Oklahoma Consumer Data Privacy Act (OCDPA): What Oklahomans and Businesses Need to Know

A new statewide privacy law takes effect in 2027—bringing meaningful consumer rights while remaining comparatively business-friendly.

Oklahoma has officially become the 20th state to enact a modern data privacy law. On March 20, 2026, Governor Kevin Stitt signed the Oklahoma Consumer Data Privacy Act (OCDPA) into law. The OCDPA takes effect on January 1, 2027, and establishes consumer data privacy rights and business obligations related to personal data.

For Oklahomans, the headline is straightforward: the OCDPA provides meaningful privacy protections and clearer rules around how organizations collect, use, and share personal data. At the same time, as the Wilson Elser team has noted in its early analysis of the statute, Oklahoma’s approach is relatively business-friendly, with some requirements and protections that are looser than those found in certain other state privacy laws.

Consumer rights under the OCDPA
  • Right to confirm and access: Consumers can ask whether a controller is processing their personal data and obtain access to that data (subject to exceptions).
  • Right to delete: Consumers can request deletion of personal data provided by or obtained about the consumer (subject to exceptions).
  • Right to correct: Consumers can request correction of inaccuracies in their personal data, taking into account the nature of the data and the purposes of processing.
  • Right to data portability: Consumers can obtain a copy of their personal data in a portable and (where feasible) readily usable format to transmit to another entity.
  • Right to opt out of certain processing: Consumers can opt out of (1) targeted advertising, (2) the sale of personal data, and (3) certain profiling.
  • Right to appeal: If a controller denies a consumer request, the consumer typically must be provided a process to appeal that decision.

As with other state privacy statutes, these rights are not unlimited. Controllers may need to verify the requester’s identity, and the law includes exceptions that can narrow or limit how (and whether) a request must be fulfilled. For readers who want to review the details, the enrolled version of SB 546 contains the full text of the OCDPA.

Broad exemptions limit the law’s reach. One reason the OCDPA is viewed as more business-friendly is that it contains significant exemptions. While the details matter, the statute broadly excludes (among others):

  • Nonprofits
  • Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
  • Higher education institutions
  • State agencies

Practically, these exemptions mean that many organizations are already covered by other laws, or are not regulated by a privacy statute at all. Healthcare and financial services organizations, for example, are typically subject to HIPAA or GLBA instead of the OCDPA. Nonprofits are exempt as a category under the OCDPA; many also collect little or no sensitive personal data in the first place, which keeps them outside most other privacy-specific regulations as well.

Oklahoma’s privacy trajectory: OCDPA + updated breach notification

The OCDPA does not stand alone. Oklahoma has also recently amended its Security Breach Notification Act (SB 626). Taken together, these developments signal a clear policy direction: stronger baseline rules for how personal information is handled, and clearer obligations when security incidents occur. In that sense, the OCDPA—coupled with the updated breach-notification framework—helps bring Oklahoma into the modern data protection era.

Enforcement

The Oklahoma Attorney General’s Office is responsible for enforcing the OCDPA. That means businesses should expect any early compliance questions—and any enforcement activity—to come from the Attorney General (rather than through private lawsuits).

Importantly, the OCDPA includes a 30-day opportunity to cure: before the Attorney General brings an action, the office must provide notice of the alleged violation and allow the business 30 days to address it. If the issue is not cured within that window (or if it recurs), the Attorney General may pursue enforcement, including civil penalties. Separately, the Attorney General also has enforcement authority under Oklahoma’s Security Breach Notification Act; for businesses planning their compliance approach, however, the OCDPA’s cure period is the feature to plan around.

Practical takeaways (2026-2027 planning)
  • For businesses affected by this law: Use the runway before January 1, 2027 to determine whether you are covered, map your data flows, and implement the action items in the Business Recommendation Checklist below.
  • For consumers: Expect more transparency and more control—especially the ability to access, delete, correct, and opt out of certain uses of personal data.
  • For both: Watch for guidance and enforcement posture as the effective date approaches; implementation details often shape how these laws operate in day-to-day practice.

Business Recommendation Checklist

If your organization may be a covered “controller” or “processor” under the OCDPA, use 2026 to build a practical compliance foundation that you can operate (and evidence) by January 1, 2027:

  • Confirm applicability and roles: Determine whether you meet coverage thresholds and whether you act as a controller, processor, or both (and for which products/services).
  • Inventory and map personal data: Document what personal data you collect, where it comes from, where it goes (including vendors), retention periods, and the purposes for processing.
  • Govern data privacy: Implement a documented privacy program and designate a Privacy Officer (or comparable role) accountable for day-to-day oversight, escalation, and compliance sign-off.
  • Minimize data collected: Apply data-minimization principles by collecting only what you need for defined purposes, limiting access, and setting retention schedules to delete or de-identify data when it’s no longer needed.
  • Update privacy notices: Ensure disclosures align to actual practices (categories of data, purposes, sharing/sale, targeted advertising, consumer rights, and how to exercise them).
  • Design consumer request workflows: Build an intake-to-response workflow that addresses identity verification, timelines, tracking, and an appeal process.
  • Implement opt-out controls: Make it easy for consumers to opt out of targeted advertising, sale of personal data, and relevant profiling; align marketing/adtech configurations accordingly.
  • Protect personal data deliberately: Implement administrative, physical, and technical safeguards for protecting personal data appropriate to the volume and nature of the personal data at issue.
  • Vendor and contract readiness: Review processor/vendor agreements to ensure required privacy and security terms are in place and that downstream sharing is documented.
  • Security and incident response alignment: Coordinate privacy and security so your safeguards, logging, and breach response processes support both the OCDPA and Oklahoma’s updated breach-notification obligations.
  • Train and document: Train teams who handle personal data (customer support, marketing, IT, HR) and maintain documentation to demonstrate compliance if questions arise.

With the OCDPA now on the books, Oklahoma joins the growing number of states treating privacy as a consumer right. The law’s broad exemptions and comparatively flexible structure may ease the burden on some organizations, but it still represents a meaningful shift toward standardized privacy rights for Oklahomans—and it is worth preparing for well before the January 1, 2027 effective date.

About the Author

Geoff Wilson is CEO and Founder of Go Security Pro and is an innovative cybersecurity thought leader with deep experience in defensive cybersecurity strategies. Having trained at the National Security Agency, Geoff brings 20 years of cybersecurity experience to your organization.

Geoff holds a Master’s degree in Information Security from Carnegie Mellon University and a Bachelor’s degree in Computer Science from the University of Oklahoma. He taught a graduate-level Information Security course at the University of Oklahoma for four years. Geoff is a published author, has worked for the National Security Agency, was a federal cybersecurity auditor, and has consulted with the Executive Office of the President.

Geoff is a business leader, having founded Go Security Pro in early 2019 with his wife and co-founder Susan Wilson. Geoff regularly speaks at conferences, presents to executive leadership and boards, and can get into the technical weeds with IT professionals.

Geoff treats every engagement as a knowledge transfer opportunity and every client with the utmost care. He is ready to assist you with your cybersecurity challenges.