OKLAHOMA CITY (OBV) — SB 546 was signed into law, establishing Oklahoma’s first comprehensive consumer data privacy framework with consumer rights, business duties, an appeal process, and Attorney General‑only enforcement effective January 1, 2027.
The law gives Oklahomans the right to access, correct, delete, and obtain a portable copy of their personal data and to opt out of processing for targeted advertising, the sale of personal data, and certain automated profiling that has legal or similarly significant effects.
House Majority Floor Leader Josh West, R-Grove, and Sen. Brent Howard, R-Altus, authored the bill.
“In the age of the internet, personal data is valuable currency,” West said. “People deserve to know how their data is being used and have the ability to make decisions about that information. Senate Bill 546 gives Oklahomans meaningful control over their own data while establishing clear standards for businesses operating in our state.”
According to the bill, a business that decides why and how to use personal data (a ‘data controller’ under SB 546) must respond to verified requests within 45 days and offer at least two methods for submitting requests.
Applicability and scope. SB 546 applies to controllers and processors that do business in Oklahoma or target Oklahoma residents and, in a calendar year, either process personal data of at least 100,000 consumers or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. Exemptions include state agencies, financial institutions under GLBA, HIPAA‑covered entities and business associates, nonprofits, institutions of higher education, certain employment‑context data, and other categories enumerated in the statute.
Business duties. Controllers must practice data minimization, maintain reasonable security, publish a clear privacy notice (including categories of personal data, purposes, how to exercise rights, and sharing disclosures), and obtain consent to process sensitive data. Processors must follow controller instructions, assist with rights requests and security obligations, and execute contracts containing required terms.
Data protection assessments. Controllers must conduct and document data protection assessments for targeted advertising, the sale of personal data, certain higher‑risk profiling, processing of sensitive data, and other activities presenting a heightened risk of harm. Assessments must be produced to the Attorney General upon request and are confidential under the Open Records Act.
Enforcement. The Attorney General has exclusive authority to enforce the act. Before filing an action, the AG must provide 30 days’ notice to cure. Uncured or subsequent violations may draw civil penalties up to $7,500 per violation, with potential injunctive relief. The law does not create a private right of action.
Alignment with other states. Business groups note SB 546 follows the Virginia‑style model to avoid a patchwork of state rules, with opt‑out rights, AG‑only enforcement, and no private right of action. The State Chamber said the bill’s thresholds, cure period, and alignment with established frameworks were priorities for the business community.
“SB 546 is the product of years of work between policymakers and the business community to get this legislation right,” Brittnee Preston, executive director of the Oklahoma Tech Alliance, said. “It prioritizes consumer protection while creating certainty for businesses operating in Oklahoma and across state lines. If enacted, Oklahoma will become the 21st state to pass a data privacy law, which sets the foundation for the state to move forward in the technology space, focus on innovation and launch our workforce into the advanced tech space. I appreciate the bill authors for sticking with us to ensure we passed an Oklahoma forward data privacy law.”
SB 546, authored by Sen. Brent Howard with Rep. Josh West as principal House author, passed the House 84–4 on Feb. 19, 2026, and the Senate concurred with House amendments 38–7 on Mar. 16, 2026. The measure was enrolled March 17 and sent to the Governor for action.
The vote capped a five‑year arc that began with early privacy bills filed in 2021 and continued after SB 546 stalled last session and carried over into 2026 as the business community worked toward a workable framework.
“The first draft landed right after the pandemic and just as California’s privacy law took effect and kept changing, so companies were still trying to gauge compliance costs,” said Amanda Hall, policy and research director at the State Chamber of Oklahoma.
“In 2021 only Virginia and Colorado were moving, and we expected the federal government to act, so our members did not want Oklahoma going first. When it became clear Washington was not stepping in and other states were pressing ahead, we knew we needed a better answer. Over the next five years we worked with members to shape a bill that avoids adding to the patchwork, so multi‑state employers are not stuck with different compliance regimes in every jurisdiction.”
What companies should do now
- Stand up rights‑request channels: Provide two or more secure methods (e.g., web form and email) and verify identity before fulfilling requests. Track the 45‑day clock.
- Refresh privacy notices: Disclose categories of data, purposes, how to exercise rights/appeals, and sharing categories; clearly label opt‑out if you sell data or use it for targeted advertising.
- Map data and minimize: Limit collection to what is adequate, relevant, and reasonably necessary for disclosed purposes. Document retention and security practices.
- Paper your processors: Update DPAs to include required terms (confidentiality, deletion/return, audits/assessments, subcontractor flow‑down).
- Schedule DPAs (assessments): Complete data protection assessments for targeted ads, sale of data, sensitive data, and risk‑elevating profiling; keep them on file for AG request.
Why it matters: SB 546 sets a uniform baseline for Oklahoma consistent with adopted U.S. state privacy frameworks, which the State Chamber argues reduces compliance friction for multi‑state businesses while preserving strong consumer rights and AG oversight.
