The OKCDPA grants residents rights to access, correct, delete, and obtain copies of their personal data. Consumers can opt out of data sales, targeted advertising, and profiling. Businesses must respond to requests within 45 days (extendable to 90 days), provide privacy notices, implement data minimization practices, conduct privacy assessments, secure data, and obtain consent before processing sensitive information. The law mirrors business-friendly statutes like Virginia's CDPA and Colorado's law, with narrower definitions of "sale" and no expanded privacy protections for children beyond age 13. The statute does not require businesses to honor universal opt-out signals.
Oklahoma's law arrives after a two-year pause in new state privacy legislation and amid stalled federal efforts overshadowed by AI regulation debates. The statute expands the U.S. patchwork of state-level privacy rules now covering 20 or 21 states. Attorneys should monitor implementation timelines and how the Oklahoma Attorney General's office interprets key definitions, particularly around data sales and sensitive information categories, as these interpretations may influence enforcement patterns across similar state regimes.