At a Glance
- The OCDPA takes effect January 1, 2027 and applies to businesses processing personal data of at least 100,000 Oklahoma consumers, or at least 25,000 where more than 50 percent of gross revenue derives from data sales.
- Consumers gain rights to access, correct, delete, and obtain a portable copy of their personal data, plus opt-out rights for targeted advertising, data sales, and profiling in furtherance of decisions that produce legal or similarly significant effects.
- Affirmative consent is required before processing sensitive personal data, including biometric data, precise geolocation, and data belonging to known children.
- Enforcement rests exclusively with the Oklahoma Attorney General; there is no private right of action.
- Civil penalties are up to USD 7,500 per violation.
- The definition of ‘sale’ covers monetary exchanges only, not other forms of valuable consideration, which exempts many common data-sharing arrangements from the opt-out requirement.
Oklahoma’s comprehensive data privacy law (SB 546) was the first new U.S. state privacy legislation enacted in 2026, following a year in which no new comprehensive state privacy laws were passed.
For businesses already operating under Virginia’s Consumer Data Protection Act (VCDPA) or similar state frameworks, Oklahoma’s privacy law will cover familiar ground. The state has adopted the same broadly business-friendly model that now underpins privacy regulation across more than a dozen U.S. states.
That said, the OCDPA brings its own definitions, thresholds, and requirements that businesses operating in Oklahoma or directing products and services to Oklahoma residents need to understand.
Notably, the law takes a broader approach to biometric data than many of its predecessors, adopts the Texas definition of consent, and omits several provisions found in other state laws, including the right to revoke consent and a requirement to honor browser-based opt-out preference signals such as Global Privacy Control (GPC), which have been gaining traction in more recent state laws.
In this article, we cover who Oklahoma’s data privacy regulation applies to, what rights it grants consumers, what it requires of businesses, and the steps organizations should take before the January 1, 2027 effective date.
What Is the Oklahoma Consumer Data Privacy Act?
The Oklahoma Consumer Data Privacy Act (OCDPA), enacted through Senate Bill 546, establishes consumer rights over personal data and corresponding obligations for businesses that collect and process it.
Signed by Governor Kevin Stitt on March 20, 2026, the law takes effect on January 1, 2027, leaving businesses with a shorter window to prepare for compliance than in many other states.
Consistent with other U.S. state-level data privacy laws, the OCDPA follows an opt-out consent model: in most cases organizations can collect and process personal data without prior consent, provided consumers are informed about how their data is handled and are given clear means to opt out of certain uses. The main exception is sensitive data, which requires prior consent.
Definitions of Key Terms in the OCDPA
The OCDPA defines a variety of terms related to the data it protects and the processing activities it regulates.
Personal Data Under the OCDPA
The OCDPA defines personal data as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The definition includes pseudonymous data, when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. However, it excludes de-identified data and publicly available information.
Unlike many other U.S. state privacy laws, the OCDPA does not enumerate specific examples of personal data. But common types that businesses collect include a consumer’s name, email address, phone number, Social Security number, or driver’s license number.
Sensitive Data Under the OCDPA
Sensitive data is a category of personal data that requires heightened protections, and which controllers may not process without consumer consent. Under the OCDPA, sensitive data includes personal data that reveals:
Racial or ethnic origin
Religious beliefs
Mental or physical health condition or diagnosis
Sexual orientation
Citizenship or immigration status
Genetic or biometric data processed for the purpose of uniquely identifying an individual
Personal data collected from a known child (under 13 years of age)
Precise geolocation data, defined as information that can identify an individual’s location within a radius of 1,750 feet
Biometric Data Under the OCDPA
The OCDPA biometric data definition excludes photographs, video, audio recordings, and data derived from them, unless that data is generated for the purpose of identifying a specific individual.
This mirrors Connecticut’s formulation and creates a narrower exclusion than Virginia or Texas, both of which exclude photo- and video-derived data without that qualifier. The practical effect is that businesses processing image, video, or audio data to identify specific individuals should treat the resulting data as biometric data in scope under the OCDPA and, because biometric data processed to uniquely identify an individual is sensitive data, obtain consent before processing it.
