
On March 20, 2026, Oklahoma became the 20th state to pass a comprehensive consumer privacy statute. The Oklahoma Consumer Data Privacy Act (“OKCDPA”) takes effect January 1, 2027. For dealerships and their vendors, the law largely follows the familiar state privacy framework from the other 19 states, but businesses now have less than a year to review data practices, update notices, confirm consumer-rights procedures, and revisit vendor contracts.
Applicability
The OKCDPA applies to controllers and processors that do business in Oklahoma, or target Oklahoma residents, and annually control or process personal data of either: (1) at least 100,000 Oklahoma consumers, or (2) at least 25,000 Oklahoma consumers while deriving more than 50% of gross revenue from the sale of personal data. The Act defines “sale” narrowly, limiting it to exchanges for monetary consideration.
Because of the scope and scale of the data dealers obtain, and the fact that most dealers retain data for some time, many dealers may exceed the 100,000 threshold. Notably, the law applies only to Oklahoma consumers acting in an individual or household context, not to commercial data or information about your employees or applicants.
It also includes several exemptions, including for data and entities subject to the Gramm-Leach-Bliley Act (GLBA). As we have discussed in prior articles, there is an open question as to the scope of the GLBA exemption. While the exemption should give dealers an argument in the event of an issue under the state law, there are several important reasons why dealers should comply with the law anyway, including its potential application to some dealership operations and other contractual and franchise obligations. This is a somewhat complicated question, and dealers should consult with their attorneys regarding whether and how the GLBA exemption may apply to their specific operations.
Controller and Processor Obligations
Like other state privacy laws, the OKCDPA places obligations on data “controllers” (like dealers) to obtain consent before processing sensitive data, respond to consumer requests, implement reasonable security safeguards, and provide compliant privacy notices.
Third-party “processors” (service providers for the controller) must act according to the controller’s instructions and assist with compliance, including consumer-rights requests, data security, breach notification support, and data protection assessments. The Act also requires certain provisions in controller-processor contracts. This means that to comply with the law, you must obtain a new contract addendum with your service providers (in addition to the one required under the federal Safeguards Rule).
Consumer Rights
The statute provides certain rights to Oklahoma consumers, including the right to access, correct, and delete personal data; obtain a portable copy; and opt out of targeted advertising, the sale of personal data, and profiling. Businesses are required to honor those rights: they must respond within 45 days, with one possible 45-day extension, and must offer an appeal process for denied requests.
Enforcement and Penalties
The Oklahoma Attorney General has exclusive enforcement authority. The law does not provide a private right of action. It includes a mandatory 30-day cure period with no sunset, making it more business-friendly than some other state privacy laws. Violations may result in penalties of up to $7,500 per violation.
What This Means for Dealers
The Oklahoma privacy law adds yet another layer to the increasingly complex patchwork of state privacy legislation that dealers must navigate. While the OKCDPA’s thresholds may mean that some smaller Oklahoma dealers fall outside the strict requirements of the law, the broader trend is unmistakable: honoring the standards and requirements of these consumer privacy laws is rapidly becoming the de facto consumer protection standard across the country.
Many dealers and dealer groups are choosing to apply privacy-law compliance measures across all locations, regardless of state-specific requirements. OEMs are also increasingly imposing privacy obligations by contract, and consumers expect their rights to be honored no matter where they live.
ComplyAuto Has Dealers Covered
The good news is that ComplyAuto makes it easy and takes care of it for you. We work with state dealer associations and regulators nationwide to help ensure our solutions meet legal and technical requirements. ComplyAuto’s Privacy software will ensure full compliance with the OKCDPA. With a deadline approaching, don’t wait; contact ComplyAuto today, before the law takes effect on January 1, 2027.
If you have questions about the OKCDPA or want to simplify compliance, contact ComplyAuto today.