Oklahoma Consumer Privacy Law (SB 546)

Overview

Oklahoma Senate Bill 546 is a consumer data privacy law that creates privacy rights for Oklahoma residents and sets duties for businesses that collect, use, disclose, analyze, delete, or otherwise process personal data.

The law applies to certain controllers and processors that conduct business in Oklahoma or offer products or services targeted to Oklahoma residents. It gives consumers rights to access, correct, delete, obtain a copy of, and opt out of certain uses of their personal data.

The law was approved by the Governor on 20 March 2026 and takes effect on 1 January 2027.

Regulation Summary

  • 3 February 2025: SB 546 first read in the Oklahoma Senate.
  • 19 February 2026: Oklahoma House passed SB 546.
  • 16 March 2026: Oklahoma Senate passed the final version.
  • 20 March 2026: Governor approved SB 546.
  • 1 January 2027: Law takes effect.

SB 546 applies to controllers and processors that:

  • Conduct business in Oklahoma or produce a product or service targeted to Oklahoma residents.
  • During a calendar year, either:
    • Control or process personal data of at least 100,000 consumers, or
    • Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

SB 546 does not apply to:

  • Oklahoma state agencies or political subdivisions.
  • Service providers processing data on behalf of state agencies or political subdivisions.
  • Financial institutions or data subject to the Gramm-Leach-Bliley Act.
  • HIPAA covered entities and business associates.
  • Nonprofit organizations.
  • Institutions of higher education.
  • Personal data processed in a purely personal or household context.
  • Certain data tied to regulated listed chemicals under the federal Controlled Substances Act.

The law also exempts several categories of information, including protected health information, health records, certain research information, data regulated by the Fair Credit Reporting Act, data regulated by the Driver’s Privacy Protection Act, FERPA-regulated data, Farm Credit Act data, and employment-related data.

Controllers must:

  • Limit personal data collection to what is adequate, relevant, and reasonably necessary for disclosed purposes.
  • Use reasonable administrative, technical, and physical data security practices.
  • Avoid processing personal data for incompatible purposes without consumer consent.
  • Avoid processing personal data in violation of anti-discrimination laws.
  • Avoid discriminating against consumers for exercising their rights.
  • Obtain consent before processing sensitive data.
  • Process known children’s data in line with the Children’s Online Privacy Protection Act.

Processors must follow controller instructions and assist controllers with consumer rights requests, data security duties, breach-related obligations, and data protection assessments.

Controller-processor contracts must describe the nature, purpose, type, and duration of processing, plus the rights and duties of each party.

Website owners that fall within the scope of SB 546 should:

  • Provide two or more secure and reliable methods for consumers to submit rights requests.
  • Provide a website mechanism for consumer requests if the controller maintains a website.
  • Offer an email address for rights requests if the business operates only online and has a direct relationship with the consumer.
  • Avoid requiring consumers to create a new account to exercise their rights.
  • Publish a clear privacy notice that explains:
    • Categories of personal data processed.
    • Purposes for processing.
    • How consumers may exercise their rights.
    • How consumers may appeal a denied request.
    • Categories of personal data shared with third parties, if applicable.
    • Categories of third parties receiving personal data, if applicable.
  • Clearly disclose any sale of personal data or processing for targeted advertising and explain how consumers may opt out of those practices.

SB 546 includes several additional duties:

  • Controllers must respond to or decline authenticated consumer requests within 45 days.
  • The response period may be extended once by another 45 days when reasonably necessary.
  • Controllers must provide request responses free of charge up to twice per year per consumer.
  • Controllers must create an appeal process for denied requests and provide an online mechanism through which the consumer can submit a complaint to the Attorney General.
  • Controllers must respond to appeals within 60 days.
  • Data protection assessments are required for:
    • Targeted advertising.
    • Sale of personal data.
    • Certain profiling activities.
    • Processing of sensitive data.
    • Processing that presents a heightened risk of harm to consumers.
  • Assessments must be made available to the Attorney General upon written request.
  • Assessments are confidential and exempt from public inspection under the Oklahoma Open Records Act.
  • Controllers that use de-identified data must take reasonable steps so the data cannot be linked to an individual and must publicly commit not to reidentify it.

Consumers have the right to:

  • Confirm whether a controller is processing their personal data.
  • Access their personal data.
  • Correct inaccuracies.
  • Request deletion of personal data provided by or obtained about them.
  • Obtain a copy of personal data previously provided to the controller in a portable and usable format, where technically feasible.
  • Opt out of processing for:
    • Targeted advertising.
    • Sale of personal data.
    • Profiling that supports decisions with legal or similarly significant effects.

Parents or legal guardians may exercise rights on behalf of known children.

SB 546 is enforced by the Oklahoma Attorney General.

Before bringing an action, the Attorney General must provide written notice and allow a 30-day cure period.

A controller or processor may avoid an action if, within that 30-day period, it:

  • Cures the identified violation.
  • Provides documentation showing how the violation was cured.
  • Provides a written statement that no further violations of that type occur.

Penalties may reach up to $7,500 per violation.

The Attorney General may seek civil penalties, injunctive relief, attorney fees, and related expenses.

SB 546 does not create a private right of action.
