{"id":18412,"date":"2026-05-15T17:28:57","date_gmt":"2026-05-15T15:28:57","guid":{"rendered":"https:\/\/www.cookiebot.com\/us\/?p=18412"},"modified":"2026-05-15T17:46:22","modified_gmt":"2026-05-15T15:46:22","slug":"oklahoma-consumer-data-privacy-act-ocdpa","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/us\/oklahoma-consumer-data-privacy-act-ocdpa\/","title":{"rendered":"Oklahoma Consumer Data Privacy Act (OCDPA): A Compliance Guide for U.S. Businesses"},"content":{"rendered":"\n<div class=\"cb-spacer\" style=\"--cb-height--d:40px;;--cb-height--t:40px;;--cb-height--m:40px;\">\n<\/div>\n\n\n<div class=\"cb-key-takeaways\">\n    <div class=\"cb-key-takeaways__container\">\n        <h2            class=\"cb-key-takeaways__title cb-key-takeaways__heading-variation like-h3\"\n        >At a Glance<\/h2>\n        <div class=\"cb-key-takeaways__content\">\n            <div class=\"cb-key-takeaways__content__inner\">\n                                <div id=\"cb-key-takeaways-accordion-1\" class=\"cb-accordion-item cb-accordion-item--opened\">\n                    <span class=\"cb-accordion-item__title no-default-margin\">\n                        <button\n                            class=\"cb-accordion-item__button\"\n                            type=\"button\"\n                            id=\"cb-key-takeaways-accordion-1-button\"\n                            aria-expanded=\"true\"\n                            aria-controls=\"cb-key-takeaways-accordion-1-content\"\n                        >Key Takeaways<\/button>\n                    <\/span>\n                    <div\n                        class=\"cb-accordion-item__content\"\n                        id=\"cb-key-takeaways-accordion-1-content\"\n                        aria-labelledby=\"cb-key-takeaways-accordion-1-button\"\n                    >\n                        <div class=\"cb-accordion-item__content__inner\">\n                            \n\n<ul class=\"wp-block-list\">\n<li><strong>Effective date: <\/strong>January 1, 2027. Enacted as Senate Bill 546 and signed into law March 20, 2026, the OCDPA was the first new comprehensive U.S. state privacy law of 2026.<\/li>\n\n\n\n<li><strong>Scope: <\/strong>Applies to businesses that process personal data of 100,000 or more Oklahoma consumers annually, or 25,000 or more consumers where over 50 percent of gross revenue comes from selling personal data.<\/li>\n\n\n\n<li><strong>Consent model: <\/strong>Opt-out for targeted advertising and data sales; affirmative consent required before processing sensitive personal data, including precise geolocation, biometric data, and data from known children under 13.<\/li>\n\n\n\n<li><strong>Consumer rights: <\/strong>Access, correction, deletion, portability, opt-out of targeted advertising, data sales, profiling in furtherance of decisions that produce legal or similarly significant effects, and nondiscrimination. No private right of action; no right to revoke consent; no authorized-agent provisions.<\/li>\n\n\n\n<li><strong>Enforcement: <\/strong>Exclusive to the Oklahoma Attorney General. Civil penalties up to USD 7,500 per violation. A 30-day permanent cure period applies before any action can be brought.<\/li>\n\n\n\n<li><strong>Key distinctions: <\/strong>The OCDPA's definition of \"sale\" covers monetary consideration only, exempting many common data-sharing arrangements. The law does not require businesses to honor Global Privacy Control signals, and does not include a right to revoke consent once given.<\/li>\n<\/ul>\n\n                        <\/div>\n                    <\/div>\n                <\/div>\n            <\/div>\n        <\/div>\n    <\/div>\n<\/div>\n\n\n\n<p>Oklahoma's comprehensive data privacy law (<a href=\"https:\/\/www.oklegislature.gov\/cf_pdf\/2025-26%20ENR\/SB\/SB546%20ENR.PDF\" target=\"_blank\" rel=\"noreferrer noopener\">SB 546<\/a>) was the first new U.S. state privacy legislation enacted in 2026, after no new comprehensive state privacy laws were passed in 2025.<\/p>\n\n\n\n<p>The law follows the opt-out consent model used across other states with privacy laws to date, but comes with its own definitions and thresholds that businesses directing products or services at Oklahoma residents need to examine carefully.<\/p>\n\n\n\n<p>For businesses, the OCDPA is relevant because websites and other touchpoints routinely collect personal data through contact forms, analytics tools, advertising cookies, and similar means. They may well meet the law's applicability thresholds without realizing it.<\/p>\n\n\n\n<p>Notable features include a narrower biometric data definition than comparable laws in Virginia or Texas, the adoption of the Texas definition of consent, a permanent cure period for enforcement, and the absence of support for opt-out signals such as Global Privacy Control, despite support for the GPC and other Universal Opt-Out Mechanisms expanding.<\/p>\n\n\n\n<p>This guide covers what the OCDPA requires, who it applies to, what rights Oklahoma consumers gain, and the practical steps website owners should take before the January 1, 2027 effective date.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-the-oklahoma-consumer-data-privacy-act-ocdpa\"><strong>What Is the Oklahoma Consumer Data Privacy Act (OCDPA)?<\/strong><\/h2>\n\n\n\n<p>The Oklahoma Consumer Data Privacy Act (OCDPA), enacted through Senate Bill 546, creates rights for Oklahoma residents over their personal data and establishes corresponding obligations for the businesses that collect and use it.