Oklahoma! Where the Wind Comes Sweeping Down the Plain With a New Privacy Law
Oklahoma became the 21st state to enact a comprehensive consumer data privacy law on March 20, 2026, when Governor Kevin Stitt signed SB 546 (the Act) into law. The Act is similar to the Virginia and Tennessee state privacy laws in that it takes a more "business-friendly" approach by, for instance, narrowly defining a "sale" of personal data and providing a mandatory right to cure. Businesses that have implemented procedures to comply with existing state privacy laws will be well positioned to comply with the Act.
The Act goes into effect on January 1, 2027. We highlight key provisions of the new law below.
Application Thresholds
Like the Virginia consumer privacy law, the Act applies to any business (a "controller" or "processor" in the Act's terms) that conducts business in Oklahoma or produces products or services targeted to Oklahoma residents and that, during a calendar year, does either of the following:
- Controls or processes the personal data of at least 100,000 consumers, or
- Controls or processes the personal data of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal data.
The Act defines "consumer" as a natural person who resides in Oklahoma "acting only in a personal context." Like all state privacy laws other than California, the Act does not apply to the personal data of individuals acting in a commercial or employment context.
Exemptions
Consistent with most other state data privacy laws, the Act contains both entity-level exemptions and data-specific exemptions. At the entity level, the Act exempts:
- Government entities, which includes any authority, board, body, bureau, commission, district, or agency of the state or of a political subdivision of the state;
- Nonprofit organizations;
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act;
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act; and
- Institutions of higher education.
The Act's data-specific exemptions include:
- Information governed by the Fair Credit Reporting Act;
- Protected health information under HIPAA and certain other health-related information;
- Information governed by the Family Educational Rights and Privacy Act;
- Personal information collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act;
- Personal information collected, processed, sold, or disclosed in compliance with the Farm Credit Act;
- Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the Controlled Substances Act;
- Information collected as part of public- or peer-reviewed scientific or statistical research in the public interest;
- Information relating to applicants and employees "to the extent that the data is collected and used within the context of that role"; and
- Information processed or maintained as emergency contact information used for those purposes.
Processor Contracts
Like most of the other state privacy laws, the Act distinguishes a "controller"—an entity that "determines the purpose and means of processing personal information"—from a "processor"—an entity that "processes personal information on behalf of a controller." A processor must adhere to the controller's processing instructions as set forth in a written contract between the controller and the processor. That contract also must require the processor to keep personal information confidential; to return or delete personal information at the end of the services provided by the processor (except where the law requires otherwise); to make available to the controller the information needed to demonstrate the processor's compliance with the Act; to allow and cooperate with reasonable assessments by the controller or its agent; and to engage any subprocessor only under a written contract requiring the subprocessor to meet the same obligations regarding the personal information as the processor.
Data Minimization and Pseudonymous Data
Controllers must limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed by the controller to the consumer. Controllers also are prohibited from processing personal data for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to the consumer, unless the controller first obtains the consumer's consent.
These restrictions do not apply to pseudonymous data—i.e., personal data that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual. Pseudonymous data is also exempt from certain consumer rights so long as the controller can show that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing that information.
Consumer Rights
As with other state privacy laws, the Act establishes individual rights for consumers, including the right for a consumer to access their personal data and to confirm whether a controller is processing the consumer's personal data. In addition, the Act provides the right for a consumer to request that a controller correct inaccuracies in the consumer's personal information, the right to delete personal data provided by the consumer or obtained by a controller regarding the consumer, and the right to obtain a copy of the data in a portable and readily usable format.
Oklahoma consumers also have the right to opt out of a controller's processing of personal data for the purpose of selling personal information about a consumer, targeted advertising, or profiling in furtherance of decisions producing legal or similarly significant effects concerning a consumer.
Consumers must be provided with two or more methods to exercise their rights. Controllers that operate solely online and have a direct relationship with the consumer may forgo providing two methods and instead provide only an email address for submitting requests. As with other state privacy laws, controllers in Oklahoma are required to respond to a consumer's request to exercise the consumer's rights within 45 days of receipt. The Act gives controllers the option of an additional 45-day extension, with proper notice to the requesting consumer.
Controllers must establish a conspicuous process by which a consumer may appeal, within a reasonable period after receiving the controller's decision, the controller's refusal to act on the consumer's request to exercise their rights. The controller must respond to an appeal within 60 days. If the appeal is denied, the controller must provide the consumer with a method for contacting the attorney general's office.
Privacy Notices
A controller must provide the consumer with a reasonably accessible and clear privacy notice that includes:
- Categories of personal information processed by the controller;
- Purpose of processing personal data;
- Categories of personal data the controller shares with third parties, if any;
- Categories of third parties with whom the controller shares personal data;
- How consumers may exercise their rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; and
- If the controller sells personal data to third parties or processes such data for targeted advertising, a statement regarding such sales and targeted advertising and the mechanism for opting out of such sales or processing.
