Oklahoma Data Privacy Laws: OKCDPA, Breach Notification & Consumer Rights (2026)

Oklahoma governs consumer data privacy through two main laws: the Oklahoma Consumer Data Privacy Act (SB 546), signed March 20, 2026 and effective January 1, 2027, and the Security Breach Notification Act (24 O.S. §§ 161-166). The OKCDPA grants residents rights to access, correct, delete, and opt out of data sales, with enforcement by the Attorney General.
Oklahoma took a significant step in 2026 by enacting its first comprehensive consumer data privacy law. Governor Kevin Stitt signed Senate Bill 546 on March 20, 2026, creating the Oklahoma Consumer Data Privacy Act (OKCDPA), which takes effect on January 1, 2027. Oklahoma becomes the 21st state to enact a comprehensive consumer privacy framework.
Until the OKCDPA takes effect, Oklahoma residents and businesses rely on a layered framework of state and federal protections. The Security Breach Notification Act (24 O.S. §§ 161-166), substantially strengthened by SB 626 effective January 1, 2026, governs how businesses must respond to data breaches. The Oklahoma Computer Crimes Act (21 O.S. §§ 1951-1958) addresses criminal conduct involving computers and data. The Insurance Data Security Act (36 O.S. §§ 670-679), enacted in 2024, imposes cybersecurity standards on the insurance sector.
Federal law fills much of the remaining gap. HIPAA, GLBA, COPPA, the FTC Act, and the newly enforced TAKE IT DOWN Act all apply to Oklahoma businesses and residents. This guide covers each of these frameworks in turn and explains what the OKCDPA will require beginning in 2027.
This article covers data privacy laws as they apply in Oklahoma. For Oklahoma's recording consent rules, see Oklahoma Recording Laws.
Oklahoma Consumer Data Privacy Act (SB 546, Effective January 1, 2027)
Oklahoma enacted comprehensive consumer privacy legislation when Governor Stitt signed Senate Bill 546 on March 20, 2026. The law was authored in the House by Majority Floor Leader Josh West (R-Grove) and in the Senate by Sen. Brent Howard (R-Altus). It takes effect January 1, 2027.

Who Must Comply
The OKCDPA applies to controllers and processors that conduct business in Oklahoma or produce products or services targeted to Oklahoma residents, and that during a calendar year either:
- Control or process the personal data of at least 100,000 Oklahoma consumers, OR
- Control or process the personal data of at least 25,000 Oklahoma consumers while deriving more than 50% of gross revenue from the sale of personal data
The law applies only in individual and household contexts. Employment and commercial contexts are excluded.
Exemptions
The following are exempt from the OKCDPA:
- State agencies and political subdivisions
- Nonprofit organizations
- Institutions of higher education
- Covered entities and business associates subject to HIPAA
- Financial institutions and data subject to GLBA
- Consumer reporting agencies and data subject to FCRA
- Data subject to FERPA and the Driver's Privacy Protection Act
Consumer Rights
Oklahoma residents have five primary rights under the OKCDPA once it takes effect:
- Right to confirm and access: Confirm whether a controller is processing personal data about them and obtain a copy of that data
- Right to correct: Request correction of inaccurate personal data
- Right to delete: Request deletion of personal data the controller holds
- Right to data portability: Obtain a portable copy of personal data in a format that allows transfer to another controller
- Right to opt out: Opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
Controllers must respond to consumer requests within 45 days. One 45-day extension is permitted for complex requests. Consumers may appeal a denied request, and controllers must provide a mechanism for that appeal.
Sensitive Data
Controllers must obtain the consumer's consent before processing sensitive personal data. The OKCDPA defines sensitive data as personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed to uniquely identify an individual
- Personal data collected from a known child
- Precise geolocation data
The biometric data definition excludes physical or digital photographs and video recordings unless the data is specifically generated for the purpose of identifying an individual.
Controller and Processor Obligations
Controllers must implement reasonable data security practices, provide a clear and accessible privacy notice, conduct data protection assessments for high-risk activities (including targeted advertising, data sales, certain profiling, and sensitive data processing), and establish contracts with processors governing data processing activities.
