State Privacy Laws: Oklahoma
A summary of privacy laws in Oklahoma.
Overview
The Oklahoma Consumer Data Privacy Act (OCDPA) makes Oklahoma one of the states to adopt a comprehensive consumer data privacy law in 2026. The OCDPA provides the core consumer rights found in most state frameworks but takes a notably more business-friendly approach in its construction: the definition of "sale" is narrow (covering only exchanges for monetary consideration), the law includes broad exemptions, and there is no universal opt-out requirement, meaning businesses are not obligated to honor opt-out preference signals like the Global Privacy Control.
Key Dates
- Signed into law: March 20, 2026
- Effective date: January 1, 2027
Thresholds
The OCDPA applies to entities that conduct business in Oklahoma, or produce products or services targeted to Oklahoma residents, and during a calendar year meet at least one of the following:
- control or process the personal data of at least 100,000 Oklahoma consumers; or
- control or process the personal data of at least 25,000 Oklahoma consumers and derive more than 50% of gross revenue from the sale of personal data.
Consumer Rights
- The right to confirm whether a controller is processing their personal data and to access that data.
- The right to correct inaccuracies in their personal data.
- The right to delete their personal data.
- The right to obtain a portable copy of their personal data.
- The right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- The right to appeal a controller's denial of a request.
Sensitive Data
The law defines sensitive data to include personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- A mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed to uniquely identify an individual
- Personal data collected from a known child (under 13 years of age)
- Precise geolocation data
Penalties
Violations are enforced exclusively by the Oklahoma Attorney General, with civil penalties of up to $7,500 per violation. There is no private right of action. A 30-day right to cure applies and does not sunset.
Configure Your Consent Banner for OCDPA
Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. OCDPA in Oklahoma). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like OCDPA in Oklahoma).
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Implied
- Blocking Mode: Strict
- Google Consent Mode V2: Advanced
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Enabled
- Enable Do Not Sell Consent: Enabled
- Enable Global Privacy Control: Enabled
For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.
While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions, only adding additional regions for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.