Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act (the “OKCDPA” or the “Act”). The OKCDPA will take effect on January 1, 2027.

Applicability

The OKCDPA applies to controllers or processors that:

  • conduct business in Oklahoma, or produce products or services targeted to Oklahoma residents; and
  • annually control or process the personal data of either at least (1) 100,000 Oklahoma consumers or (2) 25,000 Oklahoma consumers, and derive over 50% of gross revenue from the sale (for monetary consideration only) of personal data.

The OKCDPA applies only to Oklahoma consumers acting in an individual or household context, and not in a commercial or employment context. The Act contains numerous exemptions, including for data and entities subject to the GLBA and HIPAA, nonprofit organizations, and higher education institutions.

Controller Obligations

The OKCDPA contains requirements for controllers that largely mirror other comprehensive state privacy laws, such as obligations relating to data minimization, data protection assessments, obtaining consent to process sensitive data, responding to consumer rights requests, implementing reasonable safeguards, and providing a privacy notice with certain specified content.

Processor Obligations

As under other comprehensive state privacy laws, a processor must process personal data pursuant to the instructions of the data controller and assist the controller with its duties under the Act, including with respect to responding to consumer rights requests, implementing data security safeguards and assisting with data breach notification (pursuant to Oklahoma’s data breach notification law), and conducting data protection assessments. The Act also requires certain content to be included in agreements between controllers and processors with respect to the processing of personal data.

Consumer Rights

The OKCDPA generally follows the model set by other comprehensive state privacy laws with respect to the privacy rights provided to Oklahoma consumers, namely the right to access, correct, and delete their personal data; obtain a copy of their personal data; and opt out of targeted advertising, the sale of their personal data, and profiling. Businesses must respond to consumers’ requests within 45 days, with one possible 45-day extension, depending on the complexity of the request. Businesses also must offer consumers a method to appeal denied requests.

Enforcement and Penalties

The Oklahoma Attorney General has exclusive authority to enforce the Act. Notably, the Act provides a mandatory 30-day “right to cure” period for alleged violations, with no sunset. Violations of the Act may result in penalties of up to $7,500 per violation.