Processors must assist controllers in meeting consumer rights obligations, maintain appropriate security safeguards, and include required contractual provisions in their agreements with controllers.
The law does not require recognition of universal opt-out preference signals such as the Global Privacy Control.
Enforcement and Penalties
The Oklahoma Attorney General has exclusive enforcement authority. There is no private right of action under the OKCDPA.
Before initiating an enforcement action, the AG must provide the alleged violator a written notice and a permanent 30-day right to cure the identified violation. This cure period does not sunset, distinguishing Oklahoma from states such as Connecticut and Colorado where cure periods expire.
Civil penalties reach up to $7,500 per violation. The AG maintains a public complaint mechanism for consumers.

Oklahoma Security Breach Notification Act (24 O.S. §§ 161-166)
The Security Breach Notification Act is Oklahoma's primary breach response law. Originally enacted in 2006, the legislature substantially updated it through Senate Bill 626, signed May 28, 2025, with all amendments effective January 1, 2026.
The act applies to any individual or entity that owns or licenses computerized data containing personal information about Oklahoma residents.
What Qualifies as Personal Information
Personal information means a resident's first name or first initial and last name combined with one or more of the following unencrypted data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number combined with any required security code, access code, or password
- Government-issued unique identification numbers such as passport numbers
- Electronic identifiers or credentials that permit access to financial accounts, including routing codes combined with passwords or access codes
- Biometric data, including fingerprints, retina scans, and iris scans
- Medical information and health insurance information
The 2026 amendments expanded this definition significantly. Before SB 626, the law covered only Social Security numbers, driver's license numbers, and financial account numbers. The addition of biometric data, medical information, and electronic credentials reflects the evolving landscape of digital identity theft.
Personal information does not include data lawfully obtained from publicly available sources or from federal, state, or local government records made available to the general public.
What Triggers the Notification Requirement
A breach of the security of a system means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information.
Two qualifiers apply. First, good-faith acquisition of personal information by an employee or agent of the entity does not constitute a breach, provided the information is not used or subject to further unauthorized disclosure. Second, encrypted data is excluded from the notification requirement unless the encryption key was also compromised.
Notification Requirements and Timeline
Under the act, entities must provide notice without unreasonable delay after discovering a breach. The law permits a reasonable delay only when necessary to determine the scope of the breach, restore system integrity, or cooperate with a law enforcement investigation.
Individual notice must be provided to each affected Oklahoma resident. The notice must include the date of the breach, a description of the personal information involved, and steps the individual can take to protect themselves.
Attorney General Notification
SB 626 introduced an AG notification requirement. If a breach affects 500 or more Oklahoma residents, the entity must notify the Oklahoma Attorney General within 60 days after individual notifications are mailed.
The AG notification must include the date of the breach, the date the breach was determined to have occurred, the nature of the breach, the types of personal information exposed, the number of Oklahoma residents affected, and a description of reasonable safeguards in place at the time of the breach.
Substitute Notice
An entity that maintains its own notification procedures as part of an information privacy or security policy may follow those procedures instead, provided they are consistent with the timing requirements of the act. Financial institutions that comply with Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information satisfy the state requirements.
Penalties and Enforcement
The Oklahoma Attorney General or a district attorney may enforce violations. Penalties include actual damages and a civil penalty of up to $150,000 per breach or series of similar breaches discovered in a single investigation.
A key feature of SB 626 is the reasonable safeguards affirmative defense. Entities that demonstrate they had implemented reasonable security safeguards at the time of the breach can reduce the maximum penalty from $150,000 to $75,000 per breach. Reasonable safeguards include regular risk assessments, layered technical and physical defenses, employee training programs, and a documented incident response plan.

Oklahoma Computer Crimes Act (21 O.S. §§ 1951-1958)
The Oklahoma Computer Crimes Act addresses criminal conduct involving computers, computer systems, and data. It was last significantly amended by House Bill 1759, effective November 1, 2021, which updated provisions to address modern cybercrime methods.
