wyrick.com

Welcome to the Club, Oklahoma: The Sooner State Enacts Comprehensive Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed Senate Bill 546 (“SB 546”) into law, making Oklahoma the 20th state (or 21st, if you include Florida’s limited-scope Digital Bill of Rights) to enact a comprehensive consumer data privacy law, and the first state to do so since 2024. SB 546 will take effect on January 1, 2027.

In-scope organizations will be relieved to learn that the Oklahoma law is similar to many of the more “business-friendly” consumer privacy laws that states have passed in recent years. This post summarizes who the law applies to, highlights its key provisions, flags a few notable nuances, and outlines practical next steps for compliance.

Who Does It Apply To?

The Oklahoma law adopts familiar thresholds for determining applicability. It applies to for-profit organizations that do business in Oklahoma or target Oklahoma residents and that either (1) process the personal data of at least 100,000 Oklahoma consumers annually, or (2) process the personal data of at least 25,000 Oklahoma consumers while deriving more than 50% of gross revenue from the sale of personal data.

The law also includes a familiar, and relatively generous, set of exemptions. As with most other state comprehensive privacy laws, the Oklahoma law does not apply to data relating to individuals acting in a commercial or employment context. It also includes common data- and entity-level exemptions, such as for information subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and the Family Educational Rights and Privacy Act (“FERPA”), and for organizations subject to HIPAA and the Gramm-Leach-Bliley Act (“GLBA”).

What Are the Key Provisions?

SB 546 creates a familiar set of rights for Oklahoma residents, including rights to access, correct, delete, and obtain a portable copy of their data. Oklahoma residents will also have the right to opt out of targeted advertising, data sales, and profiling decisions with significant legal effects. Controllers must respond to consumer requests within 45 days (with the potential for a 45-day extension) and maintain an appeals process.

The Oklahoma law also requires controllers to provide privacy notices that clearly describe their data processing practices, including the categories of personal data collected, the purposes of processing, and how consumers can exercise their rights. It also mandates contracts with processors that include specific baseline data protection terms.

Controllers are also required to conduct and document data protection assessments for certain higher-risk activities, such as targeted advertising, personal data sales, profiling decisions with significant legal effects, sensitive data processing, and processing that presents a heightened risk of harm to consumers.

Anything New?

While SB 546 aligns, for the most part, with existing state comprehensive privacy laws that use the “Virginia model,” there are some notable nuances worth flagging:

  • No Authorized Agents: SB 546 does not expressly allow authorized agents to submit rights requests on behalf of Oklahoma consumers.
  • Narrow Definition of Sale: Oklahoma adopts a relatively narrow definition of sale. Under the law, sale “means the exchange of personal data for monetary consideration by the controller to a third party.” That definition contrasts with other state laws that define sales to include exchanges of personal data for monetary or “other valuable consideration.”
  • No Requirement to Honor Universal Opt-Out Mechanisms: The law does not require controllers to recognize universal opt-out mechanisms like Global Privacy Control (“GPC”). This means that businesses subject to state laws that do impose that requirement will need to continue recognizing those mechanisms for those states’ residents, but need not take any further action vis-à-vis Oklahoma residents in that regard.

What About Enforcement?

Enforcement power rests exclusively with the Oklahoma Attorney General, accompanied by a 30-day right to cure that does not sunset. There is no private right of action, and penalties may not exceed $7,500 per violation.

What Should I Do Now?

SB 546 will take effect on January 1, 2027, giving businesses approximately nine months to prepare.

If your organization does business in Oklahoma, you’ll want to confirm whether you meet the law’s applicability thresholds and identify any Oklahoma-specific gaps not already addressed by your existing compliance programs. For organizations with mature privacy compliance programs, Oklahoma is largely an additive exercise. Now is an opportune time to review your privacy compliance program and update your privacy notice to ensure readiness before the effective date.

While Oklahoma is the first state to address comprehensive privacy rights for its residents in 2026, it’s unlikely to be the last. Several states are in the late stages of considering similar bills, and others are actively amending their existing comprehensive privacy laws.

*****

If you have questions about how Oklahoma’s SB 546 fits into your existing compliance program, please contact any member of the Wyrick Robbins Privacy and Data Security Team.