
Oklahoma Becomes the 20th State to Enact Privacy Law

22 March 2026

Last week, Oklahoma’s Senate Bill 546 was passed by both legislative chambers and subsequently signed by the Governor. The new act will take effect on 1 July 2027. This development makes Oklahoma the 20th US state to enact a comprehensive consumer data privacy law, following years of legislative discussion.


Scope and Applicability

Similarly to other US state laws (see here our comparative guidance on the key rights under the prior 19 state laws), the new act applies to controllers or processors that, during a calendar year:

  • Control or process the personal data of at least 100,000 Oklahoman residents; or
  • Control or process the personal data of at least 25,000 Oklahoman residents and derive over 50% of gross revenue from the sale of personal data.

The act includes several exemptions, including for certain financial institutions, covered entities and business associates subject to HIPAA, non-profit organizations, institutions of higher education and more.

The act provides data subjects in Oklahoma with a new framework, which includes, inter alia, the following –


Consumer Rights

The act grants data subjects several data-related rights, including:

  • The right to confirm whether their personal data is being processed and to access such data;
  • The right to rectify;
  • The right to delete personal data;
  • The right to obtain a copy of personal data;
  • The right to opt out of targeted advertising, the sale of personal data and profiling.

The act requires controllers to respond to consumer requests within 45 days, with a possible 45-day extension where reasonably necessary due to the complexity and volume of the requests.

In addition, the act requires controllers to establish an appeal mechanism, allowing consumers to challenge refusals to act on their requests within a reasonable period.


Controller Obligations

The act imposes several obligations on controllers, including –

  • Adhering to data minimization principles, ensuring personal data is adequate, relevant and reasonably necessary for disclosed purposes;
  • Implementing appropriate administrative, technical and physical safeguards to protect the confidentiality, integrity and accessibility of personal data;
  • Ensuring that personal data is not processed:
      • For purposes that are incompatible with those disclosed;
      • In violation of anti-discrimination laws; or
      • In a manner that discriminates against consumers for exercising their rights.

Controllers are also required to obtain consumer consent prior to processing sensitive data, and to comply with applicable children’s privacy laws (e.g., COPPA).


Privacy Notice Requirements

Controllers must provide a clear and accessible privacy notice that reflects information about their data collection and processing practices. This includes, inter alia, information related to –

  • Categories of personal data processed;
  • Purpose of processing;
  • Instructions on how consumers can exercise their rights;
  • Categories of personal data shared with third parties; and
  • Categories of third parties receiving the data.


Data Protection Impact Assessments (DPIAs)

Controllers are required to conduct and document a data protection impact assessment for certain high-risk processing activities, including:

  • Targeted advertising;
  • The sale of personal data;
  • Profiling that presents a foreseeable risk of –
      • Unfair or deceptive treatment or unlawful disparate impact;
      • Financial, physical or reputational damage;
      • Intrusion upon consumers’ privacy; or
      • Other substantial harm.
  • Processing of sensitive data;
  • Any processing activities that present a heightened risk of harm to consumers.

It should be noted that the act includes specific requirements regarding the content of such assessments and the methodology for conducting them.


Enforcement

The act will be enforced exclusively by the Oklahoma Attorney General, and it expressly provides that it does not grant a private right of action. The Attorney General is required to provide 30 days’ notice and an opportunity to cure any alleged violation prior to initiating an enforcement action.

Where a violation is not cured within this period, or in cases involving breaches of a written cure statement, the Attorney General may initiate proceedings and seek civil penalties of up to USD 7,500 per violation.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Oklahoma. Feel free to contact us if you have any questions regarding the new act and its practical implications.