After a steady stream of state-level privacy statutes, capped by passage of the Rhode Island Data Transparency and Privacy Protection Act in June 2024, for nearly two years the pipeline ran dry. That drought ended on March 20, when Sooner State Governor Kevin Stitt signed into law the Oklahoma Consumer Data Privacy Act (OCDPA). With that, the list of states to have passed a comprehensive data privacy statute now stands (by my count) at 21.
At the federal level, meanwhile, the pickings remain slim. In late March, Representative Zoe Lofgren (D-CA) for the fourth time introduced the Online Protection Act, the shortcomings of which I rehashed in a contemporaneous post to the Free State Foundation blog. Beyond that, hopeful eyes can look only to the House Commerce Committee Privacy Working Group, which was created in February 2025 and sought public input a month later. As I noted in a January Perspectives from FSF Scholars, reporting at that time suggested that the working group could release a draft bill … "soon."
The good news about the OCDPA, which closely tracks the Virginia Consumer Data Protection Act, is that it does not impose more burdensome obligations than existing state laws – and therefore is regarded as a relatively "business-friendly" addition to the state-level "patchwork." The bad news, of course, is that it further expands that "patchwork," thereby compounding compliance headaches for companies – especially smaller companies and start-ups – and making it even more challenging for consumers to comprehend their rights.
* * *
More targeted than other state laws, the OCDPA applies only to businesses operating in Oklahoma or targeting Oklahoma residents that control or process the personal data of either (1) 100,000 or more Oklahoma consumers, or (2) at least 25,000 Oklahoma consumers while deriving over 50 percent of their gross revenue from the "sale" of personal data. (By comparison, that threshold is lower – 25 percent – in most state laws.) In addition, the OCDPA defines "sale" relatively narrowly – that is, only where personal data is exchanged for monetary consideration.
The law establishes a now-familiar set of consumer rights: to access and confirm the processing of personal data, to correct inaccuracies, to delete, and to obtain a portable copy. In addition, consumers can opt out of the processing of personal data for targeted advertising, the sale of their personal data, and profiling.
"Sensitive data" – defined to include racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, genetic or biometric data used for identification, and precise geolocation data – may not be processed without the consumer's opt-in consent.
Covered businesses must abide by data-minimization principles, limiting collection to what is adequate, relevant, and reasonably necessary. They also must conduct data protection assessments before engaging in activities such as targeted advertising, the sale of personal data, and the processing of "sensitive data."
Two additional features of the OCDPA are worth highlighting. First, enforcement authority rests exclusively with the Oklahoma Attorney General; there is no private right of action. Second, the law includes a permanent, mandatory 30-day "right to cure" period for alleged violations – a feature that stands in contrast to the trend in other states toward sunsetting or eliminating cure periods altogether. Violations may result in penalties of up to $7,500 per incident.
The OCDPA will go into effect on January 1, 2027.
* * *
As I've stated countless times, the absence of a comprehensive federal data privacy law that would preempt this now-larger "patchwork" remains a glaring gap. With each new state law – and each set of idiosyncratic definitions of rights, responsibilities, thresholds, exemptions, enforcement mechanisms, and so on – the compliance burden on businesses grows heavier and the regulatory landscape confronting consumers grows murkier.