Prohibited Acts
Under 21 O.S. § 1953, it is unlawful to willfully and without authorization:
- Gain or attempt to gain access to a computer system to damage, modify, alter, delete, or destroy data
- Gain or attempt to gain access to copy or make use of data
- Use a computer or network to devise or execute a scheme to defraud
- Gain access to a computer system to obtain money, property, or services by false or fraudulent pretenses
- Disrupt computer services to the public
- Use or install malicious computer programs (malware, viruses, ransomware)
- Destroy or alter computer equipment used in law enforcement
- Use a computer to threaten, intimidate, or harass
- Use a computer to engage in identity theft
- Gain unauthorized access to government computer systems
- Intercept electronic communications without authorization
Criminal Penalties
The act distinguishes between felony and misdemeanor offenses based on the specific prohibited act.
Felony violations (paragraphs 1, 2, 3, 6, 7, 9, 10, and 11 of § 1953) carry:
- A fine of not less than $5,000 and not more than $100,000
- Imprisonment in the State Penitentiary for up to 10 years
- Or both fine and imprisonment
Misdemeanor violations (paragraphs 4, 5, and 8 of § 1953) carry:
- A fine of not more than $5,000
- Imprisonment in the county jail for up to 30 days
- Or both fine and imprisonment
Civil Remedies
In addition to criminal penalties, the act provides for civil actions. Victims of computer crimes may pursue civil remedies for damages resulting from unauthorized access, data theft, or system disruption.
Oklahoma Insurance Data Security Act (36 O.S. §§ 670-679)
Enacted in 2024, the Insurance Data Security Act establishes cybersecurity standards for insurers, insurance producers, and other licensees regulated by the Oklahoma Insurance Commissioner.
Key Requirements
Non-exempt licensees must develop, implement, and maintain a comprehensive information security program appropriate to the size and complexity of their operations. Specific requirements include:
- Information Security Program: A written program with administrative, technical, and physical safeguards for nonpublic information
- Risk Assessments: Annual assessments to identify threats and evaluate the sufficiency of current safeguards
- Cybersecurity Event Notification: Licensees must notify the Oklahoma Insurance Commissioner within three business days of determining a cybersecurity event has occurred, when the event materially harms operations or involves nonpublic information affecting 250 or more Oklahoma consumers
- Record Retention: Incident records must be maintained for at least five years
- Annual Attestation: Oklahoma domestic insurers must file a Data Security Attestation form with the Oklahoma Insurance Department by April 15 each year (the first deadline was July 1, 2025)
Exemptions
Licensees with less than $5 million in gross annual revenue are exempt. Entities already compliant with HIPAA or GLBA's Title V information security requirements are not required to comply with certain provisions.
Compliance Timeline
The act took effect July 1, 2024. Licensees had one year to come into compliance with most requirements (primary deadline: July 1, 2025). Compliance with the access controls and authentication provisions of 36 O.S. § 673(F) was required within two years of the effective date (July 1, 2026).

Consumer Protection and Privacy Enforcement
AG Drummond and Consumer Protection
The Oklahoma Attorney General Consumer Protection Unit enforces state and federal laws protecting consumers against deceptive, unfair, and fraudulent business practices. The Consumer Protection Act (15 O.S. §§ 751-765) prohibits deceptive trade practices, which can include misleading privacy policies or failure to honor data protection commitments made to consumers.
In May 2026, AG Gentner Drummond filed suit against Temu in Cleveland County District Court under the Oklahoma Consumer Protection Act, alleging the Chinese e-commerce platform secretly harvested users' precise location, microphone, camera, and private app activity without knowledge or consent and transmitted that data to entities tied to the Chinese Communist Party. The lawsuit seeks an injunction, civil penalties, restitution, and disgorgement.
Identity Theft Protections
Oklahoma criminalizes identity theft under 21 O.S. § 1533.1, which makes it a felony to fraudulently obtain or use another person's personal identifying information. The prosecution window extends to five years after the discovery of the crime under 21 O.S. §§ 1531-1533.3, giving investigators additional time to pursue complex data theft operations.
