Oklahoma Governor Kevin Stitt signed Senate Bill 546 into law on March 20, 2026, ratifying the Oklahoma Consumer Data Privacy Act (OCDPA). Similar to other recent state privacy laws, the Act provides Oklahoma residents with new rights over their personal data and establishes responsibilities for businesses that collect, process, and use such data.
House Majority Floor Leader Josh West had this to say about the motivation behind the new legislation:
"In the age of the internet, personal data is valuable currency. People deserve to know how their data is being used and have the ability to make decisions about that information. Senate Bill 546 gives Oklahomans meaningful control over their own data while establishing clear standards for businesses operating in our state."
Businesses have 7 months to prepare for these upcoming changes, as the Oklahoma Consumer Data Privacy Act takes effect on January 1, 2027. We’ll cover key elements of the Act below, including who it applies to, what rights are granted to Oklahoma residents and consumers, and enforcement details.
What Oklahoma companies should know about the Oklahoma Consumer Data Privacy Act
Applicability
This legislation pertains to entities that meet the following parameters:
- The business conducts business in Oklahoma or manufactures products or services intended for Oklahoma residents.
- During a calendar year, the business met one of the following thresholds:
  - Controlled or processed personal data of 100,000 or more Oklahoma consumers, OR
  - Controlled or processed personal data of 25,000 or more Oklahoma consumers and obtained more than 50% of gross revenue from the sale of personal data.
Keep in mind that heightened obligations are involved when processing “sensitive data,” which can include, but is not limited to, precise geolocation information, racial or ethnic origin, religious beliefs, health data, and children’s personal information.
Duties
Controller and processor obligations under the Oklahoma Consumer Data Privacy Act include:
- Data Security: Controllers must establish and maintain data security practices in administrative, technical, and physical settings.
- Sensitive Data Processing: Controllers are required to obtain consumer consent for processing sensitive data. In the case of a minor, the Children’s Online Privacy Protection Act (COPPA) also applies.
- Transparency: Controllers must supply consumers with a reasonably accessible and clear privacy notice that (1) categorizes personal data processed, (2) lists the purpose for processing, (3) explains consumers’ rights, and (4) identifies the third-party entities receiving shared data and what data is shared.
- Processor Oversight: A contract between controller and processor is required; the contract must include details on rights and obligations of both parties, subcontractor flow-down requirements, and acknowledgment and confirmation of OCDPA compliance, among other items.
- Non-Discrimination: Controllers cannot discriminate against consumers for exercising their rights under OCDPA.
- Data Protection Assessments: Controllers are obligated to conduct and document these assessments before engaging in any data processing activities that may present a heightened harm risk to consumers.
- Data Minimization: Controllers can only collect adequate, relevant, and reasonably necessary pieces of personal information; an additional opt-in consent is required to collect non-essential information.
What Oklahoma consumers should know about the Oklahoma Consumer Data Privacy Act
Under Senate Bill 546, Oklahoma consumers will receive several rights regarding their personal data:
- Right to Access: Consumers have the authority to check if a business is handling their personal data properly and can request a copy for their own records.
- Right to Correction: Consumers may request that inaccuracies in their personal data be corrected.
- Right to Deletion: Consumers have the right to request the deletion of any personal data provided by or obtained about them.
- Right to Data Portability: Consumers are able to request a portable copy of their personal data, maintained digitally.
- Right to Opt-Out: Consumers can decline targeted ads, refuse the sale of their personal data, and avoid profiling that could lead to personal or legal consequences.
  - Unlike other states’ privacy laws that include other forms of valuable consideration, “sale” is narrowly defined in this context as only applying to exchanges involving monetary consideration.
Enforcement & exemptions
Enforcement
The Oklahoma Attorney General holds the sole authority to enforce the Act, and there is no option for a private right of action. The Attorney General is required to provide written notice and a 30-day cure period before taking any enforcement action and may not proceed with enforcement for violations that are corrected within the 30-day window. The 30-day cure period is permanent and does not expire, unlike some other states with cure periods that sunset after a certain number of years. Civil penalties per violation can reach up to $7,500.
Exemptions
Like privacy laws in other states, there are several noteworthy exemptions at both entity and data levels.
Entity-level exemptions include:
- Higher education institutions
- State agencies and political subdivisions, as well as service providers acting on their behalf
- Those governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
- Nonprofits
- Individuals who are processing data for personal activities
Data-level exemptions include, but are not limited to, employment-related data, emergency contact data, and any data governed by:
- HIPAA
- GLBA
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.