If your company has received a consumer data request from an Oklahoma resident, you need to understand what the law requires, how quickly you must respond, and what information must be redacted before you send the response. This guide covers the Oklahoma Computer Data Privacy Act (OCDPA) in practical terms — what it means for your business, not just what the statute says.
These requests are formally known as Data Subject Access Requests (DSARs) under European law, or consumer privacy requests under U.S. state law. Regardless of the terminology, the obligation is the same: locate the consumer's personal data, review it, redact third-party personal information, and respond within the statutory deadline.
For a comparison of all US state privacy laws, see our comprehensive comparison page. For state-specific guidance, see our guides for California, Virginia, and Colorado.
The Oklahoma Computer Data Privacy Act (OCDPA) (Okla. Stat. tit. 24, Senate Bill 546) took effect on November 1, 2026.
Applicability thresholds: The law applies to an entity that conducts business in Oklahoma or produces products or services targeted to Oklahoma residents, AND either: (a) controls or processes personal data of 100,000 or more Oklahoma consumers, OR (b) controls or processes personal data of 25,000 or more Oklahoma consumers and derives over 50% of gross revenue from the sale of personal data.
Exemptions: State and local government entities, nonprofits, HIPAA-covered entities, GLBA-covered financial institutions, institutions of higher education, data processed pursuant to FCRA, FERPA, and COPPA. Entities already compliant with HIPAA or GLBA are deemed compliant for data governed by those laws.
Physical presence: No physical presence required. Applies to entities that conduct business in Oklahoma or target Oklahoma residents.
Practical note: If you are unsure whether your business meets the thresholds, consult with your legal team. The penalties for non-compliance are significant, and "we didn't know the law applied to us" is not a recognized defense.
Under the OCDPA, Oklahoma consumers have the following rights regarding their personal data:
Oklahoma's law closely follows the Virginia/Connecticut model. Sensitive data — including racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, and data of known children — requires opt-in consent before processing. The law was signed by the Governor on March 20, 2026.
You have 45 calendar days from receipt of the request to provide a substantive response.
Extensions: One additional 45-day extension if reasonably necessary. The controller must inform the consumer of the extension and the reason within the initial 45-day period.
When the clock starts: The clock starts upon receipt of the request. The controller must authenticate the consumer's identity before fulfilling the request.
If the controller declines a request, it must inform the consumer without undue delay, provide the reason, and offer instructions for appealing the decision. The controller has 60 days to respond to an appeal.
Critical point: The deadline runs from when you receive the request, not from when you finish verifying the consumer's identity. Do not wait to begin processing until verification is complete — start locating and reviewing the data immediately.
When you compile documents for a consumer data request response, you will inevitably find personal information belonging to other people — colleagues, clients, family members, business contacts. This third-party data must be redacted before you send the response to the requesting consumer.
Some categories of information require case-by-case assessment:
The entire point of a consumer data request is to give the individual access to their own data. Do not redact the requester's personal information. This includes their name, email, phone number, address, employment records, transaction history, and any other data that relates to them specifically.
This is what makes data request redaction different from standard document redaction. You are performing selective redaction: keeping one person's data while removing everyone else's. Automated tools that simply blank out all PII will over-redact and produce an unusable response.
Penalties: Up to $7,500 per violation.
Enforcement: Oklahoma Attorney General (exclusive enforcement authority). No private right of action. Only the AG can bring enforcement actions.
Cure period: 30-day cure period.
Signed March 20, 2026, effective November 1, 2026. No enforcement actions yet. Oklahoma is the 21st state to enact a comprehensive consumer privacy law, following the Virginia/Connecticut model with standard thresholds and AG-only enforcement.
Risk note: Even where a cure period exists, it typically applies only to the first violation. A pattern of non-compliance or a failure to cure within the allowed period can result in full penalties. The cost of responding correctly the first time is significantly lower than the cost of enforcement.
SafeRedact automates the most time-consuming part of responding to consumer data requests: identifying and redacting third-party personal information across thousands of documents.