On March 20, the governor of Oklahoma signed into law the Oklahoma Data Privacy Act, establishing comprehensive consumer data privacy protections for state residents. The law applies to controllers and processors that conduct business in Oklahoma or target products or services to Oklahoma residents and that, during a calendar year, either: (i) process personal data of at least 100,000 consumers; or (ii) process personal data of at least 25,000 consumers while also deriving more than 50 percent of gross revenue from the sale of personal data. Among others, the law exempts financial institutions and data subject to the GLBA, as well as personal data regulated by the FCRA. It grants consumers the right to confirm whether a controller is processing their personal data and to access that data, correct inaccuracies, request deletion, obtain a portable copy, and opt out of processing for targeted advertising, the sale of personal data, or profiling that produces a legal or similarly significant effect. Controllers must respond to consumer requests within 45 days, with the option of extending the response period by an additional 45 days.

The law requires controllers to obtain consent before processing “sensitive data,” which is defined as a type of personal data that includes information revealing: (i) racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status; (ii) genetic or biometric data; (iii) data from a known child; and (iv) precise geolocation data. Controllers must also provide a clear privacy notice disclosing the categories of personal data processed, the purposes of processing, how consumers may exercise their rights, and the categories of third parties with whom data is shared. The law does not create a private right of action and provides the state attorney general with exclusive enforcement authority. Controllers or processors that fail to cure violations within 30 days of written notice face civil penalties of up to $7,500 per violation. The law takes effect on January 1, 2027.