<\/p>\n\n\n\n<p>Governor Kevin Stitt signed the law on March 20, 2026. It takes effect on January 1, 2027, giving businesses less lead time than most comparable state privacy frameworks have provided.<\/p>\n\n\n\n<p>Like other <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/us-data-privacy-laws-by-state\/\" target=\"_blank\" rel=\"noreferrer noopener\">U.S. state-level data privacy laws<\/a>, the OCDPA uses an opt-out consent model. Organizations can generally collect and process personal data without prior consent, but must give consumers clear means to opt out of targeted advertising and data sales, and must obtain affirmative consent before processing sensitive personal data, which includes data belonging to children.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-key-ocdpa-definitions\"><strong>Key OCDPA Definitions<\/strong><\/h2>\n\n\n\n<p>Understanding how the OCDPA defines its core terms is essential for determining whether and how your business is covered.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-personal-data\"><strong>Personal Data<\/strong><\/h3>\n\n\n\n<p>The OCDPA defines personal data as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.&nbsp;<\/p>\n\n\n\n<p>This includes pseudonymous data when used alongside additional information that could link it to a specific person. De-identified data and publicly available information are excluded.<\/p>\n\n\n\n<p>Unlike many other U.S. state privacy laws, the OCDPA does not enumerate specific examples of personal data. Common types that websites collect include names, email addresses, phone numbers, and device identifiers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sensitive-data\"><strong>Sensitive Data<\/strong><\/h3>\n\n\n\n<p>Sensitive data requires heightened protection. Controllers may not process it without affirmative consumer consent. Under the OCDPA, sensitive data includes personal data that reveals:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Racial or ethnic origin<\/li>\n\n\n\n<li>Religious beliefs<\/li>\n\n\n\n<li>Mental or physical health condition or diagnosis<\/li>\n\n\n\n<li>Sexual orientation<\/li>\n\n\n\n<li>Citizenship or immigration status<\/li>\n\n\n\n<li>Genetic or biometric data processed for the purpose of uniquely identifying an individual<\/li>\n\n\n\n<li>Personal data collected from a known child (under 13 years of age)<\/li>\n\n\n\n<li>Precise geolocation data (within a radius of 1,750 feet)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-biometric-data\"><strong>Biometric Data<\/strong><\/h3>\n\n\n\n<p>The OCDPA's biometric data definition excludes photographs, video, audio recordings, and data derived from them, unless that data is generated for the purpose of identifying a specific individual. This mirrors Connecticut's law, but is narrower than the exclusions in Virginia or Texas, which omit photo- and video-derived data without that qualifier.<\/p>\n\n\n\n<p>The practical implication is that businesses processing image or video data for identification purposes should treat that data as biometric data in scope under the OCDPA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consumer\"><strong>Consumer<\/strong><\/h3>\n\n\n\n<p>A consumer is an individual who is an Oklahoma resident acting in a personal or household context. The definition excludes individuals acting in a commercial or employment capacity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-controller\"><strong>Controller<\/strong><\/h3>\n\n\n\n<p>A controller is the entity that determines the purpose and means of processing personal data \u2014 most businesses subject to the law will be controllers. The OCDPA requires the relationship between controllers and processors to be governed by a written contract. Controllers are responsible for ensuring that processors they engage handle personal data in accordance with the law's requirements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-processor\"><strong>Processor<\/strong><\/h3>\n\n\n\n<p>A processor handles personal data on behalf of a controller, such as a third-party analytics provider or cloud storage service, under contract.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sale-of-personal-data\"><strong>Sale of Personal Data<\/strong><\/h3>\n\n\n\n<p>Sale of personal data means the exchange of personal data for monetary consideration by a controller to a third party. This covers monetary consideration only and not other forms of valuable consideration. This is narrower than some comparable state laws and exempts many common data-sharing arrangements in the advertising ecosystem from opt-out requirements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consent\"><strong>Consent<\/strong><\/h3>\n\n\n\n<p>Consent means a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of their personal data.&nbsp;<\/p>\n\n\n\n<p>What does not constitute consent?<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Acceptance of general or broad terms of use alongside unrelated information<\/li>\n\n\n\n<li>Hovering over, muting, pausing, or closing a piece of content<\/li>\n\n\n\n<li>Consent obtained through <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/dark-patterns-and-how-they-affect-consent\/\" target=\"_blank\" rel=\"noreferrer noopener\">dark patterns<\/a> or manipulative design<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-does-the-oklahoma-privacy-law-apply-to\"><strong>Who Does the Oklahoma Privacy Law Apply To?