Oklahoma Consumer Data Privacy Act and What Businesses Need Before January 2027

Oklahoma enacted the Consumer Data Privacy Act, and it takes effect on January 1, 2027. Because the law is settled rather than pending, a covered business has a fixed period to prepare and should spend it on implementation instead of waiting on the legislature.

The Act covers a business that processes the personal data of at least 100,000 Oklahoma consumers in a year, or at least 25,000 consumers when more than half of its gross revenue comes from selling personal data. A business under both lines falls outside it, so the coverage check comes before any drafting.

Oklahoma grants a set of rights similar to other states' laws, namely access, correction, deletion, portability, an opt out of targeted advertising, sale, and profiling, and the right to an appeal when a request is denied, and each of those rights needs a working path behind it, a verification method, and a response process. A covered business should use the time before 2027 to confirm who receives requests, how appeals are handled, and whether the public notice matches the categories, purposes, and recipients in its data flow.

Sensitive data, targeted advertising, and sales raise the hardest questions, because they decide whether the notice needs more specific language and whether the request path can be described truthfully. The notice, opt out path, and internal rules have to line up, which is why a data map comes first, since a policy is only as accurate as a business's picture of which tools collect sensitive data, which forms ask for it, and which vendors receive it.

Covered businesses have time to prepare, but they should start now, especially those that handle location data, biometrics, health data, children's data, or heavy profiling, because those are the first places a mismatch surfaces between the page and the operation. Build the data map and the request workflow first, then write the privacy page to match.