Key Takeaways
- The Oklahoma Data Privacy Act grants residents new rights to access, correct, delete, and opt out of the sale of their personal data.
- Broad exemptions for nonprofits, financial institutions, and state agencies may limit the law’s effectiveness and leave gaps in consumer protection.
- The Oklahoma law adds to a growing state-level patchwork, highlighting the absence of a federal baseline that ensures uniform data protections.
What Happened
On March 20, Oklahoma signed Senate Bill 546 into law, establishing new consumer rights regarding personal data. This legislation establishes defined requirements for businesses that collect and process personal information of Oklahoma residents.
Effective in 2027, “Oklahomans will be able to access, correct, delete, and obtain copies of their personal data” and will also be able to opt out of the sale of their personal data as well as some targeted advertising practices. The Oklahoma Attorney General is responsible for enforcement should businesses fail to comply.
Privacy and Governance Concerns
This law applies to businesses operating in Oklahoma that (a) process the data of more than 100,000 consumers or (b) process the data of 25,000 consumers while deriving a majority of their revenue from selling that data. Applicable businesses are required to provide transparent privacy notices, maintain adequate data security practices, and obtain consumer consent before processing sensitive personal information.
The exemptions to this law include the following entities: state agencies and political subdivisions; financial institutions; covered entities and business associates; nonprofit organizations; higher education institutions; and individuals processing data in their personal capacity. This may be an opportunity for increased transparency and accountability in the future.
In terms of this legislation, a “consumer” means an individual who is a resident of Oklahoma acting only in their capacity as an individual or in the household context and does not encompass those acting in a commercial or employment context. Consumers may initiate an authenticated consumer request within 45 days, and this law requires data controllers to respond to these requests within 45 days. This policy addresses a current regulatory gap and affirms consumer rights.
Why It Matters / Policy Considerations
This policy contributes to the growing patchwork of state-level data protection frameworks developing in the absence of a federal privacy law. A federal law would resolve this issue by establishing a uniform baseline for companies currently operating under 50 different frameworks. The patchwork also creates an inconsistency in which people may receive greater data privacy protections depending on the state in which they live, despite all being citizens of the same country. A federal baseline would set a standard and allow states to increase protections as they wish.