Consumer Under the OCDPA
The OCDPA defines a consumer as an individual who is a resident of Oklahoma, and acting only in an individual or household context. The definition does not include an individual acting in a commercial or employment context.
Processing Under the OCDPA
The OCDPA defines processing as any operation or set of operations performed by manual or automated means on personal data or on sets of personal data. This can include collection, use, storage, disclosure, analysis, deletion, or modification.
Controller Under the OCDPA
The OCDPA defines a controller as an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. In practice, most businesses subject to the law will be controllers, as they are responsible for the obligations and consumer rights the law establishes. They provide instructions to processors and are responsible for maintaining privacy and security standards for personal data processing.
Processor Under the OCDPA
A processor is an individual or legal entity that processes personal data on behalf of a controller. Third-party vendors handling personal data on a business’s instructions, such as analytics providers, cloud storage services, and advertising platforms, are typically processors. The OCDPA requires the relationship between controllers and processors to be governed by a written contract.
Sale of Personal Data Under the OCDPA
Under the OCDPA, sale of personal data means the exchange of personal data for monetary consideration by a controller to a third party. This definition covers monetary consideration only, excluding exchanges for other valuable consideration, which is a narrower scope than some comparable state privacy laws.
Targeted Advertising Under the OCDPA
The OCDPA defines targeted advertising as displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across non-affiliated websites or online applications to predict their preferences or interests.
Consent Under the OCDPA
The OCDPA defines consent as a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of their personal data. Consent may be expressed through a written statement, including by electronic means, or through any other unambiguous affirmative action.
The definition excludes:
Acceptance of general or broad terms of use or a similar document that contains descriptions of personal data processing alongside other, unrelated information
Hovering over, muting, pausing, or closing a given piece of content
Consent obtained through the use of dark patterns
Who Does Oklahoma’s Privacy Law Apply To?
The OCDPA applies to controllers and processors doing business in Oklahoma or directing products and services at Oklahoma residents. The applicability thresholds align with those in other states that follow the Virginia model. A business must comply if it meets either of the following conditions:
- Controls or processes the personal data of at least 100,000 Oklahoma consumers in a calendar year, or
- Controls or processes the personal data of at least 25,000 consumers and derives more than 50 percent of its gross revenue from the sale of personal data
Oklahoma’s law joins a number of states that have not included an annual revenue threshold. By contrast, states like California and Tennessee also factor annual revenue into applicability, using a USD 25 million threshold.
Exemptions to OCDPA compliance obligations
Exemptions apply to certain entities, including state agencies, nonprofits, higher education institutions, and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), as well as individuals processing data in the course of a purely personal or household activity, and organizations working with data already regulated under federal laws such as HIPAA.
In addition to these entity-level exemptions, certain categories of data fall outside SB 546’s scope regardless of who holds them. These include protected health information regulated under the Health Insurance Portability and Accountability Act (HIPAA), employee and job applicant data, emergency contact information, student data regulated under the Family Educational Rights and Privacy Act (FERPA), and data regulated under the Fair Credit Reporting Act (FCRA).
As the U.S. state privacy law landscape continues to expand, businesses operating across multiple states should assess whether their existing compliance frameworks adequately address Oklahoma’s specific thresholds and definitions.
What Rights Do Oklahoma Consumers Have?
The OCDPA grants consumers several rights regarding their personal data, which can be exercised by submitting an authenticated request:
Right to access
Confirm whether a controller is processing their personal data, and gain access to it
Right to correct
Have any inaccuracies in their personal data corrected
Right to delete
Have personal data provided by or obtained about the consumer deleted
Right to portability
Obtain a copy of their personal data that they previously provided to the controller in a portable and readily usable format, where processing is carried out by automated means
Right to opt out
Of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Right to nondiscrimination
A consumer cannot be discriminated against for exercising any of their rights under the Act, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services
The OCDPA does not provide consumers with a private right of action, as California’s CCPA does for certain data breaches, nor with a separate right to limit the use of their sensitive personal data (though prior consent is required before sensitive data is processed).
Unlike a number of other state privacy laws, the OCDPA also makes no provision for authorized agents, i.e., third parties designated by a consumer to submit rights requests (such as opt-out requests) on the consumer’s behalf.
