Oklahoma Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Oklahoma does not have a dedicated biometric privacy law. Unlike Illinois or Texas, there is no single statute governing how private businesses collect, store, or use fingerprints, facial scans, or other biometric identifiers.
What Oklahoma does have is a patchwork of protections that has expanded significantly since 2025. The revised Security Breach Notification Act now treats biometric data as protected personal information. A new comprehensive privacy law classifies biometric data as sensitive. And a longstanding state government standard restricts how agencies handle biometric identifiers.
For businesses and residents, understanding how these pieces fit together is essential. Here is what Oklahoma law requires as of 2026.

The Security Breach Notification Act and SB 626
Oklahoma's primary biometric data protection comes from the Security Breach Notification Act, codified at 24 O.S. Sections 161 through 166. Before SB 626 took effect on January 1, 2026, the law only covered Social Security numbers, driver's license numbers, and financial account numbers in combination with a person's name.
SB 626 rewrote the definition of "personal information" under 24 O.S. Section 162 to include "unique biometric data such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual."
The expanded definition also added electronic identifiers or routing codes that permit access to financial accounts, medical information, and health insurance information. This brought Oklahoma's breach notification law closer to the standards set by states with more comprehensive data protection frameworks.
What Triggers a Notification Obligation
Under the revised law, an entity that owns or licenses computerized data containing personal information must notify any Oklahoma resident whose unencrypted and unredacted biometric data was accessed or acquired by an unauthorized person, if the breach causes or is reasonably believed to cause identity theft or fraud.
The notification must be made without unreasonable delay. Entities may delay notification only to determine the scope of the breach and restore the integrity of the system, or when law enforcement requests a delay during an active investigation.
Attorney General Notification Requirements
When a breach affects 500 or more Oklahoma residents, the entity must also notify the Oklahoma Attorney General within 60 days after providing notice to affected individuals. When a breach of a credit bureau system affects 1,000 or more residents, credit bureau notification is also required.
The AG notice must include the breach date, the date the entity determined the breach occurred, the nature of the breach, the types of personal information compromised, the number of affected Oklahoma residents, the estimated monetary impact if it can be determined, and a description of the reasonable safeguards the entity had in place.
Penalties and Enforcement
Only the Attorney General or a district attorney may bring an enforcement action under the Act. There is no private right of action; individuals cannot sue for breach notification violations.
Civil penalties are capped at $150,000 per breach for entities that violated the Act. If an entity failed to maintain reasonable safeguards but did provide timely notice, the penalty cap drops to $75,000 per breach plus actual damages.
The Reasonable Safeguards Affirmative Defense
SB 626 introduced what may be its most consequential provision for businesses: the "reasonable safeguards" affirmative defense. An entity that can demonstrate it had implemented reasonable safeguards before the breach occurred, and met all statutory notification deadlines, can avoid civil penalties entirely.
The statute defines "reasonable safeguards" as policies and practices that ensure personal information is secure, considering the entity's size and the type and amount of personal information it holds. Examples include conducting risk assessments, maintaining layered technical and physical defenses, training employees on data security, and having an incident response plan.
Safe Harbor for Regulated Entities
Entities already subject to breach notification requirements under the Gramm-Leach-Bliley Act (GLBA), the Oklahoma Hospital Cybersecurity Protection Act, or HIPAA are deemed compliant with the individual notification provisions. These entities still must provide the required Attorney General notice.

