Oklahoma Passes Privacy Law
Oklahoma is the first state since 2024 to pass its own data privacy law (SB 546). Pending the signature of Governor Kevin Stitt, the Oklahoma privacy law will take effect on January 1, 2027. Some unique elements of the Oklahoma law include no requirement to recognize universal opt-out mechanisms and no enhanced privacy protection for children.
Applicability
Oklahoma’s privacy law applies to any business that produces products or services for Oklahoma residents and meets either of the following thresholds:
- Controls or processes the personal data of at least 100,000 Oklahoma residents.
- Controls or processes the personal data of at least 25,000 Oklahoma residents and derives over 50% of its gross revenue from the sale of personal data.
There are exemptions for organizations and data covered by the GLBA and HIPAA. Exemptions are also in place for:
- Nonprofits
- Institutions of higher education
- State agencies and local governments
- Personal data collected and used for Controlled Substances Act purposes
Consumer Rights
Oklahoma’s privacy bill provides consumers with the following rights:
- Confirm whether a controller is processing their personal data, and access that personal data.
- Correct inaccurate data.
- Delete personal data.
- Obtain a copy of their data in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance (applies if the processing is carried out by automated means).
- Opt out of the processing of their personal data for purposes of:
  - Targeted advertising
  - The sale of personal data
  - Profiling
Business Obligations
The Oklahoma privacy law places the following requirements and restrictions on businesses. Businesses must:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Provide consumers with two or more methods to submit a request to exercise their rights. If a business has a website, it must provide a mechanism for submitting requests on the website. Businesses cannot require consumers to create a new account to exercise their privacy rights.
- Establish data security practices to protect personal data.
- Not discriminate against a consumer for exercising any consumer rights.
- Not process the sensitive data of a consumer without the consumer’s consent. The Oklahoma law defines sensitive data as:
  - Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  - Genetic or biometric data that is processed for uniquely identifying an individual
  - Personal data collected from a known child
  - Precise geolocation data
- Take measures to ensure any de-identified data in their possession cannot be associated with an individual.
- Govern a processor’s data processing procedures through a contract between the controller and the processor. The contract shall include:
  - Clear instructions for processing data
  - The nature and purpose of processing
  - The type of data subject to processing
  - The duration of processing
  - The rights and obligations of both parties
Businesses must respond to consumer requests within 45 days. A 45-day extension is permitted for complex requests. If a business declines a request, it must provide its justification and instructions for appealing the decision within 45 days.
Privacy Notices
The Oklahoma privacy law requires businesses to provide consumers with a “reasonably accessible and clear” privacy notice that includes:
- The categories of personal data processed
- The purpose for processing personal data
- How consumers may exercise their consumer rights
- The categories of personal data that the controller shares with third parties
- The categories of third parties the controller shares personal data with
- How consumers can opt out of the sale of their data for targeted advertising
Data Protection Assessments
The law requires businesses to conduct and document a Data Protection Assessment of each of the following processing activities:
- Processing data for targeted advertising
- The sale of personal data
- Processing data for profiling
- Processing sensitive data
- Processing data that presents a heightened risk of consumer harm
A controller shall make a Data Protection Assessment available to the Attorney General upon written request.
Enforcement
Enforcement is the responsibility of the Oklahoma Attorney General. There is no private right of action. There is a 30-day right-to-cure period, and unlike in several other states, the cure provision does not sunset. Penalties can be up to $7,500 per violation.
CompliancePoint can help your organization comply with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more about our privacy services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.
