On March 20, 2026, Governor Kevin Stitt signed Senate Bill 546 into law, creating the Oklahoma Consumer Data Privacy Act (OCDPA). Oklahoma joins a growing roster of states that have adopted comprehensive consumer data privacy frameworks, and the law takes effect on January 1, 2027.
For Oklahoma business owners, the obvious questions are practical ones. Does this apply to my company? What do I have to do? How much will it cost if I get it wrong? And how does this fit into the rest of my compliance picture, especially if I already deal with HIPAA, the Gramm-Leach-Bliley Act, or other privacy regimes?
This guide answers those questions in plain English. We will walk through who is covered (and who is not), what rights Oklahoma consumers can now exercise, what your business must do to comply, what penalties look like, and a realistic timeline for getting your house in order before the January 2027 effective date.
Table of Contents
- What the OCDPA Is and Why It Matters
- Who Is Covered: The Two-Part Test
- Who Is Exempt: Entity and Data Carve-Outs
- Five Rights Oklahoma Consumers Now Have
- What Controllers Must Do
- Sensitive Data and Opt-In Consent
- Processor Contracts and Vendor Management
- Data Protection Assessments
- Enforcement, Penalties, and the Cure Period
- Oklahoma Context: What This Means Locally
- How the OCDPA Compares to Other State Laws
- Your Compliance Roadmap to January 2027
- Common Mistakes to Avoid
- Frequently Asked Questions
What the OCDPA Is and Why It Matters
The OCDPA is Oklahoma’s first comprehensive consumer data privacy statute. Sponsored by Senator Brent Howard and Representative Josh West, it represents seven years of legislative work and five drafts before passage. The result is a law that gives Oklahoma residents new rights over how businesses collect, use, share, and sell their personal data, and it gives the Oklahoma Attorney General the authority to enforce those rights.
If you have been tracking the broader privacy landscape, the OCDPA will look familiar. It is closely modeled on Virginia’s Consumer Data Protection Act, which has become the template for most of the privacy laws passed outside California. Legal commentators have described the OCDPA as “business-friendly” relative to its peers because of its higher applicability thresholds, narrow definition of “sale,” broad exemptions, and a permanent right-to-cure period.
That said, “business-friendly” is a comparative term. If your business meets the thresholds, the operational lift to comply is real. You will need a written privacy notice that meets specific content requirements, processes for honoring consumer requests within tight timelines, vendor contracts with mandatory provisions, and documented risk assessments for certain types of data processing.
Key Date to Remember
The OCDPA takes effect on January 1, 2027. There is no phased rollout, no small-business grace period, and no separate compliance deadline for different provisions. If you are covered, the entire framework applies on day one.
Who Is Covered: The Two-Part Test
The OCDPA does not apply to every business that touches Oklahoma. It applies to entities that satisfy both a jurisdictional test and a volume threshold.
Part One: The Jurisdictional Test
Your business is potentially covered if you either:
- Conduct business in Oklahoma, or
- Produce a product or service that is targeted to Oklahoma residents.
“Targeted to Oklahoma residents” is broader than physical presence. An online retailer based in another state that ships to Oklahoma customers, runs Oklahoma-specific marketing, or hosts an Oklahoma-targeted website can fall within the law even with no physical operations here.
Part Two: The Volume Threshold
Even if you meet the jurisdictional test, the OCDPA only applies if, during a calendar year, you also:
- Control or process the personal data of at least 100,000 Oklahoma consumers, OR
- Control or process the personal data of at least 25,000 Oklahoma consumers AND derive more than 50 percent of your gross revenue from selling personal data.
Two things stand out about these thresholds. First, the 100,000-consumer threshold is calculated using only Oklahoma residents, not your nationwide consumer base. Second, the 50 percent revenue threshold is unusually high. Most other state privacy laws use a 25 percent revenue trigger, so the OCDPA is calibrated to focus on businesses whose primary commercial activity is data sales.
Practical Reality for Most Oklahoma Businesses
For the typical Oklahoma small or mid-sized business, hitting 100,000 Oklahoma consumers in a calendar year is a high bar. A local restaurant group, a regional construction firm, or a 50-person professional services company is unlikely to be a covered controller. That said, e-commerce sellers, SaaS companies, large retailers, marketing and adtech vendors, and digital media operators with national footprints can absolutely cross the threshold even when headquartered in Oklahoma.
