Oklahoma Enacts Data Privacy Law
Oklahoma recently enacted a comprehensive consumer data privacy law (the Act), which will become effective on January 1, 2027. This comes after multiple other states have enacted similar laws in recent years.
Scope
The Act applies to “controllers” and “processors” that conduct business in Oklahoma or produce a product or service targeted to Oklahoma residents and that, during the calendar year, either control or process the personal data of: (i) at least 100,000 consumers; or (ii) at least 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal data. “Personal data” is defined, in part, as “any information including sensitive data that is linked or reasonably linkable to an identified or identifiable individual,” but excludes “de-identified data or publicly available information.”
The Act does not apply to certain entities, including, among others, (i) financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act; (ii) nonprofits; and (iii) covered entities and business associates governed by 45 C.F.R. Parts 160 and 164 established by HIPAA and the HITECH Act. Also, certain kinds of data are exempt, for example, protected health information under HIPAA, health records, and personal information related to credit, if the activity is regulated by and authorized under the Fair Credit Reporting Act.
Consumer Rights
The Act grants consumers certain rights with respect to their personal data. Consumers may request: (i) confirmation of whether the controller is processing the consumer’s personal data and access to that data; (ii) correction of inaccuracies; (iii) deletion of the data obtained about or provided by the consumer; (iv) a copy of the personal data processed by the controller in a portable and, if feasible, readily usable format for the data to be transmitted to another controller; and (v) an opt-out of any processing for targeted advertising, profiling, or sale of the consumer’s personal data.
The controller must reply to a consumer’s request within 45 days of receipt, but may extend this period once by a further 45 days if reasonably necessary, provided the consumer is informed of the extension and the reason for it within the original 45-day period. Responses to a consumer’s reasonable requests must be provided free of charge up to twice a year.
Notice Requirements and Other Obligations
The Act imposes notice requirements. Controllers must provide consumers with a privacy notice that includes: (i) the categories of personal data processed; (ii) the purpose for processing the personal data; (iii) how consumers may exercise their rights, including how to appeal a controller’s decision on a consumer’s request; (iv) if the controller shares information with third parties, the categories of those third parties and the categories of personal data shared; and (v) if applicable, the right to opt out of the sale of personal data and of its processing for targeted advertising.
The Act also imposes other requirements, including specific requirements for contracts between controllers and processors, and requirements on controllers to conduct and document a data protection assessment on processing activities involving personal data.
Penalties and Enforcement
There is no private right of action in the Act. The Act does provide for a notice and cure period when the Attorney General alleges violations of the Act.