The Oklahoma Consumer Data Privacy Act (SB 546)
On March 20, 2026, Governor Kevin Stitt signed SB 546, creating the Oklahoma Consumer Data Privacy Act (OCDPA). The law takes effect on January 1, 2027, and adds a second layer of biometric protection.
The OCDPA classifies biometric data as sensitive personal data. Under the Act, "sensitive data" includes "genetic or biometric data that is processed for the purpose of uniquely identifying an individual." The law specifies that biometric data does not include photographs, video or audio recordings, or data generated from those recordings, unless that data is generated specifically to identify a particular individual.
Consent Requirements
Controllers must obtain affirmative consent before processing biometric data. The OCDPA defines valid consent as "a statement written by electronic means, or any other unambiguous affirmative action." Consent cannot be obtained through general terms of service acceptance or through dark patterns.
This is a higher standard than the breach notification law, which does not address consent at all. Starting in 2027, any business collecting biometric data from Oklahoma consumers will need affirmative consent, not just a duty to report breaches.
Consumer Rights
Oklahoma residents gain the right to access, correct, and delete their biometric data, obtain a copy of it, and opt out of targeted advertising or profiling based on that data. Controllers must respond within 45 days, with one 45-day extension permitted. Consumers may appeal denied requests.
Applicability and Enforcement
The OCDPA applies to entities that conduct business in Oklahoma or target Oklahoma residents and either control or process personal data of at least 100,000 Oklahoma consumers, or at least 25,000 consumers where more than 50% of gross revenue comes from selling personal data.
The Attorney General has exclusive enforcement authority. Penalties reach up to $7,500 per violation after a mandatory 30-day right-to-cure period.
Oklahoma State Agency Biometric Standards
Oklahoma state agencies operate under a separate Biometric Data Security Standard published by the Office of Management and Enterprise Services (OMES), pursuant to 51 O.S. Sections 151-172.
The standard requires that state agencies not collect biometric data without prior consent from the individual. That consent must inform the person of why the biometric information is being collected and provide details about collection, storage, and use practices.
Agencies are prohibited from selling, leasing, trading, or otherwise profiting from an individual's biometric data. They also cannot disclose or disseminate biometric identifiers unless required by law. All biometric data must be encrypted at rest and in transit, meeting NIST FIPS 140-2 standards.
The REAL ID Biometric Data Provision
Oklahoma has one of the nation's strongest positions on biometric data in the government identification context. Under 47 O.S. Section 6-110.3, enacted in 2007, the state prohibits sharing biometric data collected during the driver's license process with the federal government, except as strictly required by the REAL ID Act of 2005.
This statute contains its own broad definition of biometric data: voice data, iris recognition data, retinal scans, fingerprints and palm prints, behavioral characteristics of handwritten signatures, keystroke dynamics, hand geometry, and DNA/RNA. Any biometric data previously collected for motor vehicle purposes must be retrieved and deleted from all state databases.
As of early 2026, Oklahoma legislators have filed suit to block the transfer of personal identification data to a national REAL ID database, continuing the state's resistance to federal biometric data collection.
How This Compares to Other States
Oklahoma's biometric protections rank in the middle of the pack nationally. The state lacks a standalone biometric privacy law with a private right of action like Illinois BIPA or an AG-enforced biometric statute like Texas CUBI.
| Feature | Oklahoma | Illinois (BIPA) | Texas (CUBI) |
|---|---|---|---|
| Standalone biometric law | No | Yes | Yes |
| Private right of action | No | Yes | No |
| Consent required for collection | Yes (OCDPA, 2027) | Yes (written release) | Yes (informed consent) |
| Breach notification for biometric data | Yes (since Jan. 2026) | Yes | Yes |
| Max penalty per incident | $150,000/breach | $5,000/violation | $25,000/violation |
| Comprehensive privacy law | Yes (OCDPA, 2027) | No | Yes (TDPSA) |
The SB 626 amendments and the upcoming OCDPA move Oklahoma from a state with almost no biometric protection to one with meaningful, if not leading, safeguards.

What Employers and Businesses Should Know
Oklahoma businesses collecting biometric data, whether for employee timekeeping, building access, customer verification, or any other purpose, face a shifting compliance landscape.
Right now (2026): The breach notification law requires reasonable safeguards for biometric data and timely notification if a breach occurs. There is no consent requirement under state law for private sector biometric collection, but the OMES standard applies to state agency contractors handling biometric data on the government's behalf.
Starting January 1, 2027: The OCDPA will require affirmative consent before processing biometric data for businesses meeting the applicability thresholds. Businesses should begin building consent mechanisms and data inventory processes now.
Practical steps include documenting what biometric data is collected and why, implementing encryption and access controls meeting reasonable safeguards standards, establishing a breach response plan that meets the 60-day AG notification deadline, and preparing consent workflows for the OCDPA's January 2027 effective date.
This article provides general legal information about Oklahoma biometric privacy laws. It is not legal advice. If you need guidance about biometric data collection, storage, or compliance obligations in Oklahoma, consult a qualified attorney licensed in the state.
Sources and References
- SB 626 Enrolled (Security Breach Notification Act Amendments) (oklegislature.gov)
- SB 626 Bill Information (oklegislature.gov)
- SB 546 Bill Information (Oklahoma Consumer Data Privacy Act) (oklegislature.gov)
- 47 O.S. 6-110.3 (REAL ID Biometric Data Prohibition) (oscn.net)
- OMES Biometric Data Security Standard (oklahoma.gov)
- Oklahoma Attorney General - Consumer Protection (oag.ok.gov)
- Oklahoma Legislators Seek Emergency Court Order on Personal Data Transfer (oksenate.gov)
- NIST FIPS 140-2 Security Requirements for Cryptographic Modules (csrc.nist.gov)
- OMES Policy, Standards & Publications (oklahoma.gov)