At a Glance
- Effective January 1, 2027, the OCDPA applies to businesses processing data on at least 100,000 Oklahoma consumers annually, or 25,000 consumers where data sales account for more than 50 percent of gross revenue.
- The law uses an opt-out model: businesses may collect and process personal data without prior consent, provided consumers have clear means to opt out of targeted advertising, data sales, and profiling in furtherance of decisions that produce legal or similarly significant effects.
- Affirmative consent is required before processing sensitive personal data — including biometric data, precise geolocation, and data belonging to known children under 13.
- Oklahoma’s “sale” definition covers monetary consideration only, which exempts many common data-sharing arrangements from the opt-out requirement.
- Enforcement rests with the Oklahoma Attorney General; civil penalties reach up to USD 7,500 per violation, with a permanent cure period.
- The OCDPA closely tracks Virginia’s VCDPA and Texas’s TDPSA, but does not require businesses to honor GPC signals and does not provide a right to revoke consent.
Oklahoma became the first state to enact new comprehensive data privacy legislation in 2026. Senate Bill 546, signed into law on March 20, 2026, establishes the Oklahoma Consumer Data Privacy Act, and adds a 20th state-level privacy law to a landscape that U.S. businesses are already navigating at scale.
For compliance teams managing obligations across multiple jurisdictions, the OCDPA will be recognizable territory. Oklahoma has adopted the same broadly business-friendly model used in Virginia and Texas: opt-out architecture for most processing, affirmative consent for sensitive data, and AG-only enforcement with a built-in cure opportunity.
But the law has meaningful specifics that distinguish it from its predecessors, including a narrower exclusion from the biometric data definition, a Texas-aligned consent standard, and no requirement to honor browser-based opt-out signals like Global Privacy Control.
Businesses with operations or customers in Oklahoma need to map those specifics against their existing compliance programs before the January 1, 2027 effective date.
This guide covers who the OCDPA applies to, what it requires of businesses and their processors, what rights it extends to Oklahoma consumers, and the practical steps multi-state compliance programs should take to prepare.
What Is Oklahoma’s Consumer Data Privacy Act (OCDPA)?
The Oklahoma Consumer Data Privacy Act establishes a framework of consumer rights over personal data and corresponding obligations for the businesses that collect and process it.
The law follows the Virginia Consumer Data Protection Act (VCDPA) model, which has now been adopted with variations across a number of other U.S. states.
Like other U.S. state-level data privacy laws operating on this model, the OCDPA uses an opt-out consent model. Organizations may collect and use personal data without obtaining prior consent from each individual in most cases, provided consumers are given clear and accessible means to opt out of specific uses. These uses are primarily targeted advertising and data sales, and consumers must be informed about how their data is handled.
Key Definitions Under the OCDPA
The OCDPA defines terms that determine the scope of its obligations. Understanding these definitions is the starting point for assessing whether and how the law applies to your organization.
Personal Data
Personal data under the OCDPA is any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.
The definition includes pseudonymous data when used in conjunction with additional information that reasonably links it to an individual. De-identified data and publicly available information are excluded.
Unlike many comparable state laws, the OCDPA does not enumerate specific examples of personal data, though common categories such as name, email address, phone number, Social Security number, and driver’s license number fall within scope.
Sensitive Data
Sensitive data is a subcategory of personal data subject to heightened protections. Controllers may not process it without affirmative prior consumer consent. The OCDPA categorizes the following as sensitive data:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child under 13 years of age
- Precise geolocation data, defined as information that identifies an individual’s location within a radius of 1,750 feet
Biometric Data
The OCDPA’s biometric data definition excludes photographs, video, audio recordings, and data derived from them, unless that derived data is generated for the purpose of identifying a specific individual.
This aligns with Connecticut’s formulation. The exclusion is narrower than Virginia’s or Texas’s, both of which exclude photo- and video-derived data outright without that qualifier, so Oklahoma’s definition brings more data into scope. Businesses processing image, video, or audio data for identification purposes should treat the data derived from it as biometric data in scope under Oklahoma’s law.
Consumer
A consumer under the OCDPA is an Oklahoma resident acting in an individual or household context. Individuals acting in a commercial or employment context are excluded from the definition.
Controller and Processor
A controller is an individual or legal entity that determines the purpose and means of processing personal data.
A processor is an entity that processes personal data on behalf of a controller, typically third-party vendors such as analytics providers, cloud storage services, or advertising platforms.
Oklahoma’s law requires controller-processor relationships to be governed by a written contract specifying processing instructions, data types, duration, and the obligations of each party.
Sale of Personal Data
The OCDPA defines “sale” as the exchange of personal data for monetary consideration by a controller to a third party. This definition covers monetary consideration only, not other forms of valuable consideration.
The narrower scope means that many common data-sharing arrangements in the digital advertising ecosystem, such as sharing data in exchange for services or access, fall outside the opt-out requirement under Oklahoma’s law.
Consent
The OCDPA adopts the Texas Data Privacy and Security Act (TDPSA) definition of consent: a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow processing.
Consent may be expressed through a written statement, including by electronic means, or through any other unambiguous affirmative action.
The definition explicitly excludes:
- Acceptance of general or broad terms of use that contain descriptions of personal data processing alongside other, unrelated information
- Hovering over, muting, pausing, or closing content
- Consent obtained through the use of dark patterns
Businesses relying on passive or implied signals to infer sensitive data consent should review those practices against this standard.
Targeted Advertising
Targeted advertising under the OCDPA means displaying ads selected based on personal data obtained or inferred from a consumer’s activities over time and across non-affiliated websites or applications, to predict preferences or interests. Consumers have an opt-out right for this activity.
Who Does the OCDPA Apply To?
The OCDPA applies to controllers and processors doing business in Oklahoma or directing products and services at Oklahoma residents. A business must comply if it meets either of the following thresholds:
- Controls or processes the personal data of at least 100,000 Oklahoma consumers in a calendar year, or
- Controls or processes the personal data of at least 25,000 consumers and derives more than 50 percent of its gross revenue from the sale of personal data
Oklahoma has not included an annual revenue threshold — unlike California and Tennessee, which impose a third trigger for companies earning at least USD 25 million annually.
Entity-Level Exemptions
OCDPA exemptions align with those of other state privacy laws, and apply to:
- State agencies
- Nonprofits
- Higher education institutions
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Individuals processing data in purely personal or household contexts
- Organizations working with data already regulated under federal laws such as HIPAA
Data-Level Exemptions
Certain data categories fall outside the OCDPA’s scope regardless of the entity processing them, including:
- Protected health information under HIPAA
- Employee and job applicant data
- Emergency contact information
- Student data under FERPA
- Data regulated under the Fair Credit Reporting Act (FCRA)
Consumer Rights Under the OCDPA
The OCDPA grants Oklahoma consumers several rights over their personal data, which can be exercised by submitting a verified request to the controller:
- Right to access: Confirm whether a controller is processing their personal data, and obtain access to it
- Right to correct: Have inaccuracies in their personal data corrected
- Right to delete: Request deletion of personal data provided by or obtained about the consumer
- Right to portability: Obtain a copy of personal data previously provided to the controller, in a portable and readily usable format, where processing is carried out by automated means
- Right to opt out: Of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
- Right to nondiscrimination: Consumers cannot be denied goods or services, charged different prices, or provided a different quality of service for exercising their rights
The OCDPA does not include a private right of action, and enforcement rests solely with the Attorney General. It also does not provide a right to limit use of sensitive personal information (though prior consent is required before that processing can occur) and does not include provisions for authorized agents acting on a consumer’s behalf.
Responding to Consumer Rights Requests
Oklahoma’s law requires businesses to provide at least two secure methods through which consumers can submit rights requests. Controllers may not require consumers to create a new account solely to submit a request.
Where authentication cannot be completed using commercially reasonable efforts, the controller is not obligated to comply but may request additional information to verify the consumer’s identity.
Controllers must respond to authenticated requests within 45 days, with a possible extension of an additional 45 days when reasonably necessary, provided the consumer is notified within the initial 45-day window. Responses must be provided free of charge, up to twice per year per consumer.
Controllers must establish an appeal process for denied requests. Once an appeal is received, the controller has 60 days to provide a written explanation of its decision. If the appeal is denied, the consumer must be directed to the Oklahoma Attorney General’s online complaint mechanism.
Global Privacy Control: Not Required Under the OCDPA
Oklahoma’s law does not require businesses to honor browser-based opt-out preference signals such as Global Privacy Control (GPC). As of early 2026, 12 states require businesses to honor GPC or a comparable Universal Opt-Out Mechanism.
Businesses operating across those states should maintain signal-honoring capabilities in their consent infrastructure regardless of Oklahoma’s position, both for current obligations in other jurisdictions and to avoid configuration gaps if Oklahoma’s law is amended.
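The following is an added example, not code from the article or from any vendor product, of how a consent service can resolve the opt-out state for a request by combining a stored consumer choice with the GPC signal and the consumer’s jurisdiction. The two GPC carriers it reads, the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property, are defined by the GPC specification; the state table, the consent-record shape, and the function names are assumptions made for this example. A constructed Oklahoma request with the signal enabled is embedded as sample input.

```javascript
// Added example (not from the article or any vendor product): resolving a
// request's opt-out state from an explicit consumer choice plus the Global
// Privacy Control signal, keyed on the consumer's jurisdiction.
//
// GPC is carried two ways: the `Sec-GPC: 1` request header (server side) and
// the `navigator.globalPrivacyControl` property (client side). Both are part of
// the GPC specification; everything else here (the state set, the record shape,
// the function names) is an assumption made for the example.

// Constructed subset of states whose laws require honoring the signal; CA, CO
// and CT do, OK does not. Keep this table with the rest of the geotargeting
// config so an amendment to one state's law is a one-line change.
const GPC_REQUIRED_STATES = new Set(["CA", "CO", "CT"]);

// HTTP header names are case-insensitive, so normalise before comparing.
// The spec defines "1" as the only meaningful value; anything else is "off".
function parseGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client-side counterpart: takes a navigator-like object so it can run outside
// a browser. A missing property means the browser does not implement GPC.
function clientGpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether targeted advertising / sale of personal data is opted out for
// this request. `record` is the stored consent record for the consumer
// (assumed shape): { state: "OK", explicitOptOut: true | false | undefined }.
// `policy.honorGpcEverywhere` controls whether the signal is honored in states
// such as Oklahoma that do not require it; default is to honor it everywhere.
function resolveOptOut(headers, record, policy = {}) {
  const honorEverywhere = policy.honorGpcEverywhere !== false;
  const state = String(record.state || "").toUpperCase();
  const gpc = parseGpcHeader(headers);

  // An explicit, recorded opt-out always wins, signal or not.
  if (record.explicitOptOut === true) {
    return { optOut: true, reason: "explicit-opt-out" };
  }
  // A recorded opt-in (explicitOptOut === false) does not suppress the signal
  // here; how to reconcile an earlier opt-in with a later signal is a
  // jurisdiction-specific policy decision left outside this function.
  if (gpc) {
    if (GPC_REQUIRED_STATES.has(state)) {
      return { optOut: true, reason: "gpc-required" };
    }
    return honorEverywhere
      ? { optOut: true, reason: "gpc-voluntary" }
      : { optOut: false, reason: "gpc-not-required" };
  }
  return { optOut: false, reason: "no-signal" };
}

// Constructed sample request: an Oklahoma consumer with GPC enabled and no
// stored choice. Oklahoma does not mandate honoring it; the policy below does.
const sampleHeaders = { "Sec-GPC": "1", "User-Agent": "example" };
const sampleRecord = { state: "OK" };
const decision = resolveOptOut(sampleHeaders, sampleRecord, { honorGpcEverywhere: true });
console.log(decision); // { optOut: true, reason: 'gpc-voluntary' }
```

The `reason` field is worth persisting alongside the decision: it lets an audit distinguish an opt-out the law compelled from one the business chose to honor voluntarily, which matters if Oklahoma later adds a signal requirement and the program has to show when honoring began.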
Sensitive Data and Consent Requirements
The OCDPA requires affirmative consent before processing any category of sensitive personal data. This includes:
- Health information
- Racial or ethnic origin
- Immigration status
- Biometric data
- Precise geolocation
- Personal data belonging to known children under 13
Oklahoma’s consent standard excludes passive signals as valid consent for sensitive data processing, including acceptance of broad terms, hovering, or closing content.
One notable gap compared to other state laws: the OCDPA does not give consumers the right to revoke consent once granted. This means businesses do not need to build revocation workflows specifically for Oklahoma, though they should assess whether comparable obligations in other states require those workflows to exist regardless.
Children’s Data
The OCDPA requires that companies processing the personal data of known children under 13 do so in accordance with the federal Children’s Online Privacy Protection Act (COPPA).
Oklahoma does not introduce enhanced protections beyond COPPA, and does not include specific provisions for minors aged 13 to 16, which is a gap that consumer advocates have noted.
Business Obligations Under the OCDPA
The OCDPA’s controller and processor obligations are consistent with comparable state frameworks. The core requirements are:
- Data minimization: Collect and process only what is adequate, relevant, and reasonably necessary for the disclosed purpose
- Transparency: Provide a reasonably accessible privacy notice disclosing processing activities and consumer rights
- Reasonable security: Implement appropriate technical and organizational safeguards for personal data
- Processor contracts: Govern all processor relationships with a written agreement
- Data protection assessments: Conduct assessments for high-risk processing activities
Privacy Notice Requirements
Controllers must publish a privacy notice that is reasonably accessible and clear. The notice must include:
- Categories of personal data processed, including sensitive data
- Purposes for processing
- Categories of third parties with whom data is shared
- Whether the controller sells personal data or processes it for targeted advertising
- How consumers may exercise their rights, including the appeal process
Data Protection Assessment Obligations
Businesses must conduct data protection assessments for high-risk activities, including:
- Targeted advertising
- Data sales
- Profiling that produces legal or significant effects
- Processing sensitive data
- Processing that presents a reasonably foreseeable risk of consumer harm
Assessments apply only to processing activities commencing on or after January 1, 2027 and are not retroactive.
Processor Contract Requirements
Where personal data is shared with third-party processors, Oklahoma requires the relationship to be governed by a written contract. Valid agreements must specify:
- Processing instructions
- Nature and purpose of processing
- Data types
- Processing duration
- Rights and obligations of both parties
Processor agreements must also require confidentiality, data deletion or return upon request, audit cooperation, and equivalent obligations for any subprocessors engaged.
Dark Patterns and Consent Interface Requirements
The OCDPA explicitly defines and prohibits dark patterns. These are user interfaces designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice, including any practice the Federal Trade Commission designates as a dark pattern.
Businesses should audit their consent interfaces and opt-out flows to confirm they are free from design elements that could be construed as manipulative before the law takes effect.
De-identified Data Obligations
Controllers using de-identified data retain obligations under the OCDPA despite the exclusion of such data from its scope. They must take reasonable measures to prevent re-identification, make a public commitment not to re-identify the data, and contractually bind any recipients of that data to equivalent restrictions.
Targeted Advertising and Data Sales Under the OCDPA
Oklahoma adopts an opt-out model for targeted advertising and data sales, consistent with most U.S. state privacy frameworks. As discussed above, the law’s definition of “sale” covers only monetary consideration, not other valuable consideration.
For businesses operating in digital advertising, this means that many data-sharing arrangements, including those involving non-monetary exchanges, are not subject to the opt-out requirement under the OCDPA.
Compliance teams should still assess whether comparable obligations apply in other states where such arrangements may be more broadly defined.
OCDPA Enforcement and Penalties
Oklahoma’s law assigns enforcement authority exclusively to the state Attorney General. There is no private right of action. Before bringing an enforcement action, the Attorney General must notify the alleged violator and allow 30 days to cure the violation. Unlike several other state privacy laws, this cure period does not sunset and remains available indefinitely.
Civil penalties reach up to USD 7,500 per violation, with no escalator for willful or intentional violations. Courts may also award injunctive relief and reasonable attorney fees in enforcement actions. The Attorney General is additionally required to publish guidance on controller and processor responsibilities and consumer rights, and to maintain a consumer complaint mechanism.
For U.S. businesses managing multi-state risk exposure, Oklahoma’s enforcement framework is relatively measured: a permanent cure period, no private litigation risk, and a penalty structure that tracks other Virginia-model states. The primary compliance risk for most organizations will be operational, including gaps in consumer request workflows, inadequate privacy notices, or consent flows that fail to capture affirmative consent for sensitive data.
How to Prepare for the OCDPA
For businesses already operating under the VCDPA, TDPSA, or comparable state frameworks, Oklahoma’s law should not require a complete overhaul of existing privacy programs. The scope thresholds, rights obligations, and assessment requirements track closely with those laws.
The lead time to the January 1, 2027 effective date, however, is shorter than many comparable laws allowed at enactment, making early gap analysis important.
Multi-state compliance programs should prioritize the following before the effective date:
- Applicability assessment: Audit Oklahoma consumer data volumes against the 100,000-consumer threshold and the 25,000-consumer/50-percent-revenue threshold
- Privacy notice review: Confirm notices include required OCDPA disclosures, including opt-out information for data sales and targeted advertising
- Consumer request workflows: Verify that data subject request processes, including appeal pathways, are operational and include at least two secure submission methods
- Sensitive data consent audit: Confirm that affirmative consent is captured and documented for all sensitive personal data categories, including children’s data, prior to processing
- Consent interface review: Check for dark patterns in consent UIs and opt-out mechanisms
- Data protection assessments: Confirm that high-risk processing activities commencing on or after January 1, 2027 are covered by assessments meeting Oklahoma’s requirements
- Processor contract review: Verify that vendor agreements meet the written contract requirements, including subprocessor obligations
The Usercentrics Consent Management Platform, with geotargeting capabilities, can support several of these steps by enabling state-specific opt-out flows, consent documentation, and banner configurations that adapt to each applicable law’s requirements.