<\/strong><\/h2>\n\n\n\n<p>The OCDPA applies to controllers and processors doing business in Oklahoma or directing products and services at Oklahoma residents. A business must comply if it meets either of the following thresholds:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Controls or processes the personal data of at least 100,000 Oklahoma consumers in a calendar year, or<\/li>\n\n\n\n<li>Controls or processes the personal data of at least 25,000 consumers and derives more than 50 percent of its gross revenue from the sale of personal data<\/li>\n<\/ul>\n\n\n\n<p>Oklahoma does not include an annual revenue threshold, unlike California and Tennessee, which apply a third threshold to companies earning at least USD 25 million annually. Businesses whose traffic includes a substantial Oklahoma audience should assess whether their data processing volumes meet these thresholds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-exemptions-to-the-ocdpa\"><strong>Exemptions to the OCDPA<\/strong><\/h3>\n\n\n\n<p>The OCDPA exempts certain entities from its requirements, including state agencies, nonprofits, higher education institutions, financial institutions subject to the <a href=\"https:\/\/www.cookiebot.com\/us\/gramm-leach-bliley-act-glba\/\">Gramm-Leach-Bliley Act (GLBA)<\/a>, and individuals processing data for purely personal or household purposes.<\/p>\n\n\n\n<p>Certain categories of data are also excluded regardless of who holds them, including protected health information regulated under the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/health-insurance-portability-and-accountability-act-hipaa\/\" target=\"_blank\" rel=\"noreferrer noopener\">Health Insurance Portability and Accountability Act (HIPAA)<\/a>, employee and job applicant data, emergency contact information, student data regulated under FERPA, and data covered by the Fair Credit Reporting Act (FCRA).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-rights-does-the-ocdpa-grant-oklahoma-consumers\"><strong>What Rights Does the OCDPA Grant Oklahoma Consumers?<\/strong><\/h2>\n\n\n\n<p>The OCDPA grants Oklahoma residents the following rights over their personal data, which are exercised through a verified consumer request:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline cb-article-list-timeline--empty-header cb-article-list-timeline--no-image cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 6\">\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Right to access                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Confirm whether a controller is processing their personal data, and obtain a copy of it<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Right to correct                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Have inaccuracies in their personal data corrected<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Right to delete                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Have personal data provided by or obtained about them deleted<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Right to portability                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Obtain a portable, usable copy of personal data previously provided to the controller, where processing is automated<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Right to opt out                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Of targeted advertising, the sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Right to nondiscrimination                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Cannot be penalized for exercising their rights \u2014 by being denied services, charged higher prices, or given a lower quality of service<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n\n<p>The OCDPA does not include a private right of action, a right to limit use of sensitive personal information, or provisions for authorized agents to submit requests on a consumer's behalf.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-responding-to-consumer-requests\"><strong>Responding to Consumer Requests<\/strong><\/h3>\n\n\n\n<p>Controllers must provide at least two secure methods through which consumers can submit rights requests. Consumers may not be required to create a new account solely for this purpose.<\/p>\n\n\n\n<p>Controllers have 45 days to respond to authenticated requests, with a possible 45-day extension when reasonably necessary \u2014 provided the consumer is notified within the initial period. Responses must be free of charge for up to two requests per consumer per year.<\/p>\n\n\n\n<p>If a request is denied, the controller must establish an appeal process. The controller then has 60 days to provide a written explanation of its decision. If the appeal is also denied, the consumer must be directed to the Oklahoma Attorney General's online complaint mechanism.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-does-the-ocdpa-require-honoring-global-privacy-control-gpc-signals\"><strong>Does the OCDPA Require Honoring Global Privacy Control (GPC) Signals?