What “Personal Data” Means
Personal data under the OCDPA is broad: any information that is linked or reasonably linkable to an identified or identifiable individual. That includes names, email addresses, IP addresses, device identifiers, online activity records, and similar information. It also includes pseudonymous data when paired with information that re-identifies the individual.
The definition specifically excludes de-identified data and publicly available information, which gives businesses some breathing room around marketing data and aggregated analytics, provided the de-identification is genuine and irreversible.
What “Consumer” Does Not Mean
An important wrinkle: the OCDPA defines “consumer” to mean only Oklahoma residents acting in an individual or household capacity. It does not cover individuals acting in a commercial or employment context. That means:
- Employee data is generally outside the OCDPA’s scope.
- Job applicant data is outside the scope.
- Data about your business contacts (vendors, B2B customer representatives) is outside the scope.
This is a meaningful distinction. California’s CCPA, by contrast, does cover employee and B2B data. If your operations span multiple states, you cannot assume that an Oklahoma-only carve-out for HR data extends to your California or Texas operations.
Who Is Exempt: Entity and Data Carve-Outs
Even covered businesses get the benefit of broad exemptions. The OCDPA recognizes two categories: entity-level exemptions (where the entire business is outside the law) and data-level exemptions (where specific categories of data are excluded, regardless of who holds them).
Entity-Level Exemptions
The following types of organizations are not subject to the OCDPA at all:
- State agencies and political subdivisions of Oklahoma
- Financial institutions and data subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Nonprofit organizations
- Institutions of higher education
The HIPAA exemption is particularly broad. Unlike some states that require HIPAA-covered entities to comply with privacy obligations for any non-PHI data they collect, Oklahoma exempts those entities entirely. The same is true for nonprofits, which are subject to comprehensive privacy laws in some states like Colorado but not in Oklahoma.
Data-Level Exemptions
Even when a business is otherwise covered, certain categories of data are removed from the OCDPA’s reach:
- Protected health information under HIPAA
- Data regulated by the Fair Credit Reporting Act (FCRA)
- Data regulated by the Family Educational Rights and Privacy Act (FERPA)
- Data regulated by the Driver’s Privacy Protection Act
- Data processed in connection with employment, applications for employment, or independent contractor relationships
- Data processed for purposes covered by the Farm Credit Act and Controlled Substances Act
Don’t Confuse Entity and Data Exemptions
A common mistake: assuming that because some of the data your business handles is exempt, the business itself is exempt. A retailer that uses an FCRA-regulated background check vendor still has to comply with the OCDPA for all the other consumer data it handles. Carve out the exempt data, then apply the law to everything else.
Five Rights Oklahoma Consumers Now Have
The heart of the OCDPA is the set of rights it gives to Oklahoma consumers. If your business is a covered controller, you must build processes to honor each of these rights when a verified consumer makes a request.
1. The Right to Confirm and Access
Consumers can ask whether you are processing their personal data and, if so, get access to that data. This is the foundational right that makes the others possible: a consumer cannot meaningfully ask you to delete or correct data without first knowing what you have.
2. The Right to Correct
Consumers can request that you correct inaccuracies in their personal data, taking into account the nature of the data and the purposes for which it is processed.
3. The Right to Delete
Consumers can request the deletion of personal data you have provided or obtained about them. Note the breadth: this is not limited to data the consumer gave you directly; it extends to data you obtained from third parties or inferred about them.
4. The Right to Data Portability
If the data is available in a digital format, consumers can obtain a copy of the personal data they previously provided to you, in a portable and (to the extent technically feasible) readily usable format.
5. The Right to Opt Out
Consumers can opt out of the processing of their personal data for any of three specific purposes:
- Targeted advertising (advertising selected based on personal data obtained from the consumer’s activities over time and across non-affiliated websites)
- The sale of personal data (defined in the OCDPA narrowly, as exchanges for monetary consideration only)
- Profiling in furtherance of decisions that produce legal or similarly significant effects (for example, decisions about credit, employment, housing, or healthcare)
Response Timelines and the Appeal Process
You have 45 days from receipt of a verifiable consumer request to respond. A single 45-day extension is available when reasonably necessary, provided you notify the consumer of the extension and the reason for it within the original window.
You must also build and document an appeal process. If you decline to act on a request, the consumer has the right to appeal that decision, and you have 60 days to respond to the appeal. If the appeal is denied, you must give the consumer information about how to submit a complaint to the Oklahoma Attorney General.
