Oklahoma Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Oklahoma takes a sector-specific approach to data privacy rather than relying on a single comprehensive privacy statute. The state protects personal information through its Security Breach Notification Act, the Oklahoma Computer Crimes Act, insurance data security requirements, and student data privacy protections.
As of March 2026, Oklahoma is on the verge of joining the growing number of states with comprehensive consumer data privacy legislation. Senate Bill 546 passed the Oklahoma House on an 84-4 vote in February 2026 and awaits final Senate concurrence before heading to Governor Stitt's desk.
Until that law takes effect, Oklahoma residents and businesses must navigate a patchwork of existing state and federal protections. This guide covers every major Oklahoma data privacy law currently in force.
Oklahoma Security Breach Notification Act (24 O.S. §§ 161-166)
The Security Breach Notification Act is Oklahoma's primary data breach law. Originally enacted in 2006, the legislature substantially updated it through Senate Bill 626, signed into law on May 28, 2025, with all amendments taking effect January 1, 2026.

The act applies to any individual or entity that owns or licenses computerized data containing personal information about Oklahoma residents.
What Qualifies as Personal Information
Under 24 O.S. § 162, personal information means a resident's first name or first initial and last name combined with one or more of the following unencrypted data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number combined with any required security code, access code, or password
- Government-issued unique identification numbers such as passport numbers
- Electronic identifiers or credentials that permit access to financial accounts, including routing codes combined with passwords or access codes
- Biometric data, including fingerprints, retina scans, and iris scans
- Medical information and health insurance information
The 2026 amendments significantly expanded this definition. Before SB 626, the law only covered Social Security numbers, driver's license numbers, and financial account numbers. The addition of biometric data, medical information, and electronic credentials reflects the evolving landscape of digital identity theft.
Personal information does not include data lawfully obtained from publicly available sources or from federal, state, or local government records made available to the general public.
What Triggers the Notification Requirement
A "breach of the security of a system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information.
Two important qualifiers apply. First, good-faith acquisition of personal information by an employee or agent of the entity does not constitute a breach, provided the information is not used or subject to further unauthorized disclosure. Second, encrypted data is excluded from the notification requirement unless the encryption key was also compromised.
Notification Requirements and Timeline
Under 24 O.S. § 163, entities must provide notice without unreasonable delay after discovering a breach. The law permits a reasonable delay only when necessary to:
- Determine the scope of the breach
- Restore the integrity of the system
- Cooperate with law enforcement investigations
Individual notice must be provided to each affected Oklahoma resident. The notice must include the date of the breach, a description of the personal information involved, and steps the individual can take to protect themselves.
Attorney General Notification
SB 626 introduced a new requirement for Attorney General notification. If a breach affects 500 or more Oklahoma residents, the entity must notify the Oklahoma Attorney General within 60 days after individual notifications are mailed.
The AG notification must include:
- The date of the breach
- The date the breach was determined to have occurred
- The nature of the breach
- The types of personal information exposed or stolen
- The number of Oklahoma residents affected
- A description of reasonable safeguards in place at the time of the breach
Substitute Notice
An entity that maintains its own notification procedures as part of an information privacy or security policy may follow those procedures instead, provided they are consistent with the timing requirements of the act.
Financial institutions that comply with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice are deemed to be in compliance with the act. Entities that follow notification procedures established by their primary or functional federal regulator also satisfy the state requirements.
Penalties and Enforcement
The Oklahoma Attorney General or a district attorney may bring an action to enforce the act. Remedies include actual damages and a civil penalty of up to $150,000 per breach or series of similar breaches discovered in a single investigation.
A critical addition from SB 626 is the reasonable safeguards affirmative defense. Entities that demonstrate they had implemented reasonable security safeguards at the time of the breach can reduce the maximum penalty from $150,000 to $75,000 per breach.
Reasonable safeguards are defined as security measures appropriate to the entity's size and data profile, including:
- Regular risk assessments
- Layered technical and physical defenses
- Employee training programs
- A documented incident response plan
Oklahoma Computer Crimes Act (21 O.S. §§ 1951-1958)
The Oklahoma Computer Crimes Act addresses criminal conduct involving computers, computer systems, and data. This law protects Oklahoma residents by criminalizing unauthorized access to systems that may contain personal information.