<\/strong><\/h3>\n\n\n\n<p>The OCDPA does not require businesses to honor opt-out preference signals such as <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/what-is-global-privacy-control\/\" target=\"_blank\" rel=\"noreferrer noopener\">Global Privacy Control (GPC)<\/a>. As of early 2026, 12 states require businesses to honor GPC or comparable Universal Opt-Out Mechanism signals. Oklahoma is not among them.<\/p>\n\n\n<div class=\"cta-block cta-block--size-m cta-block--has-shield cb-ctx--blue\">\n            <img decoding=\"async\"\n            class=\"cta-block__shield\"\n            src=\"\/wp-content\/themes\/cookiebot\/img\/backgrounds\/cta-shield.svg\"\n            alt=\"Cookiebot bg shield\"\n            width=\"930\"\n            height=\"929\"\n            loading=\"lazy\">\n        <div class=\"cta-block__glass\">\n        <div class=\"cta-block__inner\">\n            <div class=\"cta-block__left-column\">\n                                                    <h2 class=\"cta-block__title no-default-margin like-h2\">\n                        Manage personal data collection, consent, and user preferences with Cookiebot                    <\/h2>\n                                                    <div class=\"cta-block__description like-text-md\">\n                        <p><span style=\"font-weight: 400;\">In 5 minutes you can customize your cookie banner for your brand and relevant regulations. Then start your 14-day free trial to see it in action.<\/span><\/p>\n                    <\/div>\n                                                                                                                <div class=\"cta-block__buttons\">\n                                                    <div class=\"cta-block__buttons__button-wp\">\n                                <a id=\"6edd02e2-d253-49b8-8c16-2c435a2a4fae\" class=\"cb-button cb-button-size-l cb-button-contained  no-default-link-decoration cb-button-icon-right cta-block__buttons__button\" href=\"https:\/\/www.cookiebot.com\/en\/cmp-interactive-demo-builder\/\" target=\"\">\n<span>Try It Now<\/span><\/a>\n                                                            <\/div>\n                                                                        <\/div>\n                                                                                <\/div>\n                    <\/div>\n    <\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-sensitive-data-and-consent-requirements\"><strong>Sensitive Data and Consent Requirements<\/strong><\/h2>\n\n\n\n<p>Affirmative, informed consent is required before any sensitive personal data may be processed. This covers health information, racial origin, citizenship status, sexual orientation, biometric and genetic data, precise geolocation data, and data collected from known children under 13.<\/p>\n\n\n\n<p>Oklahoma uses the Texas Data Privacy and Security Act's definition of consent, which means passive or implied signals are not sufficient. Acceptance of broad terms of use, and user actions such as hovering over or closing content, do not constitute consent.&nbsp;<\/p>\n\n\n\n<p>Website owners using cookie banners or consent interfaces to capture sensitive data consent should confirm that those interfaces meet this standard.<\/p>\n\n\n\n<p>Unlike several comparable state laws, the OCDPA does not give consumers a right to revoke consent once it has been given.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-children-s-data-and-coppa\"><strong>Children's Data and COPPA<\/strong><\/h3>\n\n\n\n<p>The OCDPA classifies personal data collected from known children under 13 as sensitive data, requiring affirmative parental or guardian consent before processing. Processing must also comply with the federal <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/childrens-online-protection-act-coppa\/\" target=\"_blank\" rel=\"noreferrer noopener\">Children's Online Privacy Protection Act (COPPA)<\/a>.<\/p>\n\n\n\n<p>The law does not include specific provisions for minors aged 13 to 16, which some consumer advocates have noted as a gap. Several other state privacy laws do include heightened consent requirements for minors in this age range.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-must-businesses-do-to-comply-with-the-ocdpa\"><strong>What Must Businesses Do to Comply with the OCDPA?<\/strong><\/h2>\n\n\n\n<p>The OCDPA's core obligations will be familiar to businesses already complying with other state privacy frameworks. Key requirements include transparency, data minimization, reasonable security, written processor contracts, and data protection assessments for high-risk activities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-privacy-notice-requirements\"><strong>Privacy Notice Requirements<\/strong><\/h3>\n\n\n\n<p>Controllers must publish a clear, accessible <a href=\"https:\/\/www.cookiebot.com\/en\/privacy-policy\/\">privacy notice<\/a> that includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Categories of personal data processed, including any sensitive data<\/li>\n\n\n\n<li>Purposes for which personal data is processed<\/li>\n\n\n\n<li>Categories of personal data shared with third parties, if any<\/li>\n\n\n\n<li>Categories of third parties with whom data is shared, if any<\/li>\n\n\n\n<li>Whether the controller sells personal data or processes it for targeted advertising<\/li>\n\n\n\n<li>How consumers can exercise their rights, including the appeal process<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-protection-assessments\"><strong>Data Protection Assessments<\/strong><\/h3>\n\n\n\n<p>Controllers must conduct data protection assessments before engaging in high-risk processing activities. These include targeted advertising, data sales, certain profiling activities, processing sensitive data, and any processing that presents a reasonably foreseeable risk of harm to consumers.