Student Data Privacy
Student Data Accessibility, Transparency and Accountability Act
The Student Data Accessibility, Transparency and Accountability Act (70 O.S. § 3-168), enacted in 2013, establishes foundational protections for student data maintained by the Oklahoma State Department of Education. It restricts data access to individuals whose assigned duties require it, limits transfer of student data across state lines, requires a security plan and regular audits, and binds vendors through contractual privacy and security provisions.
FERPA Compliance
Oklahoma schools must comply with the Family Educational Rights and Privacy Act (FERPA), which restricts disclosure of student education records and grants parents inspection and amendment rights. The Oklahoma State Department of Education oversees compliance and maintains additional data access and vendor management standards.
Federal Privacy Laws That Apply in Oklahoma
Because the OKCDPA does not take effect until January 1, 2027, federal statutes provide much of the current baseline privacy protection for Oklahoma residents.
TAKE IT DOWN Act (Pub. L. 119-12)
The TAKE IT DOWN Act, signed May 19, 2025, creates a federal right requiring covered online platforms to remove nonconsensual intimate images (NCII), including AI-generated deepfakes, within 48 hours of a valid removal request. The platform must also make reasonable efforts to identify and remove known identical copies.
The FTC began enforcing the Act's platform obligations on May 19, 2026. Covered platforms that fail to maintain a functioning notice-and-removal process face civil penalties of more than $53,000 per violation. FTC Chairman Andrew Ferguson sent compliance reminder letters to major platforms including Alphabet, Amazon, Apple, Meta, Microsoft, Snapchat, TikTok, and X in advance of the enforcement deadline.
For Oklahoma residents, the Act provides a direct federal remedy for the distribution of intimate images without consent, a gap that no Oklahoma-specific state statute fully addressed.
HIPAA
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses operating in Oklahoma. Under 63 O.S. § 1-502.2, Oklahoma law makes it unlawful for a covered entity to use or disclose protected health information except as authorized under HIPAA, effectively incorporating the federal standard. The Oklahoma State Department of Health is itself subject to HIPAA's Privacy Rule and Security Rule requirements.

Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions operating in Oklahoma to explain their information-sharing practices to customers and to safeguard sensitive data. Oklahoma's Insurance Data Security Act explicitly recognizes GLBA compliance as satisfying certain state requirements. The OKCDPA similarly exempts financial institutions covered by GLBA.
Children's Online Privacy Protection Act (COPPA)
COPPA applies to websites and online services directed at children under 13 or that knowingly collect personal information from children under 13. Oklahoma businesses operating online platforms must comply with COPPA's parental consent and data minimization requirements. Under the OKCDPA, controllers may satisfy the parental consent requirement for children's sensitive data by complying with COPPA.
FTC Act Section 5
The FTC Act's prohibition on unfair or deceptive trade practices functions as a de facto federal privacy law. The FTC has brought enforcement actions against companies for failing to protect consumer data, violating their own privacy policies, and engaging in deceptive data collection practices. Oklahoma AG Drummond's Temu lawsuit mirrors this theory at the state level.
Fair Credit Reporting Act (FCRA)
The FCRA governs how consumer reporting agencies collect, use, and disclose consumer credit information. The OKCDPA exempts data subject to the FCRA from its requirements. Oklahoma consumers who believe a credit reporting agency has mishandled their information may file complaints with the Consumer Financial Protection Bureau.
