Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: Yes, if >499 residents notified
Okla. Stat. § 24-161--166 (as amended by SB626, 2025)
Scope of this Summary:
Notification requirements applicable to individuals or entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if covered entity reasonably believes that breach has not and will not cause identity theft or other fraud to any Oklahoma resident.
Breach Defined
Unauthorized access and acquisition of unencrypted or unredacted computerized data as part of a database of personal information regarding multiple individuals that compromises the security or confidentiality of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted so long as encryption key was not accessed or acquired.
Form of Covered Info
Electronic Only
Covered Info
The first name or first initial and last name in combination with and linked to any one or more of the following data elements:
- Social Security number
- Driver's license number or other unique identification number created or collected by a government entity
- Financial account number, or credit card or debit card number, in combination with any required expiration date, security code, access code, or password that would permit access to an individual's financial account,
- Unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual's financial account, or
- Unique biometric data such as fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual
Personal information does not include information that is lawfully obtained from publicly available sources, or from federal, state or local government records lawfully made available to the general public.
Consumer Notice Timing
Must be made without unreasonable delay, consistent with any measures to determine the scope of the breach and to restore the reasonable integrity of the system.
Consumer Notice Method
By written notice, telephone notice, or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Oklahoma's general breach notification statute does not set out specific content requirements for the notice to affected persons.
Delayed Notice
Notification may be delayed if law enforcement determines and advises that notification will impede a criminal or civil investigation or homeland or national security.
Government Notice
If 500 or more state residents are notified as a result of a single breach, must also notify the Attorney General without unreasonable delay, but no later than sixty (60) days after providing notice to the impacted residents.
Consumer Reporting Agency Notice
The Oklahoma general breach notification statute does not require notice to Consumer Reporting Agencies.
Exceptions for Other Laws
The following entities shall be deemed to be in compliance with the notification requirements: a financial institution that complies with the notification requirements prescribed by the Gramm-Leach-Bliley Act and the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice; an entity that complies with the notification requirements prescribed by the Oklahoma Hospital Cybersecurity Protection Act of 2023 or the Health Insurance Portability and Accountability Act of 1996 (HIPAA); or an entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator of the entity.
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it as soon as practicable following discovery of a breach.
Private Right of Action
Oklahoma's general breach notification statute does not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Current as of January 5, 2026