<\/p>\n\n\n\n<p>Assessments apply only to processing activities that commence on or after January 1, 2027 and are not retroactive. Businesses already running assessments under comparable state laws should be able to extend those frameworks to cover Oklahoma without substantial additional effort.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-processor-contract-requirements\"><strong>Processor Contract Requirements<\/strong><\/h3>\n\n\n\n<p>Where personal data is shared with third-party vendors or processors, the relationship must be governed by a written contract specifying:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Instructions for processing<\/li>\n\n\n\n<li>Nature and purpose of the processing<\/li>\n\n\n\n<li>Type of data being processed<\/li>\n\n\n\n<li>Duration of the processing arrangement<\/li>\n\n\n\n<li>Rights and obligations of both parties<\/li>\n<\/ul>\n\n\n\n<p>The contract must require the processor to maintain confidentiality, delete or return data on request, cooperate with audits, and requiring that any subprocessors it engages are bound by equivalent obligations. Any contractual provision that purports to waive or limit a consumer's rights under the OCDPA is void and unenforceable.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-dark-patterns-prohibition\"><strong>Dark Patterns Prohibition<\/strong><\/h3>\n\n\n\n<p>The OCDPA explicitly prohibits dark patterns in consent interfaces. The law defines a dark pattern (also called \u201cnudging\u201d) as a user interface designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice. It incorporates the FTC's definition of the term by reference.<\/p>\n\n\n\n<p>Website owners should review consent banners, opt-out flows, and cookie preference interfaces to ensure that design choices are not manipulative and that declining consent is no more difficult than accepting it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-use-of-de-identified-data\"><strong>Use of De-identified Data<\/strong><\/h3>\n\n\n\n<p>Controllers using de-identified data retain obligations under the OCDPA. They must take reasonable measures to prevent re-identification, make a public commitment not to re-identify data, and contractually require any recipients of de-identified data to observe equivalent restrictions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-targeted-advertising-and-data-sales-under-the-ocdpa\"><strong>Targeted Advertising and Data Sales Under the OCDPA<\/strong><\/h2>\n\n\n\n<p>The OCDPA applies an opt-out model to targeted advertising and data sales, which is consistent with most other U.S. state privacy laws. Businesses must give consumers a clear means to opt out of these activities and must disclose whether they engage in them in their privacy notices.<\/p>\n\n\n\n<p>Importantly, the OCDPA's definition of \"sale\" is limited to exchanges for monetary consideration. It does not extend to other forms of valuable consideration, which means many common data-sharing arrangements in the digital advertising ecosystem \u2014 such as ad targeting in exchange for services \u2014 fall outside the opt-out requirement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ocdpa-enforcement\"><strong>OCDPA Enforcement<\/strong><\/h2>\n\n\n\n<p>Enforcement rests exclusively with the Oklahoma Attorney General. There is no private right of action, meaning individual consumers cannot bring lawsuits directly against businesses under the OCDPA.<\/p>\n\n\n\n<p>Before bringing an enforcement action, the Attorney General must notify the alleged violator and allow 30 days to cure the violation. Unlike the cure periods in several other state laws, this one does not sunset; it applies permanently.<\/p>\n\n\n\n<p>Civil penalties can reach USD 7,500 per violation. There is no statutory escalator for willful or intentional violations. The Attorney General may also seek injunctive relief, and courts may award reasonable attorneys' fees and litigation costs.<\/p>\n\n\n\n<p>The Attorney General is required to publish guidance on controller and processor obligations and consumer rights, and to provide a complaint submission mechanism for consumers. This is a provision modeled on the equivalent section in Texas's consumer data privacy law.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-businesses-can-prepare-for-the-ocdpa\"><strong>How Businesses Can Prepare for the OCDPA<\/strong><\/h2>\n\n\n\n<p>Businesses already compliant with Virginia's Consumer Data Protection Act, Texas's Data Privacy and Security Act, or similar state frameworks will find the OCDPA's core structure familiar. Scope thresholds, consumer rights, and assessment obligations are closely aligned.&nbsp;<\/p>\n\n\n\n<p>The primary areas requiring attention are the OCDPA's narrower sale definition, its biometric data rules, and the absence of GPC signal requirements.<\/p>\n\n\n\n<p>The following steps should be completed before January 1, 2027:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline cb-article-list-timeline--empty-header cb-article-list-timeline--no-image cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 6\">\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Assess applicability                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Audit the volume of Oklahoma consumer data processed against the 100,000-consumer and 25,000-consumer\/50 percent-revenue thresholds.