Alert

March 24, 2026

Oklahoma Enacts Comprehensive Consumer Data Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed Senate Bill 546, which enacts Oklahoma's comprehensive privacy bill. After several states passed comprehensive consumer data privacy laws in 2024 and none did in 2025, Oklahoma has become the first state to do so in 2026. Oklahoma becomes the nation's 20th state with a comprehensive consumer data privacy law.

The Oklahoma privacy law provides obligations and exceptions similar to other state privacy laws. However, small differences in these laws can have a large impact on a business's data processing. In particular, affected businesses should note the law's disclosure obligations, standards around purpose specification and secondary processing, and consent standards. Consumer financial services businesses should note differences in the scope of the terms "sensitive data" and "biometric data," the definition of "consent," and consumer opt out rights.

Applicability

The applicability of the Oklahoma privacy law has two prongs. Note that the law has no dollar threshold. Entities are subject to the privacy law when:

  • they conduct business in Oklahoma or produce products or services that are targeted at the residents of Oklahoma; and
  • during a calendar year, they control or process the personal data of:
      • at least 100,000 consumers; or
      • at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

However, the law does not apply to financial institutions under the Gramm-Leach-Bliley Act, entities covered under HIPAA privacy regulations, and other specified entities. In addition, the law does not apply to, among other things:

  • certain activities by consumer reporting agencies, furnishers, and consumer report users, as regulated by the Fair Credit Reporting Act;
  • personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act;
  • personal data on consumers in commercial or employment contexts;
  • publicly available information (via exclusion from the definition of "personal data");
  • deidentified data (via exclusion from the definition of "personal data") but not necessarily "pseudonymous data"; and
  • personal data collected under other federal laws specified in the law.

Consumer Rights

The Oklahoma privacy law provides consumers with a number of rights related to their personal data. Consumers, by submitting a request to a controller, have the right to:

  • confirm whether the controller is processing the consumer's personal data and access such data, unless such confirmation or access would require the controller to reveal a trade secret;
  • correct inaccuracies in the consumer's personal data, taking into account the nature of the information and the purposes of the processing of the information;
  • delete personal data about the consumer;
  • obtain a copy of the consumer's personal data held by the controller in a portable and, to the extent electronically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance; and
  • opt out of the processing of the consumer's personal data for the purposes of targeted advertising, the sale of such data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The law defines "sale" more narrowly than other state laws, limiting it to exchanges for monetary consideration. Opt out requirements under the law do not include the use of universal opt out mechanisms.

Controller Obligations

The Oklahoma privacy law imposes separate obligations on controllers and processors. Therefore, an entity must determine its role under the statute. Under the law, "controller" is defined as an individual or legal entity that, "alone or jointly with others, determines the purpose and means of processing personal data." The law defines "processor" as an individual or legal entity that "processes personal data on behalf of a controller." Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination.

Under the law, controllers must, among other things:

  • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer;
  • establish, implement, and maintain reasonable security practices;
  • not process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
  • not process personal data in violation of the laws of Oklahoma and federal laws that prohibit unlawful discrimination against consumers;
  • not discriminate against a consumer for exercising any consumer rights contained in the law, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; and
  • not process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of a known child, without processing such data in accordance with the Children's Online Privacy Protection Act.

"Sensitive data" is defined more narrowly than in some state laws, but the "biometric data" it includes is defined more broadly than in other states. In particular, the definition brings certain visual data used to identify a consumer within the law's requirements.

The law does not include heightened handling requirements for minors' data.

The Oklahoma privacy law also requires that controllers conduct a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of harm to a consumer includes:

  • the processing of personal data for the purposes of targeted advertising;
  • the sale of personal data;
  • the processing of personal data for the purposes of profiling in which the profiling presents a reasonably foreseeable risk of certain types of harms;
  • the processing of sensitive data; and
  • any processing activities involving personal data that present a heightened risk of harm to consumers.

A processor must follow the instructions of the controller and must assist the controller in meeting the controller's obligations, including responding to consumer rights requests and obligations related to data security and breach notification, as well as providing necessary information to enable the controller to conduct and document data protection assessments. The law requires that a contract between the controller and processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

Enforcement

The Oklahoma privacy law grants the Oklahoma attorney general the exclusive authority to enforce the law. Prior to initiating any action, the attorney general must issue a written notice to the controller or processor identifying the specific provisions of the law that the attorney general believes the controller or processor violated. If the controller or processor fails to cure the alleged violation within 30 days after receiving notice of alleged noncompliance, an enforcement action may be brought. Each violation is punishable by a civil penalty of up to $7,500, plus reasonable attorney's fees and expenses incurred in investigating and bringing an action. The law does not provide for a private right of action.

Effective Date

The Oklahoma privacy law will become effective on January 1, 2027.

  Senate Bill 546