open-agreements 0.7.7 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (704)
  1. package/LICENSE +201 -21
  2. package/README.de.md +16 -29
  3. package/README.es.md +16 -29
  4. package/README.md +45 -54
  5. package/README.pt-br.md +16 -29
  6. package/README.template.md +19 -25
  7. package/README.zh.md +16 -29
  8. package/content/recipes/nvca-certificate-of-incorporation/fields/acquisition_exception_shares.json +36 -0
  9. package/content/recipes/nvca-certificate-of-incorporation/fields/adjustment_notice_days.json +22 -0
  10. package/content/recipes/nvca-certificate-of-incorporation/fields/common_shares_authorized.json +22 -0
  11. package/content/recipes/nvca-certificate-of-incorporation/fields/company_name.json +29 -0
  12. package/content/recipes/nvca-certificate-of-incorporation/fields/conversion_notice_days.json +22 -0
  13. package/content/recipes/nvca-certificate-of-incorporation/fields/dividend_formula_alt.json +22 -0
  14. package/content/recipes/nvca-certificate-of-incorporation/fields/dividend_rate_per_share.json +22 -0
  15. package/content/recipes/nvca-certificate-of-incorporation/fields/dividend_rate_percent.json +22 -0
  16. package/content/recipes/nvca-certificate-of-incorporation/fields/effective_date.json +22 -0
  17. package/content/recipes/nvca-certificate-of-incorporation/fields/number_of_classes.json +29 -0
  18. package/content/recipes/nvca-certificate-of-incorporation/fields/original_issue_price.json +22 -0
  19. package/content/recipes/nvca-certificate-of-incorporation/fields/par_value.json +36 -0
  20. package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_director_seats.json +22 -0
  21. package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_shares_authorized.json +22 -0
  22. package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_shares_designated_portion.json +29 -0
  23. package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_shares_outstanding_threshold.json +29 -0
  24. package/content/recipes/nvca-certificate-of-incorporation/fields/qualified_financing_notice_days.json +22 -0
  25. package/content/recipes/nvca-certificate-of-incorporation/fields/redemption_interest_rate.json +22 -0
  26. package/content/recipes/nvca-certificate-of-incorporation/fields/redemption_start_date.json +22 -0
  27. package/content/recipes/nvca-certificate-of-incorporation/fields/registered_agent_address.json +22 -0
  28. package/content/recipes/nvca-certificate-of-incorporation/fields/registered_agent_name.json +22 -0
  29. package/content/recipes/nvca-certificate-of-incorporation/fields/series_designation.json +22 -0
  30. package/content/recipes/nvca-certificate-of-incorporation/fields/signature_page_marker.json +22 -0
  31. package/content/recipes/nvca-certificate-of-incorporation/fields/specify_percentage.json +22 -0
  32. package/content/recipes/nvca-certificate-of-incorporation/fields/strategic_partnership_exception_shares.json +22 -0
  33. package/content/recipes/nvca-certificate-of-incorporation/fields/time_zone.json +22 -0
  34. package/content/recipes/nvca-certificate-of-incorporation/fields/total_authorized_shares.json +22 -0
  35. package/content/recipes/nvca-certificate-of-incorporation/template-manifest.json +77 -0
  36. package/content/recipes/nvca-stock-purchase-agreement/fields/agreement_date_month_day.json +27 -0
  37. package/content/recipes/nvca-stock-purchase-agreement/fields/agreement_year_two_digits.json +27 -0
  38. package/content/recipes/nvca-stock-purchase-agreement/fields/company_name.json +25 -0
  39. package/content/recipes/nvca-stock-purchase-agreement/fields/investor_counsel.json +27 -0
  40. package/content/recipes/nvca-stock-purchase-agreement/fields/minimum_shares_initial_closing.json +39 -0
  41. package/content/recipes/nvca-stock-purchase-agreement/fields/optional_plural_suffix.json +27 -0
  42. package/content/recipes/nvca-stock-purchase-agreement/fields/par_value_per_share.json +28 -0
  43. package/content/recipes/nvca-stock-purchase-agreement/fields/purchase_price_per_share.json +28 -0
  44. package/content/recipes/nvca-stock-purchase-agreement/fields/series_designation.json +159 -0
  45. package/content/recipes/nvca-stock-purchase-agreement/metadata.yaml +1 -1
  46. package/content/recipes/nvca-stock-purchase-agreement/template-manifest.json +24 -0
  47. package/content/templates/bonterms-mutual-nda/template.docx +0 -0
  48. package/content/templates/openagreements-board-consent-safe/.template.generated.json +0 -1
  49. package/content/templates/openagreements-employee-ip-inventions-assignment/.template.generated.json +9 -5
  50. package/content/templates/openagreements-employee-ip-inventions-assignment/README.md +2 -0
  51. package/content/templates/openagreements-employee-ip-inventions-assignment/metadata.yaml +8 -9
  52. package/content/templates/openagreements-employee-ip-inventions-assignment/template.docx +0 -0
  53. package/content/templates/openagreements-employee-ip-inventions-assignment/template.md +3 -4
  54. package/content/templates/openagreements-employment-confidentiality-acknowledgement/metadata.yaml +0 -9
  55. package/content/templates/openagreements-employment-confidentiality-acknowledgement/template.docx +0 -0
  56. package/content/templates/openagreements-employment-confidentiality-acknowledgement/template.json +0 -1
  57. package/content/templates/openagreements-employment-offer-letter/.template.generated.json +9 -5
  58. package/content/templates/openagreements-employment-offer-letter/README.md +17 -5
  59. package/content/templates/openagreements-employment-offer-letter/metadata.yaml +8 -9
  60. package/content/templates/openagreements-employment-offer-letter/template.docx +0 -0
  61. package/content/templates/openagreements-employment-offer-letter/template.md +3 -4
  62. package/content/templates/openagreements-restrictive-covenant-florida/.template.generated.json +9 -5
  63. package/content/templates/openagreements-restrictive-covenant-florida/README.md +2 -2
  64. package/content/templates/openagreements-restrictive-covenant-florida/metadata.yaml +10 -12
  65. package/content/templates/openagreements-restrictive-covenant-florida/template.docx +0 -0
  66. package/content/templates/openagreements-restrictive-covenant-florida/template.md +3 -4
  67. package/content/templates/openagreements-restrictive-covenant-wyoming/.template.generated.json +9 -5
  68. package/content/templates/openagreements-restrictive-covenant-wyoming/metadata.yaml +10 -12
  69. package/content/templates/openagreements-restrictive-covenant-wyoming/template.docx +0 -0
  70. package/content/templates/openagreements-restrictive-covenant-wyoming/template.md +3 -4
  71. package/content/templates/openagreements-stockholder-consent-safe/.template.generated.json +0 -1
  72. package/dist/core/checklist/format-checklist-docx.d.ts.map +1 -1
  73. package/dist/core/checklist/format-checklist-docx.js +4 -1
  74. package/dist/core/checklist/format-checklist-docx.js.map +1 -1
  75. package/dist/core/engine.d.ts.map +1 -1
  76. package/dist/core/engine.js +2 -40
  77. package/dist/core/engine.js.map +1 -1
  78. package/dist/core/fill-pipeline.d.ts +0 -8
  79. package/dist/core/fill-pipeline.d.ts.map +1 -1
  80. package/dist/core/fill-pipeline.js +54 -30
  81. package/dist/core/fill-pipeline.js.map +1 -1
  82. package/dist/core/humanize-docx.d.ts.map +1 -1
  83. package/dist/core/humanize-docx.js +16 -6
  84. package/dist/core/humanize-docx.js.map +1 -1
  85. package/dist/core/recipe/bracket-normalizer.d.ts.map +1 -1
  86. package/dist/core/recipe/bracket-normalizer.js +3 -7
  87. package/dist/core/recipe/bracket-normalizer.js.map +1 -1
  88. package/dist/core/recipe/cleaner.js +5 -5
  89. package/dist/core/recipe/cleaner.js.map +1 -1
  90. package/dist/core/recipe/index.d.ts +1 -1
  91. package/dist/core/recipe/index.d.ts.map +1 -1
  92. package/dist/core/recipe/index.js +57 -4
  93. package/dist/core/recipe/index.js.map +1 -1
  94. package/dist/core/recipe/ooxml-parts.d.ts +11 -0
  95. package/dist/core/recipe/ooxml-parts.d.ts.map +1 -1
  96. package/dist/core/recipe/ooxml-parts.js +22 -0
  97. package/dist/core/recipe/ooxml-parts.js.map +1 -1
  98. package/dist/core/recipe/patcher.d.ts.map +1 -1
  99. package/dist/core/recipe/patcher.js +2 -5
  100. package/dist/core/recipe/patcher.js.map +1 -1
  101. package/dist/core/recipe/source-drift.d.ts +19 -0
  102. package/dist/core/recipe/source-drift.d.ts.map +1 -1
  103. package/dist/core/recipe/source-drift.js +32 -2
  104. package/dist/core/recipe/source-drift.js.map +1 -1
  105. package/dist/core/selector.d.ts.map +1 -1
  106. package/dist/core/selector.js +49 -4
  107. package/dist/core/selector.js.map +1 -1
  108. package/dist/core/selectors/index.d.ts +40 -0
  109. package/dist/core/selectors/index.d.ts.map +1 -0
  110. package/dist/core/selectors/index.js +64 -0
  111. package/dist/core/selectors/index.js.map +1 -0
  112. package/dist/core/selectors/loader.d.ts +16 -0
  113. package/dist/core/selectors/loader.d.ts.map +1 -0
  114. package/dist/core/selectors/loader.js +80 -0
  115. package/dist/core/selectors/loader.js.map +1 -0
  116. package/dist/core/selectors/manifest-schema.d.ts +123 -0
  117. package/dist/core/selectors/manifest-schema.d.ts.map +1 -0
  118. package/dist/core/selectors/manifest-schema.js +93 -0
  119. package/dist/core/selectors/manifest-schema.js.map +1 -0
  120. package/dist/core/selectors/patch.d.ts +24 -0
  121. package/dist/core/selectors/patch.d.ts.map +1 -0
  122. package/dist/core/selectors/patch.js +68 -0
  123. package/dist/core/selectors/patch.js.map +1 -0
  124. package/dist/core/selectors/postconditions.d.ts +24 -0
  125. package/dist/core/selectors/postconditions.d.ts.map +1 -0
  126. package/dist/core/selectors/postconditions.js +50 -0
  127. package/dist/core/selectors/postconditions.js.map +1 -0
  128. package/dist/core/selectors/resolve.d.ts +32 -0
  129. package/dist/core/selectors/resolve.d.ts.map +1 -0
  130. package/dist/core/selectors/resolve.js +36 -0
  131. package/dist/core/selectors/resolve.js.map +1 -0
  132. package/dist/core/unified-pipeline.d.ts +3 -1
  133. package/dist/core/unified-pipeline.d.ts.map +1 -1
  134. package/dist/core/unified-pipeline.js +19 -5
  135. package/dist/core/unified-pipeline.js.map +1 -1
  136. package/gemini-extension.json +1 -1
  137. package/node_modules/@usejunior/docx-core/LICENSE +202 -21
  138. package/node_modules/@usejunior/docx-core/NOTICE +2 -0
  139. package/node_modules/@usejunior/docx-core/README.md +2 -2
  140. package/node_modules/@usejunior/docx-core/dist/.tsbuildinfo +1 -1
  141. package/node_modules/@usejunior/docx-core/dist/atomizer.d.ts +55 -0
  142. package/node_modules/@usejunior/docx-core/dist/atomizer.d.ts.map +1 -1
  143. package/node_modules/@usejunior/docx-core/dist/atomizer.js +139 -14
  144. package/node_modules/@usejunior/docx-core/dist/atomizer.js.map +1 -1
  145. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.d.ts +99 -0
  146. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.d.ts.map +1 -0
  147. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.js +415 -0
  148. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.js.map +1 -0
  149. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/documentReconstructor.d.ts.map +1 -1
  150. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/documentReconstructor.js +403 -113
  151. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/documentReconstructor.js.map +1 -1
  152. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.d.ts +99 -0
  153. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.d.ts.map +1 -0
  154. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.js +449 -0
  155. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.js.map +1 -0
  156. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.d.ts +37 -0
  157. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.d.ts.map +1 -0
  158. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.js +189 -0
  159. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.js.map +1 -0
  160. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.d.ts +74 -0
  161. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.d.ts.map +1 -0
  162. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.js +171 -0
  163. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.js.map +1 -0
  164. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.d.ts +88 -0
  165. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.d.ts.map +1 -0
  166. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.js +326 -0
  167. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.js.map +1 -0
  168. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.d.ts +85 -0
  169. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.d.ts.map +1 -0
  170. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.js +402 -0
  171. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.js.map +1 -0
  172. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.d.ts +39 -0
  173. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.d.ts.map +1 -0
  174. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.js +265 -0
  175. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.js.map +1 -0
  176. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.d.ts +62 -0
  177. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.d.ts.map +1 -0
  178. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.js +139 -0
  179. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.js.map +1 -0
  180. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.d.ts +198 -0
  181. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.d.ts.map +1 -0
  182. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.js +475 -0
  183. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.js.map +1 -0
  184. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.d.ts +6 -290
  185. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.d.ts.map +1 -1
  186. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.js +23 -1828
  187. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.js.map +1 -1
  188. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.d.ts +36 -2
  189. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.d.ts.map +1 -1
  190. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.js +456 -224
  191. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.js.map +1 -1
  192. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/trackChangesAcceptorAst.d.ts.map +1 -1
  193. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/trackChangesAcceptorAst.js +199 -173
  194. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/trackChangesAcceptorAst.js.map +1 -1
  195. package/node_modules/@usejunior/docx-core/dist/baselines/wmlcomparer/DotnetCli.d.ts.map +1 -1
  196. package/node_modules/@usejunior/docx-core/dist/baselines/wmlcomparer/DotnetCli.js +7 -0
  197. package/node_modules/@usejunior/docx-core/dist/baselines/wmlcomparer/DotnetCli.js.map +1 -1
  198. package/node_modules/@usejunior/docx-core/dist/cli/compare-two.d.ts.map +1 -1
  199. package/node_modules/@usejunior/docx-core/dist/cli/compare-two.js +3 -1
  200. package/node_modules/@usejunior/docx-core/dist/cli/compare-two.js.map +1 -1
  201. package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.d.ts +3 -0
  202. package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.d.ts.map +1 -0
  203. package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.js +93 -0
  204. package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.js.map +1 -0
  205. package/node_modules/@usejunior/docx-core/dist/cli/index.d.ts.map +1 -1
  206. package/node_modules/@usejunior/docx-core/dist/cli/index.js +5 -1
  207. package/node_modules/@usejunior/docx-core/dist/cli/index.js.map +1 -1
  208. package/node_modules/@usejunior/docx-core/dist/compare-types.d.ts +197 -0
  209. package/node_modules/@usejunior/docx-core/dist/compare-types.d.ts.map +1 -0
  210. package/node_modules/@usejunior/docx-core/dist/compare-types.js +2 -0
  211. package/node_modules/@usejunior/docx-core/dist/compare-types.js.map +1 -0
  212. package/node_modules/@usejunior/docx-core/dist/core-types.d.ts +5 -1
  213. package/node_modules/@usejunior/docx-core/dist/core-types.d.ts.map +1 -1
  214. package/node_modules/@usejunior/docx-core/dist/core-types.js +5 -1
  215. package/node_modules/@usejunior/docx-core/dist/core-types.js.map +1 -1
  216. package/node_modules/@usejunior/docx-core/dist/footnotes.d.ts +8 -3
  217. package/node_modules/@usejunior/docx-core/dist/footnotes.d.ts.map +1 -1
  218. package/node_modules/@usejunior/docx-core/dist/footnotes.js +8 -3
  219. package/node_modules/@usejunior/docx-core/dist/footnotes.js.map +1 -1
  220. package/node_modules/@usejunior/docx-core/dist/generation/compile.d.ts +22 -0
  221. package/node_modules/@usejunior/docx-core/dist/generation/compile.d.ts.map +1 -0
  222. package/node_modules/@usejunior/docx-core/dist/generation/compile.js +58 -0
  223. package/node_modules/@usejunior/docx-core/dist/generation/compile.js.map +1 -0
  224. package/node_modules/@usejunior/docx-core/dist/generation/context.d.ts +42 -0
  225. package/node_modules/@usejunior/docx-core/dist/generation/context.d.ts.map +1 -0
  226. package/node_modules/@usejunior/docx-core/dist/generation/context.js +65 -0
  227. package/node_modules/@usejunior/docx-core/dist/generation/context.js.map +1 -0
  228. package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.d.ts +36 -0
  229. package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.d.ts.map +1 -0
  230. package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.js +116 -0
  231. package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.js.map +1 -0
  232. package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.d.ts +24 -0
  233. package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.d.ts.map +1 -0
  234. package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.js +60 -0
  235. package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.js.map +1 -0
  236. package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.d.ts +28 -0
  237. package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.d.ts.map +1 -0
  238. package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.js +19 -0
  239. package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.js.map +1 -0
  240. package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.d.ts +16 -0
  241. package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.d.ts.map +1 -0
  242. package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.js +74 -0
  243. package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.js.map +1 -0
  244. package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.d.ts +23 -0
  245. package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.d.ts.map +1 -0
  246. package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.js +57 -0
  247. package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.js.map +1 -0
  248. package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.d.ts +29 -0
  249. package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.d.ts.map +1 -0
  250. package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.js +102 -0
  251. package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.js.map +1 -0
  252. package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.d.ts +24 -0
  253. package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.d.ts.map +1 -0
  254. package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.js +121 -0
  255. package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.js.map +1 -0
  256. package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.d.ts +24 -0
  257. package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.d.ts.map +1 -0
  258. package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.js +63 -0
  259. package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.js.map +1 -0
  260. package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.d.ts +36 -0
  261. package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.d.ts.map +1 -0
  262. package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.js +157 -0
  263. package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.js.map +1 -0
  264. package/node_modules/@usejunior/docx-core/dist/generation/emit/run.d.ts +16 -0
  265. package/node_modules/@usejunior/docx-core/dist/generation/emit/run.d.ts.map +1 -0
  266. package/node_modules/@usejunior/docx-core/dist/generation/emit/run.js +71 -0
  267. package/node_modules/@usejunior/docx-core/dist/generation/emit/run.js.map +1 -0
  268. package/node_modules/@usejunior/docx-core/dist/generation/emit/section.d.ts +29 -0
  269. package/node_modules/@usejunior/docx-core/dist/generation/emit/section.d.ts.map +1 -0
  270. package/node_modules/@usejunior/docx-core/dist/generation/emit/section.js +117 -0
  271. package/node_modules/@usejunior/docx-core/dist/generation/emit/section.js.map +1 -0
  272. package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.d.ts +13 -0
  273. package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.d.ts.map +1 -0
  274. package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.js +68 -0
  275. package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.js.map +1 -0
  276. package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.d.ts +16 -0
  277. package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.d.ts.map +1 -0
  278. package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.js +82 -0
  279. package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.js.map +1 -0
  280. package/node_modules/@usejunior/docx-core/dist/generation/emit/table.d.ts +26 -0
  281. package/node_modules/@usejunior/docx-core/dist/generation/emit/table.d.ts.map +1 -0
  282. package/node_modules/@usejunior/docx-core/dist/generation/emit/table.js +209 -0
  283. package/node_modules/@usejunior/docx-core/dist/generation/emit/table.js.map +1 -0
  284. package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.d.ts +21 -0
  285. package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.d.ts.map +1 -0
  286. package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.js +151 -0
  287. package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.js.map +1 -0
  288. package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.d.ts +12 -0
  289. package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.d.ts.map +1 -0
  290. package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.js +19 -0
  291. package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.js.map +1 -0
  292. package/node_modules/@usejunior/docx-core/dist/generation/errors.d.ts +22 -0
  293. package/node_modules/@usejunior/docx-core/dist/generation/errors.d.ts.map +1 -0
  294. package/node_modules/@usejunior/docx-core/dist/generation/errors.js +29 -0
  295. package/node_modules/@usejunior/docx-core/dist/generation/errors.js.map +1 -0
  296. package/node_modules/@usejunior/docx-core/dist/generation/index.d.ts +13 -0
  297. package/node_modules/@usejunior/docx-core/dist/generation/index.d.ts.map +1 -0
  298. package/node_modules/@usejunior/docx-core/dist/generation/index.js +12 -0
  299. package/node_modules/@usejunior/docx-core/dist/generation/index.js.map +1 -0
  300. package/node_modules/@usejunior/docx-core/dist/generation/ordering.d.ts +46 -0
  301. package/node_modules/@usejunior/docx-core/dist/generation/ordering.d.ts.map +1 -0
  302. package/node_modules/@usejunior/docx-core/dist/generation/ordering.js +119 -0
  303. package/node_modules/@usejunior/docx-core/dist/generation/ordering.js.map +1 -0
  304. package/node_modules/@usejunior/docx-core/dist/generation/recipes.d.ts +87 -0
  305. package/node_modules/@usejunior/docx-core/dist/generation/recipes.d.ts.map +1 -0
  306. package/node_modules/@usejunior/docx-core/dist/generation/recipes.js +232 -0
  307. package/node_modules/@usejunior/docx-core/dist/generation/recipes.js.map +1 -0
  308. package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.d.ts +24 -0
  309. package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.d.ts.map +1 -0
  310. package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.js +318 -0
  311. package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.js.map +1 -0
  312. package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.d.ts +4 -0
  313. package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.d.ts.map +1 -0
  314. package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.js +18 -0
  315. package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.js.map +1 -0
  316. package/node_modules/@usejunior/docx-core/dist/generation/types.d.ts +266 -0
  317. package/node_modules/@usejunior/docx-core/dist/generation/types.d.ts.map +1 -0
  318. package/node_modules/@usejunior/docx-core/dist/generation/types.js +63 -0
  319. package/node_modules/@usejunior/docx-core/dist/generation/types.js.map +1 -0
  320. package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.d.ts +27 -0
  321. package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.d.ts.map +1 -0
  322. package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.js +363 -0
  323. package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.js.map +1 -0
  324. package/node_modules/@usejunior/docx-core/dist/index.d.ts +9 -150
  325. package/node_modules/@usejunior/docx-core/dist/index.d.ts.map +1 -1
  326. package/node_modules/@usejunior/docx-core/dist/index.js +14 -0
  327. package/node_modules/@usejunior/docx-core/dist/index.js.map +1 -1
  328. package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.d.ts +15 -0
  329. package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.d.ts.map +1 -0
  330. package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.js +84 -0
  331. package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.js.map +1 -0
  332. package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.d.ts +49 -0
  333. package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.d.ts.map +1 -0
  334. package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.js +290 -0
  335. package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.js.map +1 -0
  336. package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.d.ts +134 -0
  337. package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.d.ts.map +1 -0
  338. package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.js +298 -0
  339. package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.js.map +1 -0
  340. package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.d.ts +4 -3
  341. package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.d.ts.map +1 -1
  342. package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.js +163 -77
  343. package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.js.map +1 -1
  344. package/node_modules/@usejunior/docx-core/dist/primitives/comments.d.ts +12 -3
  345. package/node_modules/@usejunior/docx-core/dist/primitives/comments.d.ts.map +1 -1
  346. package/node_modules/@usejunior/docx-core/dist/primitives/comments.js +374 -97
  347. package/node_modules/@usejunior/docx-core/dist/primitives/comments.js.map +1 -1
  348. package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.d.ts +29 -0
  349. package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.d.ts.map +1 -0
  350. package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.js +63 -0
  351. package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.js.map +1 -0
  352. package/node_modules/@usejunior/docx-core/dist/primitives/document.d.ts +94 -15
  353. package/node_modules/@usejunior/docx-core/dist/primitives/document.d.ts.map +1 -1
  354. package/node_modules/@usejunior/docx-core/dist/primitives/document.js +377 -234
  355. package/node_modules/@usejunior/docx-core/dist/primitives/document.js.map +1 -1
  356. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.d.ts +18 -0
  357. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.d.ts.map +1 -0
  358. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.js +160 -0
  359. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.js.map +1 -0
  360. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.d.ts +45 -0
  361. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.d.ts.map +1 -0
  362. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.js +247 -0
  363. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.js.map +1 -0
  364. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.d.ts +11 -0
  365. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.d.ts.map +1 -0
  366. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.js +104 -0
  367. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.js.map +1 -0
  368. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.d.ts +37 -0
  369. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.d.ts.map +1 -0
  370. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.js +199 -0
  371. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.js.map +1 -0
  372. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.d.ts +165 -0
  373. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.d.ts.map +1 -0
  374. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.js +2 -0
  375. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.js.map +1 -0
  376. package/node_modules/@usejunior/docx-core/dist/primitives/document_view.d.ts +50 -101
  377. package/node_modules/@usejunior/docx-core/dist/primitives/document_view.d.ts.map +1 -1
  378. package/node_modules/@usejunior/docx-core/dist/primitives/document_view.js +287 -326
  379. package/node_modules/@usejunior/docx-core/dist/primitives/document_view.js.map +1 -1
  380. package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.d.ts +9 -0
  381. package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.d.ts.map +1 -1
  382. package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.js +10 -1
  383. package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.js.map +1 -1
  384. package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.d.ts +4 -3
  385. package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.d.ts.map +1 -1
  386. package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.js +232 -44
  387. package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.js.map +1 -1
  388. package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.d.ts +7 -0
  389. package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.d.ts.map +1 -1
  390. package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.js +22 -11
  391. package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.js.map +1 -1
  392. package/node_modules/@usejunior/docx-core/dist/primitives/index.d.ts +12 -0
  393. package/node_modules/@usejunior/docx-core/dist/primitives/index.d.ts.map +1 -1
  394. package/node_modules/@usejunior/docx-core/dist/primitives/index.js +11 -0
  395. package/node_modules/@usejunior/docx-core/dist/primitives/index.js.map +1 -1
  396. package/node_modules/@usejunior/docx-core/dist/primitives/layout.d.ts +4 -3
  397. package/node_modules/@usejunior/docx-core/dist/primitives/layout.d.ts.map +1 -1
  398. package/node_modules/@usejunior/docx-core/dist/primitives/layout.js +45 -3
  399. package/node_modules/@usejunior/docx-core/dist/primitives/layout.js.map +1 -1
  400. package/node_modules/@usejunior/docx-core/dist/primitives/locator.d.ts +76 -0
  401. package/node_modules/@usejunior/docx-core/dist/primitives/locator.d.ts.map +1 -0
  402. package/node_modules/@usejunior/docx-core/dist/primitives/locator.js +223 -0
  403. package/node_modules/@usejunior/docx-core/dist/primitives/locator.js.map +1 -0
  404. package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.d.ts +21 -3
  405. package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.d.ts.map +1 -1
  406. package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.js +32 -10
  407. package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.js.map +1 -1
  408. package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.d.ts +38 -0
  409. package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.d.ts.map +1 -0
  410. package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.js +323 -0
  411. package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.js.map +1 -0
  412. package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.d.ts +53 -0
  413. package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.d.ts.map +1 -1
  414. package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.js +59 -0
  415. package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.js.map +1 -1
  416. package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.d.ts +6 -4
  417. package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.d.ts.map +1 -1
  418. package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.js +187 -91
  419. package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.js.map +1 -1
  420. package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.d.ts +7 -0
  421. package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.d.ts.map +1 -0
  422. package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.js +27 -0
  423. package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.js.map +1 -0
  424. package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.d.ts +7 -0
  425. package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.d.ts.map +1 -0
  426. package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.js +39 -0
  427. package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.js.map +1 -0
  428. package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.d.ts +19 -0
  429. package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.d.ts.map +1 -0
  430. package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.js +29 -0
  431. package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.js.map +1 -0
  432. package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.d.ts +19 -0
  433. package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.d.ts.map +1 -0
  434. package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.js +165 -0
  435. package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.js.map +1 -0
  436. package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.d.ts +7 -0
  437. package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.d.ts.map +1 -1
  438. package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.js +23 -4
  439. package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.js.map +1 -1
  440. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.d.ts +37 -0
  441. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.d.ts.map +1 -0
  442. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.js +395 -0
  443. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.js.map +1 -0
  444. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.d.ts +16 -0
  445. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.d.ts.map +1 -0
  446. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.js +300 -0
  447. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.js.map +1 -0
  448. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.d.ts +15 -0
  449. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.d.ts.map +1 -0
  450. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.js +154 -0
  451. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.js.map +1 -0
  452. package/node_modules/@usejunior/docx-core/dist/primitives/styles.d.ts +15 -0
  453. package/node_modules/@usejunior/docx-core/dist/primitives/styles.d.ts.map +1 -1
  454. package/node_modules/@usejunior/docx-core/dist/primitives/styles.js +33 -22
  455. package/node_modules/@usejunior/docx-core/dist/primitives/styles.js.map +1 -1
  456. package/node_modules/@usejunior/docx-core/dist/primitives/table_context.d.ts +19 -0
  457. package/node_modules/@usejunior/docx-core/dist/primitives/table_context.d.ts.map +1 -0
  458. package/node_modules/@usejunior/docx-core/dist/primitives/table_context.js +189 -0
  459. package/node_modules/@usejunior/docx-core/dist/primitives/table_context.js.map +1 -0
  460. package/node_modules/@usejunior/docx-core/dist/primitives/tables.d.ts.map +1 -1
  461. package/node_modules/@usejunior/docx-core/dist/primitives/tables.js +13 -3
  462. package/node_modules/@usejunior/docx-core/dist/primitives/tables.js.map +1 -1
  463. package/node_modules/@usejunior/docx-core/dist/primitives/text.d.ts +2 -1
  464. package/node_modules/@usejunior/docx-core/dist/primitives/text.d.ts.map +1 -1
  465. package/node_modules/@usejunior/docx-core/dist/primitives/text.js +116 -12
  466. package/node_modules/@usejunior/docx-core/dist/primitives/text.js.map +1 -1
  467. package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.d.ts +148 -0
  468. package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.d.ts.map +1 -0
  469. package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.js +291 -0
  470. package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.js.map +1 -0
  471. package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.d.ts +35 -0
  472. package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.d.ts.map +1 -0
  473. package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.js +323 -0
  474. package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.js.map +1 -0
  475. package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.d.ts +29 -0
  476. package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.d.ts.map +1 -0
  477. package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.js +35 -0
  478. package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.js.map +1 -0
  479. package/node_modules/@usejunior/docx-core/dist/primitives/xml.d.ts +5 -0
  480. package/node_modules/@usejunior/docx-core/dist/primitives/xml.d.ts.map +1 -1
  481. package/node_modules/@usejunior/docx-core/dist/primitives/xml.js +5 -0
  482. package/node_modules/@usejunior/docx-core/dist/primitives/xml.js.map +1 -1
  483. package/node_modules/@usejunior/docx-core/dist/primitives/zip.d.ts +1 -0
  484. package/node_modules/@usejunior/docx-core/dist/primitives/zip.d.ts.map +1 -1
  485. package/node_modules/@usejunior/docx-core/dist/primitives/zip.js +21 -3
  486. package/node_modules/@usejunior/docx-core/dist/primitives/zip.js.map +1 -1
  487. package/node_modules/@usejunior/docx-core/dist/shared/field-structure.d.ts +14 -0
  488. package/node_modules/@usejunior/docx-core/dist/shared/field-structure.d.ts.map +1 -0
  489. package/node_modules/@usejunior/docx-core/dist/shared/field-structure.js +166 -0
  490. package/node_modules/@usejunior/docx-core/dist/shared/field-structure.js.map +1 -0
  491. package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.d.ts +4 -1
  492. package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.d.ts.map +1 -1
  493. package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.js +4 -1
  494. package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.js.map +1 -1
  495. package/node_modules/@usejunior/docx-core/package.json +13 -9
  496. package/node_modules/@xmldom/xmldom/CHANGELOG.md +186 -70
  497. package/node_modules/@xmldom/xmldom/index.d.ts +144 -19
  498. package/node_modules/@xmldom/xmldom/lib/dom.js +705 -343
  499. package/node_modules/@xmldom/xmldom/lib/grammar.js +14 -0
  500. package/node_modules/@xmldom/xmldom/package.json +13 -10
  501. package/package.json +7 -7
  502. package/server.json +3 -3
  503. package/skills/{cloud-service-agreement → agreements/cloud-service-agreement}/SKILL.md +2 -2
  504. package/skills/{nda → agreements/cloud-service-agreement}/template-filling-execution.md +2 -2
  505. package/skills/{data-privacy-agreement → agreements/data-privacy-agreement}/SKILL.md +15 -4
  506. package/skills/{safe → agreements/data-privacy-agreement}/template-filling-execution.md +12 -6
  507. package/skills/{employment-contract → agreements/employment-contract}/SKILL.md +3 -3
  508. package/skills/{cloud-service-agreement → agreements/employment-contract}/template-filling-execution.md +12 -6
  509. package/skills/{nda → agreements/nda}/SKILL.md +2 -2
  510. package/skills/{open-agreements → agreements/nda}/template-filling-execution.md +12 -6
  511. package/skills/{open-agreements → agreements/open-agreements}/SKILL.md +13 -30
  512. package/skills/agreements/open-agreements/template-filling-execution.md +98 -0
  513. package/skills/{safe → agreements/safe}/SKILL.md +2 -2
  514. package/skills/agreements/safe/template-filling-execution.md +98 -0
  515. package/skills/{services-agreement → agreements/services-agreement}/SKILL.md +3 -3
  516. package/skills/agreements/services-agreement/template-filling-execution.md +98 -0
  517. package/skills/{venture-financing → agreements/venture-financing}/SKILL.md +3 -3
  518. package/skills/agreements/venture-financing/template-filling-execution.md +98 -0
  519. package/skills/{client-email → client-workflows/client-email}/SKILL.md +1 -1
  520. package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/SKILL.md +1 -1
  521. package/skills/{edit-docx-agreement → client-workflows/edit-docx-agreement}/SKILL.md +1 -1
  522. package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/SKILL.md +1 -1
  523. package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/SKILL.md +1 -1
  524. package/skills/{soc2-readiness → compliance/soc2-readiness}/SKILL.md +1 -1
  525. package/skills/{canonical-markdown-authoring → internal/canonical-markdown-authoring}/SKILL.md +2 -3
  526. package/skills/{recipe-quality-audit → internal/recipe-quality-audit}/SKILL.md +2 -1
  527. package/skills/{unit-test-philosophy → internal/unit-test-philosophy}/SKILL.md +2 -0
  528. package/skills/legal-explainers/data-privacy-law-explainer/CONTRIBUTING.md +7 -0
  529. package/skills/legal-explainers/data-privacy-law-explainer/LICENSE +269 -0
  530. package/skills/legal-explainers/data-privacy-law-explainer/NOTICE +7 -0
  531. package/skills/legal-explainers/data-privacy-law-explainer/SKILL.md +113 -0
  532. package/skills/legal-explainers/data-privacy-law-explainer/content/alabama.md +211 -0
  533. package/skills/legal-explainers/data-privacy-law-explainer/content/alaska.md +155 -0
  534. package/skills/legal-explainers/data-privacy-law-explainer/content/arizona.md +181 -0
  535. package/skills/legal-explainers/data-privacy-law-explainer/content/arkansas.md +219 -0
  536. package/skills/legal-explainers/data-privacy-law-explainer/content/california.md +107 -0
  537. package/skills/legal-explainers/data-privacy-law-explainer/content/colorado.md +87 -0
  538. package/skills/legal-explainers/data-privacy-law-explainer/content/connecticut.md +83 -0
  539. package/skills/legal-explainers/data-privacy-law-explainer/content/delaware.md +85 -0
  540. package/skills/legal-explainers/data-privacy-law-explainer/content/district-of-columbia.md +153 -0
  541. package/skills/legal-explainers/data-privacy-law-explainer/content/florida.md +234 -0
  542. package/skills/legal-explainers/data-privacy-law-explainer/content/georgia.md +149 -0
  543. package/skills/legal-explainers/data-privacy-law-explainer/content/hawaii.md +167 -0
  544. package/skills/legal-explainers/data-privacy-law-explainer/content/idaho.md +149 -0
  545. package/skills/legal-explainers/data-privacy-law-explainer/content/illinois.md +238 -0
  546. package/skills/legal-explainers/data-privacy-law-explainer/content/indiana.md +93 -0
  547. package/skills/legal-explainers/data-privacy-law-explainer/content/iowa.md +99 -0
  548. package/skills/legal-explainers/data-privacy-law-explainer/content/kansas.md +155 -0
  549. package/skills/legal-explainers/data-privacy-law-explainer/content/kentucky.md +87 -0
  550. package/skills/legal-explainers/data-privacy-law-explainer/content/louisiana.md +209 -0
  551. package/skills/legal-explainers/data-privacy-law-explainer/content/maine.md +163 -0
  552. package/skills/legal-explainers/data-privacy-law-explainer/content/maryland.md +85 -0
  553. package/skills/legal-explainers/data-privacy-law-explainer/content/massachusetts.md +260 -0
  554. package/skills/legal-explainers/data-privacy-law-explainer/content/michigan.md +175 -0
  555. package/skills/legal-explainers/data-privacy-law-explainer/content/minnesota.md +93 -0
  556. package/skills/legal-explainers/data-privacy-law-explainer/content/mississippi.md +132 -0
  557. package/skills/legal-explainers/data-privacy-law-explainer/content/missouri.md +179 -0
  558. package/skills/legal-explainers/data-privacy-law-explainer/content/montana.md +105 -0
  559. package/skills/legal-explainers/data-privacy-law-explainer/content/nebraska.md +83 -0
  560. package/skills/legal-explainers/data-privacy-law-explainer/content/nevada.md +212 -0
  561. package/skills/legal-explainers/data-privacy-law-explainer/content/new-hampshire.md +91 -0
  562. package/skills/legal-explainers/data-privacy-law-explainer/content/new-jersey.md +95 -0
  563. package/skills/legal-explainers/data-privacy-law-explainer/content/new-mexico.md +174 -0
  564. package/skills/legal-explainers/data-privacy-law-explainer/content/new-york.md +195 -0
  565. package/skills/legal-explainers/data-privacy-law-explainer/content/north-carolina.md +205 -0
  566. package/skills/legal-explainers/data-privacy-law-explainer/content/north-dakota.md +169 -0
  567. package/skills/legal-explainers/data-privacy-law-explainer/content/ohio.md +171 -0
  568. package/skills/legal-explainers/data-privacy-law-explainer/content/oklahoma.md +168 -0
  569. package/skills/legal-explainers/data-privacy-law-explainer/content/oregon.md +103 -0
  570. package/skills/legal-explainers/data-privacy-law-explainer/content/pennsylvania.md +99 -0
  571. package/skills/legal-explainers/data-privacy-law-explainer/content/rhode-island.md +93 -0
  572. package/skills/legal-explainers/data-privacy-law-explainer/content/south-carolina.md +175 -0
  573. package/skills/legal-explainers/data-privacy-law-explainer/content/south-dakota.md +176 -0
  574. package/skills/legal-explainers/data-privacy-law-explainer/content/tennessee.md +89 -0
  575. package/skills/legal-explainers/data-privacy-law-explainer/content/texas.md +89 -0
  576. package/skills/legal-explainers/data-privacy-law-explainer/content/utah.md +83 -0
  577. package/skills/legal-explainers/data-privacy-law-explainer/content/vermont.md +267 -0
  578. package/skills/legal-explainers/data-privacy-law-explainer/content/virginia.md +85 -0
  579. package/skills/legal-explainers/data-privacy-law-explainer/content/washington.md +247 -0
  580. package/skills/legal-explainers/data-privacy-law-explainer/content/west-virginia.md +141 -0
  581. package/skills/legal-explainers/data-privacy-law-explainer/content/wisconsin.md +156 -0
  582. package/skills/legal-explainers/data-privacy-law-explainer/content/wyoming.md +185 -0
  583. package/skills/legal-explainers/data-privacy-law-explainer/manifest.json +519 -0
  584. package/skills/legal-explainers/non-compete-contract-explainer/CONTRIBUTING.md +7 -0
  585. package/skills/legal-explainers/non-compete-contract-explainer/LICENSE +269 -0
  586. package/skills/legal-explainers/non-compete-contract-explainer/NOTICE +7 -0
  587. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/SKILL.md +1 -1
  588. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/alabama.md +5 -5
  589. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/alaska.md +5 -5
  590. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/american-samoa.md +6 -6
  591. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/arizona.md +6 -4
  592. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/arkansas.md +5 -5
  593. package/skills/legal-explainers/non-compete-contract-explainer/content/au.md +208 -0
  594. package/skills/legal-explainers/non-compete-contract-explainer/content/australian-capital-territory.md +220 -0
  595. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/california.md +5 -5
  596. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/cnmi.md +4 -4
  597. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/colorado.md +5 -5
  598. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/connecticut.md +5 -5
  599. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/delaware.md +7 -7
  600. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/district-of-columbia.md +5 -5
  601. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/florida.md +5 -5
  602. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/georgia.md +7 -7
  603. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/guam.md +4 -4
  604. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/hawaii.md +5 -5
  605. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/idaho.md +5 -5
  606. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/illinois.md +5 -5
  607. package/skills/{non-compete-contract-explainer/content/india.md → legal-explainers/non-compete-contract-explainer/content/in.md} +5 -5
  608. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/indiana.md +5 -5
  609. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/iowa.md +5 -5
  610. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/kansas.md +5 -5
  611. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/kentucky.md +5 -5
  612. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/louisiana.md +9 -9
  613. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/maine.md +6 -6
  614. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/maryland.md +5 -5
  615. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/massachusetts.md +5 -5
  616. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/michigan.md +5 -5
  617. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/minnesota.md +5 -5
  618. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/mississippi.md +5 -5
  619. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/missouri.md +5 -5
  620. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/montana.md +5 -5
  621. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/nebraska.md +5 -5
  622. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/nevada.md +5 -5
  623. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-hampshire.md +5 -5
  624. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-jersey.md +5 -5
  625. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-mexico.md +5 -5
  626. package/skills/legal-explainers/non-compete-contract-explainer/content/new-south-wales.md +218 -0
  627. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-york.md +5 -5
  628. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/north-carolina.md +5 -5
  629. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/north-dakota.md +5 -5
  630. package/skills/legal-explainers/non-compete-contract-explainer/content/northern-territory.md +214 -0
  631. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/ohio.md +5 -5
  632. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/oklahoma.md +5 -5
  633. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/oregon.md +12 -12
  634. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/pennsylvania.md +5 -5
  635. package/skills/{non-compete-contract-explainer/content/philippines.md → legal-explainers/non-compete-contract-explainer/content/ph.md} +5 -5
  636. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/puerto-rico.md +4 -4
  637. package/skills/legal-explainers/non-compete-contract-explainer/content/queensland.md +206 -0
  638. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/rhode-island.md +5 -5
  639. package/skills/{non-compete-contract-explainer/content/singapore.md → legal-explainers/non-compete-contract-explainer/content/sg.md} +5 -5
  640. package/skills/legal-explainers/non-compete-contract-explainer/content/south-australia.md +236 -0
  641. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/south-carolina.md +5 -5
  642. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/south-dakota.md +5 -5
  643. package/skills/legal-explainers/non-compete-contract-explainer/content/tasmania.md +224 -0
  644. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/tennessee.md +5 -5
  645. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/texas.md +5 -5
  646. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/utah.md +5 -5
  647. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/vermont.md +29 -11
  648. package/skills/legal-explainers/non-compete-contract-explainer/content/victoria.md +218 -0
  649. package/skills/{non-compete-contract-explainer/content/us-virgin-islands.md → legal-explainers/non-compete-contract-explainer/content/virgin-islands.md} +5 -5
  650. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/virginia.md +5 -5
  651. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/washington.md +5 -5
  652. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/west-virginia.md +5 -5
  653. package/skills/legal-explainers/non-compete-contract-explainer/content/western-australia.md +224 -0
  654. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/wisconsin.md +5 -5
  655. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/wyoming.md +19 -15
  656. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/manifest.json +225 -76
  657. package/content/templates/bonterms-mutual-nda/signing.yaml +0 -35
  658. package/dist/core/signing-config.d.ts +0 -46
  659. package/dist/core/signing-config.d.ts.map +0 -1
  660. package/dist/core/signing-config.js +0 -67
  661. package/dist/core/signing-config.js.map +0 -1
  662. package/skills/services-agreement/template-filling-execution.md +0 -81
  663. package/skills/shared/template-filling-execution.md +0 -92
  664. /package/skills/{cloud-service-agreement → agreements/cloud-service-agreement}/CONNECTORS.md +0 -0
  665. /package/skills/{data-privacy-agreement → agreements/data-privacy-agreement}/CONNECTORS.md +0 -0
  666. /package/skills/{employment-contract → agreements/employment-contract}/CONNECTORS.md +0 -0
  667. /package/skills/{nda → agreements/nda}/CONNECTORS.md +0 -0
  668. /package/skills/{open-agreements → agreements/open-agreements}/CONNECTORS.md +0 -0
  669. /package/skills/{safe → agreements/safe}/CONNECTORS.md +0 -0
  670. /package/skills/{services-agreement → agreements/services-agreement}/CONNECTORS.md +0 -0
  671. /package/skills/{venture-financing → agreements/venture-financing}/CONNECTORS.md +0 -0
  672. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/CONNECTORS.md +0 -0
  673. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/ecorp-portal-playwright-notes.md +0 -0
  674. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/faq.md +0 -0
  675. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/filing-instructions.md +0 -0
  676. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/tax-calculation.md +0 -0
  677. /package/skills/{edit-docx-agreement → client-workflows/edit-docx-agreement}/CONNECTORS.md +0 -0
  678. /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/CONNECTORS.md +0 -0
  679. /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/rules/api-exports.md +0 -0
  680. /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/rules/evidence-types.md +0 -0
  681. /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/rules/screenshot-guide.md +0 -0
  682. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/CONNECTORS.md +0 -0
  683. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/access-control.md +0 -0
  684. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/business-continuity.md +0 -0
  685. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/change-management.md +0 -0
  686. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/encryption.md +0 -0
  687. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/incident-response.md +0 -0
  688. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/isms-management.md +0 -0
  689. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/logging-monitoring.md +0 -0
  690. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/people-controls.md +0 -0
  691. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/supplier-management.md +0 -0
  692. /package/skills/{soc2-readiness → compliance/soc2-readiness}/CONNECTORS.md +0 -0
  693. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/change-vendor-management.md +0 -0
  694. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/communication-info.md +0 -0
  695. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/control-activities.md +0 -0
  696. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/control-environment.md +0 -0
  697. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/logical-access.md +0 -0
  698. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/monitoring-activities.md +0 -0
  699. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/optional-categories.md +0 -0
  700. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/privacy-criteria.md +0 -0
  701. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/risk-assessment.md +0 -0
  702. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/system-operations.md +0 -0
  703. /package/skills/{canonical-markdown-authoring → internal/canonical-markdown-authoring}/CONNECTORS.md +0 -0
  704. /package/skills/{unit-test-philosophy → internal/unit-test-philosophy}/references/allure-test-spec-writing-guide.md +0 -0
@@ -0,0 +1,171 @@
1
+ ---
2
+ jurisdiction: "Ohio"
3
+ slug: ohio
4
+ countryCode: US
5
+ snapshotAsOf: "2026-06-19"
6
+ lastReviewed: "2026-06-11"
7
+ canonicalUrl: https://openagreements.org/practice-guides/privacy/us/ohio
8
+ license: CC BY 4.0
9
+ stale: false
10
+ ---
11
+
12
+ > [!IMPORTANT]
13
+ > **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
14
+ > provided for general information. It is not legal advice, does not create an attorney-client
15
+ > relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
16
+ > Laws change; verify against the canonical version before relying on it.
17
+ >
18
+ > **Canonical:** https://openagreements.org/practice-guides/privacy/us/ohio · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
19
+
20
+ # Ohio Consumer Privacy Law[^about]
21
+
22
+ Ohio has no comprehensive consumer-privacy statute. The operative framework is the 45-day breach-notification law (Ohio Rev. Code § 1349.19), enforced exclusively by the Attorney General, plus the Consumer Sales Practices Act, the chapter 1354 cybersecurity safe harbor, and the federal overlay.
23
+
24
+
25
+ ## At a glance
26
+
27
+ | Question | Ohio |
28
+ | --- | --- |
29
+ | **Law coverage** | No comprehensive law |
30
+ | **Summary** | Ohio regulates consumer data by sector, not comprehensively — the operative duties are 45-day breach notification under Ohio Rev. Code § 1349.19 (Attorney General enforced, no private right of action) and truthful data practices under the Consumer Sales Practices Act, while the Ohio Data Protection Act (ch. 1354) gives a business that maintains a written cybersecurity program conforming to a recognized framework an affirmative defense to data-breach tort claims. |
31
+ | **Main law** | Ohio Rev. Code § 1349.19 (data-breach notification) plus ch. 1354 (Ohio Data Protection Act cybersecurity safe harbor) and ch. 1345 (Consumer Sales Practices Act) — Ohio has no comprehensive consumer-privacy law |
32
+ | **Privacy policy required?** | No Ohio statute mandates a consumer privacy policy or fixes its contents; the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA) supplies the notice duties, and a policy that misstates practices is a deceptive act under the Consumer Sales Practices Act |
33
+ | **Who does it cover?** | Any person or business entity that conducts business in Ohio and owns or licenses computerized personal information of Ohio residents — no revenue or data-volume threshold; HIPAA covered entities and federally regulated financial institutions are exempt from the breach statute |
34
+ | **Can consumers sue?** | Limited path |
35
+ | **Privacy policy rule** | No state policy checklist |
36
+ | **Consent for sensitive data?** | No special rule |
37
+ | **Browser opt-out signals?** | Not required |
38
+ | **Lawsuit detail** | Not under the breach statute — Ohio Rev. Code § 1349.192 gives the Attorney General exclusive enforcement authority; the Consumer Sales Practices Act allows individual suits, but treble damages and class actions are gated on a prior rule or published court decision |
39
+ | **Who enforces it?** | Ohio Attorney General (breach notification and Consumer Sales Practices Act); superintendent of insurance for insurance licensees under ch. 3965 |
40
+
41
+ ## Which privacy laws apply to your business in Ohio? {#which-privacy-laws-apply}
42
+
43
+ **Short answer.** There is no comprehensive Ohio consumer-privacy law — Ohio regulates data by sector. The one across-the-board state duty is breach notification: any person that owns or licenses computerized data including personal information of Ohio residents must disclose a qualifying breach [^q1-breach-duty]. Around that sit the Consumer Sales Practices Act, which bans unfair or deceptive acts in consumer transactions and is how the Attorney General reaches privacy misrepresentations [^q1-cspa-deception], and the Ohio Data Protection Act, which rewards — but does not require — a written cybersecurity program with an affirmative defense to data-breach tort claims [^q1-dpa-defense].
44
+
45
+ Because Ohio has never enacted an omnibus privacy statute, its residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of sale or targeted advertising, and no universal opt-out-signal mechanism; businesses face no state notice-at-collection, consent, or data-protection-assessment duties. The omnibus push has failed twice — HB 376 in the 134th General Assembly was reported by committee but died without a floor vote, and HB 345 in the 135th died after referral to committee — and no consumer-data omnibus is pending in the current General Assembly. One naming trap deserves a flag: the 2026 bill styled the *Ohio Privacy Act* (House Bill 801, introduced March 31, 2026 and referred to committee) is sometimes misread as a consumer omnibus, but as introduced it would restrict data collection and out-of-state data sharing by state government agencies only and would impose no duties on private businesses.
46
+
47
+ What fills the gap is layered. The breach statute sets the statewide incident-response duty and is enforced exclusively by the Attorney General, a point developed in the enforcement prong below. The Consumer Sales Practices Act supplies the general deception hook for privacy promises. Chapter 1354 — the feature that most distinguishes Ohio — offers a voluntary litigation safe harbor for businesses that build a conforming written cybersecurity program, covered in its own question below. Insurance licensees carry an extra sectoral layer: chapter 3965 requires each licensee to develop, implement, and maintain a comprehensive written information security program based on its risk assessment [^q1-insurance-program]. Ohio also has a narrow payment-transaction rule that restricts recording credit-card account numbers when a check or draft is presented, and telephone or Social Security account numbers when payment is made by card, check, bill of exchange, or draft [^q1-payment-recording]; it is not a general privacy policy or data-use statute. And the federal overlay does the day-to-day work a state omnibus would otherwise do: FTC Act § 5 reaches deceptive or unfair data practices nationwide, GLBA governs financial institutions, HIPAA governs covered health entities, and COPPA governs services directed to children under 13. A program built to that overlay plus the breach statute upgrades, rather than restarts, if Ohio later enacts a comprehensive law.
48
+
49
+ ## What must your Ohio privacy policy contain? {#privacy-policy-contents}
50
+
51
+ **Short answer.** No Ohio statute requires a general consumer privacy policy or fixes what it must say. The governing rule is that whatever you publish has to be true: FTC Act § 5 declares unfair or deceptive acts or practices unlawful [^q2-ftc5], and the Consumer Sales Practices Act applies the same ban under state law, so a policy that misstates how you collect, use, share, retain, or secure data is a deceptive act a supplier may not commit [^q2-cspa-deception]. Where a federal sectoral regime applies, that regime supplies the contents — a HIPAA covered entity, for example, must give individuals adequate notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^q2-hipaa-notice].
52
+
53
+ The state and federal deception standards run together by design: Ohio courts construing the Consumer Sales Practices Act must give due consideration and great weight to FTC orders, rules, and federal-court interpretations of the FTC Act [^q2-cspa-ftc-construction], so FTC privacy-enforcement materials are especially persuasive in Ohio CSPA analysis. In practice the drafting question in Ohio is less *what must be included* and more *does the policy match actual practice*. Build the policy from the overlay that applies to you: the GLBA privacy-notice rules if you are a financial institution — which may not disclose nonpublic personal information to nonaffiliated third parties without first giving the consumer a compliant notice [^q2-glba-notice] — the HIPAA Notice of Privacy Practices if you are a covered entity, and a COPPA notice if your service is directed to children under 13. For everyone else, follow best practice: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — then honor it, because in Ohio the enforceable obligation is consistency between the statement and the conduct, not any state-mandated checklist.
54
+
55
+ ## What must your contracts with vendors say? {#vendor-contracts}
56
+
57
+ **Short answer.** Ohio has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. The breach statute touches vendors at one point: a custodian that stores computerized personal information on another person's behalf must notify that other person of a breach in an expeditious manner [^q3-custodian-notice]. Beyond that, vendor data terms come from the sectoral regimes that apply to your business.
58
+
59
+ Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by requiring them by contract to implement and maintain appropriate safeguards [^q3-glba-safeguards], and HIPAA requires a written business-associate contract with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information is shared [^q3-hipaa-baa]. Insurance licensees have a state-law analogue: chapter 3965 requires a licensee to make its third-party service providers implement appropriate administrative, technical, and physical measures to protect nonpublic information [^q3-insurance-vendor]. Outside those verticals, the prudent move is to carry the same protections forward as best practice — processing limited to documented instructions, confidentiality, reasonable security, prompt breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Ohio statute compels them. Two Ohio-specific reasons to insist on the security and notification clauses anyway: the 45-day breach clock in the next prong starts running on *your* discovery or notification, so a slow vendor consumes your compliance window; and a vendor whose weak controls cause a breach can expose you to the tort claims that the chapter 1354 safe harbor — covered below — is designed to answer.
60
+
61
+ ## When must you notify people of a data breach in Ohio? {#breach-notification}
62
+
63
+ **Short answer.** Within forty-five days of discovering the breach. A reportable breach is unauthorized access to and acquisition of computerized data that compromises personal information and causes — or is reasonably believed to cause — a material risk of identity theft or other fraud to an Ohio resident [^q4-trigger]. Once the duty triggers, disclosure must be made in the most expedient time possible and no later than forty-five days after discovery or notification of the breach, subject to law-enforcement delay and to measures needed to determine the breach's scope and restore the system [^q4-timing].
64
+
65
+ Ohio's *personal information* definition is narrow by post-2019 standards: a resident's name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, or financial-account or card number with its access code [^q4-personal-info]. Biometric data, health data, and standalone login credentials are not on the list, and encryption or redaction takes data out of the definition entirely — so a properly encrypted breach generally triggers no Ohio notice duty. The risk-of-harm qualifier matters too: access without a material risk of identity theft or other fraud is not a reportable breach.
66
+
67
+ Notice may be written, electronic (if that is your primary way of communicating with the resident), or by telephone [^q4-methods]. Substitute notice is available where contact information is insufficient, costs would exceed roughly a quarter-million dollars, or the affected class exceeds half a million people, and a separate lower-cost substitute track exists for businesses with ten or fewer employees [^q4-substitute-notice]. Two omissions stand out against most states' statutes: the section prescribes no mandatory content elements for the notice and imposes no duty to notify the Attorney General. It does require notifying the nationwide consumer reporting agencies when more than one thousand Ohio residents must be told of a single breach [^q4-cra], and any waiver of the section is void as against public policy.
68
+
69
+ The exemptions are unusually broad. Federally regulated financial institutions that are subject to federal breach-notice obligations and examination are exempt from the section [^q4-exempt-fi], and the statute does not apply at all to HIPAA covered entities [^q4-exempt-hipaa] — those organizations answer to their federal regulators instead. Insurance licensees carry an additional, much faster state clock: a cybersecurity event meeting chapter 3965's criteria must be reported to the superintendent of insurance as promptly as possible and no later than three business days after the determination [^q4-insurance-event]; when that superintendent notice is required, the licensee must also comply with § 1349.19 as applicable and give the superintendent a copy of the consumer notice [^q4-insurance-consumer-notice].
70
+
71
+ ## Can a written cybersecurity program give you an affirmative defense in Ohio data-breach lawsuits? {#cybersecurity-safe-harbor}
72
+
73
+ **Short answer.** Yes — this is Ohio's distinctive feature and the most actionable item in this note. Under the Ohio Data Protection Act (chapter 1354, the first state law of its kind), a covered entity that creates, maintains, and complies with a written cybersecurity program containing administrative, technical, and physical safeguards that reasonably conforms to an industry-recognized cybersecurity framework can seek the defense; for restricted-information breach claims, the program must protect both personal information and restricted information [^q5-dpa-optin]. A qualifying program gives an affirmative defense to tort claims alleging that a failure to implement reasonable security controls caused a data breach concerning personal information, or concerning personal or restricted information when the broader track is satisfied [^q5-dpa-defense].
74
+
75
+ The reach is broad: a *covered entity* is any business that accesses, maintains, communicates, or processes personal or restricted information through systems located in or outside Ohio [^q5-dpa-covered-entity] — no size threshold. The qualifying frameworks are enumerated: the NIST Cybersecurity Framework, NIST Special Publications 800-171 or 800-53/53a, FedRAMP, the CIS Critical Security Controls, or the ISO/IEC 27000 family [^q5-dpa-frameworks]; regulated entities may instead use the security requirements of HIPAA, GLBA, FISMA, or HITECH [^q5-dpa-regulated-frameworks], and PCI DSS qualifies only when paired with another listed framework [^q5-dpa-pci]. When those frameworks or standards are revised or amended, the program generally has one year to conform to the revision [^q5-dpa-revision]. The program does not have to be one-size-fits-all: its scale and scope are appropriate if based on the entity's size and complexity, the nature of its activities, the sensitivity of the information, the cost and availability of security tools, and the resources available [^q5-dpa-scale] — a sliding scale that puts the defense within reach of small businesses.
76
+
77
+ Two design points keep the chapter's character clear. First, it is an incentive statute: it speaks of a covered entity *seeking* an affirmative defense rather than imposing a universal Ohio security program [^q5-dpa-optin]. Chapter 1354 is framed as an affirmative-defense statute, not an independent private cause of action; other Ohio, federal, or contract duties may still require security controls. Second, the chapter creates no right to sue: it cannot be construed to provide a private right of action, including a class action, for any practice it regulates [^q5-dpa-no-pra]. Counsel should also note the defense's limits. It answers causes of action *sounding in tort* brought under Ohio law or in Ohio courts [^q5-dpa-defense] — contract claims, statutory claims, and out-of-state actions are outside its text — and it is an affirmative defense, so the business bears the burden of proving conformity. No reported Ohio appellate decision applying the defense appears to have tested what *reasonably conforms* requires, so the practical move is to document conformity contemporaneously: a written program mapped clause-by-clause to the chosen framework, dated reviews, and proof the program was actually complied with, not just adopted.
78
+
79
+ ## Can a consumer sue your business in Ohio over privacy? {#consumer-lawsuit}
80
+
81
+ **Short answer.** Not under the breach statute. The Attorney General has exclusive authority to bring a civil action — including injunctions and civil penalties — for a failure to comply with the breach-notification law [^q6-ag-exclusive], so consumers cannot sue for a late or omitted breach notice. The Consumer Sales Practices Act is the partial exception: a consumer may bring an individual action to rescind the transaction or recover actual economic damages plus up to five thousand dollars in noneconomic damages [^q6-cspa-individual], but treble damages and any class action are available only where a prior Attorney General rule or a prior publicly available Ohio court decision had already declared the specific practice deceptive or unconscionable [^q6-cspa-gate].
82
+
83
+ The breach-statute enforcement machinery has real teeth despite the absence of consumer suits. The Attorney General may investigate on complaints or on the office's own inquiry, with oath, subpoena, and document powers [^q6-ag-investigation]. On a finding of intentional or reckless noncompliance, daily civil penalties escalate with time: up to one thousand dollars per day of noncompliance [^q6-penalty-base], rising to five thousand dollars per day after sixty days and ten thousand dollars per day from the ninety-first day on [^q6-penalty-escalator] — so a breach concealed for months compounds quickly, and violators are also liable for the Attorney General's investigation costs.
84
+
85
+ On the Consumer Sales Practices Act side, the Attorney General may seek declaratory judgments and injunctions where an act or practice violates the chapter and action is in the public interest [^q6-ag-cspa]. Attorney General class relief is separately gated to specified § 1345.02 practices, prior Attorney General rules, or prior publicly available Ohio court decisions [^q6-ag-cspa-class]. For private plaintiffs, the § 1345.09(B) gate is the controlling reality for data claims: because no prior Ohio rule or published decision appears to have declared a specific data-privacy or data-security practice deceptive, novel privacy claims start in the individual-action tier — actual economic damages, capped noneconomic damages, no trebling, no class — until a first rule or decision exists. There is a scoping question beneath even that: the statute reaches only a *consumer transaction* — a transfer of goods, a service, or an intangible to an individual for primarily personal, family, or household purposes [^q6-consumer-transaction] — and whether a zero-price, ad-funded online service fits that definition has no settled Ohio appellate answer. Post-breach plaintiffs therefore typically plead common-law negligence — which is exactly the claim the chapter 1354 affirmative defense covered above is built to answer — making the written-cybersecurity-program decision the practical center of Ohio privacy risk management.
86
+
87
+ [^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Ohio. This article synthesizes Ohio primary law and is not legal advice from a Ohio-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
88
+
89
+ [^q1-breach-duty]: **Ohio Rev. Code § 1349.19** — "Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident." *Ohio Rev. Code § 1349.19(B)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
90
+
91
+ [^q1-cspa-deception]: **Ohio Rev. Code § 1345.02** — "No supplier shall commit an unfair or deceptive act or practice in connection with a consumer transaction. Such an unfair or deceptive act or practice by a supplier violates this section whether it occurs before, during, or after the transaction." *Ohio Rev. Code § 1345.02(A).* <https://codes.ohio.gov/ohio-revised-code/section-1345.02>
92
+
93
+ [^q1-dpa-defense]: **Ohio Rev. Code § 1354.02** — "A covered entity that satisfies divisions (A)(1), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information." *Ohio Rev. Code § 1354.02(D)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1354.02>
94
+
95
+ [^q1-insurance-program]: **Ohio Rev. Code § 3965.02** — "Each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment." *Ohio Rev. Code § 3965.02(A).* <https://codes.ohio.gov/ohio-revised-code/section-3965.02>
96
+
97
+ [^q1-payment-recording]: **Ohio Rev. Code § 1349.17** — "(A) No person shall record or cause to be recorded either of the following" *Ohio Rev. Code § 1349.17(A).* <https://codes.ohio.gov/ohio-revised-code/section-1349.17>
98
+
99
+ [^q2-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
100
+
101
+ [^q2-cspa-deception]: **Ohio Rev. Code § 1345.02** — "No supplier shall commit an unfair or deceptive act or practice in connection with a consumer transaction." *Ohio Rev. Code § 1345.02(A).* <https://codes.ohio.gov/ohio-revised-code/section-1345.02>
102
+
103
+ [^q2-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
104
+
105
+ [^q2-cspa-ftc-construction]: **Ohio Rev. Code § 1345.02(C)** — "In construing division (A) of this section, the court shall give due consideration and great weight to federal trade commission orders, trade regulation rules and guides, and the federal courts' interpretations of subsection 45 (a)(1) of the ‘Federal Trade Commission Act,’ 38 Stat. 717 (1914), 15 U.S.C.A. 41, as amended." *Ohio Rev. Code § 1345.02(C).* <https://codes.ohio.gov/ohio-revised-code/section-1345.02>
106
+
107
+ [^q2-glba-notice]: **GLBA privacy notice** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>
108
+
109
+ [^q3-custodian-notice]: **Ohio Rev. Code § 1349.19(C)** — "Any person that, on behalf of or at the direction of another person or on behalf of or at the direction of any governmental entity, is the custodian of or stores computerized data that includes personal information shall notify that other person or governmental entity of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state." *Ohio Rev. Code § 1349.19(C).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
110
+
111
+ [^q3-glba-safeguards]: **GLBA Safeguards Rule** — "Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Oversee%20service%20providers%2C%20by%3A%20(1),continued%20adequacy%20of%20their%20safeguards.>
112
+
113
+ [^q3-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>
114
+
115
+ [^q3-insurance-vendor]: **Ohio Rev. Code § 3965.02(F)** — "A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider." *Ohio Rev. Code § 3965.02(F)(2).* <https://codes.ohio.gov/ohio-revised-code/section-3965.02>
116
+
117
+ [^q4-trigger]: **Ohio Rev. Code § 1349.19(A)(1)** — "‘Breach of the security of the system’ means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state." *Ohio Rev. Code § 1349.19(A)(1)(a).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
118
+
119
+ [^q4-timing]: **Ohio Rev. Code § 1349.19(B)(2)** — "The person shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach, including which residents' personal information was accessed and acquired, and to restore the reasonable integrity of the data system." *Ohio Rev. Code § 1349.19(B)(2).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
120
+
121
+ [^q4-personal-info]: **Ohio Rev. Code § 1349.19(A)(7)** — "‘Personal information’ means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:(i) Social security number;(ii) Driver's license number or state identification card number;(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account." *Ohio Rev. Code § 1349.19(A)(7)(a).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
122
+
123
+ [^q4-methods]: **Ohio Rev. Code § 1349.19(E)** — "For purposes of this section, a person may disclose or make a notification by any of the following methods:(1) Written notice;(2) Electronic notice, if the person's primary method of communication with the resident to whom the disclosure must be made is by electronic means;(3) Telephone notice;" *Ohio Rev. Code § 1349.19(E).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
124
+
125
+ [^q4-substitute-notice]: **Ohio Rev. Code § 1349.19(E)** — "(4) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed two hundred fifty thousand dollars, or that the affected class of subject residents to whom disclosure or notification is required exceeds five hundred thousand persons. Substitute notice under this division shall consist of all of the following:(a) Electronic mail notice if the person has an electronic mail address for the resident to whom the disclosure must be made;(b) Conspicuous posting of the disclosure or notice on the person's web site, if the person maintains one;(c) Notification to major media outlets, to the extent that the cumulative total of the readership, viewing audience, or listening audience of all of the outlets so notified equals or exceeds seventy-five per cent of the population of this state.(5) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person is a business entity with ten employees or fewer and that the cost of providing the disclosures or notices to residents to whom disclosure or notification is required will exceed ten thousand dollars. 
Substitute notice under this division shall consist of all of the following:(a) Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the business entity is located, which advertisement shall be of sufficient size that it covers at least one-quarter of a page in the newspaper and shall be published in the newspaper at least once a week for three consecutive weeks;(b) Conspicuous posting of the disclosure or notice on the business entity's web site, if the entity maintains one;(c) Notification to major media outlets in the geographic area in which the business entity is located." *Ohio Rev. Code § 1349.19(E)(4)-(5).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
126
+
127
+ [^q4-cra]: **Ohio Rev. Code § 1349.19(G)** — "If a person discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person to the residents of this state." *Ohio Rev. Code § 1349.19(G).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
128
+
129
+ [^q4-exempt-fi]: **Ohio Rev. Code § 1349.19(F)(1)** — "A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section." *Ohio Rev. Code § 1349.19(F)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
130
+
131
+ [^q4-exempt-hipaa]: **Ohio Rev. Code § 1349.19(F)(2)** — "This section does not apply to any person or entity that is a covered entity as defined in 45 C.F.R. 160.103, as amended." *Ohio Rev. Code § 1349.19(F)(2).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>
132
+
133
+ [^q4-insurance-event]: **Ohio Rev. Code § 3965.04** — "Each licensee shall notify the superintendent of insurance as promptly as possible after a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, but in no event later than three business days after that determination, when either of the following criteria has been met:" *Ohio Rev. Code § 3965.04(A).* <https://codes.ohio.gov/ohio-revised-code/section-3965.04>
134
+
135
+ [^q4-insurance-consumer-notice]: **Ohio Rev. Code § 3965.04** — "A licensee shall comply with section 1349.19 of the Revised Code as applicable and provide a copy of the notice sent to consumers under that section to the superintendent, when the licensee is required to notify the superintendent under division (A) of this section." *Ohio Rev. Code § 3965.04(C).* <https://codes.ohio.gov/ohio-revised-code/section-3965.04>
136
+
137
+ [^q5-dpa-optin]: **Ohio Rev. Code § 1354.02(A)** — "A covered entity seeking an affirmative defense under sections 1354.01 to 1354.05 of the Revised Code shall do one of the following: (1) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework, as described in section 1354.03 of the Revised Code; or (2) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry recognized cybersecurity framework, as described in section 1354.03 of the Revised Code." *Ohio Rev. Code § 1354.02(A).* <https://codes.ohio.gov/ohio-revised-code/section-1354.02>
138
+
139
+ [^q5-dpa-defense]: **Ohio Rev. Code § 1354.02(D)** — "A covered entity that satisfies divisions (A)(1), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information. (2) A covered entity that satisfies divisions (A)(2), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information." *Ohio Rev. Code § 1354.02(D)(1)-(2).* <https://codes.ohio.gov/ohio-revised-code/section-1354.02>
140
+
141
+ [^q5-dpa-covered-entity]: **Ohio Rev. Code § 1354.01** — "‘Covered entity’ means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state." *Ohio Rev. Code § 1354.01(B).* <https://codes.ohio.gov/ohio-revised-code/section-1354.01>
142
+
143
+ [^q5-dpa-frameworks]: **Ohio Rev. Code § 1354.03** — "The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to divisions (A)(2) and (D) of this section:(a) The ‘framework for improving critical infrastructure cybersecurity’ developed by the ‘national institute of standards and technology’ (NIST);(b) ‘NIST special publication 800-171’;(c) ‘NIST special publications 800-53 and 800-53a’;(d) The ‘federal risk and authorization management program (FedRAMP) security assessment framework’;(e) The ‘center for internet security critical security controls for effective cyber defense’;(f) The ‘international organization for standardization/international electrotechnical commission 27000 family - information security management systems.’" *Ohio Rev. Code § 1354.03(A)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1354.03>
144
+
145
+ [^q5-dpa-regulated-frameworks]: **Ohio Rev. Code § 1354.03(B)** — "The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to division (B)(2) of this section:(a) The security requirements of the ‘Health Insurance Portability and Accountability Act of 1996,’ as set forth in 45 CFR Part 164 Subpart C;(b) Title V of the ‘Gramm-Leach-Bliley Act of 1999,’ Public Law 106-102, as amended;(c) The ‘Federal Information Security Modernization Act of 2014,’ Public Law 113-283;(d) The ‘Health Information Technology for Economic and Clinical Health Act,’ as set forth in 45 CFR part 162." *Ohio Rev. Code § 1354.03(B)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1354.03>
146
+
147
+ [^q5-dpa-pci]: **Ohio Rev. Code § 1354.03(C)** — "The cybersecurity program reasonably complies with both the current version of the ‘payment card industry (PCI) data security standard’ and conforms to the current version of another applicable industry recognized cybersecurity framework listed in division (A) of this section, subject to divisions (C)(2) and (D) of this section." *Ohio Rev. Code § 1354.03(C)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1354.03>
148
+
149
+ [^q5-dpa-revision]: **Ohio Rev. Code § 1354.03** — "When a final revision to a framework listed in division (A)(1) of this section is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the revised framework not later than one year after the publication date stated in the revision.(B)(1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to division (B)(2) of this section:(a) The security requirements of the ‘Health Insurance Portability and Accountability Act of 1996,’ as set forth in 45 CFR Part 164 Subpart C;(b) Title V of the ‘Gramm-Leach-Bliley Act of 1999,’ Public Law 106-102, as amended;(c) The ‘Federal Information Security Modernization Act of 2014,’ Public Law 113-283;(d) The ‘Health Information Technology for Economic and Clinical Health Act,’ as set forth in 45 CFR part 162.(2) When a framework listed in division (B)(1) of this section is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the amended framework not later than one year after the effective date of the amended framework.(C)(1) The cybersecurity program reasonably complies with both the current version of the ‘payment card industry (PCI) data security standard’ and conforms to the current version of another applicable industry recognized cybersecurity framework listed in division (A) of this section, subject to divisions (C)(2) and (D) of this section.(2) When a final revision to the ‘PCI data security standard’ is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply with the revised standard not later than one year after the publication date stated 
in the revision.(D) If a covered entity's cybersecurity program reasonably conforms to a combination of industry recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry (PCI) data security standard, as described in division (A) or (C) of this section, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform to or comply with, as applicable, all of the revised frameworks not later than one year after the latest publication date stated in the revisions." *Ohio Rev. Code § 1354.03(A)(2), (B)(2), (C)(2), (D).* <https://codes.ohio.gov/ohio-revised-code/section-1354.03>
150
+
151
+ [^q5-dpa-scale]: **Ohio Rev. Code § 1354.02(C)** — "The scale and scope of a covered entity's cybersecurity program under division (A) (1) or (2) of this section, as applicable, is appropriate if it is based on all of the following factors: (1) The size and complexity of the covered entity; (2) The nature and scope of the activities of the covered entity; (3) The sensitivity of the information to be protected; (4) The cost and availability of tools to improve information security and reduce vulnerabilities; (5) The resources available to the covered entity." *Ohio Rev. Code § 1354.02(C).* <https://codes.ohio.gov/ohio-revised-code/section-1354.02>
152
+
153
+ [^q5-dpa-no-pra]: **Ohio Rev. Code § 1354.04** — "Sections 1354.01 to 1354.05 of the Revised Code shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections." *Ohio Rev. Code § 1354.04.* <https://codes.ohio.gov/ohio-revised-code/section-1354.04>
154
+
155
+ [^q6-ag-exclusive]: **Ohio Rev. Code § 1349.192** — "The attorney general shall have the exclusive authority to bring a civil action in a court of common pleas for appropriate relief under this section, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a state agency or an agency of a political subdivision has failed or is failing to comply with section 1347.12 of the Revised Code or that a person has failed or is failing to comply with section 1349.19 of the Revised Code." *Ohio Rev. Code § 1349.192(A)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1349.192>
156
+
157
+ [^q6-cspa-individual]: **Ohio Rev. Code § 1345.09(A)** — "Where the violation was an act prohibited by section 1345.02, 1345.03, or 1345.031 of the Revised Code, the consumer may, in an individual action, rescind the transaction or recover the consumer's actual economic damages plus an amount not exceeding five thousand dollars in noneconomic damages." *Ohio Rev. Code § 1345.09(A).* <https://codes.ohio.gov/ohio-revised-code/section-1345.09>
158
+
159
+ [^q6-cspa-gate]: **Ohio Rev. Code § 1345.09(B)** — "Where the violation was an act or practice declared to be deceptive or unconscionable by rule adopted under division (B)(2) of section 1345.05 of the Revised Code before the consumer transaction on which the action is based, or an act or practice determined by a court of this state to violate section 1345.02, 1345.03, or 1345.031 of the Revised Code and committed after the decision containing the determination has been made available for public inspection under division (A)(3) of section 1345.05 of the Revised Code, the consumer may rescind the transaction or recover, but not in a class action, three times the amount of the consumer's actual economic damages or two hundred dollars, whichever is greater, plus an amount not exceeding five thousand dollars in noneconomic damages or recover damages or other appropriate relief in a class action under Civil Rule 23, as amended." *Ohio Rev. Code § 1345.09(B).* <https://codes.ohio.gov/ohio-revised-code/section-1345.09>
160
+
161
+ [^q6-ag-investigation]: **Ohio Rev. Code § 1349.191** — "The attorney general may conduct an investigation if the attorney general, based on complaints or the attorney general's own inquiries, has reason to believe that a state agency or an agency of a political subdivision has failed or is failing to comply with section 1347.12 of the Revised Code or that a person has failed or is failing to comply with section 1349.19 of the Revised Code." *Ohio Rev. Code § 1349.191(B).* <https://codes.ohio.gov/ohio-revised-code/section-1349.191>
162
+
163
+ [^q6-penalty-base]: **Ohio Rev. Code § 1349.192(A)(1)(a)** — "For each day that the state agency, agency of a political subdivision, or person has intentionally or recklessly failed to comply with the applicable section, subject to divisions (A)(1)(b) and (c) of this section, a civil penalty of up to one thousand dollars for each day the agency or person fails to comply with the section;" *Ohio Rev. Code § 1349.192(A)(1)(a).* <https://codes.ohio.gov/ohio-revised-code/section-1349.192>
164
+
165
+ [^q6-penalty-escalator]: **Ohio Rev. Code § 1349.192(A)(1)(c)** — "If the state agency, agency of a political subdivision, or person has intentionally or recklessly failed to comply with the applicable section for more than ninety days, a civil penalty in the amount specified in division (A)(1)(a) of this section for each day of the first sixty days that the agency or person fails to comply with the section, a civil penalty of up to five thousand dollars for each day commencing with the sixty-first day and continuing through the ninetieth day that the agency or person fails to comply with the section, and, for each day commencing with the ninety-first day that the state agency, agency of a political subdivision, or person has failed to comply with the section, a civil penalty of up to ten thousand dollars for each such day the agency or person fails to comply with the section." *Ohio Rev. Code § 1349.192(A)(1)(c).* <https://codes.ohio.gov/ohio-revised-code/section-1349.192>
166
+
167
+ [^q6-ag-cspa]: **Ohio Rev. Code § 1345.07** — "If the attorney general, by the attorney general's own inquiries or as a result of complaints, has reasonable cause to believe that a supplier has engaged or is engaging in an act or practice that violates this chapter, and that the action would be in the public interest, the attorney general may bring any of the following:(1) An action to obtain a declaratory judgment that the act or practice violates section 1345.02, 1345.03, or 1345.031 of the Revised Code;(2)(a) An action, with notice as required by Civil Rule 65, to obtain a temporary restraining order, preliminary injunction, or permanent injunction to restrain the act or practice." *Ohio Rev. Code § 1345.07(A)(1)-(2).* <https://codes.ohio.gov/ohio-revised-code/section-1345.07>
168
+
169
+ [^q6-ag-cspa-class]: **Ohio Rev. Code § 1345.07** — "A class action under Civil Rule 23, as amended, on behalf of consumers who have engaged in consumer transactions in this state for damage caused by:(a) An act or practice enumerated in division (B), (D), or (G) of section 1345.02 of the Revised Code;(b) Violation of a rule adopted under division (B)(2) of section 1345.05 of the Revised Code before the consumer transaction on which the action is based;(c) An act or practice determined by a court of this state to violate section 1345.02, 1345.03, or 1345.031 of the Revised Code and committed after the decision containing the determination has been made available for public inspection under division (A)(3) of section 1345.05 of the Revised Code." *Ohio Rev. Code § 1345.07(A)(3).* <https://codes.ohio.gov/ohio-revised-code/section-1345.07>
170
+
171
+ [^q6-consumer-transaction]: **Ohio Rev. Code § 1345.01** — "‘Consumer transaction’ means a sale, lease, assignment, award by chance, or other transfer of an item of goods, a service, a franchise, or an intangible, to an individual for purposes that are primarily personal, family, or household, or solicitation to supply any of these things." *Ohio Rev. Code § 1345.01(A).* <https://codes.ohio.gov/ohio-revised-code/section-1345.01>
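Review bot: the [^q5-dpa-revision] footnote quotes more than its pin cite covers. It is cited to § 1354.03(A)(2), (B)(2), (C)(2), (D), yet the quoted run also reproduces divisions (B)(1) and (C)(1) in full, and those already appear verbatim in [^q5-dpa-regulated-frameworks] and [^q5-dpa-pci]. Suggest trimming the quote to the four revision-timing divisions, with an ellipsis marking each omission, or widening the cite so it matches what is quoted. Two smaller points in the same hunk: [^q4-insurance-event] ends on "when either of the following criteria has been met:" so the criteria that trigger the three-business-day notice are never shown, and [^q5-dpa-defense] is cited to (D)(1)-(2) but its quote opens without the "(1)" marker while keeping "(2)" before the second sentence.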
@@ -0,0 +1,168 @@
1
+ ---
2
+ jurisdiction: "Oklahoma"
3
+ slug: oklahoma
4
+ countryCode: US
5
+ snapshotAsOf: "2026-06-19"
6
+ lastReviewed: "2026-06-11"
7
+ canonicalUrl: https://openagreements.org/practice-guides/privacy/us/oklahoma
8
+ license: CC BY 4.0
9
+ stale: false
10
+ ---
11
+
12
+ > [!IMPORTANT]
13
+ > **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
14
+ > provided for general information. It is not legal advice, does not create an attorney-client
15
+ > relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
16
+ > Laws change; verify against the canonical version before relying on it.
17
+ >
18
+ > **Canonical:** https://openagreements.org/practice-guides/privacy/us/oklahoma · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
19
+
20
+ # Oklahoma Consumer Privacy Law (OKCDPA)[^about]
21
+
22
+ The Oklahoma Consumer Data Privacy Act (SB 546) takes effect January 1, 2027, bringing consumer rights, notice, consent, and contracting duties with exclusive Attorney General enforcement — while the state's overhauled Security Breach Notification Act has already applied since January 1, 2026.
23
+
24
+
25
+ ## At a glance
26
+
27
+ | Question | Oklahoma |
28
+ | --- | --- |
29
+ | **Law coverage** | No comprehensive law |
30
+ | **Summary** | The Oklahoma Consumer Data Privacy Act (SB 546) does not take effect until January 1, 2027, but the state's rewritten Security Breach Notification Act — Attorney General notice for breaches affecting 500 or more residents, biometric and credential data elements, and penalties keyed to reasonable safeguards — has applied since January 1, 2026, so breach readiness is due now and OKCDPA compliance next January. |
31
+ | **Main law** | Oklahoma Consumer Data Privacy Act, 75A O.S. §§ 300–320 (SB 546, effective January 1, 2027); until then, the Security Breach Notification Act, 24 O.S. §§ 161–166 (as rewritten effective January 1, 2026) plus the Oklahoma Consumer Protection Act |
32
+ | **Privacy policy required?** | Yes from January 1, 2027 — a reasonably accessible and clear privacy notice with statutorily fixed contents, plus conspicuous opt-out disclosures for data sales and targeted advertising |
33
+ | **Who does it cover?** | From 2027, controllers and processors doing business in Oklahoma (or targeting Oklahoma residents) that process personal data of 100,000+ consumers a year — or 25,000+ consumers while deriving over half of gross revenue from selling personal data; the breach act already covers any individual or entity owning, licensing, or maintaining computerized personal information, with duties depending on that role |
34
+ | **Can consumers sue?** | Limited path |
35
+ | **Privacy policy rule** | No state policy checklist |
36
+ | **Consent for sensitive data?** | No special rule |
37
+ | **Browser opt-out signals?** | Not required |
38
+ | **Lawsuit detail** | No — the OKCDPA expressly bars private suits and the breach act is enforced by the Attorney General or district attorneys, but the Oklahoma Consumer Protection Act gives consumers a private damages action for deceptive practices |
39
+ | **Who enforces it?** | Oklahoma Attorney General (exclusive under the OKCDPA; district attorneys share breach-act and consumer-protection enforcement) |
40
+ | **Future effective law** | Oklahoma Consumer Data Privacy Act, effective 2027-01-01 (Law coverage: Comprehensive law; Privacy policy rule: Policy contents fixed by law; Consent for sensitive data?: Consent required first) — Current buckets stay on Oklahoma's breach-notification and consumer-protection baseline until the OKCDPA takes effect. |
41
+
42
+ ## Which privacy laws apply to your business in Oklahoma — and when? {#which-privacy-laws-apply}
43
+
44
+ **Short answer.** Two regimes, on two different clocks. The Oklahoma Consumer Data Privacy Act (OKCDPA, Senate Bill 546) takes effect January 1, 2027 and will apply to a controller or processor that does business in Oklahoma or targets products or services to Oklahoma residents and that processes personal data of at least 100,000 consumers a year, or at least 25,000 consumers while deriving over fifty percent of gross revenue from the sale of personal data [^stat-314-apply]. The state's Security Breach Notification Act is on a faster clock: it was overhauled effective January 1, 2026, so the new breach rules already bind businesses today [^stat-166-breach-date].
45
+
46
+ The practical takeaway is that an Oklahoma compliance program has a now-workstream and a next-January workstream. Now: the rewritten breach act (notice duties, expanded data elements, and penalties keyed to reasonable safeguards, covered below) and the Oklahoma Consumer Protection Act, the state's general deception statute, which reaches a misrepresentation, omission or other practice that could reasonably be expected to deceive — including a privacy policy that misstates what you actually do with data [^stat-752-udap]. Next January: the OKCDPA's full controller-processor regime. The OKCDPA's volume thresholds mean many small Oklahoma businesses will fall outside it entirely, and its protections run only to a *consumer* — a resident acting in an individual or household context, expressly excluding people acting in a commercial or employment context, so employee and B2B data are out of scope [^stat-300-consumer]. Entity-level carve-outs (state agencies, GLBA financial institutions, HIPAA covered entities, nonprofits, higher education) are covered in the federal-overlay question below. As of last review, Title 75A was not yet published on the state's official statute portal, so this page cites the enrolled session law (SB 546) for every OKCDPA provision.
47
+
48
+ ## What must your Oklahoma privacy policy contain? {#privacy-policy-contents}
49
+
50
+ **Short answer.** From January 1, 2027, the OKCDPA fixes the contents directly. A controller must provide a reasonably accessible and clear privacy notice that lists the categories of personal data processed (including any sensitive data), the purposes of processing, how consumers exercise their rights and appeal a refusal, the categories of personal data shared with third parties, and the categories of those third parties [^stat-307-notice].
51
+
52
+ Treat the five items of the statutory list as a checklist that must appear on the face of the policy. Two further drafting points are Oklahoma-specific. First, if you sell personal data to third parties or process it for targeted advertising, the notice itself must clearly and conspicuously disclose that processing and how a consumer can opt out of it [^stat-307-optout]. Second, the policy has to connect to a working intake pipeline: a controller must offer two or more secure and reliable ways to submit rights requests, may not force consumers to create a new account to use them, and — if it maintains a website — must provide a request mechanism there (an exclusively online business with a direct consumer relationship may instead offer an email address) [^stat-305-methods]. Until the act takes effect, no Oklahoma statute prescribes general privacy-policy contents — but whatever you publish must be true today, because a policy that misstates your practices is reachable as a deceptive trade practice under the Oklahoma Consumer Protection Act covered above.
53
+
54
+ ## What must your contracts with processors say? {#vendor-contracts}
55
+
56
+ **Short answer.** From January 1, 2027, every processing arrangement needs paper behind it: a contract between the controller and the processor must govern the processing and must include clear processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties [^stat-308-contract].
57
+
58
+ The statute then adds the familiar processor commitments — confidentiality for everyone touching the data, deletion or return of personal data at the controller's direction when the engagement ends, making compliance information available to the controller, cooperating with reasonable assessments, and flowing the same terms down to any subcontractor by written contract. A processor may substitute an independent assessment against a recognized control framework for controller-run audits, and the contract does not shift statutory liability: each party keeps the liabilities its role carries. Processors also owe affirmative help — a processor must adhere to the controller's instructions and assist the controller in meeting its duties under the act, including responding to consumer rights requests, securing personal data, and supplying what the controller needs for data protection assessments — and the statute expressly ties that assistance to breach notification under the Security Breach Notification Act, knitting the 2027 regime to the breach law already in force [^stat-308-assist]. A compliant data processing agreement drafted to the common multistate template will usually satisfy this section, but check each statutory element against the contract rather than assuming.
59
+
60
+ ## What rights do Oklahoma consumers get — and is there a universal opt-out? {#consumer-rights-and-opt-outs}
61
+
62
+ **Short answer.** From January 1, 2027, Oklahoma consumers get the now-standard set: to confirm processing and access their personal data, to correct inaccuracies, to delete personal data provided by or obtained about them, to obtain a portable digital copy, and to opt out of processing for targeted advertising, the *sale* of personal data, or profiling that produces legal or similarly significant effects [^stat-301-rights]. There is no universal opt-out mechanism: the staged act contains no browser-level preference-signal requirement, so that point is an inference from statutory silence; opt-outs operate through requests submitted to the controller [^stat-301-request].
63
+
64
+ The mechanics matter for operations planning. A controller must respond within 45 days of receipt, extendable once by another 45 days when reasonably necessary, and responses are free up to twice a year per consumer (a controller may charge for, or decline, manifestly unfounded, excessive, or repetitive requests — and bears the burden of showing that) [^stat-302-deadline]. A refusal must come with appeal instructions, and the controller must decide the appeal in writing within 60 days, routing denials onward to the Attorney General's complaint mechanism [^stat-303-appeal]. None of this can be contracted away: any contract term that waives or limits these consumer rights is void as contrary to public policy [^stat-304-nowaiver]. The absence of a universal opt-out-signal duty is a real drafting difference from several other state acts — an Oklahoma-only compliance posture does not need signal-recognition plumbing, though a multistate program will usually have it anyway.
65
+
66
+ The act also gives de-identified and pseudonymous data their own rules. Controllers holding de-identified data must take reasonable measures against association with an individual, publicly commit not to reidentify it, and bind recipients by contract; the act does not force reidentification or special retention just to match a rights request; and certain access, correction, deletion, portability, and Section 306 controller duties do not apply to properly separated pseudonymous data [^stat-310-deidentified].
67
+
68
+ ## Do you need consent to process sensitive data in Oklahoma? {#sensitive-data-consent}
69
+
70
+ **Short answer.** Yes, once the OKCDPA takes effect on January 1, 2027. A controller may not process a consumer's sensitive data without consent, and must handle a known child's data in accordance with the federal Children's Online Privacy Protection Act [^stat-306-consent]. Sensitive data covers personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify someone; a known child's data; and precise geolocation [^stat-300-sensitive].
71
+
72
+ Consent is defined demandingly: a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement — and the definition expressly excludes accepting a broad terms-of-use document, hovering over or closing content, and agreement obtained through *dark patterns* [^stat-300-consent-def]. So a pre-checked box or a consent buried in onboarding terms does not work. Sensitive-data processing also triggers paperwork: it is one of the activities requiring a documented data protection assessment, alongside targeted advertising, the sale of personal data, certain risky profiling, and any processing presenting a heightened risk of harm — assessments the Attorney General can demand through a civil investigative demand, though they stay confidential, exempt from the state's open-records law, and do not waive privilege or work-product protection [^stat-309-assessment]. Those assessment duties apply only to processing activities that commence on or after the OKCDPA effective date and are not retroactive [^stat-309-assessment]. The same section that houses the consent rule also sets two immediate baseline duties for all personal data: collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes, and maintain reasonable administrative, technical, and physical security appropriate to the data's volume and nature [^stat-306-duties]. It separately bars incompatible-purpose processing without consent, unlawful-discrimination processing, and discrimination for rights exercise, with a loyalty-program carve-out [^stat-306-limits].
73
+
74
+ ## When must you notify people of a data breach in Oklahoma? {#breach-notification}
75
+
76
+ **Short answer.** This duty applies today — Oklahoma rewrote its Security Breach Notification Act effective January 1, 2026. An individual or entity that owns or licenses computerized personal information must notify any Oklahoma resident whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, where the breach causes or is reasonably believed to cause identity theft or other fraud — and the disclosure must be made without unreasonable delay [^stat-163-resident-notice]. The rewrite also added a regulator's clock: the Attorney General must be notified without unreasonable delay, and no more than 60 days after residents are notified [^stat-163-ag-notice], unless the breach affects fewer than 500 Oklahoma residents [^stat-163-small-exempt].
77
+
78
+ Three changes in the current text deserve attention in an incident-response plan. First, the data elements are broader than the old name-plus-number list: *personal information* now includes electronic identifiers or routing codes combined with credentials that would permit access to a financial account, and unique biometric data such as a fingerprint or retina or iris image used to authenticate a specific individual — so a credential-stuffing or biometric incident can be notifiable when it involves the statutory first-name-or-initial-plus-last-name combination, one of those data elements, and the breach/risk trigger [^stat-162-elements]. Second, the statute now defines *reasonable safeguards* — risk assessments, layered technical and physical defenses, employee training, and an incident response plan, scaled to the entity's size and data — and, as the enforcement question below explains, having reasonable safeguards and giving the required notice is what shields you from civil penalties after a breach [^stat-162-safeguards]. Third, the act keeps its interoperability valves: an entity following its own consistent notification procedures under an information privacy or security policy is deemed compliant, as are financial institutions following federal interagency guidance and entities following HIPAA or the state hospital-cybersecurity act — but the deemed-compliance routes for regulated entities still require the Attorney General notice [^stat-164-compliance]. The AG notice has fixed contents (breach date, determination date, nature, data types, resident count, estimated monetary impact, and the safeguards employed), so build that template before the incident, not during it [^stat-163-ag-notice].
79
+
80
+ ## Who enforces Oklahoma privacy law — and can consumers sue? {#enforcement-and-lawsuits}
81
+
82
+ **Short answer.** Under the OKCDPA, enforcement belongs to one office: the Attorney General has exclusive authority to enforce the act [^stat-311-ag], and the act creates no private right of action for an OKCDPA violation or as an OKCDPA-based theory under another law [^stat-313-nopra]. Before suing, the Attorney General must give 30 days' written notice identifying the alleged violations, and may not sue at all if the business cures within that window and provides the required written statement and supporting documentation [^stat-312-cure]. After an uncured violation, civil penalties run up to $7,500 per violation [^stat-313-penalty].
83
+
84
+ Three Oklahoma-specific features round out the picture. First, the 30-day cure right has no sunset — Section 312 contains no cure expiration date, so the cure-first posture appears permanent rather than a transition-period grace [^stat-312-cure]. Second, the staged act contains no rulemaking grant: the office's only specified implementation duties are to post controller, processor, and consumer-rights information on its website and to run an online complaint mechanism, so the statutory text is the whole rulebook [^stat-311-ag]. Third, the regimes that govern today have sharper teeth than the OKCDPA's. Under the breach act, the Attorney General or a district attorney may recover actual damages plus a civil penalty of up to $150,000 per breach or related series of breaches, except that violations by state-chartered or state-licensed financial institutions are enforced exclusively by the primary state regulator [^stat-165-enforcement] — but an entity that used reasonable safeguards and gave proper notice is not subject to civil penalties and can plead that as an affirmative defense, while one that failed on safeguards but noticed properly faces actual damages and a $75,000 penalty instead of the full amount [^stat-165-defense]. And the Oklahoma Consumer Protection Act — the deception backstop that already reaches privacy misrepresentations — does carry a private right of action: an aggrieved consumer may sue for actual damages, costs, and attorney fees [^stat-761-pra]. So while neither privacy-specific statute lets consumers sue, a privacy promise broken in a consumer transaction can still land a business in front of a private plaintiff today.
85
+
86
+ ## How do federal privacy laws interact with Oklahoma's new privacy act? {#federal-overlay}
87
+
88
+ **Short answer.** Mostly by switching the OKCDPA off. The act does not apply at the entity level to state agencies, GLBA financial institutions, HIPAA covered entities and business associates, nonprofits, or institutions of higher education [^stat-314-exemptions] — and at the data level it exempts information already governed by federal regimes, including HIPAA protected health information, FCRA consumer-report data, and data handled under the Driver's Privacy Protection Act and FERPA [^stat-315-data-exempt].
89
+
90
+ The structure matters for scoping. The GLBA carve-out is written as *a financial institution or data subject to* Title V — both the institution and the data are out — and the HIPAA carve-out removes the covered entity or business associate wholesale, not just its health records [^stat-314-exemptions]. The data-level list in the companion section then covers federally regulated information held by businesses that are otherwise in scope: health records and research data, credit-report information under the FCRA, motor-vehicle data under the DPPA, education records under FERPA, Farm Credit Act data, and employment-context data [^stat-315-data-exempt]. For children's data the act borrows the federal standard outright: a controller or processor that complies with COPPA's verifiable parental consent requirements is deemed compliant with any parental-consent requirement under the act [^stat-316-coppa]. For businesses within FTC jurisdiction, Section 5 of the FTC Act remains a federal backdrop for unfair or deceptive acts or practices in or affecting commerce [^fed-ftc5]. The practical scoping exercise for 2027: first check whether your entity is carved out wholesale; if not, segment the federally regulated data streams out of OKCDPA scope and run the act's rights, notice, consent, and contracting duties on the remainder.
91
+
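Review bot: The article body cites codified section numbers while the statutory quotes in the notes use the bill's internal numbering, and nothing added here states how the two map. On new line 66 the body says "Section 306 controller duties" and cites [^stat-310-deidentified], whose quoted text reads "controller duties under Section 7 of this act"; other quotes refer to "Section 2", "Section 4", "Section 10" and "Section 12 of this act", while the body uses "Section 312" for the cure provision. A reader checking the body against the quoted text cannot confirm the correspondence from the page alone. Suggest adding a one-line key for the two numbering schemes, or a bracketed codified cite after each internal reference inside the quotes.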
92
+ [^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Oklahoma. This article synthesizes Oklahoma primary law and is not legal advice from a Oklahoma-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
93
+
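Review bot: Typo in the [^about] note on new line 92: "not legal advice from a Oklahoma-admitted attorney" should read "an Oklahoma-admitted attorney". If this sentence comes from a shared per-state template, the article should be chosen from the state name's first sound so the same error does not appear in other state pages.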
94
+ [^stat-314-apply]: **75A O.S. § 314(A) (SB 546)** — "The provisions of this act apply only to a controller or processor who: 1. Conducts business in this state or produces a product or service targeted to the residents of this state; and 2. During a calendar year, either: a. controls or processes personal data of at least one hundred thousand (100,000) consumers, or b. controls or processes personal data of at least twenty-five thousand (25,000) consumers and derives over fifty percent (50%) of gross revenue from the sale of personal data." *75A O.S. § 314(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
95
+
96
+ [^stat-166-breach-date]: **24 O.S. § 166** — "The Security Breach Notification Act shall apply to the determination or notification of a breach of the security of the system that occurs on or after January 1, 2026." *24 O.S. § 166.* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452240>
97
+
98
+ [^stat-752-udap]: **15 O.S. § 752 (Oklahoma Consumer Protection Act)** — "‘Deceptive trade practice’ means a misrepresentation, omission or other practice that has deceived or could reasonably be expected to deceive or mislead a person to the detriment of that person. Such a practice may occur before, during or after a consumer transaction is entered into and may be written or oral" *15 O.S. § 752(13).* <https://oksenate.gov/sites/default/files/2022-05/os15.pdf>
99
+
100
+ [^stat-300-consumer]: **75A O.S. § 300(8) (SB 546)** — "‘Consumer’ means an individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context" *75A O.S. § 300(8) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
101
+
102
+ [^stat-307-notice]: **75A O.S. § 307(A) (SB 546)** — "A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes: 1. The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller; 2. The purpose for processing personal data; 3. How consumers may exercise their consumer rights under Sections 2 through 6 of this act, including the process by which a consumer may appeal a controller's decision with regard to the consumer's request; 4. If applicable, the categories of personal data that the controller shares with third parties; and 5. If applicable, the categories of third parties with whom the controller shares personal data." *75A O.S. § 307(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
103
+
104
+ [^stat-307-optout]: **75A O.S. § 307(B) (SB 546)** — "If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose on the notice required by subsection A of this section such process and the manner in which a consumer may exercise the right to opt out of such process." *75A O.S. § 307(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
105
+
106
+ [^stat-305-methods]: **75A O.S. § 305 (SB 546)** — "A controller shall establish two or more secure and reliable methods to enable consumers to submit a request to exercise their consumer rights under this act. The methods shall consider: 1. The ways in which consumers normally interact with the controller; 2. The necessity for secure and reliable communications of those requests; and 3. The ability of the controller to authenticate the identity of the consumer making the request. B. A controller shall not require a consumer to create a new account to exercise the consumer’s rights under this act but may require a consumer to use an existing account. C. Except as provided by subsection D of this section, if the controller maintains an Internet website, the controller shall provide a mechanism on the website for consumers to submit requests for information required to be disclosed under this act. D. A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal information shall only be required to provide an electronic mail address for the submission of requests described by subsection C of this section." *75A O.S. § 305 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
107
+
108
+ [^stat-308-contract]: **75A O.S. § 308(B)-(D) (SB 546)** — "A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall include: 1. Clear instructions for processing data; 2. The nature and purpose of processing; 3. The type of data subject to processing; 4. The duration of processing; 5. The rights and obligations of both parties; and 6. A requirement that the processor shall: a. ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data, b. at the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law, c. make available to the controller, upon reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of this act, d. allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, and e. engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data. C. Notwithstanding the requirement described by subparagraph d of paragraph 6 of subsection B of this section, a processor, in the alternative, may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the requirements under this act using an appropriate and accepted control standard or framework and assessment procedure. The processor shall provide a report of the assessment to the controller on request. D. 
The provisions of this section shall not be construed to relieve a controller or a processor from the liabilities imposed on the controller or processor due to its role in the processing relationship as described by this act." *75A O.S. § 308(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
109
+
110
+ [^stat-308-assist]: **75A O.S. § 308(A) (SB 546)** — "A processor shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller’s duties or requirements under this act, including: 1. Taking into account the nature of processing and the information available to the processor, assisting the controller in responding to consumer rights requests submitted under Section 2 of this act by using appropriate technical and organizational measures, as reasonably practicable; 2. Taking into account the nature of processing and the information available to the processor, assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor’s system under the Security Breach Notification Act, Section 161 et seq. of Title 24 of the Oklahoma Statutes; and 3. Providing necessary information to enable the controller to conduct and document data protection assessments under Section 10 of this act." *75A O.S. § 308(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
111
+
112
+ [^stat-301-rights]: **75A O.S. § 301(B) (SB 546)** — "A controller shall comply with an authenticated consumer request to exercise the right to: 1. Confirm whether a controller is processing the consumer’s personal data and to access the personal data; 2. Correct inaccuracies in the consumer’s personal data, considering the nature of the personal data and the purposes of the processing of the consumer’s personal data; 3. Delete personal data provided by or obtained about the consumer; 4. If the data is available in a digital format, obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; or 5. Opt out of the processing of the personal data for purposes of: a. targeted advertising, b. the sale of personal data, or c. profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer." *75A O.S. § 301(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
113
+
114
+ [^stat-301-request]: **75A O.S. § 301(A) (SB 546)** — "A consumer is entitled to exercise the consumer rights authorized by this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to exercise. With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise the consumer rights on behalf of the child." *75A O.S. § 301(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
115
+
116
+ [^stat-302-deadline]: **75A O.S. § 302 (SB 546)** — "A controller shall respond to the consumer request no later than forty-five (45) days after the date of receipt of the request. The controller may extend the response period once by an additional forty-five (45) days when reasonably necessary, considering the complexity and number of the consumer’s requests. The controller shall inform the consumer of an extension within the initial forty-five-day response period and of the reason for the extension. C. If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer no later than the forty-five (45) days after the date of receipt of the request of the justification for declining to take action and provide instructions on how to appeal the decision in accordance with Section 4 of this act. D. A controller shall provide information in response to a consumer request free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. The controller shall bear the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive." *75A O.S. § 302(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
117
+
118
+ [^stat-303-appeal]: **75A O.S. § 303 (SB 546)** — "A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision under subsection C of Section 3 of this act. The appeal process shall be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under Section 2 of this act. B. A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section no later than sixty (60) days after the date of receipt of the appeal including a written explanation of the reason or reasons for the decision. If the controller denies an appeal, the controller shall provide the consumer with the online mechanism described by subsection B of Section 12 of this act through which the consumer may contact the Attorney General to submit a complaint." *75A O.S. § 303(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
119
+
120
+ [^stat-304-nowaiver]: **75A O.S. § 304 (SB 546)** — "Any provision of a contract or agreement that waives or limits a consumer right described by Section 2, 3, or 4 of this act shall be deemed to be contrary to public policy and shall be void and unenforceable." *75A O.S. § 304 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
121
+
122
+ [^stat-310-deidentified]: **75A O.S. § 310 (SB 546)** — "A controller in possession of de-identified data shall: 1. Take reasonable measures to ensure that the data cannot be associated with an individual; 2. Publicly commit to process such data only in a de-identified fashion and not attempt to reidentify the data; and 3. Contractually obligate any recipient of the de-identified data to comply with the requirements of this subsection. B. The provisions of this act shall not be construed to require a controller or processor to: 1. Reidentify de-identified data or pseudonymous data; 2. Maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or 3. Comply with an authenticated consumer rights request under Section 2 of this act, if the controller: a. is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data, b. does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer, and c. does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by this section. C. The consumer rights under paragraphs 1 through 4 of subsection B of Section 2 of this act and controller duties under Section 7 of this act shall not apply to pseudonymous data in cases in which the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. D. 
A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breach of the contractual commitments." *75A O.S. § 310 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
123
+
124
+ [^stat-306-consent]: **75A O.S. § 306(B) (SB 546)** — "A controller shall not: 1. Except as otherwise provided by this act, process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent; 2. Process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers; 3. Discriminate against a consumer for exercising any consumer rights contained in this act, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; or 4. Process the sensitive data of a consumer without obtaining the consumer’s consent or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act of 1998." *75A O.S. § 306(B)(4) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
125
+
126
+ [^stat-300-sensitive]: **75A O.S. § 300(29) (SB 546)** — "‘Sensitive data’ means a category of personal data. The term includes: a. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, b. genetic or biometric data that is processed for the purpose of uniquely identifying an individual, c. personal data collected from a known child, or d. precise geolocation data" *75A O.S. § 300(29) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
127
+
128
+ [^stat-300-consent-def]: **75A O.S. § 300(7) (SB 546)** — "‘Consent’, when referring to a consumer, means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes, but is not limited to, a written statement, including a statement written by electronic means, or any other unambiguous affirmative action. The term does not include: a. acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information, b. hovering over, muting, pausing, or closing a given piece of content, or c. agreement obtained through the use of dark patterns" *75A O.S. § 300(7) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
129
+
130
+ [^stat-309-assessment]: **75A O.S. § 309(A), (C), (D), (G) (SB 546)** — "A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data: 1. The processing of personal data for purposes of targeted advertising; 2. The sale of personal data; 3. The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of: a. unfair or deceptive treatment of or unlawful disparate impact on consumers, b. financial, physical, or reputational injury to consumers, c. a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person, or d. other substantial injury to consumers; 4. The processing of sensitive data; and 5. Any processing activities involving personal data that present a heightened risk of harm to consumers. B. A data protection assessment conducted under subsection A of this section shall: 1. Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risks; and 2. Factor into the assessment the: a. use of de-identified data, b. reasonable expectations of consumers, c. context of the processing, and d. relationship between the controller and the consumer whose personal data will be processed. C. A controller shall make a data protection assessment available to the Attorney General upon written request pursuant to a civil investigation demand. D. A data protection assessment shall be confidential and exempt from public inspection and copying under the Oklahoma Open Records Act, Section 24A.1 et seq. of Title 51 of the Oklahoma Statutes. 
Disclosure of a data protection assessment in compliance with a request from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment. E. A single data protection assessment may address a comparable set of processing operations that include similar activities. F. A data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect. G. A data protection assessment as required by this section shall apply to processing activities that commence on or after the effective date of this act and shall not be retroactive." *75A O.S. § 309(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
131
+
132
+ [^stat-306-duties]: **75A O.S. § 306(A) (SB 546)** — "A controller shall: 1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer; and 2. For purposes of protecting the confidentiality, integrity, and accessibility of personal data, establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue." *75A O.S. § 306(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
133
+
134
+ [^stat-306-limits]: **75A O.S. § 306(B)-(C) (SB 546)** — "A controller shall not: 1. Except as otherwise provided by this act, process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent; 2. Process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers; 3. Discriminate against a consumer for exercising any consumer rights contained in this act, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; or 4. Process the sensitive data of a consumer without obtaining the consumer’s consent or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act of 1998. C. Paragraph 3 of subsection B of this section shall not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer’s right to opt out under Section 2 of this act or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program." *75A O.S. § 306(B)-(C) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
135
+
136
+ [^stat-163-resident-notice]: **24 O.S. § 163(A)** — "An individual or entity that owns or licenses computerized data that includes personal information shall provide notice of any breach of the security of the system following determination or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection D of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the disclosure shall be made without unreasonable delay." *24 O.S. § 163(A).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452237>
137
+
138
+ [^stat-163-ag-notice]: **24 O.S. § 163(E)(1)** — "An individual or entity required to provide notice in accordance with subsection A or B of this section shall also provide notice to the Attorney General of such breach without unreasonable delay but in no event more than sixty (60) days after providing notice to impacted residents of this state as required by this section. The notice shall include the date of the breach, the date of its determination, the nature of the breach, the type of personal information exposed, the number of residents of this state affected, the estimated monetary impact of the breach to the extent such impact can be determined, and any reasonable safeguards the entity employs." *24 O.S. § 163(E)(1).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452237>
139
+
140
+ [^stat-163-small-exempt]: **24 O.S. § 163(E)(2)** — "A breach of a security system where fewer than five hundred (500) residents of this state are affected within a single breach shall be exempt from the notice requirements of paragraph 1 of this subsection. 3. A breach of a security system maintained by a credit bureau where fewer than one thousand (1,000) residents of this state are affected within a single breach shall be exempt from the notice requirements of paragraph 1 of this subsection." *24 O.S. § 163(E)(2).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452237>
141
+
142
+ [^stat-162-elements]: **24 O.S. § 162(6)** — "‘Personal information’ means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security: a. social security number, b. driver license number or other unique identification number created or collected by a government entity, c. financial account number, or credit card or debit card number, in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account, d. unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or e. unique biometric data such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual." *24 O.S. § 162(6)(d)–(e).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452236>
143
+
144
+ [^stat-162-safeguards]: **24 O.S. § 162(8)** — "‘Reasonable safeguards’ means policies and practices that ensure personal information is secure, taking into consideration an entity's size and the type and amount of personal information. The term includes, but is not limited to, conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan" *24 O.S. § 162(8).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452236>
145
+
146
+ [^stat-164-compliance]: **24 O.S. § 164** — "An individual or entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that are consistent with the timing requirements of the Security Breach Notification Act shall be deemed to be in compliance with the notification requirements of subsection A or B of Section 163 of this title if the individual or entity notifies residents of this state in accordance with its procedures in the event of a breach of security of the system. B. The following entities shall be deemed to be in compliance with the notification requirements of subsection A or B of Section 163 of this title if such entities provide notice to the Attorney General as required by subsection E of Section 163 of this title: 1. A financial institution that complies with the notification requirements prescribed by the Gramm-Leach-Bliley Act and the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice; 2. An entity that complies with the notification requirements prescribed by the Oklahoma Hospital Cybersecurity Protection Act of 2023 or the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and 3. An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator of the entity." *24 O.S. § 164(A).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452238>
147
+
148
+ [^stat-311-ag]: **75A O.S. § 311 (SB 546)** — "The Attorney General has exclusive authority to enforce the provisions of this act. B. The Attorney General shall post on the Attorney General's Internet website: 1. Information relating to: a. the responsibilities of a controller under this act, b. the responsibilities of a processor under this act, and c. a consumer's rights under this act; and 2. An online mechanism through which a consumer may submit a complaint under this act to the Attorney General." *75A O.S. § 311 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
149
+
150
+ [^stat-313-nopra]: **75A O.S. § 313(E) (SB 546)** — "Nothing in this act shall be construed as providing a basis for, or being subject to, a private right of action for a violation of this act or any other provision of law." *75A O.S. § 313(E) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
151
+
152
+ [^stat-312-cure]: **75A O.S. § 312 (SB 546)** — "Before bringing an action under Section 14 of this act, the Attorney General shall notify the controller or processor in writing, no later than thirty (30) days before bringing the action, identifying the specific provisions of this act that the Attorney General alleges have been or are being violated. The Attorney General shall not bring an action against the controller or processor if: 1. Within the thirty-day period, the controller or processor cures the identified violation; and 2. The controller or processor provides the Attorney General a written statement that the controller or processor: a. cured the alleged violation, b. provided supportive documentation to show how the privacy violation was cured, and c. that no further violations will occur." *75A O.S. § 312 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
153
+
154
+ [^stat-313-penalty]: **75A O.S. § 313(A) (SB 546)** — "A controller or processor who violates this act following the cure period described by Section 13 of this act or who breaches a written statement provided to the Attorney General under such section shall be liable for a civil penalty in an amount not to exceed Seven Thousand Five Hundred Dollars ($7,500.00) for each violation." *75A O.S. § 313(A) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
155
+
156
+ [^stat-165-enforcement]: **24 O.S. § 165(B), (D)** — "Except as provided in subsection D of this section, the Attorney General or a district attorney shall have exclusive authority to bring an action and may obtain actual damages for a violation of the Security Breach Notification Act and a civil penalty not to exceed One Hundred Fifty Thousand Dollars ($150,000.00) per breach of the security of the system or series of breaches of a similar nature that are determined in a single investigation. Civil penalties shall be based upon the magnitude of the breach, the extent to which the behavior of the individual or entity contributed to the breach, and any failure to provide the notice required by Section 163 of this title. C. 1. An individual or entity that uses reasonable safeguards and provides notice as required by Section 163 or 164 of this title shall not be subject to civil penalties and may use such compliance as an affirmative defense in a civil action filed under the Security Breach Notification Act. 2. An individual or entity that fails to use reasonable safeguards but provides notice as required by Section 163 or 164 of this title shall not be subject to the civil penalty set forth in subsection B of this section but shall be subject to actual damages and a civil penalty of Seventy-five Thousand Dollars ($75,000.00). D. A violation of the Security Breach Notification Act by a state-chartered or state-licensed financial institution shall be enforceable exclusively by the primary state regulator of the financial institution." *24 O.S. § 165(B).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452239>
157
+
158
+ [^stat-165-defense]: **24 O.S. § 165(C)** — "An individual or entity that uses reasonable safeguards and provides notice as required by Section 163 or 164 of this title shall not be subject to civil penalties and may use such compliance as an affirmative defense in a civil action filed under the Security Breach Notification Act. 2. An individual or entity that fails to use reasonable safeguards but provides notice as required by Section 163 or 164 of this title shall not be subject to the civil penalty set forth in subsection B of this section but shall be subject to actual damages and a civil penalty of Seventy-five Thousand Dollars ($75,000.00)." *24 O.S. § 165(C).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=452239>
159
+
160
+ [^stat-761-pra]: **15 O.S. § 761.1 (Oklahoma Consumer Protection Act)** — "The commission of any act or practice declared to be a violation of the Consumer Protection Act shall render the violator liable to the aggrieved consumer for the payment of actual damages sustained by the customer and costs of litigation including reasonable attorney's fees, and the aggrieved consumer shall have a private right of action for damages, including but not limited to, costs and attorney's fees." *15 O.S. § 761.1(A).* <https://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=66266>
161
+
162
+ [^stat-314-exemptions]: **75A O.S. § 314(B) (SB 546)** — "The provisions of this act shall not apply to: 1. A state agency or a political subdivision of this state, or a service provider processing data on behalf of a state agency or political subdivision of this state; 2. A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C., Section 6801 et seq.; 3. A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R., Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq., and the Health Information Technology for Economic and Clinical Health Act, Division A of Title XIII and Division B of Title IV of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5; 4. A nonprofit organization; 5. An institution of higher education;" *75A O.S. § 314(B) (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
163
+
164
+ [^stat-315-data-exempt]: **75A O.S. § 315 (SB 546)** — "The following information shall be exempt from this act: 1. Protected health information under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq.; 2. Health records; 3. Patient identifying information for purposes of 42 U.S.C., Section 290dd-2; 4. Identifiable private information: a. for purposes of the federal policy for the protection of human subjects under 45 C.F.R., Part 46, b. collected as part of human subjects research under the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) or of the protection of human subjects under 21 C.F.R., Parts 50 and 56, or c. that is personal data used or shared in research conducted in accordance with the requirements set forth in this act or other research conducted in accordance with applicable law; 5. Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C., Section 11101 et seq.; 6. Patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005, 42 U.S.C., Section 299b-21 et seq.; 7. Information derived from any of the health care-related information listed in this section that is de-identified in accordance with the requirements for de-identification under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq. or any regulation adopted thereunder; 8. Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section that is maintained by a covered entity or business associate as defined under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq. 
or any regulation adopted thereunder, or by a program or a qualified service organization as defined under 42 U.S.C., Section 290dd-2 or any regulation adopted thereunder; 9. Information that is included in a limited data set as described by 45 C.F.R., Section 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by 45 C.F.R., Section 164.514(e); 10. Information collected or used only for public health activities and purposes as authorized under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C., Section 1320d et seq.; 11. The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C., Section 1681 et seq.; 12. Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C., Section 2721 et seq.; 13. Personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C., Section 1232g; 14. Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971, 12 U.S.C., Section 2001 et seq.; 15. Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of such role; 16. Data processed or maintained as the emergency contact information of an individual under this act that is used for emergency contact purposes; or 17. 
Data that is processed or maintained and is necessary to retain to administer benefits for another individual that relates to an individual described by paragraph 15 of this section and used for the purposes of administering those benefits." *75A O.S. § 315 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
165
+
166
+ [^stat-316-coppa]: **75A O.S. § 316 (SB 546)** — "A controller or processor that complies with the verifiable parental consent requirements of the Children's Online Privacy Protection Act of 1998 with respect to data collected online shall be considered to be in compliance with any requirement to obtain parental consent under this act." *75A O.S. § 316 (SB 546, eff. Jan. 1, 2027).* <https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF>
167
+
168
+ [^fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful. (2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C. 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C. 227(b)], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,practices%20in%20or%20affecting%20commerce.>
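Review bot: several of these footnotes end with a pin cite that does not match the subsections actually quoted, which weakens the value of quoting the statute verbatim. [^stat-163-small-exempt] is labelled § 163(E)(2) but its quote runs on into "3. A breach of a security system maintained by a credit bureau ...", so either cite § 163(E)(2)-(3) or end the quote at paragraph 2. [^stat-162-elements] quotes items a through e under a § 162(6) heading yet ends with § 162(6)(d)–(e). [^stat-164-compliance] ends with § 164(A) although the quote continues through "B. The following entities ...". [^stat-165-enforcement] is headed § 165(B), (D) and ends with § 165(B), but it reproduces subsection C in full, duplicating [^stat-165-defense] directly below it; trim C from the enforcement footnote and let the defense footnote carry it. [^fed-ftc5] cites 15 U.S.C. § 45(a)(1) while the quote includes "(2) The Commission is hereby empowered ...". Separately, the [^stat-314-exemptions] quote stops at "5. An institution of higher education;" with a trailing semicolon, so mark the elision if the list continues, and the [^stat-162-safeguards] quote has no closing period before its closing quotation mark.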