After nearly seven years of legislative effort, Oklahoma Governor Kevin Stitt signed Senate Bill 546 (SB 546) into law on March 20, 2026, making Oklahoma the 21st state to enact a comprehensive consumer data privacy law (or 20th, depending on whether Florida’s Digital Bill of Rights is counted as a full comprehensive privacy law). The law takes effect January 1, 2027.
The Oklahoma law generally aligns with the “Virginia model” of data privacy regulation made famous by the Virginia Consumer Data Protection Act and largely mirrored in other states such as Indiana, Tennessee, and Minnesota. Nevertheless, the enactment of SB 546 is yet another data point in a clear trend: comprehensive consumer data privacy protection is becoming the norm across the U.S., even as the federal government has yet to establish a national regulatory framework.
Didomi outlines SB 546’s key provisions, including who the law applies to, how it differs from other state data privacy regulations, what businesses must do to comply, what rights are afforded to Oklahoma residents, and what penalties may be imposed for non-compliance.
Oklahoma SB 546 cheat sheet

Who does SB 546 apply to?
SB 546 applies to entities doing business in Oklahoma or targeting products and services to Oklahoma residents that meet one of two data-volume thresholds:
- The business controls or processes the personal data of at least 100,000 Oklahoma consumers per calendar year, or
- The business controls or processes the personal data of at least 25,000 consumers while deriving more than 50 percent of gross revenue from the sale of personal data.
Exempted entities
SB 546 contains a wide set of exemptions that further limit its reach. For example, the following entities are exempt from the Oklahoma law:
- State agencies and political subdivisions
- Nonprofits
- Institutions of higher education
- HIPAA-regulated health data and the entities that handle it
- Certain financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Employee data used strictly for employment purposes
Compliance obligations for Oklahoma businesses
SB 546 imposes a set of affirmative obligations on covered companies and data processors that largely tracks the established playbook of other consensus-framework states. Businesses should evaluate compliance along several key dimensions.
Transparency and Privacy Notices
Companies must provide consumers with a reasonably accessible, clear, and meaningful privacy notice disclosing the categories of personal data the company processes, the purposes for processing, how consumers may exercise their data subject rights, the categories of data shared with third parties, and the categories of third parties with whom data is shared.
In addition, privacy notices must specifically address whether the company sells personal data or engages in targeted advertising, and provide a clear mechanism for consumers to opt out of each.
Data Minimization
Companies may only collect personal data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed. Processing personal data for purposes that are not compatible with those disclosed to consumers, absent a new consent, is generally prohibited.
Reasonable Security
Companies must implement and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data they process.
The law does not specify particular technical standards, leaving controllers to calibrate their programs against industry norms and regulatory guidance.
Processor Contracts
When a company engages a processor to manage the processing of personal data on its behalf, the relationship must be governed by a written contract. This contract must specify the following:
- The nature, duration, and purposes of the processing
- The type of personal data involved
- The rights and obligations of both parties
In addition, the contract must require the processor to cooperate with the company in fulfilling consumer rights requests and to promptly notify the controller of any breach.
Data Protection Assessments
For high-risk processing activities, controllers must conduct and document data protection assessments prior to engaging in the activity. The law specifies categories of processing that trigger this requirement, including:
- Processing for targeted advertising
- Data sales
- Profiling that produces significant effects
- Processing of sensitive personal data
- Any activity that presents a heightened risk of harm to consumers
Assessments must weigh the benefits of the processing against its potential risks and consider whether those risks can be mitigated. These assessments must be made available to the attorney general upon request.
Sensitive Data
SB 546 defines a category of sensitive personal data that receives heightened protection, including:
- Personal data revealing racial or ethnic origin
- Personal data revealing religious beliefs
- Personal data revealing mental or physical health diagnosis
- Personal data revealing sexual orientation
- Personal data revealing citizenship or immigration status
- Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Precise geolocation data
Companies may not process sensitive data without obtaining the consumer's explicit consent.
Consumer rights under SB 546
The consumer rights package contained in SB 546 largely mirrors what has become the standard suite of protections across consensus-framework states like Virginia, Indiana, and Minnesota. Specifically, Oklahoma residents are provided with five core statutory rights associated with their personal data:
Right of Access
Consumers may request that a controller confirm whether it is processing their personal data and obtain a copy of that data in a portable format. Companies must provide the data in a format that allows the consumer to transmit it to another controller where technically feasible.
Right to Correction
Consumers may require a controller to correct inaccuracies in their personal data, taking into account the nature of the data and the purposes for which it is processed.
Right to Deletion
Consumers may request that a controller delete personal data they have provided or that the controller has collected about them. Controllers are not required to comply in all circumstances, such as when data is necessary to complete a transaction, detect security incidents, or comply with a legal obligation.
Right to Data Portability
Where personal data is processed by automated means, and the consumer provides the data directly, the consumer may request that the data be delivered in a portable, readily usable format.
