Oklahoma's governor signed Senate Bill 546 on March 20, 2026, creating the state's first comprehensive consumer data privacy law. The legislation takes effect January 1, 2027, and will regulate how companies collect, use, and handle personal information belonging to Oklahoma residents.
The law applies to data controllers and processors operating in Oklahoma that meet specific thresholds: those handling information on at least 100,000 consumers, or those processing data on at least 25,000 consumers while generating more than half their revenue from selling personal data. Certain entities receive exemptions, including state agencies and their service providers, financial institutions covered by federal banking privacy rules, healthcare organizations subject to HIPAA regulations, nonprofit organizations, and institutions of higher education.
Protection under the law extends only to Oklahoma residents acting in individual or household capacities. Persons operating in commercial or employment contexts fall outside the law's scope. The legislation defines "personal data" as any information linked or reasonably linkable to an identified or identifiable individual, with additional safeguards for sensitive categories including racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship status, genetic or biometric identifiers, data from children, and precise location information.
Consumers gain several rights under the framework. They may confirm whether companies process their personal data, request corrections to inaccurate information, demand deletion of their records, obtain portable copies of previously provided data in digital formats, and opt out of processing for targeted advertising, sales, or certain profiling activities. Companies must respond to consumer requests within 45 days, with one additional 45-day extension available when reasonably necessary. If denying a request, controllers must explain their reasoning and provide appeal procedures.
Controllers must follow data minimization principles, conduct data protection assessments for sensitive processing, provide clear privacy notices, include specific contractual provisions with data processors, maintain reasonable security practices, obtain consent before processing sensitive information, and comply with child privacy protections. Companies cannot process data for purposes incompatible with original collection without consumer consent, nor can they discriminate against consumers exercising their rights.
Enforcement authority rests exclusively with the Oklahoma Attorney General. Violations carry potential fines of up to $7,500 per violation. The law explicitly prohibits private lawsuits by consumers, restricting enforcement to state officials.

