Oklahoma Consumer Data Privacy Act (OCDPA): A Compliance Guide for U.S. Businesses

Read time: 12 mins
Published: May 15, 2026
  • Effective date: January 1, 2027. Enacted as Senate Bill 546 and signed into law March 20, 2026, the OCDPA was the first new comprehensive U.S. state privacy law of 2026.
  • Scope: Applies to businesses that process personal data of 100,000 or more Oklahoma consumers annually, or 25,000 or more consumers where over 50 percent of gross revenue comes from selling personal data.
  • Consent model: Opt-out for targeted advertising and data sales; affirmative consent required before processing sensitive personal data, including precise geolocation, biometric data, and data from known children under 13.
  • Consumer rights: Access, correction, deletion, portability, opt-out of targeted advertising, data sales, profiling in furtherance of decisions that produce legal or similarly significant effects, and nondiscrimination. No private right of action; no right to revoke consent; no authorized-agent provisions.
  • Enforcement: Exclusive to the Oklahoma Attorney General. Civil penalties up to USD 7,500 per violation. A 30-day permanent cure period applies before any action can be brought.
  • Key distinctions: The OCDPA's definition of "sale" covers monetary consideration only, exempting many common data-sharing arrangements. The law does not require businesses to honor Global Privacy Control signals, and does not include a right to revoke consent once given.

Oklahoma's comprehensive data privacy law (SB 546) was the first new U.S. state privacy legislation enacted in 2026, after no new comprehensive state privacy laws were passed in 2025.

The law follows the opt-out consent model used across other states with privacy laws to date, but comes with its own definitions and thresholds that businesses directing products or services at Oklahoma residents need to examine carefully.

For businesses, the OCDPA is relevant because websites and other touchpoints routinely collect personal data through contact forms, analytics tools, advertising cookies, and similar means. They may well meet the law's applicability thresholds without realizing it.

Notable features include a narrower biometric data definition than comparable laws in Virginia or Texas, the adoption of the Texas definition of consent, a permanent cure period for enforcement, and no requirement to honor opt-out signals such as Global Privacy Control, even as support for GPC and other Universal Opt-Out Mechanisms continues to expand in other states.

This guide covers what the OCDPA requires, who it applies to, what rights Oklahoma consumers gain, and the practical steps website owners should take before the January 1, 2027 effective date.

What Is the Oklahoma Consumer Data Privacy Act (OCDPA)?

The Oklahoma Consumer Data Privacy Act (OCDPA), enacted through Senate Bill 546, creates rights for Oklahoma residents over their personal data and establishes corresponding obligations for the businesses that collect and use it.

Governor Kevin Stitt signed the law on March 20, 2026. It takes effect on January 1, 2027, giving businesses less lead time than most comparable state privacy frameworks have provided.

Like other U.S. state-level data privacy laws, the OCDPA uses an opt-out consent model. Organizations can generally collect and process personal data without prior consent, but must give consumers clear means to opt out of targeted advertising and data sales, and must obtain affirmative consent before processing sensitive personal data, which includes data belonging to children.

Key OCDPA Definitions

Understanding how the OCDPA defines its core terms is essential for determining whether and how your business is covered. 

Personal Data

The OCDPA defines personal data as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. 

This includes pseudonymous data when used alongside additional information that could link it to a specific person. De-identified data and publicly available information are excluded.

Unlike many other U.S. state privacy laws, the OCDPA does not enumerate specific examples of personal data. Common types that websites collect include names, email addresses, phone numbers, and device identifiers.

Sensitive Data

Sensitive data requires heightened protection. Controllers may not process it without affirmative consumer consent. Under the OCDPA, sensitive data includes personal data that reveals:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child (under 13 years of age)
  • Precise geolocation data (within a radius of 1,750 feet)

Biometric Data

The OCDPA's biometric data definition excludes photographs, video, audio recordings, and data derived from them, unless that data is generated for the purpose of identifying a specific individual. This mirrors Connecticut's law, but is narrower than the exclusions in Virginia or Texas, which omit photo- and video-derived data without that qualifier.

The practical implication is that businesses processing image or video data for identification purposes should treat that data as biometric data in scope under the OCDPA.

Consumer

A consumer is an individual who is an Oklahoma resident acting in a personal or household context. The definition excludes individuals acting in a commercial or employment capacity.

Controller

A controller is the entity that determines the purpose and means of processing personal data — most businesses subject to the law will be controllers. The OCDPA requires the relationship between controllers and processors to be governed by a written contract. Controllers are responsible for ensuring that processors they engage handle personal data in accordance with the law's requirements.

Processor

A processor handles personal data on behalf of a controller, such as a third-party analytics provider or cloud storage service, under contract. 

Sale of Personal Data

Sale of personal data means the exchange of personal data for monetary consideration by a controller to a third party. This covers monetary consideration only and not other forms of valuable consideration. This is narrower than some comparable state laws and exempts many common data-sharing arrangements in the advertising ecosystem from opt-out requirements.

Consent

Consent means a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of their personal data.

What does not constitute consent?