Two practical points worth noting:
- Responses are free up to twice per consumer per year. Beyond that, you can charge a reasonable fee or decline to act for excessive or manifestly unfounded requests.
- The OCDPA does not include authorized agent provisions. With a narrow exception for parents acting on behalf of children, consumers must exercise their rights directly.
What Controllers Must Do
Beyond responding to consumer requests, the OCDPA imposes affirmative duties on every covered controller. Most of these are familiar from other state privacy laws, but they require concrete operational changes.
Provide a Compliant Privacy Notice
You must publish a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data you process
- The purposes for which you process each category
- How consumers can exercise their rights, including how to appeal
- The categories of personal data you share with third parties
- The categories of third parties with whom you share personal data
If you sell personal data or process it for targeted advertising, your notice must say so explicitly and provide a clear mechanism for consumers to opt out. A bare “we may share your data with partners” line in a 2018-vintage privacy policy will not cut it.
Practice Data Minimization
Collection of personal data must be limited to what is adequate, relevant, and reasonably necessary in relation to the purposes you have disclosed to consumers. Translation: if you do not have a clear reason to collect a piece of data, do not collect it. The era of “collect everything, decide later” is incompatible with modern privacy laws.
Use Data Only for Disclosed Purposes
You cannot process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes you disclosed at collection, unless you obtain the consumer’s consent. If your disclosed purpose is “to ship products you order,” you cannot quietly add “and to train our AI model” later without going back for consent.
Maintain Reasonable Security
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. The standard is contextual: appropriate to the volume and nature of the personal data at issue. A NIST-aligned security program, encryption of sensitive data at rest and in transit, access controls, and a documented incident response plan are baseline expectations for most covered businesses.
Do Not Discriminate Against Rights-Exercisers
You cannot deny goods or services, charge different prices, or provide a different level of quality to a consumer because they exercised their rights under the OCDPA. There are limited exceptions for legitimate loyalty programs and for cases where the data is genuinely required to provide the requested product or service.
Avoid Dark Patterns
The OCDPA explicitly prohibits the use of dark patterns to obtain consent. Dark patterns are user interface design choices that manipulate or trick consumers into taking actions they did not intend, like double-negative consent prompts, pre-checked opt-in boxes, or buttons designed to make “accept all” obviously larger than “decline.” If your consent flow would embarrass you in front of a regulator, redesign it.
Quick Reality Check on Privacy Notices
A privacy notice is not a one-time deliverable. The OCDPA’s transparency obligations are continuous: when your data practices change, your notice has to change too. Build the notice once, then build a process for keeping it current as marketing tools, vendors, and use cases evolve.
Sensitive Data and Opt-In Consent
One of the most consequential parts of the OCDPA is its treatment of “sensitive data.” Unlike non-sensitive personal data, which uses an opt-out model, sensitive data requires opt-in consent before processing.
What Counts as Sensitive Data
Under the OCDPA, sensitive data includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child (defined as a child under 13)
- Precise geolocation data
What “Consent” Actually Means
This is where many businesses stumble. Consent under the OCDPA is a clear affirmative act reflecting a freely given, specific, informed, and unambiguous agreement. It explicitly does not include:
- Acceptance of broad terms of use that contain data-processing language alongside unrelated terms
- Hovering over, muting, pausing, or closing content
- Anything obtained through dark patterns
So if your consent mechanism for processing sensitive data is buried inside a 14-page terms of service or relies on the user “continuing to browse,” it is not consent under this statute.
Children’s Data
For known children, sensitive data must be processed in accordance with the federal Children’s Online Privacy Protection Act (COPPA). If your business has any chance of collecting data from users under 13 (some e-commerce, gaming, education, and family-oriented services), this provision deserves careful attention from counsel.
Biometric and Geolocation Tripwires
Two categories trip up businesses that did not realize they were handling sensitive data: biometric authentication features (like fingerprint or face login) and apps that collect precise location data, including GPS coordinates beyond city or zip-code level. Both require opt-in consent under the OCDPA. Audit your product for both before January 2027.
Processor Contracts and Vendor Management
The OCDPA distinguishes between two roles. A controller is the entity that determines the purposes and means of processing personal data (your business, in most cases). A processor is the entity that processes personal data on behalf of the controller (your CRM provider, your email marketing platform, your analytics vendor, your cloud host, and so on).