How Do Businesses Have to Respond to Consumer Requests?
Oklahoma’s privacy law requires businesses to provide at least two secure methods through which consumers can submit rights requests. Request intake processes and response workflows (including appeal pathways) need to be ready to meet requirements by the January 1, 2027 effective date.
Controllers may not require consumers to create a new account solely for the purpose of submitting a rights request.
If a controller cannot reasonably authenticate a consumer making a rights request using commercially reasonable efforts, the controller is not required to comply with the request. The controller may ask the consumer to provide additional information that is reasonably necessary to authenticate their identity and the request.
Controllers must respond to authenticated consumer requests within 45 days, with a possible extension of an additional 45 days when reasonably necessary. If an extension is taken, the controller must inform the consumer within the initial 45-day period and explain the reason.
Responses to consumer requests must be provided free of charge, up to twice per year per consumer. Controllers may decline to act on requests that are manifestly unfounded, excessive, or repetitive, or may charge a reasonable fee, provided they can demonstrate the basis for that characterization.
Controllers must also establish an appeal process for consumers whose requests are denied. Once an appeal is received, the controller has 60 days to respond with a written explanation of its decision.
If the appeal is denied, the controller must direct the consumer to the Oklahoma Attorney General’s online complaint mechanism.
Does the OCDPA Require Honoring Global Privacy Control Signals?
Oklahoma’s privacy regulation does not require businesses to honor opt-out preference signals such as Global Privacy Control (GPC). As of early 2026, 12 states do require businesses to honor the GPC or comparable Universal Opt-Out Mechanism.
What Counts as Sensitive Data Under Oklahoma’s Privacy Act?
Like most U.S. state privacy laws in effect to date (Utah and Iowa, which use an opt-out model for sensitive data, are notable exceptions), the OCDPA requires prior informed consent from consumers before processing sensitive data. In addition to information about health, racial or ethnic origin, citizenship or immigration status, and the other categories listed above, the personal data of known children under age 13 is categorized as sensitive, and thus prior consent from a parent or guardian is required before collecting or processing it.
The OCDPA has adopted the definition of consent in the Texas Data Privacy and Security Act (TDPSA). It specifies that consent does not include acceptance of general or broad terms of use, or actions such as hovering over, muting, or closing content.
Businesses relying on passive or implied signals to infer consent for sensitive data processing should review those practices against this standard. Oklahoma’s privacy law also does not provide consumers with a right to revoke consent once given, which is a feature present in some comparable state laws.
Children’s Data and COPPA
The OCDPA requires companies processing the sensitive data of a known child to do so in accordance with the federal Children’s Online Privacy Protection Act (COPPA). This aligns with many other U.S. state privacy laws.
Oklahoma’s law does not introduce enhanced children’s protections beyond existing COPPA requirements and contains no additional privacy rights for minors aged 13 and older, a gap that consumer advocates have flagged. (Some state laws, for example, have specific provisions and consent requirements for minors aged 13 to 16.)
What Are Businesses Required to Do to Comply with the OCDPA?
The OCDPA’s controller and processor obligations align with common requirements in other state privacy laws:
- Transparency
- Data minimization
- Reasonable security
- Processor contracts
- Data protection assessments for high-risk processing activities
Privacy Notice Requirements
Controllers must provide a reasonably accessible and clear privacy notice that includes:
- Categories of personal data processed, including any sensitive data
- Purpose(s) for processing personal data
- Categories of personal data that the controller shares with third parties, if any
- Categories of third parties with whom the controller shares personal data, if any
- Whether the controller sells personal data to third parties or processes it for targeted advertising
- How a consumer may exercise their rights, including the appeal process for a controller’s decision
Data Protection Assessment Obligations
Controllers must conduct data protection assessments for high-risk processing activities, including targeted advertising, sale of personal data, certain profiling activities, processing sensitive data, and processing that presents a reasonably foreseeable risk of harm to consumers.
Organizations already conducting assessments under comparable state laws should be able to extend those frameworks to cover Oklahoma obligations without significant additional lift. Assessments apply only to processing activities that commence on or after January 1, 2027 and are not retroactive.
