ARTICLE
27 March 2026

Better Sooner Than Later: Oklahoma Passes A New Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, codifying Oklahoma's comprehensive consumer privacy law. The law takes effect January 1, 2027, and, while it follows the familiar omnibus state privacy model, it contains notable drafting choices and omits some features found in other state laws.

In Depth

Who does SB 546 apply to?

SB 546 follows the familiar threshold-based model. It applies to a controller or processor that conducts business in Oklahoma or produces a product or service targeted to Oklahoma residents and, during a calendar year, engages in either of the following:

  1. Controls or processes personal data of at least 100,000 consumers.
  2. Controls or processes personal data of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal data.

Who is a consumer?

SB 546 defines a "consumer" as an individual who is a resident of Oklahoma acting only in an individual or household context, and excludes individuals acting in a commercial or employment context.

What is personal data?

"Personal data" means information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The definition includes pseudonymous data when used in conjunction with additional information that reasonably links the data to an identified or identifiable individual, but excludes de-identified data and publicly available information.

What is sensitive data?

SB 546 defines "sensitive data" in a manner that generally tracks other omnibus state privacy laws and includes:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  2. Genetic or biometric data processed for the purpose of uniquely identifying an individual.
  3. Personal data collected from a known child.
  4. Precise geolocation data.

For these purposes, "precise geolocation data" means information derived from technology, including GPS-level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.

Who can enforce?

The Oklahoma attorney general has exclusive enforcement authority. Before bringing an action, the attorney general must provide written notice at least 30 days in advance identifying the alleged violations. If the violation is cured within that period and the controller or processor provides a written statement with supporting documentation showing the cure and representing that no further violations will occur, the attorney general may not bring the action. Civil penalties may reach $7,500 per violation, injunctive relief is available, and the bill expressly disclaims a private right of action. Unlike several other states, this cure period does not sunset.

Who is exempt?

SB 546 contains entity-level and data-level exemptions. At the entity level, it exempts state agencies and political subdivisions (and service providers processing on their behalf), financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations, and institutions of higher education.

At the data level, the exemptions are broad and largely familiar, notably including personal data subject to GLBA, HIPAA, federal research laws, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, and the Farm Credit Act, among others.

Like other state privacy laws, SB 546 also includes separate carve-outs preserving certain processing for legal compliance, investigations, security and fraud response, legal claims, requested products or services, qualifying research, product recall, technical repair, and certain internal operations, subject to certain limits.

What obligations are imposed?

SB 546 imposes operational obligations on controllers and direct assistance and contracting obligations on processors. In particular, controllers must:

  1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer.
  2. Establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
  3. Refrain from processing personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose unless the controller first obtains the consumer's consent.
  4. Avoid processing personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers, and avoid discriminating against consumers for exercising their rights, subject to the law's loyalty-program and related carve-out.
  5. Obtain the consumer's consent before processing sensitive data and, in the case of sensitive data of a known child, process that data in accordance with the Children's Online Privacy Protection Act.
  6. Establish two or more secure and reliable methods for consumers to submit rights requests, without requiring the consumer to create a new account; if the controller maintains a website, provide a mechanism on the website for requests, although an online-only controller with a direct relationship to the consumer may provide only an email address.
  7. Provide consumers with a reasonably accessible and clear privacy notice describing the categories of personal data processed (including, if applicable, sensitive data), the purposes of processing, how consumers may exercise and appeal their rights, and, if applicable, the categories of personal data shared with third parties and the categories of third parties.
  8. Clearly and conspicuously disclose in the privacy notice any sale of personal data to third parties or processing for targeted advertising, together with the manner in which a consumer may exercise the right to opt out.
  9. With respect to de-identified data, take reasonable measures to ensure the data cannot be associated with an individual, publicly commit to process the data only in de-identified fashion and not attempt to reidentify it, and contractually obligate recipients to comply with the same requirements.

Processors, in turn, must follow controller instructions and assist controllers, as reasonably practicable, with consumer-rights requests, security-of-processing and breach-notification compliance, and the information needed to conduct and document data protection assessments.

Controller-processor contracts must contain specified terms, including instructions, purpose, data type, duration, party rights and obligations, confidentiality, deletion/return, compliance information, assessment cooperation, and written subprocessor flow-downs. SB 546 also voids contractual provisions that waive or limit rights under its consumer-rights, response, or appeal provisions.

What consumer rights are created by SB 546?

SB 546 gives Oklahoma consumers a familiar set of omnibus privacy rights, including:

  1. The right to confirm whether a controller is processing the consumer's personal data and to access that data.
  2. The right to correct inaccuracies in the consumer's personal data, considering the nature of the data and the purposes of processing.
  3. The right to delete personal data provided by or obtained about the consumer.
  4. The right, if the data is available in digital format, to obtain a portable copy of personal data previously provided by the consumer, in a readily usable format where technically feasible and where processing is carried out by automated means.
  5. The right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
  6. The right to appeal a controller's refusal to take action on a request. With respect to a known child, a parent or legal guardian may exercise these rights on the child's behalf.

The bill enumerates these rights and does not add a separate right to obtain a list of specific third parties or a standalone right to a profiling explanation, reevaluation, or outcome report.

Response to consumer requests

Controllers must respond to an authenticated consumer request within 45 days after receipt, with one additional 45-day extension available when reasonably necessary in light of the complexity and number of requests. If a controller declines to act, it must explain the basis for the denial and provide appeal instructions within the same 45-day period. Responses must be provided free of charge up to twice annually per consumer, subject to a reasonable-fee or refusal mechanism for manifestly unfounded, excessive, or repetitive requests. The bill also provides a specific compliance pathway for deletion requests where the controller obtained the personal data from a source other than the consumer.

The appeal process must be conspicuously available and similar to the process for submitting an initial rights request. The controller must decide the appeal within 60 days after receipt and, if the appeal is denied, provide the online mechanism through which the consumer may submit a complaint to the Oklahoma attorney general.

Data protection assessments

SB 546 requires a controller to conduct and document a data protection assessment for:

  1. The processing of personal data for purposes of targeted advertising.
  2. The sale of personal data.
  3. The processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical, or reputational injury, a physical or other intrusion on the private affairs of consumers, or other substantial injury to consumers.
  4. The processing of sensitive data.
  5. Any processing activities involving personal data that present a heightened risk of harm to consumers.

The assessment must identify and weigh benefits and risks and take into account de-identified data, consumer expectations, context, and the controller-consumer relationship. A single assessment may address comparable processing operations, and an assessment prepared for another law may satisfy the requirement if it has a reasonably comparable scope and effect. Notably, assessments are confidential, may be requested by the Oklahoma attorney general through a civil investigative demand, and apply prospectively to processing activities that commence on or after the effective date.

When does SB 546 take effect?

Now that it has been signed into law, SB 546 becomes effective January 1, 2027.

***

The state privacy law landscape continues to become more complex as each new omnibus law is introduced. Organizations should review applicability, consumer-rights workflows, notices, controller-processor contracts, sensitive-data consent flows, and assessment practices to determine whether targeted Oklahoma updates are warranted.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
