Oklahoma State Privacy Laws | Davis Wright Tremaine

Enrolled Senate Bill 546

Effective Date: January 1, 2027

Threshold

For controllers or processors that conduct business in Oklahoma or produces products or services that are intentionally targeted to Oklahoma residents ("consumers") and that during the preceding calendar year fall into one of the following categories:

(1) Control or process the personal data of at least 100,000 consumers; OR

(2) Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Definition of "Personal Data"

Any information including sensitive data that is linked or reasonably linkable to an identified or identifiable individual. Does not include de-identified data or publicly available information. Personal data does not include data from people acting in an employment or commercial context.

Definition of "Sensitive Data"

As with all state general privacy laws, includes personal data that reveals:

Race or ethnic origin;
Religious beliefs;
Citizenship or immigration status;
Physical or mental health diagnosis, or
Sexual orientation;
Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
Personal data collected from a known child; and
Precise geolocation data.

Definition of "Sale"

Exchange of personal data for monetary consideration only by the controller to a third party

Data-Protection Assessments

Required for processing activities with a heightened risk of harm to a consumer including targeted advertising, sale of personal data, processing of sensitive data, and certain profiling

Opt-In Consent Required for Processing Sensitive Data

Yes

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads

Yes

Consumer Right to Opt Out of Profiling

Yes, only when the profiling is used in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer

Pseudonymous Data Exempt from Consumer Requests

Yes

Appeal Rights

Yes

Universal Opt-Out Mechanism Required

None

Data of Minors

Process sensitive data of a known child in accordance with COPPA

GLBA Exemption

Yes (entity-level)

HIPAA Exemption

Yes (both entity-level and data-level)

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Does not apply to commercial or employment context; applies in an individual or household context

Nonprofit Exemption

Yes

Private Right of Action

No

Cure Period

30 Days

Enforcement Authority/Damages

Attorney General/up to $7,500 per violation

Current as of March 23, 2026

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.

Oklahoma

Code/Regulations

Details