Practical Compliance Steps for Oklahoma Businesses
Current Requirements (Now in Effect)
- Review and update data breach response plans to reflect the amended Security Breach Notification Act definitions under SB 626
- Implement reasonable security safeguards to qualify for the affirmative defense under 24 O.S. § 163
- Confirm that all personal information categories added by SB 626 (biometric, medical, health insurance, electronic credentials) are included in your breach response scope
- Establish a process for notifying the AG within 60 days when breaches affect 500 or more residents
- If you are an insurance licensee, confirm annual attestation has been filed with the Oklahoma Insurance Department by April 15
- If you operate a covered online platform, confirm your TAKE IT DOWN Act notice-and-removal process was operational by May 19, 2026
Preparing for the OKCDPA (Effective January 1, 2027)
- Assess whether your operations meet either applicability threshold (100,000 consumer threshold or 25,000/50% revenue threshold)
- Conduct a data inventory to map personal data collected, processed, and shared
- Draft or update your privacy notice to include the categories of personal data processed, purpose of processing, and consumer rights
- Build internal systems to receive and respond to consumer rights requests within 45 days
- Identify categories of sensitive data you collect and design consent workflows for those categories
- Confirm processor contracts include the required obligations under the OKCDPA
- Conduct data protection assessments for targeted advertising, data sales, profiling, and sensitive data processing activities
Ongoing Best Practices
- Conduct annual risk assessments and document results
- Train employees on breach recognition, data handling, and response procedures
- Monitor Oklahoma legislative and AG activity for additional requirements
- Review privacy policies annually for accuracy against actual data practices
How Oklahoma Residents Can Exercise Their Rights
Until January 1, 2027, Oklahoma residents do not have a comprehensive state consumer data privacy right. The state breach notification law and federal rights apply where relevant:
- Data breach notice: If your personal information is involved in a breach, the entity must notify you directly; if the breach affects 500 or more Oklahomans, it must also report to the AG within 60 days after individual notices are mailed
- HIPAA: Request access to or amendment of your medical records from any HIPAA-covered entity
- COPPA: Parents may request deletion of their child's personal information from online platforms subject to COPPA
- FTC complaints: File complaints about deceptive or unfair data practices at reportfraud.ftc.gov
- TAKE IT DOWN Act: Request removal of nonconsensual intimate images by submitting a notice to the platform's designated reporting mechanism
Beginning January 1, 2027, Oklahoma consumers subject to the OKCDPA may submit rights requests directly to covered controllers. If a controller denies your request, you may appeal, and if the appeal is denied, you may contact the AG's office, which maintains a public complaint mechanism.
Frequently Asked Questions
Does Oklahoma have a comprehensive consumer data privacy law?
Yes. Governor Kevin Stitt signed Senate Bill 546 on March 20, 2026, enacting the Oklahoma Consumer Data Privacy Act. The law takes effect January 1, 2027. It applies to businesses that process personal data of at least 100,000 Oklahoma consumers, or 25,000 consumers if more than 50% of gross revenue comes from selling personal data. It grants consumers rights to access, correct, delete, and port their personal data, plus the right to opt out of data sales, targeted advertising, and certain profiling.
What are the penalties for failing to notify consumers of a data breach in Oklahoma?
Under 24 O.S. §§ 161-166 as amended by SB 626, the Oklahoma Attorney General or a district attorney can seek civil penalties up to $150,000 per breach or series of similar breaches discovered in a single investigation. Entities that demonstrate they had reasonable security safeguards in place at the time of the breach may invoke an affirmative defense that reduces the maximum penalty to $75,000. Enforcement may also include actual damages suffered by affected residents.
What types of personal information are covered under Oklahoma breach notification law?
As of January 1, 2026, Oklahoma's breach notification law covers Social Security numbers, driver's license and state ID numbers, financial account numbers combined with security codes or passwords, government-issued identification numbers such as passport numbers, electronic identifiers and credentials permitting access to financial accounts, biometric data such as fingerprints and retina scans, medical information, and health insurance information. The data must be unencrypted and combined with the individual's name to trigger the notification requirement.
How quickly must an Oklahoma business report a data breach?
Oklahoma law requires notification without unreasonable delay after discovering a breach. Delay is permitted only to determine scope, restore system integrity, or cooperate with law enforcement. When a breach affects 500 or more Oklahoma residents, the entity must also notify the Oklahoma Attorney General within 60 days after individual notifications are mailed. The AG notification must identify the breach date, types of information exposed, number of residents affected, and security safeguards in place at the time.
What rights will Oklahoma residents have under the new OKCDPA?