If you are a controller, every relationship with a processor must be governed by a written contract that includes specific provisions. The contract must:
- Set out clear instructions for processing the data
- Identify the nature and purpose of the processing
- Identify the type of personal data subject to processing
- Specify the duration of processing
- Set out the rights and obligations of both parties
- Require the processor to ensure that anyone processing the data is bound by a duty of confidentiality
- Require the processor to delete or return all personal data at the controller’s request
- Require the processor to make available all information necessary to demonstrate compliance
- Allow and cooperate with reasonable assessments by the controller or its designee
- Require any subcontractors to meet the same obligations through written agreement
Most modern SaaS vendors already offer a Data Processing Addendum (DPA) that covers these provisions, but Oklahoma-specific updates may be necessary. The compliance burden is real: identifying every processor, mapping the data they touch, papering the contracts, and tracking subcontractor changes is a meaningful undertaking for any business with a complex tech stack.
Vendor Contract Action Item
Build a single inventory of every vendor that touches consumer data, classify each as controller-to-controller or controller-to-processor, and confirm that every controller-to-processor relationship has a current DPA in place. This is also useful for HIPAA, GLBA, PCI, and other frameworks, so the work is rarely wasted.
Data Protection Assessments
For higher-risk processing activities, the OCDPA requires controllers to conduct and document a data protection assessment (sometimes called a DPA, but distinct from the vendor agreement of the same acronym). The assessment must weigh the benefits of the processing against the risks to consumers, taking into account safeguards, the context of processing, and consumer expectations.
You must conduct an assessment for any of the following:
- Processing personal data for purposes of targeted advertising
- The sale of personal data
- Processing personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, intrusion into solitude, or other substantial injury to consumers
- Processing sensitive data
- Any processing activities that present a heightened risk of harm to consumers
Assessments are not public documents, but the Attorney General can request them as part of an investigation, and they are not protected from disclosure if requested. Treat them as serious internal compliance documents, not boilerplate.
Enforcement, Penalties, and the Cure Period
The OCDPA gives the Oklahoma Attorney General exclusive enforcement authority. There is no private right of action, meaning consumers cannot sue your business directly for OCDPA violations. This is a meaningful limitation that distinguishes the OCDPA from California’s CCPA, which permits private suits for certain data breaches.
The Cure Period
Before pursuing penalties, the Attorney General must provide written notice of an alleged violation and give the business 30 days to cure. If the business cures the violation within that window and provides a written statement that the violation has been cured and no further violations will occur, the AG cannot pursue the matter.
Notably, the OCDPA provides a permanent cure period, in contrast to states like California, Colorado, and Connecticut, where the cure period is sunsetting or has already expired. This is one of the more business-friendly features of the Oklahoma framework.
Penalties
If a business fails to cure within 30 days, or if it cures but then continues to violate the law, the Attorney General can seek:
- Civil penalties of up to $7,500 per violation
- Injunctive relief requiring the business to stop the violating conduct
- Recovery of reasonable expenses, including attorney’s fees, in connection with the action
The OCDPA does not specifically define what constitutes a single “violation.” A reasonable reading is that each affected consumer or each separate violative act could count as one violation, which means a single systemic failure affecting tens of thousands of Oklahoma consumers could expose the business to substantial aggregate liability. As privacy professionals have observed, businesses should not treat the cure period as a safety net, especially given how visible privacy enforcement has become.
The Cure Period Is Not a Free Pass
The 30-day cure period is helpful, but it has practical limits. First, you cannot “cure” certain types of violations, like data that has already been sold or leaked. Second, repeat violations are not curable: once you have cured a violation, the AG can pursue penalties without further notice if you violate the same provision again. The cure period rewards good-faith compliance, not strategic delay.
Oklahoma Context: What This Means Locally
The OCDPA is a federal-style framework written by Oklahoma legislators for an Oklahoma economy that is more diverse than its national reputation suggests. Understanding how it lands in this state, both for business owners who are clearly covered and for those who are not, requires some local context.
Most Oklahoma SMBs Will Not Be Covered
The 100,000-Oklahoma-consumer threshold is high enough that the typical Edmond restaurant group, OKC professional services firm, Tulsa manufacturing operation, or Norman-based startup with regional reach is unlikely to be a covered controller in its first few years. That is a feature of the law, not a bug. Oklahoma legislators deliberately set the threshold to avoid imposing the framework on small businesses that lack compliance staff or budget.
