On March 20, 2026, Governor Kevin Stitt signed SB 546 into law, making Oklahoma the 21st state to enact comprehensive consumer privacy legislation. The Oklahoma Consumer Data Privacy Act (OKCDPA) takes effect on January 1, 2027, and gives Oklahoma residents meaningful new rights over how businesses collect, use, and sell their personal data. Here's everything you need to know.
What Is the Oklahoma Consumer Data Privacy Act?
The OKCDPA is a comprehensive state privacy law modeled closely after the Virginia Consumer Data Protection Act and Connecticut's data privacy statute. It establishes a framework of consumer rights and business obligations designed to give Oklahoma residents more control over their personal information in the digital economy.
The law applies to businesses that conduct business in Oklahoma or produce products or services targeted at Oklahoma residents, and that meet at least one of the following thresholds:
- Process the personal data of 100,000 or more Oklahoma consumers during a calendar year, or
- Derive more than 50% of gross revenue from the sale of personal data and process the data of at least 25,000 Oklahoma consumers
This means the law primarily targets mid-to-large businesses and data brokers rather than small local companies. However, many of the businesses that hold the most personal data about you — people search sites, advertising networks, major retailers — will fall squarely within these thresholds.
Your Rights Under the OKCDPA
Starting January 1, 2027, Oklahoma consumers will have the following rights regarding their personal data:
- Right to access: You can confirm whether a business is processing your personal data and request a copy of that data.
- Right to correct: You can request that inaccurate personal data be corrected.
- Right to delete: You can request that a business delete personal data it has collected about you.
- Right to data portability: You can obtain a copy of your personal data in a portable, readily usable format.
- Right to opt out: You can opt out of the processing of your personal data for targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.
Businesses must respond to consumer requests within 45 days, with the option to extend by an additional 45 days if reasonably necessary. If a business denies your request, you have the right to appeal, and the business must provide instructions on how to do so.
When Does the OKCDPA Take Effect?
The Oklahoma Consumer Data Privacy Act was signed into law on March 20, 2026, but it does not take effect until January 1, 2027. Until that date, the rights described in this guide cannot be formally enforced. However, many national businesses already comply with similar laws in other states and may honor Oklahoma requests voluntarily before the effective date.
What Data Is Covered?
The OKCDPA covers personal data, defined broadly as any information that is linked or reasonably linkable to an identified or identifiable individual. This includes names, addresses, phone numbers, email addresses, browsing history, purchase history, geolocation data, and much more.
The law distinguishes between regular personal data and sensitive data, which includes:
- Racial or ethnic origin
- Religious beliefs
- Health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data used for identification
- Personal data of known children
- Precise geolocation data
Businesses must obtain explicit consent before processing sensitive data. This is a higher standard than what applies to regular personal data, where businesses can process data as long as they provide adequate notice and honor opt-out requests.
Important Scope Limitations
The OKCDPA only applies to data processed in an individual or household context. It does not cover data processed in a commercial, employment, or job applicant context. So your employer's HR files and your business-to-business interactions fall outside the law's protections.
Who Is Exempt?
Like most state privacy laws, the OKCDPA carves out several categories of organizations and data types:
- Financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA)
- Healthcare entities covered by HIPAA
- Nonprofit organizations
- Institutions of higher education
- Data governed by federal laws like FERPA, FCRA, COPPA, and the Driver's Privacy Protection Act
These exemptions mean that your bank, your doctor's office, and your university are generally not subject to the OKCDPA — though they remain bound by the federal laws that already regulate their data practices.
No Private Right of Action
The OKCDPA does not allow individuals to sue businesses for privacy violations. Enforcement rests exclusively with the Oklahoma Attorney General. If a business violates your rights, your recourse is to file a complaint with the AG's office — not to take the company to court yourself. This makes it especially important to exercise your rights proactively and document any denials or failures to respond.
Enforcement and the Right to Cure
The Oklahoma Attorney General has exclusive enforcement authority under the OKCDPA. Before taking enforcement action, the AG must provide a business with a 30-day right-to-cure period, giving the company an opportunity to fix the violation and provide a written statement that the issue has been resolved and won't recur.
If the business fails to cure the violation within 30 days, the Attorney General can pursue civil penalties. This cure period is common in first-generation state privacy laws, though some states have started removing or narrowing it in more recent legislation.
How the OKCDPA Compares to Other State Laws
Oklahoma's law follows the Virginia/Connecticut model, which is generally considered more business-friendly than California's CCPA/CPRA framework. Key differences from California's approach include:
- No private right of action (California allows limited private lawsuits for data breaches)
- No dedicated privacy enforcement agency (California has the CPPA)
- A mandatory cure period before enforcement (California eliminated its cure period)
- Higher thresholds for applicability (California's thresholds are lower)
That said, the OKCDPA still represents a meaningful step forward for Oklahoma residents who previously had no comprehensive state privacy protections.
Protecting Your Privacy in Oklahoma Today
You don't have to wait until January 2027 to start protecting your personal data. Data brokers and people search sites are already publishing the names, addresses, phone numbers, and family details of millions of Oklahoma residents — and these sites are often not covered by the OKCDPA's exemptions.
Here's what you can do right now:
- Search for yourself online. Google your name along with your city or phone number. Check major people search sites like Spokeo, Whitepages, BeenVerified, and TruePeopleSearch to see what's publicly available.
- Submit opt-out requests. Each data broker has its own removal process. You'll need to visit each site individually, locate your listing, and follow their specific opt-out procedure.
- Monitor for re-listings. Data brokers regularly refresh their databases from public records and upstream aggregators. Your information will reappear unless you monitor and re-submit removal requests on an ongoing basis.
- Use a removal service. PrivacyOn monitors over 100 data broker sites, submits opt-out requests on your behalf, and continuously checks for re-listings. For Oklahoma residents dealing with dozens of brokers, this is the most practical way to maintain long-term privacy.
Looking Ahead
The OKCDPA marks an important milestone for digital privacy in Oklahoma, but the law is just one piece of the puzzle. Comprehensive data privacy requires both exercising your legal rights and taking proactive steps to reduce your digital footprint. As the January 2027 effective date approaches, Oklahoma residents should familiarize themselves with the law's provisions and start taking control of their personal data now — before the protections officially kick in.