# Oklahoma Consumer Privacy Law (OKCDPA)[^about]

The Oklahoma Consumer Data Privacy Act (SB 546) takes effect January 1, 2027, bringing consumer rights, notice, consent, and contracting duties with exclusive Attorney General enforcement — while the state's overhauled Security Breach Notification Act has already applied since January 1, 2026.

## Which privacy laws apply to your business in Oklahoma — and when? {#which-privacy-laws-apply}

**Short answer.** Two regimes, on two different clocks. The Oklahoma Consumer Data Privacy Act (OKCDPA, Senate Bill 546) takes effect January 1, 2027 and will apply to a controller or processor that does business in Oklahoma or targets products or services to Oklahoma residents and that processes personal data of at least 100,000 consumers a year, or at least 25,000 consumers while deriving over fifty percent of gross revenue from the sale of personal data [^stat-314-apply]. The state's Security Breach Notification Act is on a faster clock: it was overhauled effective January 1, 2026, so the new breach rules already bind businesses today [^stat-166-breach-date].

The practical takeaway is that an Oklahoma compliance program has a now-workstream and a next-January workstream. Now: the rewritten breach act (notice duties, expanded data elements, and penalties keyed to reasonable safeguards, covered below) and the Oklahoma Consumer Protection Act, the state's general deception statute, which reaches a misrepresentation, omission or other practice that could reasonably be expected to deceive — including a privacy policy that misstates what you actually do with data [^stat-752-udap]. Next January: the OKCDPA's full controller-processor regime. The OKCDPA's volume thresholds mean many small Oklahoma businesses will fall outside it entirely, and its protections run only to a *consumer* — a resident acting in an individual or household context, expressly excluding people acting in a commercial or employment context, so employee and B2B data are out of scope [^stat-300-consumer]. Entity-level carve-outs (state agencies, GLBA financial institutions, HIPAA covered entities, nonprofits, higher education) are covered in the federal-overlay question below. As of last review, Title 75A was not yet published on the state's official statute portal, so this page cites the enrolled session law (SB 546) for every OKCDPA provision.

## What must your Oklahoma privacy policy contain? {#privacy-policy-contents}

**Short answer.** From January 1, 2027, the OKCDPA fixes the contents directly. A controller must provide a reasonably accessible and clear privacy notice that lists the categories of personal data processed (including any sensitive data), the purposes of processing, how consumers exercise their rights and appeal a refusal, the categories of personal data shared with third parties, and the categories of those third parties [^stat-307-notice].

Treat the five items of the statutory list as a checklist that must appear on the face of the policy; the two third-party items are framed "if applicable", so they bind any controller that shares personal data with third parties. Two further drafting points are Oklahoma-specific. First, if you sell personal data to third parties or process it for targeted advertising, the notice itself must clearly and conspicuously disclose that processing and how a consumer can opt out of it [^stat-307-optout]. Second, the policy has to connect to a working intake pipeline: a controller must offer two or more secure and reliable ways to submit rights requests (chosen with an eye to how consumers normally interact with it and to its ability to authenticate the requester), may not force consumers to create a new account to use them, and — if it maintains a website — must provide a request mechanism there (an exclusively online business with a direct consumer relationship may instead offer an email address) [^stat-305-methods]. Until the act takes effect, no Oklahoma statute prescribes general privacy-policy contents — but whatever you publish must be true today, because a policy that misstates your practices is reachable as a deceptive trade practice under the Oklahoma Consumer Protection Act covered above.

## What must your contracts with processors say? {#vendor-contracts}

**Short answer.** From January 1, 2027, every processing arrangement needs paper behind it: a contract between the controller and the processor must govern the processing and must include clear processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties [^stat-308-contract].

The statute then adds the familiar processor commitments — confidentiality for everyone touching the data, deletion or return of personal data at the controller's direction when the engagement ends, making compliance information available to the controller, cooperating with reasonable assessments, and flowing the same terms down to any subcontractor by written contract. A processor may substitute an independent assessment against a recognized control framework for controller-run audits, and the contract does not shift statutory liability: each party keeps the liabilities its role carries. Processors also owe affirmative help — a processor must adhere to the controller's instructions and assist the controller in meeting its duties under the act, including responding to consumer rights requests, securing personal data, and supplying what the controller needs for data protection assessments — and the statute expressly ties that assistance to breach notification under the Security Breach Notification Act, knitting the 2027 regime to the breach law already in force [^stat-308-assist]. A compliant data processing agreement drafted to the common multistate template will usually satisfy this section, but check each statutory element against the contract rather than assuming.

## What rights do Oklahoma consumers get — and is there a universal opt-out? {#consumer-rights-and-opt-outs}

**Short answer.** From January 1, 2027, Oklahoma consumers get the now-standard set: to confirm processing and access their personal data, to correct inaccuracies, to delete personal data provided by or obtained about them, to obtain a portable digital copy of data they previously provided, and to opt out of processing for targeted advertising, the *sale* of personal data, or profiling that produces legal or similarly significant effects [^stat-301-rights]. There is no universal opt-out mechanism: the enrolled text contains no browser-level preference-signal requirement (a point inferred from statutory silence), so opt-outs operate through requests submitted to the controller [^stat-301-request].

The mechanics matter for operations planning. A controller must respond within 45 days of receipt, extendable once by another 45 days when reasonably necessary, and responses are free up to twice a year per consumer (a controller may charge for, or decline, manifestly unfounded, excessive, or repetitive requests — and bears the burden of showing that) [^stat-302-deadline]. A refusal must come with appeal instructions, and the controller must decide the appeal in writing within 60 days, routing denials onward to the Attorney General's complaint mechanism [^stat-303-appeal]. None of this can be contracted away: any contract term that waives or limits these consumer rights is void as contrary to public policy [^stat-304-nowaiver]. The absence of a universal opt-out-signal duty is a real drafting difference from several other state acts — an Oklahoma-only compliance posture does not need signal-recognition plumbing, though a multistate program will usually have it anyway.

The act also gives de-identified and pseudonymous data their own rules. A controller holding de-identified data must take reasonable measures against association with an individual, publicly commit to process it only in de-identified form and not to attempt reidentification, and bind recipients by contract to the same duties; the act does not force a controller to reidentify data, or to keep data in identifiable form, just to match a rights request; and the access, correction, deletion, and portability rights, together with the Section 306 controller duties, do not apply to pseudonymous data where the controller can show that the identifying information is kept separately under effective technical and organizational controls that keep the controller from reaching it. A controller that discloses pseudonymous or de-identified data must also exercise reasonable oversight of the recipient's contractual commitments and act on any breach of them [^stat-310-deidentified].

## Do you need consent to process sensitive data in Oklahoma? {#sensitive-data-consent}

**Short answer.** Yes, once the OKCDPA takes effect on January 1, 2027. A controller may not process a consumer's sensitive data without consent, and must handle a known child's data in accordance with the federal Children's Online Privacy Protection Act [^stat-306-consent]. Sensitive data covers personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify someone; a known child's data; and precise geolocation [^stat-300-sensitive].

The act's definition of consent is demanding: a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement — and the definition expressly excludes accepting a broad terms-of-use document, hovering over or closing content, and agreement obtained through *dark patterns* [^stat-300-consent-def]. So a pre-checked box or a consent buried in onboarding terms does not work. Sensitive-data processing also triggers paperwork: it is one of the activities requiring a documented data protection assessment, alongside targeted advertising, the sale of personal data, certain risky profiling, and any processing presenting a heightened risk of harm — assessments the Attorney General can demand through a civil investigative demand, though they stay confidential, exempt from the state's open-records law, and do not waive privilege or work-product protection [^stat-309-assessment]. Those assessment duties apply only to processing activities that commence on or after the OKCDPA effective date and are not retroactive [^stat-309-assessment]. The same section that houses the consent rule also sets two baseline duties for all personal data: collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes, and maintain reasonable administrative, technical, and physical security appropriate to the data's volume and nature [^stat-306-duties]. It separately bars incompatible-purpose processing without consent, unlawful-discrimination processing, and discrimination for rights exercise, with a loyalty-program carve-out [^stat-306-limits].

## When must you notify people of a data breach in Oklahoma? {#breach-notification}

**Short answer.** This duty applies today — Oklahoma rewrote its Security Breach Notification Act effective January 1, 2026. An individual or entity that owns or licenses computerized personal information must notify any Oklahoma resident whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, where the breach causes or is reasonably believed to cause identity theft or other fraud — and the disclosure must be made without unreasonable delay [^stat-163-resident-notice]. The rewrite also added a regulator's clock: the Attorney General must be notified without unreasonable delay, and no more than 60 days after residents are notified [^stat-163-ag-notice], unless the breach affects fewer than 500 Oklahoma residents [^stat-163-small-exempt].

Three changes in the current text deserve attention in an incident-response plan. First, the data elements are broader than the old name-plus-number list: *personal information* now includes electronic identifiers or routing codes combined with credentials that would permit access to a financial account, and unique biometric data such as a fingerprint or retina or iris image used to authenticate a specific individual — so a credential-stuffing or biometric incident can be notifiable when it involves the statutory first-name-or-initial-plus-last-name combination, one of those data elements, and the breach/risk trigger [^stat-162-elements]. Second, the statute now defines *reasonable safeguards* — risk assessments, layered technical and physical defenses, employee training, and an incident response plan, scaled to the entity's size and data — and, as the enforcement question below explains, having reasonable safeguards and giving the required notice is what shields you from civil penalties after a breach [^stat-162-safeguards]. Third, the act keeps its interoperability valves: an entity following its own consistent notification procedures under an information privacy or security policy is deemed compliant, as are financial institutions following federal interagency guidance and entities following HIPAA or the state hospital-cybersecurity act — but the deemed-compliance routes for regulated entities still require the Attorney General notice [^stat-164-compliance]. The AG notice has fixed contents (breach date, determination date, nature, data types, resident count, estimated monetary impact, and the safeguards employed), so build that template before the incident, not during it [^stat-163-ag-notice].
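The decision logic in this section (unencrypted-and-unredacted trigger, name-plus-element combination, 500-resident Attorney General threshold, 60-day AG clock, fixed AG-notice contents) and the safeguards-keyed penalty tiers described in the enforcement question below are the kind of thing an incident-response plan should encode before an incident. The module below is an added example written for this page; it is not code from the page's author or from any vendor. The `Incident` shape, its field names, the element labels in `STATUTORY_ELEMENTS`, and the two sample incidents are assumptions of the example, and the element set only contains the two data elements the page names as added in 2026 — the pre-existing elements must be filled in from 24 O.S. § 162 before the classifier is relied on.

```python
"""Breach-notification triage under Oklahoma's rewritten Security Breach
Notification Act (24 O.S. § 161 et seq.), following the rules as this page
states them.  Added example, not code from the page's author or any vendor.
The Incident shape, field names and sample incidents are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Data elements the page names as added by the 2026 rewrite.  The older
# "name-plus-number" elements are not reproduced on the page: extend this
# set from 24 O.S. § 162 before relying on the classifier.
STATUTORY_ELEMENTS = {
    "financial_account_identifier_with_credentials",
    "biometric_authenticator",
}
AG_NOTICE_WINDOW_DAYS = 60          # AG notice no later than 60 days after residents
AG_NOTICE_RESIDENT_THRESHOLD = 500  # below this, no AG notice is owed


@dataclass
class Incident:
    breach_date: date
    determination_date: date
    nature: str
    fields_exposed: set             # e.g. {"first_initial", "last_name", ...}
    oklahoma_residents: int
    encrypted: bool                 # statute reaches unencrypted, unredacted data only
    redacted: bool
    unauthorized_acquisition: bool  # accessed and acquired, or reasonably believed so
    fraud_risk: bool                # causes or is reasonably believed to cause ID theft/fraud
    reasonable_safeguards: bool     # risk assessments, layered defenses, training, IR plan
    estimated_monetary_impact: float = 0.0
    safeguards_employed: tuple = ()


def is_personal_information(fields_exposed: set) -> bool:
    """First name or first initial plus last name, combined with a data element."""
    has_name = "last_name" in fields_exposed and (
        "first_name" in fields_exposed or "first_initial" in fields_exposed)
    return has_name and bool(fields_exposed & STATUTORY_ELEMENTS)


def resident_notice_required(inc: Incident) -> bool:
    """All statutory conditions must hold; encrypted or redacted data is out of scope."""
    if inc.encrypted or inc.redacted:
        return False
    return (is_personal_information(inc.fields_exposed)
            and inc.unauthorized_acquisition and inc.fraud_risk)


def ag_notice_deadline(resident_notice_date: date, residents: int):
    """Outer AG deadline, or None when fewer than 500 Oklahoma residents are affected."""
    if residents < AG_NOTICE_RESIDENT_THRESHOLD:
        return None
    return resident_notice_date + timedelta(days=AG_NOTICE_WINDOW_DAYS)


def penalty_exposure(inc: Incident, notice_given_properly: bool) -> str:
    """Civil-penalty posture after the fact, as the enforcement question describes it."""
    if inc.reasonable_safeguards and notice_given_properly:
        return "no civil penalty (affirmative defense)"
    if notice_given_properly:
        return "actual damages plus $75,000 penalty"
    return "actual damages plus up to $150,000 per breach or related series"


def ag_notice_template(inc: Incident) -> dict:
    """The fixed AG-notice contents, built before the incident rather than during it."""
    return {
        "breach_date": inc.breach_date.isoformat(),
        "determination_date": inc.determination_date.isoformat(),
        "nature": inc.nature,
        "data_types": sorted(inc.fields_exposed & STATUTORY_ELEMENTS),
        "resident_count": inc.oklahoma_residents,
        "estimated_monetary_impact": inc.estimated_monetary_impact,
        "safeguards_employed": list(inc.safeguards_employed),
    }


# Constructed sample incidents for the example; not real events.
CREDENTIAL_STUFFING = Incident(
    breach_date=date(2026, 3, 2), determination_date=date(2026, 3, 9),
    nature="credential stuffing against the customer portal",
    fields_exposed={"first_initial", "last_name",
                    "financial_account_identifier_with_credentials"},
    oklahoma_residents=1200, encrypted=False, redacted=False,
    unauthorized_acquisition=True, fraud_risk=True, reasonable_safeguards=True,
    estimated_monetary_impact=15000.0,
    safeguards_employed=("MFA", "rate limiting", "annual risk assessment"),
)
ENCRYPTED_LAPTOP = Incident(
    breach_date=date(2026, 4, 1), determination_date=date(2026, 4, 2),
    nature="stolen laptop, full-disk encryption",
    fields_exposed={"first_name", "last_name", "biometric_authenticator"},
    oklahoma_residents=3000, encrypted=True, redacted=False,
    unauthorized_acquisition=True, fraud_risk=True, reasonable_safeguards=True,
)

if __name__ == "__main__":
    for inc in (CREDENTIAL_STUFFING, ENCRYPTED_LAPTOP):
        print(inc.nature, "-> resident notice:", resident_notice_required(inc))
    print("AG deadline:", ag_notice_deadline(date(2026, 3, 20), 1200))
```

The two constructed incidents show the edges that matter in practice: the credential-stuffing case is notifiable because it combines initial-plus-surname with an account-access element and crosses the 500-resident line, while the encrypted-laptop case drops out at the first check even though it involves biometric data. The AG deadline is computed from the date residents were notified, not from discovery, which is why the function takes that date as its input.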

## Who enforces Oklahoma privacy law — and can consumers sue? {#enforcement-and-lawsuits}

**Short answer.** Under the OKCDPA, enforcement belongs to one office: the Attorney General has exclusive authority to enforce the act [^stat-311-ag], and the act creates no private right of action for an OKCDPA violation or as an OKCDPA-based theory under another law [^stat-313-nopra]. Before suing, the Attorney General must give 30 days' written notice identifying the alleged violations, and may not sue at all if the business cures within that window and provides the required written statement and supporting documentation [^stat-312-cure]. After an uncured violation, civil penalties run up to $7,500 per violation [^stat-313-penalty].

Three Oklahoma-specific features round out the picture. First, the 30-day cure right has no sunset — Section 312 contains no cure expiration date, so the cure-first posture appears permanent rather than a transition-period grace [^stat-312-cure]. Second, the enrolled text contains no rulemaking grant: the office's only specified implementation duties are to post controller, processor, and consumer-rights information on its website and to run an online complaint mechanism, so the statutory text is the whole rulebook [^stat-311-ag]. Third, the regimes that govern today have sharper teeth than the OKCDPA's. Under the breach act, the Attorney General or a district attorney may recover actual damages plus a civil penalty of up to $150,000 per breach or related series of breaches, except that violations by state-chartered or state-licensed financial institutions are enforced exclusively by the primary state regulator [^stat-165-enforcement] — but an entity that used reasonable safeguards and gave proper notice is not subject to civil penalties and can plead that as an affirmative defense, while one that failed on safeguards but gave proper notice faces actual damages and a $75,000 penalty instead of the full amount [^stat-165-defense]. And the Oklahoma Consumer Protection Act — the deception backstop that already reaches privacy misrepresentations — does carry a private right of action: an aggrieved consumer may sue for actual damages, costs, and attorney fees [^stat-761-pra]. So while neither privacy-specific statute lets consumers sue, a privacy promise broken in a consumer transaction can still land a business in front of a private plaintiff today.

## How do federal privacy laws interact with Oklahoma's new privacy act? {#federal-overlay}

**Short answer.** Mostly by switching the OKCDPA off. The act does not apply at the entity level to state agencies, GLBA financial institutions, HIPAA covered entities and business associates, nonprofits, or institutions of higher education [^stat-314-exemptions] — and at the data level it exempts information already governed by federal regimes, including HIPAA protected health information, FCRA consumer-report data, and data handled under the Driver's Privacy Protection Act and FERPA [^stat-315-data-exempt].

The structure matters for scoping. The GLBA carve-out is written as *a financial institution or data subject to* Title V — both the institution and the data are out — and the HIPAA carve-out removes the covered entity or business associate wholesale, not just its health records [^stat-314-exemptions]. The data-level list in the companion section then covers federally regulated information held by businesses that are otherwise in scope: health records and research data, credit-report information under the FCRA, motor-vehicle data under the DPPA, education records under FERPA, Farm Credit Act data, and employment-context data [^stat-315-data-exempt]. For children's data the act borrows the federal standard outright: a controller or processor that complies with COPPA's verifiable parental consent requirements is deemed compliant with any parental-consent requirement under the act [^stat-316-coppa]. For businesses within FTC jurisdiction, Section 5 of the FTC Act remains a federal backdrop for unfair or deceptive acts or practices in or affecting commerce [^fed-ftc5]. The practical scoping exercise for 2027: first check whether your entity is carved out wholesale; if not, segment the federally regulated data streams out of OKCDPA scope and run the act's rights, notice, consent, and contracting duties on the remainder.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Oklahoma. This article synthesizes Oklahoma primary law and is not legal advice from an Oklahoma-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^stat-314-apply]: **75A O.S. § 314(A) (SB 546)** — "The provisions of this act apply only to a controller or processor who: 1. Conducts business in this state or produces a product or service targeted to the residents of this state; and 2. During a calendar year, either: a. controls or processes personal data of at least one hundred thousand (100,000) consumers, or b. controls or processes personal data of at least twenty-five thousand (25,000) consumers and derives over fifty percent (50%) of gross revenue from the sale of personal data." *75A O.S. § 314(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-166-breach-date]: **24 O.S. § 166** — "The Security Breach Notification Act shall apply to the determination or notification of a breach of the security of the system that occurs on or after January 1, 2026." *24 O.S. § 166.* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452240>

[^stat-752-udap]: **15 O.S. § 752 (Oklahoma Consumer Protection Act)** — "‘Deceptive trade practice’ means a misrepresentation, omission or other practice that has deceived or could reasonably be expected to deceive or mislead a person to the detriment of that person. Such a practice may occur before, during or after a consumer transaction is entered into and may be written or oral" *15 O.S. § 752(13).* <https://oksenate.gov/sites/default/files/2022-05/os15.pdf>

[^stat-300-consumer]: **75A O.S. § 300(8) (SB 546)** — "‘Consumer’ means an individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context" *75A O.S. § 300(8) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-307-notice]: **75A O.S. § 307(A) (SB 546)** — "A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes: 1. The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller; 2. The purpose for processing personal data; 3. How consumers may exercise their consumer rights under Sections 2 through 6 of this act, including the process by which a consumer may appeal a controller's decision with regard to the consumer's request; 4. If applicable, the categories of personal data that the controller shares with third parties; and 5. If applicable, the categories of third parties with whom the controller shares personal data." *75A O.S. § 307(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-307-optout]: **75A O.S. § 307(B) (SB 546)** — "If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose on the notice required by subsection A of this section such process and the manner in which a consumer may exercise the right to opt out of such process." *75A O.S. § 307(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-305-methods]: **75A O.S. § 305 (SB 546)** — "A controller shall establish two or more secure and reliable methods to enable consumers to submit a request to exercise their consumer rights under this act. The methods shall consider: 1. The ways in which consumers normally interact with the controller; 2. The necessity for secure and reliable communications of those requests; and 3. The ability of the controller to authenticate the identity of the consumer making the request. B. A controller shall not require a consumer to create a new account to exercise the consumer’s rights under this act but may require a consumer to use an existing account. C. Except as provided by subsection D of this section, if the controller maintains an Internet website, the controller shall provide a mechanism on the website for consumers to submit requests for information required to be disclosed under this act. D. A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal information shall only be required to provide an electronic mail address for the submission of requests described by subsection C of this section." *75A O.S. § 305 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-308-contract]: **75A O.S. § 308(B)-(D) (SB 546)** — "A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall include: 1. Clear instructions for processing data; 2. The nature and purpose of processing; 3. The type of data subject to processing; 4. The duration of processing; 5. The rights and obligations of both parties; and 6. A requirement that the processor shall: a. ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data, b. at the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law, c. make available to the controller, upon reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of this act, d. allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, and e. engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data. C. Notwithstanding the requirement described by subparagraph d of paragraph 6 of subsection B of this section, a processor, in the alternative, may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the requirements under this act using an appropriate and accepted control standard or framework and assessment procedure. The processor shall provide a report of the assessment to the controller on request. D. The provisions of this section shall not be construed to relieve a controller or a processor from the liabilities imposed on the controller or processor due to its role in the processing relationship as described by this act." *75A O.S. § 308(B)-(D) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-308-assist]: **75A O.S. § 308(A) (SB 546)** — "A processor shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller’s duties or requirements under this act, including: 1. Taking into account the nature of processing and the information available to the processor, assisting the controller in responding to consumer rights requests submitted under Section 2 of this act by using appropriate technical and organizational measures, as reasonably practicable; 2. Taking into account the nature of processing and the information available to the processor, assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor’s system under the Security Breach Notification Act, Section 161 et seq. of Title 24 of the Oklahoma Statutes; and 3. Providing necessary information to enable the controller to conduct and document data protection assessments under Section 10 of this act." *75A O.S. § 308(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-301-rights]: **75A O.S. § 301(B) (SB 546)** — "A controller shall comply with an authenticated consumer request to exercise the right to: 1. Confirm whether a controller is processing the consumer’s personal data and to access the personal data; 2. Correct inaccuracies in the consumer’s personal data, considering the nature of the personal data and the purposes of the processing of the consumer’s personal data; 3. Delete personal data provided by or obtained about the consumer; 4. If the data is available in a digital format, obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; or 5. Opt out of the processing of the personal data for purposes of: a. targeted advertising, b. the sale of personal data, or c. profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer." *75A O.S. § 301(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-301-request]: **75A O.S. § 301(A) (SB 546)** — "A consumer is entitled to exercise the consumer rights authorized by this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to exercise. With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise the consumer rights on behalf of the child." *75A O.S. § 301(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-302-deadline]: **75A O.S. § 302(B)-(D) (SB 546)** — "A controller shall respond to the consumer request no later than forty-five (45) days after the date of receipt of the request. The controller may extend the response period once by an additional forty-five (45) days when reasonably necessary, considering the complexity and number of the consumer’s requests. The controller shall inform the consumer of an extension within the initial forty-five-day response period and of the reason for the extension. C. If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer no later than the forty-five (45) days after the date of receipt of the request of the justification for declining to take action and provide instructions on how to appeal the decision in accordance with Section 4 of this act. D. A controller shall provide information in response to a consumer request free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. The controller shall bear the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive." *75A O.S. § 302(B)-(D) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-303-appeal]: **75A O.S. § 303(A)-(B) (SB 546)** — "A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision under subsection C of Section 3 of this act. The appeal process shall be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under Section 2 of this act. B. A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section no later than sixty (60) days after the date of receipt of the appeal including a written explanation of the reason or reasons for the decision. If the controller denies an appeal, the controller shall provide the consumer with the online mechanism described by subsection B of Section 12 of this act through which the consumer may contact the Attorney General to submit a complaint." *75A O.S. § 303(A)-(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-304-nowaiver]: **75A O.S. § 304 (SB 546)** — "Any provision of a contract or agreement that waives or limits a consumer right described by Section 2, 3, or 4 of this act shall be deemed to be contrary to public policy and shall be void and unenforceable." *75A O.S. § 304 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-310-deidentified]: **75A O.S. § 310 (SB 546)** — "A controller in possession of de-identified data shall: 1. Take reasonable measures to ensure that the data cannot be associated with an individual; 2. Publicly commit to process such data only in a de-identified fashion and not attempt to reidentify the data; and 3. Contractually obligate any recipient of the de-identified data to comply with the requirements of this subsection. B. The provisions of this act shall not be construed to require a controller or processor to: 1. Reidentify de-identified data or pseudonymous data; 2. Maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or 3. Comply with an authenticated consumer rights request under Section 2 of this act, if the controller: a. is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data, b. does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer, and c. does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by this section. C. The consumer rights under paragraphs 1 through 4 of subsection B of Section 2 of this act and controller duties under Section 7 of this act shall not apply to pseudonymous data in cases in which the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. D. A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breach of the contractual commitments." *75A O.S. § 310 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-306-consent]: **75A O.S. § 306(B) (SB 546)** — "A controller shall not: 1. Except as otherwise provided by this act, process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent; 2. Process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers; 3. Discriminate against a consumer for exercising any consumer rights contained in this act, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; or 4. Process the sensitive data of a consumer without obtaining the consumer’s consent or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act of 1998." *75A O.S. § 306(B)(4) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-300-sensitive]: **75A O.S. § 300(29) (SB 546)** — "‘Sensitive data’ means a category of personal data. The term includes: a. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, b. genetic or biometric data that is processed for the purpose of uniquely identifying an individual, c. personal data collected from a known child, or d. precise geolocation data" *75A O.S. § 300(29) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-300-consent-def]: **75A O.S. § 300(7) (SB 546)** — "‘Consent’, when referring to a consumer, means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes, but is not limited to, a written statement, including a statement written by electronic means, or any other unambiguous affirmative action. The term does not include: a. acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information, b. hovering over, muting, pausing, or closing a given piece of content, or c. agreement obtained through the use of dark patterns" *75A O.S. § 300(7) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-309-assessment]: **75A O.S. § 309(A), (C), (D), (G) (SB 546)** — "A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data: 1. The processing of personal data for purposes of targeted advertising; 2. The sale of personal data; 3. The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of: a. unfair or deceptive treatment of or unlawful disparate impact on consumers, b. financial, physical, or reputational injury to consumers, c. a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person, or d. other substantial injury to consumers; 4. The processing of sensitive data; and 5. Any processing activities involving personal data that present a heightened risk of harm to consumers. B. A data protection assessment conducted under subsection A of this section shall: 1. Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risks; and 2. Factor into the assessment the: a. use of de-identified data, b. reasonable expectations of consumers, c. context of the processing, and d. relationship between the controller and the consumer whose personal data will be processed. C. A controller shall make a data protection assessment available to the Attorney General upon written request pursuant to a civil investigation demand. D. A data protection assessment shall be confidential and exempt from public inspection and copying under the Oklahoma Open Records Act, Section 24A.1 et seq. of Title 51 of the Oklahoma Statutes. Disclosure of a data protection assessment in compliance with a request from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment. E. A single data protection assessment may address a comparable set of processing operations that include similar activities. F. A data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect. G. A data protection assessment as required by this section shall apply to processing activities that commence on or after the effective date of this act and shall not be retroactive." *75A O.S. § 309(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-306-duties]: **75A O.S. § 306(A) (SB 546)** — "A controller shall: 1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer; and 2. For purposes of protecting the confidentiality, integrity, and accessibility of personal data, establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue." *75A O.S. § 306(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-306-limits]: **75A O.S. § 306(B)-(C) (SB 546)** — "A controller shall not: 1. Except as otherwise provided by this act, process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent; 2. Process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers; 3. Discriminate against a consumer for exercising any consumer rights contained in this act, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; or 4. Process the sensitive data of a consumer without obtaining the consumer’s consent or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act of 1998. C. Paragraph 3 of subsection B of this section shall not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer’s right to opt out under Section 2 of this act or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program." *75A O.S. § 306(B)-(C) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-163-resident-notice]: **24 O.S. § 163(A)** — "An individual or entity that owns or licenses computerized data that includes personal information shall provide notice of any breach of the security of the system following determination or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection D of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the disclosure shall be made without unreasonable delay." *24 O.S. § 163(A).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452237>

[^stat-163-ag-notice]: **24 O.S. § 163(E)(1)** — "An individual or entity required to provide notice in accordance with subsection A or B of this section shall also provide notice to the Attorney General of such breach without unreasonable delay but in no event more than sixty (60) days after providing notice to impacted residents of this state as required by this section. The notice shall include the date of the breach, the date of its determination, the nature of the breach, the type of personal information exposed, the number of residents of this state affected, the estimated monetary impact of the breach to the extent such impact can be determined, and any reasonable safeguards the entity employs." *24 O.S. § 163(E)(1).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452237>

[^stat-163-small-exempt]: **24 O.S. § 163(E)(2)** — "A breach of a security system where fewer than five hundred (500) residents of this state are affected within a single breach shall be exempt from the notice requirements of paragraph 1 of this subsection. 3. A breach of a security system maintained by a credit bureau where fewer than one thousand (1,000) residents of this state are affected within a single breach shall be exempt from the notice requirements of paragraph 1 of this subsection." *24 O.S. § 163(E)(2).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452237>

[^stat-162-elements]: **24 O.S. § 162(6)** — "‘Personal information’ means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security: a. social security number, b. driver license number or other unique identification number created or collected by a government entity, c. financial account number, or credit card or debit card number, in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account, d. unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or e. unique biometric data such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual." *24 O.S. § 162(6)(d)–(e).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452236>

[^stat-162-safeguards]: **24 O.S. § 162(8)** — "‘Reasonable safeguards’ means policies and practices that ensure personal information is secure, taking into consideration an entity's size and the type and amount of personal information. The term includes, but is not limited to, conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan" *24 O.S. § 162(8).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452236>

[^stat-164-compliance]: **24 O.S. § 164** — "An individual or entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that are consistent with the timing requirements of the Security Breach Notification Act shall be deemed to be in compliance with the notification requirements of subsection A or B of Section 163 of this title if the individual or entity notifies residents of this state in accordance with its procedures in the event of a breach of security of the system. B. The following entities shall be deemed to be in compliance with the notification requirements of subsection A or B of Section 163 of this title if such entities provide notice to the Attorney General as required by subsection E of Section 163 of this title: 1. A financial institution that complies with the notification requirements prescribed by the Gramm-Leach-Bliley Act and the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice; 2. An entity that complies with the notification requirements prescribed by the Oklahoma Hospital Cybersecurity Protection Act of 2023 or the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and 3. An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator of the entity." *24 O.S. § 164(A).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452238>

[^stat-311-ag]: **75A O.S. § 311 (SB 546)** — "The Attorney General has exclusive authority to enforce the provisions of this act. B. The Attorney General shall post on the Attorney General's Internet website: 1. Information relating to: a. the responsibilities of a controller under this act, b. the responsibilities of a processor under this act, and c. a consumer's rights under this act; and 2. An online mechanism through which a consumer may submit a complaint under this act to the Attorney General." *75A O.S. § 311 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-313-nopra]: **75A O.S. § 313(E) (SB 546)** — "Nothing in this act shall be construed as providing a basis for, or being subject to, a private right of action for a violation of this act or any other provision of law." *75A O.S. § 313(E) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-312-cure]: **75A O.S. § 312 (SB 546)** — "Before bringing an action under Section 14 of this act, the Attorney General shall notify the controller or processor in writing, no later than thirty (30) days before bringing the action, identifying the specific provisions of this act that the Attorney General alleges have been or are being violated. The Attorney General shall not bring an action against the controller or processor if: 1. Within the thirty-day period, the controller or processor cures the identified violation; and 2. The controller or processor provides the Attorney General a written statement that the controller or processor: a. cured the alleged violation, b. provided supportive documentation to show how the privacy violation was cured, and c. that no further violations will occur." *75A O.S. § 312 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-313-penalty]: **75A O.S. § 313(A) (SB 546)** — "A controller or processor who violates this act following the cure period described by Section 13 of this act or who breaches a written statement provided to the Attorney General under such section shall be liable for a civil penalty in an amount not to exceed Seven Thousand Five Hundred Dollars ($7,500.00) for each violation." *75A O.S. § 313(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-165-enforcement]: **24 O.S. § 165(B), (D)** — "Except as provided in subsection D of this section, the Attorney General or a district attorney shall have exclusive authority to bring an action and may obtain actual damages for a violation of the Security Breach Notification Act and a civil penalty not to exceed One Hundred Fifty Thousand Dollars ($150,000.00) per breach of the security of the system or series of breaches of a similar nature that are determined in a single investigation. Civil penalties shall be based upon the magnitude of the breach, the extent to which the behavior of the individual or entity contributed to the breach, and any failure to provide the notice required by Section 163 of this title. C. 1. An individual or entity that uses reasonable safeguards and provides notice as required by Section 163 or 164 of this title shall not be subject to civil penalties and may use such compliance as an affirmative defense in a civil action filed under the Security Breach Notification Act. 2. An individual or entity that fails to use reasonable safeguards but provides notice as required by Section 163 or 164 of this title shall not be subject to the civil penalty set forth in subsection B of this section but shall be subject to actual damages and a civil penalty of Seventy-five Thousand Dollars ($75,000.00). D. A violation of the Security Breach Notification Act by a state-chartered or state-licensed financial institution shall be enforceable exclusively by the primary state regulator of the financial institution." *24 O.S. § 165(B).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452239>

[^stat-165-defense]: **24 O.S. § 165(C)** — "An individual or entity that uses reasonable safeguards and provides notice as required by Section 163 or 164 of this title shall not be subject to civil penalties and may use such compliance as an affirmative defense in a civil action filed under the Security Breach Notification Act. 2. An individual or entity that fails to use reasonable safeguards but provides notice as required by Section 163 or 164 of this title shall not be subject to the civil penalty set forth in subsection B of this section but shall be subject to actual damages and a civil penalty of Seventy-five Thousand Dollars ($75,000.00)." *24 O.S. § 165(C).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452239>

[^stat-761-pra]: **15 O.S. § 761.1 (Oklahoma Consumer Protection Act)** — "The commission of any act or practice declared to be a violation of the Consumer Protection Act shall render the violator liable to the aggrieved consumer for the payment of actual damages sustained by the customer and costs of litigation including reasonable attorney's fees, and the aggrieved consumer shall have a private right of action for damages, including but not limited to, costs and attorney's fees." *15 O.S. § 761.1(A).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=66266>

[^stat-314-exemptions]: **75A O.S. § 314(B) (SB 546)** — "The provisions of this act shall not apply to: 1. A state agency or a political subdivision of this state, or a service provider processing data on behalf of a state agency or political subdivision of this state; 2. A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C., Section 6801 et seq.; 3. A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R., Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq., and the Health Information Technology for Economic and Clinical Health Act, Division A of Title XIII and Division B of Title IV of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5; 4. A nonprofit organization; 5. An institution of higher education;" *75A O.S. § 314(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-315-data-exempt]: **75A O.S. § 315 (SB 546)** — "The following information shall be exempt from this act: 1. Protected health information under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq.; 2. Health records; 3. Patient identifying information for purposes of 42 U.S.C., Section 290dd-2; 4. Identifiable private information: a. for purposes of the federal policy for the protection of human subjects under 45 C.F.R., Part 46, b. collected as part of human subjects research under the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) or of the protection of human subjects under 21 C.F.R., Parts 50 and 56, or c. that is personal data used or shared in research conducted in accordance with the requirements set forth in this act or other research conducted in accordance with applicable law; 5. Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C., Section 11101 et seq.; 6. Patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005, 42 U.S.C., Section 299b-21 et seq.; 7. Information derived from any of the health care-related information listed in this section that is de-identified in accordance with the requirements for de-identification under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq. or any regulation adopted thereunder; 8. Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section that is maintained by a covered entity or business associate as defined under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq. or any regulation adopted thereunder, or by a program or a qualified service organization as defined under 42 U.S.C., Section 290dd-2 or any regulation adopted thereunder; 9. Information that is included in a limited data set as described by 45 C.F.R., Section 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by 45 C.F.R., Section 164.514(e); 10. Information collected or used only for public health activities and purposes as authorized under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq.; 11. The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C., Section 1681 et seq.; 12. Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C., Section 2721 et seq.; 13. Personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C., Section 1232g; 14. Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971, 12 U.S.C., Section 2001 et seq.; 15. Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of such role; 16. Data processed or maintained as the emergency contact information of an individual under this act that is used for emergency contact purposes; or 17. Data that is processed or maintained and is necessary to retain to administer benefits for another individual that relates to an individual described by paragraph 15 of this section and used for the purposes of administering those benefits." *75A O.S. § 315 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^stat-316-coppa]: **75A O.S. § 316 (SB 546)** — "A controller or processor that complies with the verifiable parental consent requirements of the Children's Online Privacy Protection Act of 1998 with respect to data collected online shall be considered to be in compliance with any requirement to obtain parental consent under this act." *75A O.S. § 316 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>

[^fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful. (2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C. 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C. 227(b)], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,practices%20in%20or%20affecting%20commerce.>