Prohibited Acts Under 21 O.S. § 1953
Under 21 O.S. § 1953, it is unlawful to willfully and without authorization:
- Gain or attempt to gain access to a computer, computer system, or computer network to damage, modify, alter, delete, or destroy data
- Gain or attempt to gain access to copy or make use of data
- Use a computer or network to devise or execute a scheme to defraud
- Gain access to a computer system to obtain money, property, or services by false or fraudulent pretenses
- Disrupt computer services to the public
- Use or install malicious computer programs (malware, viruses, ransomware)
- Destroy or alter computer equipment used in law enforcement
- Use a computer to threaten, intimidate, or harass
- Use a computer to engage in identity theft
- Gain unauthorized access to government computer systems
- Intercept electronic communications without authorization
The law was last significantly amended by House Bill 1759, effective November 1, 2021, which updated provisions to address modern cybercrime methods.
Criminal Penalties Under 21 O.S. § 1955
The Computer Crimes Act distinguishes between felony and misdemeanor offenses based on the specific prohibited act:
Felony violations (paragraphs 1, 2, 3, 6, 7, 9, 10, and 11 of § 1953) carry:
- A fine of not less than $5,000 and not more than $100,000
- Imprisonment in the State Penitentiary for up to 10 years
- Or both fine and imprisonment
Misdemeanor violations (paragraphs 4, 5, and 8 of § 1953) carry:
- A fine of not more than $5,000
- Imprisonment in the county jail for up to 30 days
- Or both fine and imprisonment
Civil Remedies
In addition to criminal penalties, the Computer Crimes Act provides for civil actions. Victims of computer crimes may pursue civil remedies for damages resulting from unauthorized access, data theft, or system disruption.
Oklahoma Consumer Protection and Privacy
Consumer Protection Act
The Oklahoma Consumer Protection Unit within the Attorney General's office enforces state and federal laws protecting consumers against deceptive, unfair, and fraudulent business practices. While this is not a data privacy law specifically, it provides a framework for enforcement when businesses mishandle consumer data in deceptive ways.
The Consumer Protection Act (15 O.S. §§ 751-765) prohibits deceptive trade practices, which can include misleading privacy policies or failure to honor data protection commitments made to consumers. The Attorney General can bring enforcement actions and recover reasonable expenses, including attorney fees, court costs, and investigatory costs.
Identity Theft Protections
Oklahoma criminalizes identity theft under 21 O.S. § 1533.1, which makes it a felony to fraudulently obtain or use another person's personal identifying information. This statute works alongside the Computer Crimes Act to address digital identity crimes.
The prosecution window for identity theft cases extends to five years after the discovery of the crime under 21 O.S. §§ 1531-1533.3, giving law enforcement additional time to investigate complex data theft operations.
Oklahoma Insurance Data Security Act (36 O.S. §§ 670-679)
Enacted in 2024, the Insurance Data Security Act establishes cybersecurity standards for insurers, producers, and other licensees regulated by the Oklahoma Insurance Commissioner.
Key requirements include:
- Information Security Program: Non-exempt licensees must develop, implement, and maintain a comprehensive information security program
- Cybersecurity Event Notification: Licensees must notify the Oklahoma Insurance Commissioner within three business days of determining a cybersecurity event has occurred, when the event has a reasonable likelihood of materially harming operations or involves nonpublic information affecting 250 or more Oklahoma consumers
- Investigation and Record Retention: Licensees must promptly investigate cybersecurity events and maintain records for at least five years
- Risk Assessments: Regular risk assessments are required to identify threats and vulnerabilities
Exemptions: Licensees with less than $5 million in gross annual revenue are exempt. Entities already compliant with HIPAA or the Gramm-Leach-Bliley Act's Title V information security requirements are not required to comply with certain provisions.
The compliance timeline requires licensees to meet core requirements within one year of the effective date (by July 1, 2025) and full compliance with access controls and authentication measures within two years (by July 1, 2026).
Student Data Privacy Protections
Oklahoma protects student data through both federal compliance and state-specific provisions. Under 74 O.S. § 3106.4, the state requires compliance with the Family Educational Rights and Privacy Act (FERPA).
The Oklahoma State Department of Education enforces additional protections that:
- Restrict data access to individuals whose assigned duties require it
- Limit the transfer of student data across state lines
- Require development of a security plan and regular security audits
- Bind vendors to comply with privacy and security provisions
- Establish transparency with oversight by the State Board of Education, legislature, and governor
Oklahoma also enacted the Parent Data Sovereignty Act of 2026, which provides that all personally identifiable educational data relating to a minor child is the property of the parent until the student reaches eighteen years of age.
Federal Privacy Laws That Apply in Oklahoma
Because Oklahoma does not yet have a comprehensive consumer data privacy law, federal statutes provide much of the baseline privacy protection for state residents.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses operating in Oklahoma. The Oklahoma State Department of Health is subject to HIPAA's Privacy Rule and Security Rule requirements.
