Oklahoma's Data Privacy Law: What Businesses Need to Know About SB 546

After nearly a decade of legislative attempts, Oklahoma has joined the growing ranks of states with a comprehensive consumer data privacy law, making it the 20th state with such a law on the books. SB 546 takes effect on January 1, 2027, giving businesses roughly nine months to prepare.

Modeled closely after Virginia's Consumer Data Protection Act (VCDPA), SB 546 will feel familiar to privacy professionals who have already navigated the multi-state privacy landscape. That said, like every state privacy law, it has its own nuances. In this blog, we'll walk through whether you need to comply, what rights Oklahoma consumers have, what obligations your organization may face, and how to start preparing.

A Quick Definition of Terms

If you haven’t had to interpret data privacy law before, a few terms might seem confusing. For this article, it’s important to understand what a controller and processor are.

Under SB 546, a controller is “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data,” and a processor is “means a person who, or legal entity that, processes personal data on behalf of a controller.”

If you find other terms in this article that you’re unfamiliar with, check out our data privacy terminology cheat sheet.

Does SB 546 Apply to Your Business?

You’re subject to the Oklahoma data privacy law if you:

• Conduct business in Oklahoma or produce a product or service targeted to Oklahoma residents; and
• During a calendar year, either control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

These thresholds mirror those in the VCDPA and the Iowa Consumer Data Protection Act (ICDPA), among others. If your organization already tracks applicability for those laws, Oklahoma's threshold structure should look familiar.

What Does Oklahoma’s Data Privacy Law Consider a ‘Sale’?

Unlike most (but not all) US data privacy laws, SB 546 defines a “sale” of personal data as an exchange for monetary consideration only. Most other state privacy laws also cover exchanges for “other valuable considerations” as well.

Targeted advertising can often be a “valuable consideration”; the adtech network gets your consumers’ data, and you get targeted ads. Note that even though Oklahoma only considers sales of data to be for monetary consideration, it still regulates uses of data for targeted advertising in order to account for this gap.

Who Is Exempt?

SB 546 includes several entity-level exemptions. The following organizations are not subject to the law:

• State agencies and political subdivisions of Oklahoma
• Financial institutions and data regulated by the Gramm-Leach-Bliley Act (GLBA)
• HIPAA-covered entities and their business associates
• Nonprofit organizations
• Institutions of higher education
• Individuals processing data for purely personal or household purposes

In addition to these entity-level exemptions, certain categories of data are also out of scope, regardless of who holds them. These include protected health information under HIPAA, employee and job applicant data, emergency contact information, FERPA-regulated student data, and data regulated by the Fair Credit Reporting Act (FCRA), among others.

Consumer Rights Under Oklahoma's Data Privacy Law

SB 546 grants Oklahoma residents a set of rights that will be recognizable to anyone familiar with other state privacy laws.

Right to Access: Consumers can confirm whether a controller is processing their personal data and request a copy of it.

Right to Correct: Consumers can request that inaccuracies in their personal data be corrected.

Right to Delete: Consumers can request the deletion of personal data the controller holds about them—whether the data was provided by the consumer or obtained about them from another source.

Right to Data Portability: Where data is available in a digital format, consumers can request a portable, readily usable copy of their personal data to transmit to another controller.

Right to Opt Out: Consumers can opt out of the processing of their personal data for:

• Targeted advertising
• The sale of personal data
• Profiling that produces a legal or similarly significant effect (such as decisions affecting housing, employment, financial services, health care, or access to basic necessities)

One thing worth noting: unlike California and Colorado, SB 546 does not require businesses to honor browser-based universal opt-out signals like the Global Privacy Control (GPC). Opt-out mechanisms must be disclosed in your privacy notice, but signal recognition is not required.

It's also worth noting that SB 546 does not include authorized agent provisions—consumers must exercise their rights directly and cannot designate a third party to act on their behalf (with the exception of a parent or guardian exercising rights on behalf of their child).

Response Timelines

You’ll need to respond to consumer requests within 45 days of receipt. This period can be extended by an additional 45 days when reasonably necessary, provided the controller notifies the consumer within the initial response window and explains the reason for the delay.

If you decline to act on a request, you’ll need to inform the consumer within 45 days, explain why, and provide instructions for appealing the decision.

The Appeal Process

Consumers can appeal declined rights requests. Once an appeal is received, you’ll need to respond within 60 days with a written explanation of your decision. If you deny the appeal, you’ll have to direct the consumer to the Oklahoma Attorney General's online complaint mechanism, making denying a consumers’ appeal a risky proposition.

Controller Obligations

Data Minimization and Security

Like the vast majority of data privacy laws, SB 546 requires you to limit data collection to what is adequate, relevant, and reasonably necessary for the purposes disclosed to consumers. You must also implement reasonable administrative, technical, and physical security practices appropriate to the volume and nature of the data they process.

Prohibited Practices

SB 546 prohibits controllers from:

• Processing personal data for purposes that are incompatible with the disclosed purpose, unless the consumer consents
• Processing data in violation of laws prohibiting unlawful discrimination
• Discriminating against consumers for exercising their privacy rights (for example, by denying goods or services, or charging different prices)
• Obtaining consent through dark patterns—i.e., user interfaces specifically designed to subvert or impair user autonomy or decision-making
• Processing sensitive data without obtaining the consumer's affirmative consent

What Counts as Sensitive Data?

SB 546 defines sensitive data to include:

• Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
• Genetic or biometric data processed to uniquely identify an individual
• Personal data collected from a known child
• Precise geolocation data (within a radius of 1,750 feet)

Controllers must obtain affirmative consent before processing any of these categories. For data collected from known children (defined as children under the age of 13), controllers must also comply with the Children's Online Privacy Protection Act (COPPA).

