Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?


Its statutes may include:

  • Specific methods of notification delivery
  • Data owner responsibility for reporting and notifications
  • Immediate notification by vendor
  • Violations are considered an unlawful practice and could result in fines up to $150,000 and civil action
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply

Who Me?


Oklahoma breach and notification laws may apply if you are:

  • An individual or entity that owns or licenses computerized data that includes PII
  • An individual or entity that maintains computerized data that includes PII

There are exemptions.

What is PII?


PII relevant to a breach in OK includes an individual’s name with one or more of the following:

  • Social security number;
  • Driver license or state identification card number;
  • Financial account or credit/debit card numbers, with any security codes etc. permitting access to the financial account of a resident.



The statutes include, but are not limited to:

Title 24. Debtor and Creditor

   Chapter 8 - Credit Services Organization Act

     “Security Breach Notification Act” § 24-161 to 24-166

Title 74. State Government

    § 74-3113.1 Disclosure of breach of security of computerized personal information


Oklahoma has laws related to the protection of personal information. The Security Breach Notification Act stipulates that “Federal and State Laws require that if you maintain [as part of a database] a consumer's name and other personal identification numbers, i.e., SSN, driver's license, credit card or financial information with the personal security code that such information must be encrypted or redacted so that in the event of a breach, such information cannot be obtained and used by a third party.”

There are additional protection, retention and disposal laws for the state.



A violation that results in injury or loss to residents of Oklahoma may be enforced by the attorney general or a district attorney in the same manner as an unlawful practice under the Oklahoma Consumer Protection Act. They additionally have exclusive authority to bring action and may obtain either actual damages or a civil penalty not to exceed $150,000.00 per breach.

A violation by a state-chartered or state-licensed financial institution is enforceable exclusively by the primary state regulator of the financial institution.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was encrypted or redacted
  • If the data included any kind of key, access or security code or password;
  • Whether identity theft or other fraud may occur
  • If it was acquired by an unauthorized person


The notification may be delayed if law enforcement advises the person it will impede a criminal or civil investigation or homeland or national security; otherwise, the notification must be made without unreasonable delay.


Requires detailed information and potential provision of services

Disclosure may be made by written notice, telephone or electronically, with stipulations. A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $50,000, or the number of persons to be notified exceeds 100,000, or they do not have sufficient contact information or appropriate consent.

Contact the Privacy Experts at CSR