Definition of Consent
Consent may be a "statement written by electronic means, or any other unambiguous affirmative action." Also like other state privacy laws, consent may not be the consumer's "acceptance of a general or broad terms of use," "hovering over, muting, pausing, or closing a given piece of content," or obtained through the use of "dark patterns." "Dark patterns" are defined to include any manipulation or subversion of user "autonomy, decision-making, or choice," and those practices deemed by the Federal Trade Commission to be dark patterns.
Sensitive Data
Like Virginia's privacy law and the law in some other states, the Act requires controllers to obtain consent to process "sensitive data."
The Act defines "sensitive data" as:
- Personal data revealing
- Racial or ethnic origin,
- Religious beliefs,
- Mental or physical health diagnosis,
- Sexual orientation, and
- Citizenship and immigration status;
- Genetic and biometric data that identifies an individual;
- Precise geolocation data (location within a radius of 1,750 feet); and
- Personal data collected from a known child (i.e., someone under the age of 13).
To process data of known children, a controller must comply with the requirements of the Children's Online Privacy Protection Rule.
Definition of "Sale"
The Act defines "sale" as an "exchange of personal information for monetary consideration" by the controller to a third party. The Act follows the laws in Virginia and Tennessee in adopting this limited definition.
The definition of a "sale" under the Act and other state privacy laws is important because the scope of this term determines whether a consumer can opt out only of a "sale" of their personal data (see Consumer Rights above) and not of other disclosures. Consistent with all other state privacy laws, the Act's definition of a "sale" excludes a disclosure to the controller's processor, to an affiliate of the controller, or for the purpose of providing a product or service the consumer requested; a disclosure made as part of a merger or acquisition of the controller's business or assets; and a disclosure of information that the consumer intentionally made public via mass media.
Data Protection Impact Assessments
The Act requires controllers to conduct and document data protection impact assessments before engaging in specific processing activities, including:
- Processing for targeted advertising;
- Selling personal information;
- Processing of personal information for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms;
- Processing sensitive data; and
- A catchall category of any processing activities involving personal information "that present a heightened risk of harm to consumers."
Impact assessments conducted in accordance with other state laws will be compliant under the Act, provided that those assessments "have a reasonably comparable scope and effect."
Exemptions
The Act includes standard limitations under state privacy laws, including that the law does not restrict a controller or processor from collecting, using, or retaining personal data to:
- Conduct internal research to develop, improve, or repair products, services, or technology;
- Effectuate a product recall;
- Identify and repair technical errors that impair existing or intended functionality; or
- Perform internal operations that are (1) reasonably aligned with consumer expectations, (2) reasonably anticipated based on the consumer's existing relationship with the controller, or (3) otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
In addition, the Act does not restrict a controller's or processor's ability to:
- Comply with laws or regulations;
- Comply with regulatory inquiries or requests from law enforcement or governmental authorities;
- Cooperate with law enforcement in good faith;
- Investigate, establish, exercise, prepare for, or defend legal claims;
- Provide a product or service requested, perform a contract to which a consumer is a party, or take steps at the request of a consumer before entering into a contract;
- Take immediate steps to protect life or property;
- Prevent, detect, protect against, or respond to security incidents, fraud, identity theft, or other malicious or deceptive activities;
- Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for security breaches;
- Engage in certain types of research; or
- Assist another controller, processor, or third party with any requirements under this part of the Act.
Attorney General Authority and Penalties for Noncompliance
The Act expressly forecloses a private right of action and gives the state attorney general sole enforcement authority. The Act allows the Oklahoma attorney general to bring an action for declaratory, injunctive, and monetary relief, including civil penalties of $7,500 for each violation of the law (where a company fails to remedy the violation within the statutory cure period), as well as attorneys' fees and investigative costs.
Cure Period
The attorney general's office must provide a covered company with an "opportunity to cure" any alleged violation within 30 days of the company's receipt of the notice of violation. If the company fails to take remedial measures within those 30 days, the attorney general may initiate an action against it, including an action seeking injunctive and monetary relief. Unlike the cure provisions in some other state laws, the right to cure in the Act does not sunset.
Looking Ahead
Companies must come into compliance with the Act by the end of this year. Doing so should not be difficult, however, because the Act mirrors the more lenient of the state privacy laws currently in effect.
Explore our State General Privacy Law Tracker, an interactive map that shows which U.S. states have enacted privacy laws and highlights key provisions that may affect your organization.
DWT's privacy and security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations. For more insights, sign up for our alerts.