  • Acceptance of general or broad terms of use alongside unrelated information
  • Hovering over, muting, pausing, or closing a piece of content
  • Consent obtained through dark patterns or manipulative design

Who Does the Oklahoma Privacy Law Apply To?

The OCDPA applies to controllers and processors doing business in Oklahoma or directing products and services at Oklahoma residents. A business must comply if it meets either of the following thresholds:

  • Controls or processes the personal data of at least 100,000 Oklahoma consumers in a calendar year, or
  • Controls or processes the personal data of at least 25,000 consumers and derives more than 50 percent of its gross revenue from the sale of personal data

Oklahoma does not include an annual revenue threshold, unlike California and Tennessee, which apply a third threshold to companies earning at least USD 25 million annually. Businesses whose traffic includes a substantial Oklahoma audience should assess whether their data processing volumes meet these thresholds.

Exemptions to the OCDPA

The OCDPA exempts certain entities from its requirements, including state agencies, nonprofits, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and individuals processing data for purely personal or household purposes.

Certain categories of data are also excluded regardless of who holds them, including protected health information regulated under the Health Insurance Portability and Accountability Act (HIPAA), employee and job applicant data, emergency contact information, student data regulated under FERPA, and data covered by the Fair Credit Reporting Act (FCRA).

What Rights Does the OCDPA Grant Oklahoma Consumers?

The OCDPA grants Oklahoma residents the following rights over their personal data, which are exercised through a verified consumer request:

Right to access

Confirm whether a controller is processing their personal data, and obtain a copy of it

Right to correct

Have inaccuracies in their personal data corrected

Right to delete

Have personal data provided by or obtained about them deleted

Right to portability

Obtain a portable, usable copy of personal data previously provided to the controller, where processing is automated

Right to opt out

Of targeted advertising, the sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects

Right to nondiscrimination

Cannot be penalized for exercising their rights — by being denied services, charged higher prices, or given a lower quality of service

The OCDPA does not include a private right of action, a right to limit use of sensitive personal information, or provisions for authorized agents to submit requests on a consumer's behalf.

Responding to Consumer Requests

Controllers must provide at least two secure methods through which consumers can submit rights requests. Consumers may not be required to create a new account solely for this purpose.

Controllers have 45 days to respond to authenticated requests, with a possible 45-day extension when reasonably necessary — provided the consumer is notified within the initial period. Responses must be free of charge for up to two requests per consumer per year.

If a request is denied, the controller must establish an appeal process. The controller then has 60 days to provide a written explanation of its decision. If the appeal is also denied, the consumer must be directed to the Oklahoma Attorney General's online complaint mechanism.

Does the OCDPA Require Honoring Global Privacy Control (GPC) Signals?

The OCDPA does not require businesses to honor opt-out preference signals such as Global Privacy Control (GPC). As of early 2026, 12 states require businesses to honor GPC or comparable Universal Opt-Out Mechanism signals. Oklahoma is not among them.

Affirmative, informed consent is required before any sensitive personal data may be processed. This covers health information, racial origin, citizenship status, sexual orientation, biometric and genetic data, precise geolocation data, and data collected from known children under 13.

Oklahoma uses the Texas Data Privacy and Security Act's definition of consent, which means passive or implied signals are not sufficient. Acceptance of broad terms of use, and user actions such as hovering over or closing content, do not constitute consent. 

Website owners using cookie banners or consent interfaces to capture sensitive data consent should confirm that those interfaces meet this standard.

Unlike several comparable state laws, the OCDPA does not give consumers a right to revoke consent once it has been given.

Children's Data and COPPA

The OCDPA classifies personal data collected from known children under 13 as sensitive data, requiring affirmative parental or guardian consent before processing. Processing must also comply with the federal Children's Online Privacy Protection Act (COPPA).

The law does not include specific provisions for minors aged 13 to 16, which some consumer advocates have noted as a gap. Several other state privacy laws do include heightened consent requirements for minors in this age range.

What Must Businesses Do to Comply with the OCDPA?

The OCDPA's core obligations will be familiar to businesses already complying with other state privacy frameworks. Key requirements include transparency, data minimization, reasonable security, written processor contracts, and data protection assessments for high-risk activities.

Privacy Notice Requirements

Controllers must publish a clear, accessible privacy notice that includes:

  • Categories of personal data processed, including any sensitive data
  • Purposes for which personal data is processed
  • Categories of personal data shared with third parties, if any
  • Categories of third parties with whom data is shared, if any
  • Whether the controller sells personal data or processes it for targeted advertising
  • How consumers can exercise their rights, including the appeal process

Data Protection Assessments

Controllers must conduct data protection assessments before engaging in high-risk processing activities. These include targeted advertising, data sales, certain profiling activities, processing sensitive data, and any processing that presents a reasonably foreseeable risk of harm to consumers.

Assessments apply only to processing activities that commence on or after January 1, 2027 and are not retroactive. Businesses already running assessments under comparable state laws should be able to extend those frameworks to cover Oklahoma without substantial additional effort.

