
Oklahoma


Passed Date: April 21, 2026
Effective Date: January 1, 2027
Right to Know in Oklahoma: Yes
Right to Delete in Oklahoma: Yes
Right to Opt Out of Sales in Oklahoma: Yes
Right to Correct in Oklahoma: Yes
Right to Non-Discrimination in Oklahoma: Yes
Authorized Agent in Oklahoma: No

What the OCPA does for you

Under Oklahoma's new consumer privacy law (OCPA), you have the right to know what personal data companies collect about you, correct inaccuracies, request deletion, and obtain a portable copy of your data. You can also opt out of the sale of your data, targeted advertising, and certain automated decision-making. These rights take effect January 1, 2027, and apply to businesses that meet specific size thresholds.

Your rights under the OCPA

Right to Know

You have the right to confirm whether a business is processing your personal data and to access that data. You can ask a covered business what personal information it holds about you and receive a copy of it.

Exceptions: Does not apply to de-identified data or publicly available information; Does not apply to pseudonymous data where the controller keeps identifying information separately with effective technical controls; Business may decline if it cannot reasonably associate the request with your personal data; Free responses limited to twice per year; excessive or repetitive requests may incur a reasonable fee.

Source: ENR. S. B. NO. 546, Section 2(B)(1) (codified as Okla. Stat. tit. 75A, § 301(B)(1))

Right to Delete

You have the right to request that a covered business delete personal data it has collected about you or obtained from other sources.

Exceptions: Does not apply to data necessary to complete a transaction or perform a contract with you; Does not apply to data required to be retained by law; Does not apply to data used for security incident detection, fraud prevention, or legal defense; Does not apply to data used for certain research purposes governed by an IRB; For data obtained from third-party sources, business may comply by retaining a minimal deletion record instead of full deletion.

Source: ENR. S. B. NO. 546, Section 2(B)(3) (codified as Okla. Stat. tit. 75A, § 301(B)(3))

Right to Correct

You have the right to request that a covered business correct inaccuracies in your personal data, taking into account the nature of the data and its purpose.

Exceptions: Corrections must be considered in light of the nature and purpose of the data.

Source: ENR. S. B. NO. 546, Section 2(B)(2) (codified as Okla. Stat. tit. 75A, § 301(B)(2))

Right to Opt Out of Sales

You have the right to opt out of the sale of your personal data to third parties for money. Once you opt out, the business must stop selling your data.

Exceptions: Does not apply to transfers of data to service providers acting on the business's behalf; Does not apply to disclosures made at your direction; Does not apply to transfers as part of a merger or acquisition; Does not apply to data you intentionally made publicly available.

Source: ENR. S. B. NO. 546, Section 2(B)(5)(b) (codified as Okla. Stat. tit. 75A, § 301(B)(5)(b))

Right to Opt Out of Processing

You have the right to opt out of your personal data being used for targeted advertising — ads selected based on your activity across different websites and apps over time.

Exceptions: Does not apply to ads based on your activity within a single company's own websites; Does not apply to ads based on your current search query or website visit context; Does not apply to ads in direct response to your own request for information; Does not apply to processing solely for measuring or reporting ad performance.

Source: ENR. S. B. NO. 546, Section 2(B)(5)(a) (codified as Okla. Stat. tit. 75A, § 301(B)(5)(a))

Right to Opt Out of Automated Decisions

You have the right to opt out of profiling — automated processing of your data — when it is used to make decisions that have significant effects on you, such as decisions about credit, housing, insurance, employment, health care, or education.

Exceptions: Only applies to profiling in furtherance of decisions producing legal or similarly significant effects; Does not apply to profiling that does not produce legal or similarly significant effects.

Source: ENR. S. B. NO. 546, Section 2(B)(5)(c) (codified as Okla. Stat. tit. 75A, § 301(B)(5)(c))

Right to Data Portability

If your data is available in digital format, you have the right to receive a copy of personal data you previously provided to a business in a portable, easy-to-use format so you can transfer it to another company.

Exceptions: Only applies to data available in digital format; Only applies to data you previously provided to the controller; Only applies where processing is carried out by automated means; Does not apply to de-identified data or publicly available information.

Source: ENR. S. B. NO. 546, Section 2(B)(4) (codified as Okla. Stat. tit. 75A, § 301(B)(4))

Right to Non-Discrimination

A business cannot penalize you for exercising your privacy rights. It cannot deny you goods or services, charge you higher prices, or give you worse quality service just because you exercised your rights under this law.

