April 7, 2026
Oklahoma Data Privacy Act (OKDPA): What Businesses Need to Know
The Oklahoma Data Privacy Act takes effect January 1, 2027. Learn who must comply, what rights consumers have, and how to get your business ready.

The Oklahoma Data Privacy Act (OKDPA), signed into law in March 2026, gives Oklahoma residents new rights over their personal data and creates compliance obligations for thousands of businesses.

Oklahoma SB 546 is largely modeled on the framework first established by Virginia's Consumer Data Protection Act, making it familiar territory for businesses already navigating the wave of state-level privacy laws.

Here's what businesses need to know.

When Does the OKDPA Go Into Effect?

The Oklahoma Data Privacy Act goes into effect on January 1, 2027.

Who Must Comply with the Oklahoma Data Privacy Act?

The OKDPA applies to controllers and processors that conduct business in Oklahoma — or that produce products or services targeted to Oklahoma residents — and that, during a calendar year, either:

  1. Control or process the personal data of at least 100,000 consumers, or
  2. Control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

Like most state privacy laws, the OKDPA includes broad exemptions. The following entities are not covered by the law:

  • State agencies and political subdivisions of Oklahoma
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates regulated under HIPAA
  • Nonprofit organizations
  • Institutions of higher education

A wide range of data types are also exempt, including protected health information, employee and job applicant data, and information governed by the Fair Credit Reporting Act, among others.

Oklahoma Consumer Rights Under the OKDPA

The OKDPA grants Oklahoma residents the following rights with respect to their personal data:

  • Right to Know — Consumers can confirm whether a controller is processing their personal data and request access to it.
  • Right to Correct — Consumers can request that inaccuracies in their personal data be corrected.
  • Right to Delete — Consumers can request deletion of personal data provided by or collected about them.
  • Right to Portability — Where data is available in digital format and processed by automated means, consumers can request a portable copy that can be transmitted to another controller.
  • Right to Opt Out — Consumers can opt out of the processing of their personal data for purposes of:
    • Targeted advertising
    • The sale of personal data
    • Profiling in furtherance of decisions that produce legal or similarly significant effects (such as decisions about financial services, employment, housing, or healthcare)

Controllers are also required to establish an appeal process, giving consumers a path to challenge a denied request. If an appeal is denied, the controller must provide the consumer with a link to the Attorney General's online complaint mechanism.

How Much Do Violations Cost?

Controllers or processors that continue to violate the OKDPA after a 30-day cure period — or that breach a written cure statement provided to the Attorney General — face civil penalties of up to $7,500 per violation. Courts may also award attorney fees and other expenses to the state. 

Get Compliant with TrueVault

With the Oklahoma Data Privacy Act taking effect January 1, 2027, businesses that meet the thresholds have time to prepare — but not unlimited time. Compliance requires updating privacy notices, building consumer request workflows, establishing appeal processes, and conducting data protection assessments for higher-risk activities.

TrueVault helps businesses get compliant with the OKDPA and every other state privacy law — without needing a dedicated legal team to do it. Sign up today and get compliant tomorrow.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