Processor Contract Requirements

Where personal data is shared with third-party vendors or processors, the relationship must be governed by a written contract specifying:

  • Instructions for processing
  • Nature and purpose of the processing
  • Type of data being processed
  • Duration of the processing arrangement
  • Rights and obligations of both parties

The contract must require the processor to maintain confidentiality, delete or return data on request, cooperate with audits, and ensure that any subprocessors it engages are bound by equivalent obligations. Any contractual provision that purports to waive or limit a consumer's rights under the OCDPA is void and unenforceable.

Dark Patterns Prohibition

The OCDPA explicitly prohibits dark patterns in consent interfaces. The law defines a dark pattern (also called “nudging”) as a user interface designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice. It incorporates the FTC's definition of the term by reference.

Website owners should review consent banners, opt-out flows, and cookie preference interfaces to ensure that design choices are not manipulative and that declining consent is no more difficult than accepting it.

Use of De-identified Data

Controllers using de-identified data retain obligations under the OCDPA. They must take reasonable measures to prevent re-identification, make a public commitment not to re-identify data, and contractually require any recipients of de-identified data to observe equivalent restrictions.

Targeted Advertising and Data Sales Under the OCDPA

The OCDPA applies an opt-out model to targeted advertising and data sales, which is consistent with most other U.S. state privacy laws. Businesses must give consumers a clear means to opt out of these activities and must disclose whether they engage in them in their privacy notices.

Importantly, the OCDPA's definition of "sale" is limited to exchanges for monetary consideration. It does not extend to other forms of valuable consideration, which means many common data-sharing arrangements in the digital advertising ecosystem — such as ad targeting in exchange for services — fall outside the opt-out requirement.

OCDPA Enforcement

Enforcement rests exclusively with the Oklahoma Attorney General. There is no private right of action, meaning individual consumers cannot bring lawsuits directly against businesses under the OCDPA.

Before bringing an enforcement action, the Attorney General must notify the alleged violator and allow 30 days to cure the violation. Unlike the cure periods in several other state laws, this one does not sunset; it applies permanently.

Civil penalties can reach USD 7,500 per violation. There is no statutory escalator for willful or intentional violations. The Attorney General may also seek injunctive relief, and courts may award reasonable attorneys' fees and litigation costs.

The Attorney General is required to publish guidance on controller and processor obligations and consumer rights, and to provide a complaint submission mechanism for consumers. This is a provision modeled on the equivalent section in Texas's consumer data privacy law.

How Businesses Can Prepare for the OCDPA

Businesses already compliant with Virginia's Consumer Data Protection Act, Texas's Data Privacy and Security Act, or similar state frameworks will find the OCDPA's core structure familiar. Scope thresholds, consumer rights, and assessment obligations are closely aligned. 

The primary areas requiring attention are the OCDPA's narrower sale definition, its biometric data rules, and the absence of GPC signal requirements.

The following steps should be completed before January 1, 2027:

Assess applicability

Audit the volume of Oklahoma consumer data processed against the 100,000-consumer and 25,000-consumer/50 percent-revenue thresholds.

Review your privacy notice

Confirm it includes OCDPA-required disclosures, including opt-out rights for data sales and targeted advertising.

Verify consumer request workflows

Confirm that data subject request processes, including the appeal pathway and referral mechanism to the AG complaint system, are operational by the effective date.

Audit consent flows for sensitive data

Confirm that affirmative consent is captured and documented for all sensitive data categories, including children's data, before processing begins.

Check consent interfaces for dark patterns

Review cookie banners and opt-out mechanisms to ensure they meet the OCDPA's standards for clear design that is not manipulative.

Confirm data protection assessment coverage

Ensure all high-risk processing activities commencing on or after January 1, 2027 have been assessed.

A consent management platform such as Cookiebot™ supports several of these steps, including compliant opt-out flows for targeted advertising and data sales, consent documentation, and geotargeted banner configurations that adapt to the specific requirements of each applicable U.S. state law.

Frequently asked questions

The Oklahoma Consumer Data Privacy Act takes effect on January 1, 2027. It was signed into law on March 20, 2026.

Your website must comply if it processes personal data of at least 100,000 Oklahoma residents in a calendar year, or personal data of at least 25,000 Oklahoma residents when more than 50 percent of your gross revenue comes from selling personal data. There is no standalone annual revenue threshold.

No. The OCDPA does not require businesses to recognize Global Privacy Control (GPC) or any other Universal Opt-Out Mechanism. This distinguishes it from California, Colorado, and a growing number of other states that do mandate GPC recognition.

Civil penalties of up to USD 7,500 per violation may be imposed by the Oklahoma Attorney General. Courts may also award injunctive relief and reasonable attorneys' fees. There is a permanent 30-day cure period before any enforcement action can be filed. The OCDPA does not allow for a private right of action.

The OCDPA defines sale narrowly: it covers exchanges of personal data for monetary consideration only. Exchanges for other forms of valuable consideration — such as data shared as part of an advertising arrangement — do not meet the definition, which means many common digital advertising practices fall outside the law's opt-out requirement.

Yes. Personal data collected from known children under 13 is classified as sensitive data under the OCDPA, requiring affirmative parental consent before processing. Processing must also comply with COPPA. The law does not include additional protections for children aged 13 to 17.