Beginning January 1, 2027, Oklahoma residents may confirm whether a covered business is processing their personal data, access a copy of that data, request correction of inaccuracies, request deletion, obtain a portable copy for transfer to another provider, and opt out of targeted advertising, personal data sales, and profiling that produces legal or similarly significant effects. Controllers must respond within 45 days. The AG handles enforcement exclusively; there is no private right of action.
What is the TAKE IT DOWN Act and how does it affect Oklahoma residents?
The TAKE IT DOWN Act (Pub. L. 119-12), signed May 19, 2025, is a federal law requiring covered online platforms to remove nonconsensual intimate images (NCII), including AI-generated deepfakes, within 48 hours of a valid removal request. The FTC began enforcing platform obligations on May 19, 2026. Penalties exceed $53,000 per violation. Oklahoma residents who are victims of nonconsensual image distribution can submit a removal request directly to the platform's designated reporting mechanism and file a complaint with the FTC.
Can I be criminally charged for hacking a computer in Oklahoma?
Yes. The Oklahoma Computer Crimes Act (21 O.S. §§ 1951-1958) makes unauthorized computer access a crime. Felony violations, including unauthorized access to damage or copy data, installing malware, computer-based fraud, and identity theft, carry up to 10 years in prison and fines between $5,000 and $100,000. Misdemeanor violations, such as disrupting computer services or using a computer to harass, carry up to 30 days in jail and fines up to $5,000. Victims may also pursue civil remedies for damages.
Does the Oklahoma Insurance Data Security Act apply to my business?
The Insurance Data Security Act (36 O.S. §§ 670-679) applies to insurers, insurance producers, and other licensees regulated by the Oklahoma Insurance Commissioner. Licensees with less than $5 million in gross annual revenue are exempt. Entities already compliant with HIPAA or GLBA's Title V information security requirements are not required to comply with certain provisions. Covered licensees must maintain an information security program, conduct annual risk assessments, notify the Insurance Commissioner within three business days of a qualifying cybersecurity event, and file an annual data security attestation with the OID.
Sources and References
- Oklahoma SB 546: Oklahoma Consumer Data Privacy Act, enrolled text (oklegislature.gov)
- Oklahoma House: Major Data Privacy Bill Signed into Law (March 23, 2026) (okhouse.gov)
- Oklahoma SB 626 Enrolled: Security Breach Notification Act amendments (oklegislature.gov)
- Oklahoma SB 626 Bill Information, 2025 session (oklegislature.gov)
- Oklahoma Statutes Title 21: Oklahoma Computer Crimes Act (sections 1951-1958) (oklegislature.gov)
- Oklahoma Insurance Data Security Act, Oklahoma Insurance Department (oid.ok.gov)
- Oklahoma Insurance Department Bulletin No. 2024-10: Insurance Data Security Act compliance (oid.ok.gov)
- Oklahoma Attorney General Consumer Protection Unit (oklahoma.gov)
- AG Drummond files lawsuit against Temu for data theft (May 2026) (oklahoma.gov)
- Drummond lauds Senate passage of critical cybersecurity bill (SB 626) (oklahoma.gov)
- Oklahoma State Department of Education: Student Data Privacy and Security (oklahoma.gov)
- Oklahoma State Department of Health: HIPAA Privacy Notice (oklahoma.gov)
- FTC Begins Enforcing the TAKE IT DOWN Act (May 2026) (ftc.gov)
- TAKE IT DOWN Act, FTC Legal Library (ftc.gov)
- TAKE IT DOWN Act: S. 146, 119th Congress full text (congress.gov)
- Gramm-Leach-Bliley Act, 15 U.S.C. section 6801 (Cornell LII) (law.cornell.edu)
- NCSL Security Breach Notification Laws: 50-state comparison (ncsl.org)
- Hunton Andrews Kurth: Oklahoma Enacts Comprehensive Consumer Privacy Law (March 2026) (hunton.com)
- Troutman Pepper: Oklahoma Enacts Consumer Data Privacy Law (March 2026) (troutmanprivacy.com)
- WilmerHale: Oklahoma Enacts Nation's Twentieth State Comprehensive Privacy Law (March 2026) (wilmerhale.com)