Processor Contract Requirements
Where personal data is shared with third-party vendors or processors, Oklahoma’s privacy regulation requires those relationships to be governed by a written contract. A valid agreement must specify:
- Instructions for processing personal data
- Nature and purpose of the processing
- Type of data being processed
- Duration of processing
- Rights and obligations of both parties
The contract must require the processor to maintain confidentiality, delete or return data at the controller’s request, cooperate with audits or assessments, and ensure that any subprocessors it engages are bound by equivalent obligations.
The OCDPA also renders void and unenforceable any contractual provision, whether in a processor agreement or otherwise, that purports to waive or limit a consumer’s rights under the law.
Dark Patterns and Consent Interface Rules
The OCDPA explicitly defines and prohibits the use of dark patterns. The law defines a “dark pattern” as a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice the Federal Trade Commission refers to as a dark pattern.
Businesses should review their consent interfaces and opt-out flows to confirm they are free from design elements that could be construed as manipulative.
Controller Prohibitions
The OCDPA prohibits controllers from discriminating against consumers who exercise their privacy rights, including by denying goods or services, charging different prices, or providing a lower quality of service.
Limited exceptions apply for voluntary loyalty programs or financial incentive schemes where any differential treatment is reasonably related to the value of the consumer’s data.
Use of De-identified Data
Controllers that use de-identified data retain obligations under the OCDPA. They must take reasonable measures to prevent re-identification, make a public commitment not to re-identify the data, and contractually require any recipients of de-identified data to observe equivalent restrictions. The exclusion of de-identified data from the OCDPA’s scope does not excuse controllers from these downstream obligations.
How Does the OCDPA Treat Targeted Advertising and Data Sales?
The OCDPA adopts an opt-out model for targeted advertising and data sales, which is consistent with most other U.S. state privacy laws. As noted, the law’s definition of “sale” is limited to exchanges for monetary consideration only, not other valuable consideration, which exempts many common data-sharing arrangements in the advertising ecosystem from the opt-out requirement.
For a broader overview of how U.S. state privacy laws approach cross-context behavioral advertising, including opt-out requirements across jurisdictions, see the Usercentrics knowledge hub.
OCDPA Enforcement
OCDPA enforcement is handled exclusively by Oklahoma’s Attorney General. As noted, there is no private right of action. Before bringing an action, the Attorney General must notify the alleged violator and allow 30 days to cure. Unlike several other states, this cure period does not sunset.
Civil penalties are up to USD 7,500 per violation, with no escalator for willful or intentional violations. The Attorney General may also seek injunctive relief, and courts may award reasonable attorney fees and other litigation expenses in enforcement actions.
The Attorney General is also required to publish information about controller and processor responsibilities and consumer rights on the Attorney General’s website, and to provide a mechanism through which consumers can submit complaints directly. This provision mirrors the equivalent section in Texas’s consumer data privacy law.
How Can Businesses Prepare for the Oklahoma Consumer Data Privacy Act?
For businesses already operating under Virginia’s Consumer Data Protection Act, Texas’s Data Privacy and Security Act, or comparable state frameworks, the OCDPA should not require a wholesale overhaul of existing privacy programs. Oklahoma’s requirements track closely with those laws on scope thresholds, data subject rights, and data protection assessment obligations.
Organizations should take the following steps before January 1, 2027:
Assess applicability
Audit Oklahoma consumer data volumes against the 100,000-consumer and 25,000-consumer/50 percent-revenue thresholds.
Review privacy notices
Confirm that notices include OCDPA-required disclosures, including opt-out information for data sales and targeted advertising.
Verify consumer request workflows
Confirm that data subject request processes — including appeal pathways — are operational.
Audit consent flows for sensitive data
Ensure affirmative consent is captured and documented for all categories of sensitive personal data (including children’s) prior to processing.
Check for dark patterns
Review consent UIs and opt-out mechanisms for manipulative design elements.
Assess data protection assessment coverage
Confirm high-risk processing activities have been assessed under the law’s requirements.
A consent management platform such as Usercentrics supports several of these steps by enabling compliant opt-out flows, consent documentation, and geotargeted banner configurations that adapt to the specific requirements of each applicable state law.