Under 63 O.S. § 1-502.2, Oklahoma state law makes it unlawful for a covered entity to use or disclose protected health information except as authorized under HIPAA. This effectively incorporates the federal standard into state law.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions operating in Oklahoma to explain their information-sharing practices to customers and to safeguard sensitive data. Oklahoma's Insurance Data Security Act explicitly recognizes GLBA compliance as satisfying certain state requirements.
Children's Online Privacy Protection Act (COPPA)
COPPA applies to websites and online services directed at children under 13 or that knowingly collect personal information from children under 13. Oklahoma businesses operating online platforms must comply with COPPA's parental consent and data minimization requirements.
Federal Trade Commission Act (Section 5)
The FTC Act's prohibition on unfair or deceptive trade practices serves as a de facto federal privacy law. The FTC has brought enforcement actions against companies for failing to protect consumer data, violating their own privacy policies, or engaging in deceptive data collection practices.
Pending Comprehensive Privacy Law: Senate Bill 546
Oklahoma's most significant pending privacy legislation is Senate Bill 546, which would establish the state's first comprehensive consumer data privacy framework.
Current Status
The Oklahoma House approved final passage of SB 546 on February 19, 2026, with an 84-4 vote. The bill now requires concurrence from the Senate, which passed a different version in 2025 that carried over to the 2026 legislative session. State Representative Josh West, the bill's primary House sponsor, has expressed confidence that the bill will receive Senate concurrence and the governor's signature.
If enacted, SB 546 would take effect on January 1, 2027.
Who Must Comply
SB 546 would apply to businesses that:
- Control or process the personal data of at least 100,000 Oklahoma consumers, OR
- Control or process the personal data of at least 25,000 consumers while deriving at least 50% of gross revenue from the sale of personal data
Consumer Rights Under SB 546
The bill would grant Oklahoma consumers the following rights:
- Right to Know: Access the personal data a controller has collected about them
- Right to Delete: Request deletion of personal data
- Right to Correct: Request correction of inaccurate personal data
- Right to Data Portability: Obtain their personal data in a portable format
- Right to Opt Out: Opt out of the sale of personal data, targeted advertising, and profiling
Parents and legal guardians may exercise these rights on behalf of children.
Controller Obligations
Data controllers under SB 546 must:
- Respond to consumer requests within 45 days, with one possible 45-day extension
- Provide a clear and accessible privacy notice disclosing categories of personal data processed
- Clearly disclose if personal data is sold to third parties or processed for targeted advertising
- Implement reasonable data security practices
Enforcement
SB 546 would be enforced exclusively by the Oklahoma Attorney General. There is no private right of action. The AG can recover reasonable expenses including attorney fees, court costs, and investigatory costs.
Practical Compliance Steps for Oklahoma Businesses
Given Oklahoma's evolving privacy landscape, businesses should take the following steps to prepare for compliance:
Immediate Requirements (Now in Effect):
- Review and update data breach response plans to comply with the amended Security Breach Notification Act
- Implement reasonable security safeguards to qualify for the affirmative defense
- Identify all data types that now qualify as personal information under the expanded SB 626 definitions
- Establish a process for notifying the Attorney General within 60 days when breaches affect 500 or more residents
Prepare for SB 546 (Projected Effective Date: January 1, 2027):
- Conduct a data inventory to determine what personal data you collect and process
- Draft or update your privacy notice to meet the bill's disclosure requirements
- Build systems to handle consumer rights requests within the 45-day response window
- Evaluate whether you meet the applicability thresholds
Ongoing Best Practices:
- Conduct regular risk assessments
- Train employees on data handling and breach recognition
- Maintain incident response documentation
- Monitor Oklahoma legislative activity for additional privacy requirements
Sources and References
- Oklahoma Security Breach Notification Act - SB 626 Enrolled
- 24 O.S. § 162 - Definitions
- 24 O.S. § 163 - Duty to Provide Notice of Breach
- Oklahoma Computer Crimes Act - Title 21
- 21 O.S. § 1953 - Prohibited Acts
- 21 O.S. § 1955 - Penalties and Civil Actions
- Oklahoma Insurance Data Security Act
- Oklahoma Attorney General Consumer Protection Unit
- Oklahoma Student Data Privacy and Security
- Senate Bill 546 - Comprehensive Privacy Legislation
- NCSL Security Breach Notification Laws
- Oklahoma State Government Privacy Policy
- SB 626 Bill Information (oklegislature.gov)
- Oklahoma Insurance Department Cybersecurity Bulletin (oid.ok.gov)
- Oklahoma HIPAA Privacy Notice (oklahoma.gov)