, data return or deletion obligations upon termination, and subcontractor flow-down requirements.
Treatment of Sensitive Data and Children’s Data
Like the VCDPA, the OCDPA requires opt-in consent prior to the processing of “sensitive data.” The OCDPA defines sensitive data to include:
- Personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
- Genetic or biometric data processed for the purpose of uniquely identifying an individual.
- Personal data collected from a known child (defined as a consumer younger than 13 years old).
- Precise geolocation data.
If the consumer is a known child, the Controller must process such data in accordance with the Children’s Online Privacy Protection Act (COPPA). Notably, the OCDPA does not include any expanded protections specific to children’s data beyond the COPPA compliance requirement, nor does it provide consumers with an explicit right to revoke consent once given for sensitive data processing.
Data Protection Assessments
The OCDPA requires Controllers to conduct data protection assessments (DPAs) for high-risk processing activities, including targeted advertising, sales of personal data, profiling with a reasonably foreseeable risk of harm, processing sensitive data, and any other processing presenting heightened consumer risk. Each assessment must weigh the benefits of the use of data against potential consumer risks, considering available safeguards, de-identification measures, consumer expectations, and the Controller-consumer relationship. These requirements apply prospectively to processing activities commencing on or after January 1, 2027. The OCDPA does not require specialized DPAs for online services, products, or features directed at children.
Enforcement
The Oklahoma Attorney General holds exclusive enforcement authority under the OCDPA, and there is no private right of action. Prior to initiating any action, the Attorney General must provide 30 days’ written notice to the Controller or processor, identifying the specific provisions alleged to have been violated. If the Controller or processor cures the violation within that 30-day window and provides a written statement confirming the cure along with supportive documentation, and commits no further violations, the Attorney General cannot bring an action. Unlike other states’ laws, the OCDPA’s cure period is permanent and does not sunset. The Attorney General may seek civil penalties of up to $7,500 per violation, as well as reasonable attorney fees and investigative costs.
Effective Date
January 1, 2027: The OCDPA takes effect, and data protection assessment requirements apply to processing activities commencing on or after this date.
Our team will continue to monitor the OCDPA. If you have any questions about the OCDPA or other states’ privacy laws and how they could affect your business, please contact the authors.
Resource: Data Privacy Regulations by State
The data privacy regulatory landscape continues to evolve rapidly across jurisdictions. Our privacy & data security attorneys are actively tracking new legislation and regulatory developments nationwide. We will continue to provide ongoing analysis as new regulations emerge. Access our interactive map to learn more about comprehensive state laws and consumer health data privacy requirements.
