Oklahoma enacts comprehensive data privacy law

Alert

A comprehensive bill strengthening data privacy protections for Oklahomans has been signed into law. Senate Bill 546 (the “Oklahoma Data Privacy Act” or the “Act”) will become effective January 1, 2027. The Act establishes new consumer rights regarding personal data, largely mirroring the rights available to consumers under other US state data privacy laws, and creates clear rules for businesses that collect and process information from Oklahoma residents. Oklahoma’s enactment continues the rapid national momentum in state-level consumer data privacy regulation. In this latest in our series of articles on US State Data Privacy Laws, we summarize the key components of the Oklahoma Data Privacy Act.

To Whom Does the Oklahoma Data Privacy Act Apply?

The Act applies only to a controller or processor who conducts business in Oklahoma or produces a product or service targeted to Oklahoma residents, and who, during a calendar year, either (a) controls or processes personal data of at least 100,000 consumers, or (b) controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

The Act does not apply to state agencies or political subdivisions of the state; financial institutions; data subject to the Gramm-Leach-Bliley Act; covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA); nonprofit organizations; institutions of higher education; or personal data processed in the course of a purely personal or household activity.

Certain categories of data are also exempt from the Act, including protected health information under HIPAA, health records, consumer credit-reporting data regulated by the Fair Credit Reporting Act, personal data collected or processed in compliance with the Driver’s Privacy Protection Act, and personal data regulated by the Family Educational Rights and Privacy Act.

What Rights Does the Oklahoma Data Privacy Act Give to Consumers?

A “consumer” under the Act means an individual who is a resident of Oklahoma acting only in an individual or household context and does not include an individual acting in a commercial or employment context. Oklahoma consumers will gain rights that are largely consistent with other states’ data privacy regimes. Consumers may:

  • confirm whether a controller is processing their personal data and access that personal data;
  • correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing;
  • delete personal data provided by or obtained about the consumer;
  • obtain a copy of their personal data, in a portable and, to the extent technically feasible, readily usable format, where processing is carried out by automated means; and
  • opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

A controller must respond to an authenticated consumer request within 45 days, with the option to extend that period once by an additional 45 days, provided the controller informs the consumer of the extension within the initial 45-day period.

Controllers must establish a process by which consumers may, within a reasonable period of time, appeal the controller’s refusal to act on a request. The appeal process must be conspicuously available and similar to the process for initiating consumer rights requests. If a controller denies an appeal, it must inform the consumer in writing of the reason for its decision within 60 days of receipt of the appeal and provide the consumer with an online mechanism through which the consumer may contact the Oklahoma Attorney General to submit a complaint.

What Obligations Does the Oklahoma Data Privacy Act Impose on Controllers and Processors?

Key Definitions

Under the Oklahoma Data Privacy Act, “personal data” means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data when used in conjunction with additional information that reasonably links the data to an individual. The term does not include de-identified data or publicly available information.

In addition, sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.

Notably, the Act defines the “sale of personal data” as the exchange of personal data for monetary consideration by the controller to a third party. This is narrower than the definition used in California, Connecticut, Nebraska, New Hampshire, Maryland and Minnesota, which also encompasses exchanges for other valuable consideration, such as permitting third parties to track website users for targeted advertising.

Controller Obligations

Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes: the categories of personal data processed (including any sensitive data); the purpose for processing personal data; how consumers may exercise their rights and appeal a controller’s decision; the categories of personal data shared with third parties (if applicable); and the categories of third parties with whom the controller shares personal data (if applicable).

If a controller sells personal data to third parties or processes personal data for targeted advertising, it must clearly and conspicuously disclose this in the privacy notice and provide consumers with the manner in which they may opt out.

Controllers must also:

  • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed, as disclosed to the consumer;
  • establish, implement and maintain reasonable administrative, technical and physical data security practices appropriate to the volume and nature of the personal data at issue;
  • not process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose unless the controller obtains the consumer’s consent;
  • not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;
  • not discriminate against a consumer for exercising any consumer rights under the Act, including by denying goods or services, charging different prices, or providing a different level of quality; and
  • not process the sensitive data of a consumer without obtaining the consumer’s consent, or, in the case of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act (COPPA).

Controllers must conduct and document a data protection assessment for each of the following processing activities:

  • processing personal data for targeted advertising;
  • the sale of personal data;
  • processing personal data for profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact on consumers, financial, physical, or reputational injury, or a privacy intrusion offensive to a reasonable person;
  • processing sensitive data; and
  • any other processing activities that present a heightened risk of harm to consumers.

Controllers must make data protection assessments available to the Oklahoma Attorney General upon written request pursuant to a civil investigation demand.

