Oklahoma’s New Privacy Law: Familiar Framework, Fast-Approaching Deadline
Oklahoma enacted a new comprehensive privacy law that takes effect on January 1, 2027. For companies that already comply with a Virginia-style privacy law, Oklahoma largely represents a low-lift add-on, not a ground-up rebuild. The law skips the more aggressive provisions seen in Minnesota or Maryland—and even the recent children’s privacy provisions added in Colorado and Connecticut.
That said, companies will still need to confirm applicability, update notices, and extend assessments and consumer-request workflows to Oklahoma residents. Compliance planning is simplified, however, because there is no rulemaking: what you see in the statute is what you get.
What companies are subject to the law?
The law applies to controllers and their processors (with both concepts defined the same way as in other state privacy laws). A controller must comply with the law if it:
- Control or process personal information on 100,000 Oklahoma consumers; or
- Control or process personal information on 25,000 Oklahoma consumers and derive more than 50% of their revenue from selling personal information.
This tracks the approach of many other states when setting applicability thresholds. Notably, though, it breaks from the geographically (and ideologically) close states of Texas and Nebraska, which apply their privacy laws to all companies except small businesses and other exempted entities.
The law also includes a familiar, and generous, set of exemptions. The standard smattering of data-level exemptions, such as B2B data, employee details, and protected health information, is present. And entity-level exemptions, after being disfavored in more recent laws, make a comeback with carveouts for nonprofits as well as HIPAA- and GLBA-regulated entities.
How does Oklahoma break the mold?
In short, it doesn’t. Oklahoma generally follows the standard privacy framework, but there are a few business-friendly twists:
- Curtailed Opt Outs. Excludes a requirement to honor opt-out preference signals
- Indefinite Cure Period. Includes no sunset for the cure period
- Limited Sales Definition. Limits “sales” to exchanges of money for information
What are controllers’ obligations?
Oklahoma imposes the standard obligations on controllers, including notice, consumer rights, data minimization, reasonable safeguards, purpose limitation, and processor contracts. Controllers also must conduct data protection assessments, and both the triggers and the required content mirror those used in most other states. And, like nearly every other state, a controller generally must obtain the consumer's consent before processing their sensitive data.
The law does not embrace some of the more novel developments we have seen in recent states, such as data inventories, enhanced data minimization, and prohibitions on selling precise geolocation data.
What are consumers’ rights?
Consumers get essentially the standard bundle of rights. Like nearly every other state, the law provides consumers with the right to (1) access, correct, and delete their personal information and (2) opt out of sales, targeted advertising, and certain profiling. The law also provides consumers with a right to appeal when a controller denies their request.
But the devil is in the details. Unlike most states, there is no requirement for a controller to honor an opt-out preference signal or allow a consumer to exercise their opt-out rights using an authorized agent. And Oklahoma employs a narrower concept of sale by focusing on exchanges for money without also including transfers for “valuable consideration.”
How is the law enforced?
There is no private right of action; the Oklahoma attorney general has exclusive enforcement authority and can seek up to $7,500 per violation. Before bringing a claim, however, the attorney general must give the company notice and 30 days to cure the violation. And unlike in some other states, the cure period is a permanent feature of the law; it does not sunset.
What can businesses do to get ready?
The quickly approaching effective date (January 1, 2027) means that there is little time to waste. Luckily, the uplift should be relatively simple for companies with a privacy program tailored to other states’ laws. And the work can start now because there is no rulemaking that could add new complexities.
Next steps for businesses include:
- Assess Applicability. Assess whether you process sufficient data on Oklahoma residents
- Update Privacy Policy. Add Oklahoma to state-specific disclosures
- Align Website Practices. Update any geo-targeted features, such as unique cookie banners showing only in certain states, to apply in Oklahoma
- Revise Consumer-Request Workflow. Ensure request intake and appeals process covers Oklahoma residents
In sum, Oklahoma’s new privacy law is evolutionary, not revolutionary. The law positions Oklahoma squarely within the mainstream of U.S. comprehensive privacy laws. Companies with mature privacy programs aligned to the Virginia model will face modest incremental compliance work, primarily around documentation and coverage confirmation.