That does not mean uncovered businesses can ignore the law entirely. Three reasons:
- Consumer expectations are shifting. Even if you are not legally required to honor a data deletion request, customers increasingly expect that you will. A privacy program signals professionalism and trust regardless of legal mandate.
- Growth changes coverage status. If your e-commerce business or SaaS platform crosses the 100,000-consumer line during a calendar year, you do not get a transition period. You should have the framework in place before you scale into it.
- B2B customers ask about privacy compliance. Larger Oklahoma companies that are covered will increasingly ask their vendors about privacy programs. A clean privacy posture is a sales asset.
Industries Most Likely to Be Covered
Across the OKC metro and the broader state, the businesses most likely to cross the OCDPA thresholds tend to fall into a handful of categories:
- E-commerce and direct-to-consumer brands with national customer bases
- SaaS and technology companies serving consumer markets
- Healthcare-adjacent businesses that are not HIPAA-covered (wellness apps, fitness platforms, certain health-tech startups)
- Marketing, adtech, and lead-generation companies, particularly those for whom data sales are a meaningful revenue stream
- Large retailers and franchisors with loyalty programs that touch significant numbers of Oklahoma consumers
- Media and content platforms with substantial user accounts
How the OCDPA Interacts With Oklahoma’s Other Laws
Oklahoma already has narrower privacy and security statutes on the books, including the Oklahoma Security Breach Notification Act and various sector-specific provisions. The OCDPA does not replace these laws. A business that suffers a data breach will still need to comply with breach notification obligations, even if the underlying data is exempt from the OCDPA itself.
Oklahoma’s general consumer protection statutes also remain in force. The OCDPA primarily addresses data practices; misrepresentations about those practices in a privacy notice can still trigger Oklahoma Consumer Protection Act exposure separately.
Oil & Gas, Energy, and Other Industries
For Oklahoma’s energy industry, the OCDPA’s direct effect is limited. Most upstream oil and gas operations do not touch consumer data at the volume required to trigger coverage, and royalty owner data is typically B2B or business-context data outside the consumer definition. That said, energy companies running consumer-facing programs (utility-style billing platforms, retail energy services, or consumer-facing apps) should run the threshold analysis honestly. The fact that your core business is energy does not exempt downstream consumer data from the OCDPA.
How the OCDPA Compares to Other State Laws
If you already comply with another state’s privacy law, the OCDPA will feel familiar but not identical. Here is how it differs from the major frameworks businesses are most likely to encounter.
Versus Virginia’s CDPA
The OCDPA is closely modeled on Virginia’s law, but three points are worth comparing. First, the revenue-share threshold is 50 percent in both Oklahoma and Virginia, so the two laws match on that point. Second, Oklahoma’s permanent cure period is more generous than Virginia’s, where the cure period sunset on January 1, 2025. Third, Oklahoma’s “sale” definition is narrower; it captures only exchanges for monetary consideration, while Virginia includes other valuable consideration.
Versus California’s CCPA/CPRA
The differences here are larger. California uses lower thresholds, includes employee and B2B data, requires recognition of universal opt-out signals like the Global Privacy Control, has a dedicated privacy regulator (the CPPA), and includes a private right of action for certain data breaches. Compliance with the CCPA does not automatically equal compliance with the OCDPA, but a business that has built a robust California program will find Oklahoma compliance achievable.
Versus Texas, Tennessee, and Other Virginia-Model States
The OCDPA most closely resembles the Virginia-model states (Tennessee, Indiana, Texas, Iowa, and others). The structural design is the same: AG-only enforcement, no universal opt-out signal mandate, opt-in for sensitive data, opt-out for sales and targeted advertising, narrow sale definition, and entity-level exemptions for HIPAA-covered entities and nonprofits. For a multi-state business, the marginal cost of adding Oklahoma to an existing Virginia-style compliance program is modest compared to building from scratch.
Strategic Insight
If you are building a privacy program for the first time, build to a national standard, not just to Oklahoma. The marginal effort to comply with all Virginia-model states (now the dominant framework) versus Oklahoma alone is small, and it future-proofs your program against the next state to pass legislation. Compliance teams that built only to one state’s law have repeatedly had to redo their work.
Your Compliance Roadmap to January 2027
If your business is covered, here is a practical sequence for getting ready before the law takes effect. The whole project typically takes three to six months for a mid-sized business, longer for complex tech stacks.