Unlike a number of other state data privacy laws, the Oklahoma Data Privacy Act does not require controllers to allow consumers to opt out of processing their personal data by using universal opt-out mechanisms (“UOOMs”).

Processor Obligations

Processors must adhere to the instructions of a controller and assist the controller in meeting its obligations under the Act, including assisting with consumer rights requests, ensuring security of personal data processing, supporting breach notification obligations under Oklahoma’s Security Breach Notification Act, and providing information necessary for the controller to conduct data protection assessments.

Contractual Requirements

A contract between a controller and processor must govern the processor’s data processing procedures and must include clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also require the processor to ensure that each person processing personal data is subject to a duty of confidentiality; delete or return all personal data to the controller as requested after the provision of services; make available all information necessary to demonstrate compliance; allow and cooperate with reasonable assessments by the controller; and engage any subcontractor pursuant to a written contract requiring compliance with the processor’s obligations.

Any provision of a contract or agreement that waives or limits a consumer right under the Act is contrary to public policy and shall be void and unenforceable.

Enforcement

The Oklahoma Attorney General has exclusive authority to enforce the provisions of the Act. The Act does not provide a basis for a private right of action.

Before bringing an enforcement action, the Attorney General must notify the controller or processor in writing of the specific provisions it alleges have been violated. The Attorney General may not bring an action if, within 30 days of that notice, the controller or processor cures the identified violation and provides the Attorney General a written statement that it has cured the violation, with supporting documentation, and represents that no further violations will occur.

A controller or processor that violates the Act following the cure period, or that breaches a written statement provided to the Attorney General, is liable for a civil penalty not to exceed $7,500 per violation. The Attorney General may bring an action to recover a civil penalty, seek injunctive relief, or pursue both. The court may also award reasonable attorney’s fees and other expenses incurred in investigating and bringing an action.

Notably, the 30-day cure period is a permanent feature of the Act and is not scheduled for sunset. This is consistent with the approach taken by Kentucky and Nebraska but contrasts with laws like New Hampshire’s, which phase out automatic cure rights after an initial period.

Key Aspects of the Oklahoma Data Privacy Act

Narrower Definition of “Sale” of Personal Data.

The Act limits the definition of “sale of personal data” to exchanges of personal data for monetary consideration by the controller to a third party. Unlike California, Connecticut, Nebraska, New Hampshire, Maryland, and Minnesota, Oklahoma’s definition does not extend to exchanges for “other valuable consideration.” This distinction is operationally significant for businesses whose data-sharing arrangements with advertising technology partners or data brokers may not involve direct monetary compensation but may still qualify as a “sale” under broader state regimes.

No Requirement to Honor Universal Opt-Out Mechanisms.

The Oklahoma Data Privacy Act does not require controllers to recognize universal opt-out mechanisms (“UOOMs”). Businesses that have implemented UOOM-compatible infrastructure to comply with other states’ laws should note that Oklahoma does not mandate this functionality, though deploying it voluntarily may support a consistent, multi-state compliance posture.

Permanent 30-Day Cure Provision.

The Act affords controllers and processors a 30-day period to cure noticed violations before the Attorney General may initiate enforcement. This cure right is not time-limited and will remain available after the law’s effective date, providing businesses with an additional runway to remediate compliance gaps, but only where the controller or processor cures the violation within that period, documents the cure, and commits in writing that no further violations will occur.

Consent Required for Sensitive Data Processing.

Controllers may not process a consumer’s sensitive data without first obtaining the consumer’s consent, or, in the case of a known child, without complying with COPPA. Businesses processing categories such as biometric data, geolocation data, health diagnosis information, or data collected from children must review and update their consent mechanisms accordingly.

Data Protection Assessment Obligations.

Controllers must document data protection assessments for targeted advertising, the sale of personal data, processing of sensitive data, profiling that presents a heightened risk, and other high-risk processing activities. Notably, a data protection assessment conducted by a controller for purposes of compliance with other laws or regulations may constitute compliance with this requirement if the assessment has a reasonably comparable scope and effect. Businesses with existing assessment programs under laws such as GDPR or the California Consumer Privacy Act may be able to leverage those assessments for Oklahoma compliance purposes.

No Private Right of Action.

The Act expressly provides that it shall not be construed as providing a basis for a private right of action for a violation of the Act or any other provision of law. Enforcement is exclusively vested in the Attorney General, limiting litigation exposure to businesses but underscoring the importance of proactive regulatory compliance.

Contractual Waiver of Consumer Rights Is Void.

Any contractual provision that purports to waive or limit a consumer’s rights under the Act is contrary to public policy and shall be void and unenforceable. Businesses should review their existing consumer-facing agreements and terms of service to identify and remove any provisions that could be read to limit consumer rights under the Act.


© 2026 White & Case LLP