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Review your privacy notice                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Confirm it includes OCDPA-required disclosures, including opt-out rights for data sales and targeted advertising.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Verify consumer request workflows                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Confirm that data subject request processes, including the appeal pathway and referral mechanism to the AG complaint system, are operational by the effective date.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Audit consent flows for sensitive data                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Confirm that affirmative consent is captured and documented for all sensitive data categories, including children's data, before processing begins.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Check consent interfaces for dark patterns                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Review cookie banners and opt-out mechanisms to ensure they meet the OCDPA's standards for clear design that is not manipulative.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Confirm data protection assessment coverage                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Ensure all high-risk processing activities commencing on or after January 1, 2027 have been assessed.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n\n<p>A <a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent-solution\/\">consent management platform<\/a> such as Cookiebot\u2122 supports several of these steps, including compliant opt-out flows for targeted advertising and data sales, consent documentation, and geotargeted banner configurations that adapt to the specific requirements of each applicable U.S. state law.<\/p>\n\n\n<div class=\"cta-block cta-block--size-m cta-block--has-shield cb-ctx--blue\">\n            <img decoding=\"async\"\n            class=\"cta-block__shield\"\n            src=\"\/wp-content\/themes\/cookiebot\/img\/backgrounds\/cta-shield.svg\"\n            alt=\"Cookiebot bg shield\"\n            width=\"930\"\n            height=\"929\"\n            loading=\"lazy\">\n        <div class=\"cta-block__glass\">\n        <div class=\"cta-block__inner\">\n            <div class=\"cta-block__left-column\">\n                                                    <h2 class=\"cta-block__title no-default-margin like-h2\">\n                        One state's privacy rules or all of them? They all have specific requirements                    <\/h2>\n                                                    <div class=\"cta-block__description like-text-md\">\n                        <p><span style=\"font-weight: 400;\">Do you have privacy obligations only in the state where you're headquartered, or need coast-to-coast or global coverage? Find out what relevant laws say about consumer rights and what you need to do.<\/span><\/p>\n                    <\/div>\n                                                                                                                <div class=\"cta-block__buttons\">\n                                                    <div class=\"cta-block__buttons__button-wp\">\n                                <a id=\"45e6fbb3-915a-4afe-a098-fddeb1b4cbbc\" class=\"cb-button cb-button-size-l cb-button-contained  no-default-link-decoration cb-button-icon-right cta-block__buttons__button\" href=\"https:\/\/www.cookiebot.com\/en\/regulations-finder\/\" target=\"\">\n<span>Find My Regulations<\/span><\/a>\n                                                            <\/div>\n                                                                        <\/div>\n                                                                                <\/div>\n                    <\/div>\n    <\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The Oklahoma Consumer Data Privacy Act takes effect January 1, 2027, bringing opt-out requirements for data sales and targeted advertising, affirmative consent for sensitive data, and AG-only enforcement with a permanent cure period.  Oklahoma\u2019s obligations closely track Virginia and Texas frameworks\u2014but its narrower \u201csale\u201d definition and absence of GPC support create specific operational considerations to address before the effective date.<\/p>\n","protected":false},"author":28,"featured_media":18413,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-18412","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/us\/wp-content\/uploads\/sites\/8\/2026\/05\/CB-Hero-Okahoma-OCDPA-770x513-1_1200x630_ffffff.png","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/posts\/18412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/comments?post=18412"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/posts\/18412\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/media\/18413"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/media?parent=18412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/categories?post=18412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/tags?post=18412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}