Right to Opt Out
Consumers may opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, and certain forms of profiling that produce legal or similarly significant effects. For these activities, Oklahoma takes an opt-out approach, meaning processing may occur unless and until a consumer objects, in contrast to California's opt-in requirements related to sensitive data.
Responding to Consumer Requests
Controllers must respond to consumer requests within 45 days of receipt. A single 45-day extension is available when reasonably necessary, given the complexity or number of requests, but the controller must inform the consumer of the extension within the initial response period.
If a controller declines to act on a request, it must inform the consumer of its decision and provide instructions for appealing that decision to the controller. The law requires businesses to offer at least two secure and reliable means through which consumers can submit requests.
Two notable absences distinguish SB 546 from some of its counterparts. The law contains no provision requiring controllers to honor authorized agents submitting requests on consumers' behalf, and it includes no mandate to recognize opt-out preference signals such as the Global Privacy Control (GPC) browser setting. This means businesses that currently geofence states where GPC signals must be honored will not need to extend those configurations to Oklahoma traffic.
What can happen if a business fails to comply with SB 546
If a company is alleged to have violated SB 546, an enforcement action may only be brought by the Oklahoma Attorney General’s Office. This means there is no private right of action under SB 546.
Cure Period
Before filing any enforcement action, the AG’s Office must provide the alleged violator with written notice identifying the specific provisions believed to have been violated and allowing 30 days to cure the identified violations. If the company cures the violation within that period and provides a written statement affirming the cure and committing not to repeat the conduct, the AG’s Office may not bring an action.
Monetary Penalty for Non-Compliance
If a violation is not cured, civil penalties of up to $7,500 per violation may be assessed. Courts may also award the attorney general reasonable attorneys' fees and investigative costs. Notably, the $7,500 ceiling does not escalate for willful or intentional violations, which represents a contrast with some other state data privacy laws that impose enhanced penalties for knowing misconduct.
No Sunset for the Cure Period
Unlike several other states that have established sunset provisions on cure periods, meaning the opportunity to cure eventually expires regardless of circumstances, Oklahoma's cure period does not sunset. This means the cure period remains available to Oklahoma businesses for the foreseeable future. That permanence is a significant business-friendly feature that may limit the practical reach of enforcement.
How can Didomi help businesses comply with the Oklahoma Data Privacy Law?
SB 546 imposes new compliance obligations on businesses operating in or serving Oklahoma residents. Specific provisions of SB 546 warrant targeted attention from compliance teams, including the monetary-consideration-only definition of "sale," the absence of authorized agent provisions, the absence of GPC signal requirements, and the permanent cure period.
Legal and compliance teams should consider auditing data inventories against Oklahoma's consumer thresholds, review privacy notices for SB 546-specific disclosures, and confirm that consumer request workflows are configured to handle Oklahoma residents by January 1, 2027.
Keeping up with the pace and scope of these new data privacy regulations adds compliance complexity and risk to your business operations. Learn more about our multi-regulation Consent Management Platform (CMP), which covers privacy laws and regimes in the U.S. and worldwide, and discuss your challenges with one of our experts:
Oklahoma Data Privacy Law: Frequently Asked Questions (FAQs)
When will SB 546 go into effect?
The law will officially go into effect on January 1, 2027. This means covered companies have a few months to get their compliance program in order and ready to meet the obligations imposed by the Oklahoma data privacy law.
How does the Oklahoma data privacy law define personal data?
SB 546 defines “personal data” to mean any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term also includes pseudonymous data, when such data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. It is worth noting that the definition of “personal data” does not include de-identified data or publicly available information.
Does the Oklahoma law treat sensitive data differently?
Yes. Like other state privacy laws, SB 546 treats certain categories of personal data as "sensitive" and requires opt-in consent before processing. Sensitive data under the statute includes:
- Personal data revealing racial or ethnic origin
- Personal data revealing religious beliefs
- Personal data revealing mental or physical health diagnosis
- Personal data revealing sexual orientation
- Personal data revealing citizenship or immigration status
- Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Precise geolocation data
How does the Oklahoma data privacy law define the "sale" of personal data?
Under SB 546, the “sale” of personal data is defined exclusively as an exchange for monetary consideration. There is no reference to “other valuable consideration,” a phrase that has become commonplace in state data privacy laws. This is a notable narrowing that exempts many common data-sharing arrangements in the digital advertising ecosystem that are structured on non-monetary terms, such as barter or cross-licensing.
Is there a private right of action under the Oklahoma law?
No. Individuals cannot sue a company for alleged violations of SB 546. Enforcement authority is exclusively granted to the Oklahoma Attorney General’s Office.
Are companies able to correct an alleged compliance violation of the Oklahoma data privacy law?
Yes. SB 546 contains a 30-day “cure period” during which companies can take corrective steps to address an alleged violation before the Oklahoma Attorney General’s Office can pursue enforcement action.