New Oklahoma Law SB 546: Data Privacy Requirements

By Safna April 29, 2026

Oklahoma enacted its first comprehensive consumer data privacy law when Governor Kevin Stitt signed Senate Bill 546. The Oklahoma Data Privacy Act establishes consumer rights, controller and processor obligations, and an enforcement framework that takes effect on January 1, 2027. This guide covers everything businesses and privacy professionals need to know about the New Oklahoma law.

Law text: Oklahoma Data Privacy Act

Effective date: January 1, 2027

Enforcement authority: Attorney General

What is the Oklahoma Data Privacy Act?

Oklahoma’s new privacy law, enacted through Senate Bill 546 (SB 546), is Oklahoma’s comprehensive state consumer privacy statute. Sponsored by Senator Howard in the Senate and Representatives West, Archer, Pae, Provenzano, Waldron, and Alonso-Sandoval in the House, the law is codified in Title 75A of the Oklahoma Statutes (Sections 300–315).

SB 546 grants Oklahoma residents rights over their personal data, imposes duties on businesses that collect and process that data, and gives the Attorney General exclusive enforcement authority. The law takes effect January 1, 2027. All obligations, consumer rights, and enforcement mechanisms apply simultaneously from that date; there are no phased-in provisions.

Who does the Oklahoma privacy law apply to?

The Oklahoma privacy law applies to any controller or processor that does business in Oklahoma or targets Oklahoma residents and that, in the preceding calendar year, met at least one of two thresholds:

  • Controls or processes personal data of at least 100,000 Oklahoma consumers, or
  • Controls or processes personal data of at least 25,000 Oklahoma consumers and derives over 50% of gross revenue from the sale of personal data

Who is exempt?

The law exempts entities such as state agencies, financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organisations, and persons processing data in the course of a purely personal or household activity, among others.

Certain categories of data are also exempt regardless of who processes them, including protected health information under HIPAA, health records, identifiable private information used in human subjects research, and information regulated under applicable federal law.

What is personal data under the Oklahoma Data Privacy Act?

Under the Oklahoma data privacy law, personal data means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual (names, email addresses, etc.).

It also includes pseudonymous data when used by a controller or processor in conjunction with additional information that reasonably links the data to a specific individual.

Personal data does not include:

  • De-identified data: data that cannot reasonably be linked to an identified or identifiable individual
  • Publicly available information: information lawfully made available through government records or widely distributed media

Sensitive data

The new Oklahoma privacy law defines a separate category of sensitive data that requires opt-in consent before processing. Sensitive data includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify an individual
  • Personal data collected from a known child (under 13)
  • Precise geolocation data (within a radius of 1,750 feet)

Consent requirements under the new Oklahoma law SB 546

Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process their personal data. Controllers must obtain opt-in consent before processing sensitive data. For non-sensitive personal data, such as IP addresses, SB 546 follows an opt-out model rather than requiring prior consent.

Consent includes written statements (including electronic) and other unambiguous affirmative actions, but does not include:

  • Acceptance of broad terms of use that contain data processing descriptions alongside unrelated information
  • Hovering over, muting, pausing, or closing content
  • Agreement obtained through dark patterns

Unlike some other US state privacy laws, Oklahoma privacy law does not explicitly mandate the recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). However, businesses may choose to support such signals as a best practice to streamline compliance across multiple jurisdictions.

Privacy notice requirements under SB 546

Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes:

1. The categories of personal data processed, including any sensitive data

2. The purposes for which personal data is processed

3. How consumers may exercise their rights, including the appeals process

4. The categories of personal data shared with third parties (if applicable)

5. The categories of third parties with whom data is shared (if applicable)

If a controller sells personal data or processes it for targeted advertising, the privacy notice must clearly and conspicuously disclose this and explain how consumers can opt out.

A consent management platform (CMP) like CookieYes can help implement an opt-out cookie consent banner, capture opt-out preferences, honour universal opt-out mechanism (UOOM) signals, maintain audit-ready consent records, and generate a privacy notice.

Consumer rights under SB 546

Oklahoma consumers can submit requests to exercise the following rights:

  • Right to access and confirmation: Consumers can confirm whether a controller is processing their personal data and access that data.
  • Right to correction: Consumers can request correction of inaccurate personal data, taking into account the nature of the data and the purposes of processing.
  • Right to deletion: Consumers can request deletion of personal data they provided or that the controller obtained about them.
  • Right to portability: Where data is available in digital format and processing is carried out by automated means, consumers can obtain a portable, readily usable copy of their data to transmit to another controller.
  • Right to opt out: Consumers can opt out of targeted advertising, the sale of personal data, and profiling with legal or similarly significant effects.

Response timelines

Controllers must respond to authenticated consumer requests within 45 days. One 45-day extension is permitted for complex requests, provided the consumer is notified within the initial 45-day period. Responses are free of charge up to twice annually per consumer. Requests that are manifestly unfounded, excessive, or repetitive may be declined or subject to a reasonable fee.

If a controller declines a request, the consumer must be informed within 45 days with a justification and instructions for appeal. Controllers must establish an appeal process and respond to appeals within 60 days. If an appeal is denied, the controller must direct the consumer to the Attorney General’s online complaint mechanism.