Exceptions: A business may offer a different price or level of service if you opt out and this is directly related to your data's value, or if it is part of a voluntary loyalty or rewards program; A business is not required to provide a product or service that requires data you ask it not to collect.

Source: ENR. S. B. NO. 546, Section 7(B)(3) and Section 7(C) (codified as Okla. Stat. tit. 75A, § 306(B)(3), (C))

Right to Limit Sensitive Data

Companies must obtain your consent before processing your sensitive personal data. Sensitive data includes information about your race or ethnicity, religious beliefs, health or mental health diagnoses, sexual orientation, immigration status, genetic or biometric data, precise location, and data collected from children.

Exceptions: Processing of a known child's sensitive data must comply with COPPA rather than requiring separate consent; Certain health-related sensitive data is exempt if already covered by HIPAA.

Source: ENR. S. B. NO. 546, Section 7(B)(4) (codified as Okla. Stat. tit. 75A, § 306(B)(4))

How to exercise your rights

  1. See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed.
  2. Submit an OCPA deletion or opt-out request. Covered businesses have 45 days to respond (ENR. S. B. NO. 546, Section 3 (codified as Okla. Stat. tit. 75A, § 302)), with up to 45 additional days if they invoke the extension provision.
  3. Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data.

Authorized agents

The OCPA does not mention authorized agents (Oklahoma Consumer Privacy Act, SB 546, effective January 1, 2027). This means data brokers are not required to honor privacy requests submitted by someone other than you personally. Optery can help you submit requests directly: we prepare everything for you, and you hit send.

Enforcement and penalties

The OCPA is enforced by the Oklahoma Attorney General. If a business violates this law, the Oklahoma Attorney General can give it 30 days to fix the problem. If the business fails to cure the violation or breaks a written promise to do so, it can be fined up to $7,500 per violation. The AG can also seek court orders to stop ongoing violations. There is no private right of action; only the Attorney General can bring enforcement actions.

Who does the OCPA apply to?

This law applies to businesses that conduct business in Oklahoma or target products/services to Oklahoma residents AND either: (1) control or process personal data of at least 100,000 consumers per year, or (2) control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from selling personal data. The law does NOT apply to state agencies, financial institutions covered by Gramm-Leach-Bliley, HIPAA-covered entities, nonprofit organizations, institutions of higher education, or individuals acting in a purely personal or household capacity.

Frequently asked questions

Which businesses does this Oklahoma privacy law cover?

The law applies to businesses that operate in Oklahoma or target Oklahoma residents AND either process personal data of at least 100,000 consumers per year, or process personal data of at least 25,000 consumers and earn more than 50% of gross revenue from selling personal data (ENR. S. B. NO. 546, Section 15, Okla. Stat. tit. 75A, § 314). Nonprofits, state agencies, universities, and HIPAA-covered health entities are specifically exempt.

How long does a business have to respond to my privacy request?

A business must respond to your request within 45 days of receiving it (ENR. S. B. NO. 546, Section 3(B), Okla. Stat. tit. 75A, § 302(B)). It can extend this deadline by an additional 45 days if the request is complex, but it must notify you of the extension and the reason within the original 45-day window. If a business denies your request, it must explain why and tell you how to appeal.

What can I do if a business denies my privacy request?

If a business refuses your request, it must tell you why and provide instructions for appealing the decision (ENR. S. B. NO. 546, Section 3(C), Okla. Stat. tit. 75A, § 302(C)). You can appeal, and the business must respond to your appeal in writing within 60 days (ENR. S. B. NO. 546, Section 4(B), Okla. Stat. tit. 75A, § 303(B)). If the appeal is also denied, the business must give you a link to file a complaint with the Oklahoma Attorney General.

Can I sue a company directly for violating my privacy rights?

No. This law does not give you a private right of action — only the Oklahoma Attorney General can bring enforcement actions against businesses that violate this law (ENR. S. B. NO. 546, Section 14(E), Okla. Stat. tit. 75A, § 313(E)). If you believe your rights have been violated, you can file a complaint with the Attorney General through the online mechanism on the AG's website.

When does this law take effect?

Oklahoma's consumer privacy law takes effect on January 1, 2027 (ENR. S. B. NO. 546, Section 22). Until that date, businesses are not yet legally required to honor consumer rights requests under this specific law, though other laws may still apply to your personal data.
