
Oklahoma Privacy Law

Oklahoma Consumer Data Privacy Act

Effective: January 1, 2027 (Pending)

Overview

The Oklahoma Consumer Data Privacy Act (OKCDPA), enacted as Senate Bill 546, was signed into law by Governor Kevin Stitt on March 20, 2026, making Oklahoma the 20th state to pass a comprehensive consumer data privacy law. The law takes effect on January 1, 2027.

The OKCDPA grants Oklahoma consumers the right to access, correct, delete, and obtain a portable copy of their personal data. Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects. Controllers must respond to consumer requests within 45 days, with one possible 45-day extension. The law prohibits dark patterns: consent obtained through manipulative interface design, hovering, muting, pausing, or closing content is not valid.

The law applies to businesses conducting business in Oklahoma or targeting Oklahoma residents that process personal data of at least 100,000 consumers, or process data of at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data.

The OKCDPA follows the Virginia model closely, with enforcement vested exclusively in the Oklahoma Attorney General. It includes a permanent 30-day cure period and penalties of up to $7,500 per violation. There is no private right of action. Entity-level exemptions cover government entities, nonprofits, GLBA-regulated financial institutions, HIPAA-covered entities, and higher education institutions.

Applicability Thresholds

Conditions are joined by OR: meeting ANY one triggers applicability.

  • 100,000+ Oklahoma consumers' data processed
  • 25,000+ consumers AND 50%+ revenue from data sales

Consumer Rights

Right to Access
Right to Delete
Right to Correct
Data Portability
Opt-Out of Sale
Opt-Out of Targeted Ads
Opt-Out of Profiling
Limit Sensitive Data Use
Right to Appeal
Private Right of Action: No

Key Changes in 2025-2026

  • Law signed March 20, 2026 — businesses have until January 1, 2027 to achieve compliance
  • Oklahoma becomes the 20th state with a comprehensive consumer data privacy law
  • Dark patterns explicitly prohibited — manipulative consent mechanisms are invalid
  • Pseudonymous data receives special treatment: exempt from data minimization rules when identifying information is kept separately and secured
  • Data protection impact assessments required for targeted advertising, data sales, sensitive profiling, and high-risk processing
  • Oklahoma AG is expected to develop enforcement guidance and compliance resources during the 2026 preparation period

Enforcement Details

Enforced By: Oklahoma Attorney General
Penalty Per Violation: $7,500
Cure Period: 30 days
Private Right of Action: No (AG enforcement only)

Sensitive Data Categories

Consent model: opt-in

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic data
  • Biometric data for identification
  • Precise geolocation data
  • Personal data of a known child

Universal Opt-Out / GPC Requirements

No Universal Opt-Out Requirement

The OKCDPA does not require businesses to honor universal opt-out mechanisms. Businesses may voluntarily support GPC and similar signals.

Minor / Child Protections

The OKCDPA requires opt-in consent before processing personal data of known children under 13. For minors aged 13-17, businesses must obtain consent before processing their data for targeted advertising or sale of personal data.

Compliance Checklist

  1. Determine applicability based on Oklahoma consumer data processing volumes and revenue from data sales
  2. Update privacy notices with all required OKCDPA disclosures including categories of data collected and purposes
  3. Implement opt-out mechanisms for data sales, targeted advertising, and profiling
  4. Obtain opt-in consent for processing sensitive personal data including precise geolocation (within 1,750-foot radius)
  5. Conduct data protection impact assessments for targeted advertising, data sales, sensitive profiling, and high-risk processing
  6. Create consumer rights request processes with a 45-day response period and provide at least two submission methods
  7. Establish an appeals process for denied consumer rights requests with a 60-day response requirement
  8. Implement data minimization practices: collect only data adequate, relevant, and reasonably necessary
  9. Audit consent flows to eliminate dark patterns: ensure no manipulative design, hovering, muting, or pausing techniques
  10. Review data sale practices against the OKCDPA's narrow definition: only monetary exchanges qualify as sales

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.