Privacy Notice Requirements

As in other privacy laws, you’ll need to provide a reasonably accessible and clear privacy notice. This notice needs to include:

• The categories of personal data processed, including any sensitive data
• The purpose for processing
• How consumers can exercise their rights
• A process for consumers to appeal denied rights requests, offered in a similar manner as rights request–note that if you subsequently deny a consumer’s appeal, you must also provide them with access to a complaint portal on the Attorney General’s website
• The categories of personal data shared with third parties (if applicable)
• The categories of third parties with whom data is shared (if applicable)
• How consumers specifically can exercise their right to opt out of the sale of personal data to third parties or the use of their data for targeted advertising (if applicable)

Processor Obligations and Contracts

If you share personal data with vendors or other third-party processors, SB 546 requires those relationships to be governed by written contracts. A valid controller-processor agreement under the law must include:

• Clear instructions for processing data
• The nature and purpose of the processing
• The type of data being processed
• The duration of processing
• The rights and obligations of both parties

The contract must also require processors to maintain confidentiality, delete or return data upon request, cooperate with audits or assessments, and ensure any subprocessors they engage are bound by equivalent obligations.

The good news is that most other state privacy laws based on the Virginia model follow this same structure–so, if you’re already compliant with Virginia’s, Colorado’s, Utah’s, and Connecticut’s requirements around data processing addenda, you’re likely in compliance with Oklahoma’s new requirements. However, auditing your contracts to confirm this is the case is essential.

Data Protection Assessments

SB 546 requires you to conduct and document data protection assessments before engaging in certain higher-risk processing activities, including:

• Processing personal data for targeted advertising
• Selling personal data
• Processing for profiling, where there is a reasonably foreseeable risk of unfair treatment, financial harm, privacy intrusion, or other substantial injury to consumers
• Processing sensitive data
• Any other processing that presents a heightened risk of harm to consumers

A data protection assessment must weigh the direct and indirect benefits of the processing against the potential risks to consumers, taking into account available safeguards, de-identification, consumer expectations, and the nature of the controller-consumer relationship.

Furthermore, if the Attorney General conducts a civil investigation into your organization and requests your data protection assessments, you’ll need to hand them over. So, when in doubt about whether a data protection assessment is required, it’s best to conduct one. Fortunately, assessments only apply to processing activities that commence on or after January 1, 2027, so they are not retroactive.

Enforcement

Like every other US state privacy law except for California, the state Attorney General has the sole authority to enforce the law.

Before filing an enforcement action, the AG must provide written notice identifying the alleged violation and give the controller or processor 30 days to cure it. If the business cures the violation and provides a written statement confirming it has done so and committing to no further violations, no action will be brought.

This cure period is permanent too—it does not sunset. Don’t make the mistake of thinking you can put off compliance until after you receive a notice of violation in the hopes you can get up to speed during this 30-day window. Cure periods are meant to plug gaps and fix errors, not to spin up a privacy program from scratch.

Civil penalties are capped at $7,500 per violation. There is no escalator for willful or intentional violations. The Attorney General may also seek injunctive relief, and courts may award reasonable attorney fees and other expenses in enforcement actions.

How SB 546 Compares to Other State Privacy Laws

For businesses already operating multi-state privacy compliance programs, the following comparison may be useful.

The takeaway for most compliance teams: Oklahoma fits squarely in the Virginia-model camp. Organizations with existing VCDPA or TDPSA compliance programs will find the heaviest lifting already done—the primary task is extending those programs to cover Oklahoma residents.

Steps to Prepare for SB 546 Compliance

With SBA 546’s January 1, 2027 effective date on the horizon, here's where to focus your efforts.

Confirm whether you're in scope. Run SB 546's applicability thresholds against your data inventory. If your organization processes data from Oklahoma residents at scale, you're very likely covered.

Update your data map. Identify personal and sensitive data collected from Oklahoma residents. Flag any processing activities that could trigger a data protection assessment requirement—particularly targeted advertising, data sales, and sensitive data processing.

Conduct data protection assessments. Prioritize high-risk activities first. If your organization has existing GDPR DPIAs or similar assessments, evaluate whether they satisfy SB 546's requirements.

Review and update your privacy notice. Confirm it includes all disclosures required under SB 546, including opt-out mechanisms for targeted advertising and data sales. Remember that Oklahoma does not require universal opt-out signal recognition, but opt-out options still need to be clearly disclosed.

Build out your consumer request workflow. You'll need at least two secure methods for consumers to submit requests. Make sure your team can respond within 45 days and that an appeal process is in place and conspicuously accessible.

Audit your processor agreements. Review existing data processing contracts to confirm they include all elements required by SB 546.

Train your team. Ensure that privacy, legal, and customer-facing staff understand the new rights framework, response timelines, and appeal process.

Staying up to Date on Future Amendments and Privacy Developments

Oklahoma's path to a comprehensive privacy law was anything but fast—the first attempts date back to 2019, when California stood alone as the only state with such a law. SB 546's passage reflects how dramatically the landscape has shifted. With 20 states now operating under comprehensive privacy frameworks, what once felt like novel regulatory territory is increasingly standard compliance practice.

For Oklahoma specifically, legislators have signaled that the law will evolve over time. States like Connecticut and Colorado have made significant changes to their privacy statutes in the years following initial passage, and Oklahoma will likely follow suit. Staying on top of amendments will be as important as building an initial compliance program.

You’re not alone if you feel a little overwhelmed, but Osano can help you stay informed and break down the complexities of end-to-end privacy compliance. Sign up for our newsletter to hear the latest privacy news, discover new resources to inform your compliance, and stay abreast of developments that impact your organization.