Phase One: Threshold Analysis and Scoping (Month 1)
- Confirm coverage. Run an honest analysis of how many Oklahoma consumers’ data you control or process annually. Include consumers from all channels: e-commerce, marketing lists, app users, account holders, and so on.
- Identify your role. For each data flow, determine whether you are a controller, a processor, or both. The same business often plays both roles for different data sets.
- Map exemptions. Identify which categories of your data are exempt (HIPAA PHI, FCRA-regulated data, employee data, etc.) and which are in scope.
Phase Two: Build the Foundation (Months 2-3)
- Create or update a data inventory. Document what personal data you collect, where it lives, who has access, and how long you retain it.
- Draft or update your privacy notice. Make sure it includes all OCDPA-required disclosures and that it is genuinely accessible (typically a footer link reachable from every page).
- Review vendor contracts. Identify every processor, confirm a current DPA is in place, and update contracts that lack the required provisions.
- Build a consumer request workflow. Create the intake mechanism (often a web form), the verification process, the routing to the right internal team, and the response template. Test it before January 1, 2027.
Phase Three: Operationalize (Months 4-5)
- Train your team. Customer service, marketing, IT, and legal all touch consumer data. Each function needs to know its role.
- Conduct data protection assessments. For any high-risk processing activities (targeted advertising, sales, profiling, sensitive data), document the assessment.
- Audit consent flows. Especially for sensitive data and any cookie or tracking technology, confirm that your consent mechanism meets the OCDPA’s clear-affirmative-act standard.
- Document your security program. Reasonable security is required. If you do not have a written information security program, build one.
Phase Four: Test and Launch (Month 6)
- Run mock requests. Have a friendly tester submit access, deletion, correction, and opt-out requests to confirm the workflow handles them within 45 days.
- Brief leadership. Make sure executives understand the framework, the penalties, and their role in incident response.
- Document everything. If the AG ever investigates, your documentation is your defense. Save policies, procedures, training materials, request logs, and assessments.
Quick-Start Checklist for Smaller Covered Businesses
- Confirm whether you cross the 100,000 / 25,000 thresholds
- Designate a single internal owner for the OCDPA project
- Update your privacy notice with required disclosures
- Stand up a consumer request intake form
- Confirm DPAs are in place with every major vendor
- Document a basic security program if you do not have one
- Train customer-facing staff on what to do when a request comes in
Common Mistakes to Avoid
From watching how businesses have implemented similar laws in other states, several patterns of mistakes show up repeatedly. Being aware of them in advance can save substantial time and risk.
1. Treating the Privacy Notice as a Legal Document
A privacy notice is a transparency document, not a defensive legal one. It needs to be readable. The OCDPA explicitly requires it to be “clear and meaningful.” Long, dense, lawyer-drafted notices that try to permit every possible data use have lost favor with regulators in every state, and Oklahoma is no different.
2. Forgetting the Appeal Process
Many businesses build a request intake but forget the appeal process. The OCDPA specifically requires an appeal mechanism with a 60-day response window and information about how to complain to the AG. Build the appeal process at the same time as the intake process.
3. Confusing Opt-Out and Opt-In
Sensitive data is opt-in. Targeted advertising and sales of non-sensitive personal data are opt-out. Many businesses get this backward, either over-collecting consent for things that do not require it (annoying customers) or under-collecting consent for things that do (creating violations).
4. Overlooking Vendor Contracts
Compliance teams often focus on internal operations and forget that the OCDPA imposes specific contract requirements with processors. A spotless internal program paired with non-compliant vendor contracts is still non-compliant.
5. Assuming HIPAA or GLBA Covers Everything
Healthcare and financial businesses often assume that because they are HIPAA-covered or GLBA-covered, the OCDPA does not apply at all. That is true if every piece of data they handle falls under those frameworks, but most businesses also handle marketing data, website analytics, or other categories that fall outside the federal regimes. Run the analysis category by category.
6. Building Only for Oklahoma
This is the costliest mistake. Privacy law is moving in one direction across the country, and the marginal cost of building a national program versus an Oklahoma-only program is small. Companies that build narrowly often spend the same effort twice within 18 months when the next state passes legislation.
7. Treating the Cure Period as a Strategy
Some businesses plan to “wait and see” and rely on the 30-day cure period if the AG comes calling. This works exactly once. After the first cure, repeat violations are not curable, and an investigation creates costs (legal fees, internal disruption, reputation impact) far in excess of building the program correctly the first time.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.