Business obligations under the Oklahoma privacy law

Transparency and privacy notice

Under the new Oklahoma law, controllers must provide a clear and accessible privacy notice, and if applicable, disclose the sale of personal data, processing for targeted advertising, and how consumers can opt out of them.

Consumer rights compliance

Data controllers must respond to consumer requests within 45 days (with one 45-day extension possible) and provide responses free of charge up to twice a year. Controllers must authenticate the consumer, provide reasons for refusal, and establish an appeals process, responding within 60 days. If an appeal is denied, consumers must be directed to the Attorney General.

Consumer request infrastructure

Controllers must:

  • Provide at least two secure and reliable methods to submit requests
  • Align request methods with how consumers interact with the business
  • Provide a mechanism on their website (if applicable)
  • Not require consumers to create a new account to exercise rights

Data minimization and purpose limitation

Collect only what is necessary, use data only for disclosed purposes (unless consent is obtained), and do not discriminate against consumers or process data in violation of applicable laws.

Data security

Controllers must:

  • Establish, implement, and maintain reasonable administrative, technical, and physical safeguards
  • Ensure protection of confidentiality, integrity, and accessibility of personal data
  • Tailor safeguards to the volume and nature of data processed

Consent requirements

Controllers must:

  • Obtain opt-in consent before processing sensitive data
  • Obtain parental consent for children’s data in line with COPPA

Do not rely on dark patterns, passive actions, or bundled consent.

Opt-out obligations

Provide consumers the ability to opt out of:

  • Targeted advertising
  • Sale of personal data
  • Profiling with legal or similarly significant effects

Processor management and contracts

Controllers must enter into binding contracts with processors that clearly define processing instructions, the nature and purpose of processing, the types of data involved, the duration of processing, and the rights and obligations of both parties.

These agreements must ensure that processors maintain confidentiality, assist with consumer rights requests, support data security and breach notification obligations, enable data protection assessments, delete or return personal data upon request, and impose equivalent obligations on any sub-processors.

Data protection assessments

Perform and document data protection assessments for processing activities that present a heightened risk, such as those involving sensitive data or the sale of personal information.

These assessments should involve balancing the processing’s benefits against its potential risks, taking into account safeguards, the processing context, and consumer expectations.

De-identified data obligations

If controllers under the new Oklahoma privacy law use de-identified data, they must:

  • Take reasonable measures to prevent re-identification
  • Publicly commit not to re-identify the data
  • Contractually require recipients to do the same

Contractual limitations

Controllers must not include contractual provisions that waive or limit consumer rights. Such provisions are void and unenforceable.

Non-retaliation and fair treatment

Controllers must not deny goods or services, charge different prices, or lower quality solely because a consumer exercised their rights. However, there are limited exceptions for loyalty or incentive programs.

Fines and penalties under Oklahoma privacy law (SB 546)

The Oklahoma Attorney General has exclusive authority to enforce SB 546. There is no private right of action. Consumers cannot bring civil suits for violations directly.

Before bringing an enforcement action, the Attorney General will provide written notice identifying the alleged violation. The controller or processor has 30 days to cure the violation and submit a written statement confirming the violation was remediated and will not recur. 

Civil penalties

If a controller or processor fails to cure within the 30-day window or breaches a cure statement previously provided to the Attorney General, the AG may seek:

  • Civil penalties of up to $7,500 per violation
  • Injunctive relief
  • Recovery of reasonable attorney fees and investigation costs

SB 546 compliance checklist (new Oklahoma privacy law)

  • Publish a clear privacy notice and an opt-out banner
  • Enable and respond to consumer rights requests (within 45 days)
  • Provide easy, accessible request submission methods
  • Collect only necessary data and use it for stated purposes
  • Implement reasonable data security safeguards
  • Obtain consent for sensitive and children’s data
  • Offer opt-outs for ads, data sales, profiling, and third-party cookies
  • Put compliant contracts in place with processors
  • Conduct risk assessments for high-risk data processing
  • Avoid unfair treatment of users exercising their rights

FAQs on SB 546

Does Oklahoma have a privacy law?

Yes. The Oklahoma Data Privacy Act will go into effect on January 1, 2027. It grants Oklahoma residents rights over their personal data and imposes obligations on controllers and processors that meet defined thresholds.

When does Oklahoma SB 546 take effect?

January 1, 2027. All obligations apply simultaneously from that date since there are no phased-in provisions.

Does the Oklahoma Data Privacy Act require a cookie consent banner?

The law does not use the term cookie banner but grants consumers opt-out rights for targeted advertising and data sale activities commonly facilitated through third-party cookies. 

Therefore, businesses running targeted advertising or sharing/selling Oklahoma consumer data need a mechanism to present and capture opt-out preferences. A consent management platform implementing a cookie banner and preference centre is the standard approach.

What are the penalties for violating the Oklahoma Data Privacy Act?

The Attorney General can seek civil penalties of up to $7,500 per violation, injunctive relief, and attorney fees after a 30-day cure period. There is no private right of action.

Is there a cure period under SB 546?

Yes, 30 days. Controllers receive written notice and have 30 days to remediate and provide a written statement confirming the violation is cured and will not recur.

Safna

CIPP/E from the International Association of Privacy Professionals (IAPP) | Data privacy writer at CookieYes.
