This bill introduces comprehensive regulations to enhance the protection of children's personal data in Oklahoma. It mandates that covered entities—businesses offering online products or services to individuals in Oklahoma that process children's personal data—conduct data protection impact assessments for any online offerings likely to be accessed by children. These assessments must ensure that the design and operation of the products prioritize children's best interests, including appropriate handling of their personal data. The bill also requires default privacy settings to favor children's privacy and mandates clear communication of privacy policies in age-appropriate language. Furthermore, it prohibits the processing of children's personal data in ways that do not align with their best interests, such as profiling and the use of dark patterns.

In addition to these requirements, the legislation emphasizes the confidentiality of the data protection impact assessments, exempting them from public disclosure. Covered entities must notify the Attorney General of any violations and provide documentation of their assessments upon request. The bill establishes penalties for violations, including civil penalties of up to $2,500 for negligent violations and $7,500 for intentional violations, enforceable solely by the Attorney General. It also outlines specific exemptions, clarifying that it does not apply to protected health information, information collected during clinical trials, telecommunications services, or the delivery of physical products. The act is set to take effect on November 1, 2025.