Sooner or Later: Oklahoma Joins the Data Privacy Wave

On March 20, 2026, Oklahoma Governor Kevin Stitt signed into law Senate Bill 546, the Oklahoma Computer Data Privacy Act (OCDPA). The new law makes Oklahoma the latest state to adopt comprehensive consumer privacy and data protection requirements. Largely aligned with other state consumer privacy laws passed to date, and supported by the U.S. Chamber of Commerce[1] for providing “strong privacy protections” with business-friendly “consistency and workability small businesses require to provide innovative products and services”, the OCDPA adds to the growing patchwork of U.S. state privacy laws and will take effect on January 1, 2027.

Covered Entities

The OCDPA applies to controllers and processors that conduct business in Oklahoma or produce products or services targeted to state residents, and meet one of the following thresholds:

  • Control or process personal information of at least 100,000 Oklahoma consumers; or
  • Control or process personal information of at least 25,000 Oklahoma consumers and derive more than 50% of their revenue from selling personal information.

Similar to other state privacy laws, the OCDPA provides carveouts for HIPAA-covered entities, nonprofits, and institutions of higher education. Specific types of personal data are also exempt, including protected health information, medical records, and personal data subject to the Fair Credit Reporting Act (FCRA), the Driver's Privacy Protection Act (DPPA), or the Family Educational Rights and Privacy Act (FERPA).

Consumer Rights

Under the OCDPA, Oklahoma consumers have the following rights:

  • Right to Access: Confirming whether a controller is processing their data and accessing said data
  • Right to Correct: Rectifying inaccuracies in their personal data
  • Right to Delete: Requesting the deletion of personal data provided by or obtained about them
  • Right to Portability: Obtaining a copy of their data in a portable and readily usable format
  • Right to Opt-Out: Withdrawing from processing for targeted advertising, the sale of personal data, or certain types of profiling

Notably, unlike the California Consumer Privacy Act (CCPA) and Colorado Privacy Act (CPA), Oklahoma does not require controllers to honor automated opt-out preference signals (such as Global Privacy Control) or allow a consumer to exercise their rights via an authorized agent. Instead, under Sec. 6(A), controllers must provide two or more "secure and reliable methods" for submission, which must reflect how consumers normally interact with the controller. Additionally, Oklahoma limits the definition of “sale” to transactions involving direct monetary exchange, diverging from states such as California that more broadly extend the term to include any disclosure of personal data for “valuable consideration.”

When a consumer exercises these rights, controllers must respond within 45 days, with a single 45-day extension available when reasonably necessary. Responses must be provided free of charge up to twice per consumer per year. Importantly, the OCDPA also requires controllers to establish a formal appeal process, giving consumers a path to challenge a denied or unsatisfied request, with controllers obligated to respond to those appeals within 60 days.

Sensitive Data 

The OCDPA strictly prohibits controllers from processing sensitive data (defined to include racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship status, genetic/biometric data used for identification, and precise geolocation) without consumer consent. For known children (defined as under 13), sensitive data must be processed in accordance with the Children's Online Privacy Protection Act (COPPA).

Controller Requirements 

The OCDPA imposes a suite of affirmative obligations on covered entities:

  • Data Minimization: Controllers must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
  • Data Security: Businesses must implement reasonable administrative, technical, and physical security practices to protect data confidentiality.
  • Processor Contracts: Relationships between controllers and processors must be governed by a written contract that includes clear processing instructions and confidentiality duties.

Data Protection Assessments

Mirroring similar frameworks in place across multiple U.S. states with comprehensive data privacy laws, the OCDPA requires controllers to conduct and document data protection assessments before processing personal data for targeted advertising, selling personal data, profiling that poses a foreseeable risk of harm (such as unfair treatment, financial or physical injury, or privacy intrusion), processing sensitive data, or engaging in any activity presenting a heightened risk to consumers. These assessments must be provided to the Oklahoma Attorney General (OAG) upon request and remain confidential and exempt from public disclosure.

Privacy Notices 

Controllers must provide a "reasonably accessible and clear" privacy notice. This notice must disclose: the categories of personal data processed (including sensitive data); purpose of the processing; how consumers may exercise their rights and appeal decisions; and the categories of third parties with whom data is shared.

Enforcement

The OAG has exclusive authority to enforce the act. Several dynamics warrant close attention:

  • Permanent Cure Period: Before bringing an action, the OAG must provide a 30-day written notice. Unlike some other states, this "right to cure" is a permanent feature and does not phase out.
  • Civil Penalties: Violations that remain uncured or breaches of a written statement to the OAG are subject to a civil penalty of up to $7,500 per violation.
  • No Private Right of Action: The OCDPA explicitly states that it shall not be construed as providing a basis for a private right of action for any violation.

Final Thoughts

Although the pace of new state consumer privacy laws had slowed, the enactment of the OCDPA shows that the momentum behind them has not stopped. As Oklahoma joins the growing list of states establishing comprehensive data protection frameworks, companies operating nationwide should take stock of overlapping obligations and areas of divergence, particularly in definitions, consumer rights mechanisms, and enforcement structures. Our firm will continue to monitor developments in Oklahoma and other states considering enacting or amending comprehensive data privacy legislation.

To receive the latest insights on US legal developments, subscribe to the Freshfields A Fresh Take Blog.

Tags

cybersecurity, data protection