A PYMNTS Company

Oklahoma Joins 20 Other States With Comprehensive Consumer Privacy Laws

By  |  March 26, 2026

Oklahoma last week joined California, Colorado, Maryland and more than a dozen other states in enacting comprehensive consumer privacy legislation. Gov. Kevin Stitt signed the Oklahoma Consumer Data Privacy Act (OKCDPA) on March 20, which will take effect Jan. 1, 2027.

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    As in other states, the OKCDPA applies to organizations that control or process data and do business in Oklahoma, or produce products or services that target Oklahoma residents. However, the Sooner state law sets somewhat higher volume thresholds than some other states. The act applies to entities that control or process sensitive personal data on at least 100,000 Oklahoma residents, or 25,000 residents if the business derives 50% or more of its gross revenue from the sale of personal data.

    According to the Hunton Andrews Kurth law firm, the OKCDPA, like privacy laws in other states, also includes a number of exemptions, including for entities already subject to HIPAA or GLBA, non-profits and educational institutions.

    WHAT’S NEXT IN ANTITRUST AND TECHNOLOGY REGULATION 

    Enactment of the Oklahoma law brings the number of states with comprehensive consumer privacy statutes to 21, according to a tally kept by Bloomberg Law. It comes as states try to fill the void left by the absence of comprehensive federal data privacy protection.

    As in other states, the OKCDPA imposes various requirements on organizations that control sensitive private data, including data minimization, data protection assessments, obtaining consent, responding to consumer rights requests, implementing reasonable safeguards, and providing a privacy notice with specified content.

    Related: More Than 20 States Now Have Privacy Laws. Is Your Company Keeping Up? 

    As for organizations that process data collected by others, the law requires them to comply with the instructions of the collector/controller of the data and assist them in fulfilling their own obligations under the law, such as responding to consumer rights requests, implementing data security safeguards and assisting with data breach notification. It also requires that certain consent be included in any agreement between a controller and a processor regarding the processing of personal data.

    The law provides Oklahoma consumers with the right to access, correct and delete their personal data; obtain a copy of their personal data; and opt out of targeted advertising and profiling. Businesses have 45 days to respond to consumer requests, with a possible 45-day extension depending on the request’s complexity. They also must offer consumers a means to appeal the denial of a request.

    The law does not create a private right of action, however. Enforcement authority is vested exclusively in the state attorney general. Violations of the law can lead to fines of up to $7,500 per violation, but the law affords businesses a 30-day “right-to-cure” grace period before fines can be levied.