After nearly a decade of legislative attempts, Oklahoma has joined the growing ranks of states with a comprehensive consumer data privacy law, making it the 20th state with such a law on the books. SB 546 takes effect on January 1, 2027, giving businesses roughly nine months to prepare.
Modeled closely after Virginia's Consumer Data Protection Act (VCDPA), SB 546 will feel familiar to privacy professionals who have already navigated the multi-state privacy landscape. That said, like every state privacy law, it has its own nuances. In this blog, we'll walk through whether you need to comply, what rights Oklahoma consumers have, what obligations your organization may face, and how to start preparing.
If you haven’t had to interpret data privacy law before, a few terms might seem confusing. For this article, it’s important to understand what a controller and processor are.
Under SB 546, a controller is “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data,” and a processor is “a person who, or legal entity that, processes personal data on behalf of a controller.”
If you find other terms in this article that you’re unfamiliar with, check out our data privacy terminology cheat sheet.
You’re subject to the Oklahoma data privacy law if you:
These thresholds mirror those in the VCDPA and the Iowa Consumer Data Protection Act (ICDPA), among others. If your organization already tracks applicability for those laws, Oklahoma's threshold structure should look familiar.
Unlike most (but not all) US data privacy laws, SB 546 defines a “sale” of personal data as an exchange for monetary consideration only. Most other state privacy laws also cover exchanges for “other valuable consideration.”
Targeted advertising can often be a “valuable consideration”; the adtech network gets your consumers’ data, and you get targeted ads. Note that even though Oklahoma only considers sales of data to be for monetary consideration, it still regulates uses of data for targeted advertising in order to account for this gap.
SB 546 includes several entity-level exemptions. The following organizations are not subject to the law:
In addition to these entity-level exemptions, certain categories of data are also out of scope, regardless of who holds them. These include protected health information under HIPAA, employee and job applicant data, emergency contact information, FERPA-regulated student data, and data regulated by the Fair Credit Reporting Act (FCRA), among others.
SB 546 grants Oklahoma residents a set of rights that will be recognizable to anyone familiar with other state privacy laws.
Right to Access: Consumers can confirm whether a controller is processing their personal data and request a copy of it.
Right to Correct: Consumers can request that inaccuracies in their personal data be corrected.
Right to Delete: Consumers can request the deletion of personal data the controller holds about them—whether the data was provided by the consumer or obtained about them from another source.
Right to Data Portability: Where data is available in a digital format, consumers can request a portable, readily usable copy of their personal data to transmit to another controller.
Right to Opt Out: Consumers can opt out of the processing of their personal data for:
One thing worth noting: unlike California and Colorado, SB 546 does not require businesses to honor browser-based universal opt-out signals like the Global Privacy Control (GPC). Opt-out mechanisms must be disclosed in your privacy notice, but signal recognition is not required.
It's also worth noting that SB 546 does not include authorized agent provisions—consumers must exercise their rights directly and cannot designate a third party to act on their behalf (with the exception of a parent or guardian exercising rights on behalf of their child).
You’ll need to respond to consumer requests within 45 days of receipt. This period can be extended by an additional 45 days when reasonably necessary, provided the controller notifies the consumer within the initial response window and explains the reason for the delay.
If you decline to act on a request, you’ll need to inform the consumer within 45 days, explain why, and provide instructions for appealing the decision.
Consumers can appeal declined rights requests. Once an appeal is received, you’ll need to respond within 60 days with a written explanation of your decision. If you deny the appeal, you’ll have to direct the consumer to the Oklahoma Attorney General's online complaint mechanism, which makes denying a consumer’s appeal a risky proposition.
Like the vast majority of data privacy laws, SB 546 requires you to limit data collection to what is adequate, relevant, and reasonably necessary for the purposes disclosed to consumers. You must also implement reasonable administrative, technical, and physical security practices appropriate to the volume and nature of the data you process.
SB 546 prohibits controllers from:
SB 546 defines sensitive data to include:
Controllers must obtain affirmative consent before processing any of these categories. For data collected from known children (defined as children under the age of 13), controllers must also comply with the Children's Online Privacy Protection Act (COPPA).
As in other privacy laws, you’ll need to provide a reasonably accessible and clear privacy notice. This notice needs to include:
If you share personal data with vendors or other third-party processors, SB 546 requires those relationships to be governed by written contracts. A valid controller-processor agreement under the law must include:
The contract must also require processors to maintain confidentiality, delete or return data upon request, cooperate with audits or assessments, and ensure any subprocessors they engage are bound by equivalent obligations.
The good news is that most other state privacy laws based on the Virginia model follow this same structure–so, if you’re already compliant with Virginia’s, Colorado’s, Utah’s, and Connecticut’s requirements around data processing addenda, you’re likely in compliance with Oklahoma’s new requirements. However, auditing your contracts to confirm this is the case is essential.
SB 546 requires you to conduct and document data protection assessments before engaging in certain higher-risk processing activities, including:
A data protection assessment must weigh the direct and indirect benefits of the processing against the potential risks to consumers, taking into account available safeguards, de-identification, consumer expectations, and the nature of the controller-consumer relationship.
Furthermore, if the Attorney General conducts a civil investigation into your organization and requests your data protection assessments, you’ll need to hand them over. So, when in doubt about whether a data protection assessment is required, it’s best to conduct one. Fortunately, assessments only apply to processing activities that commence on or after January 1, 2027, so they are not retroactive.
As in every other US state privacy law except California’s, the state Attorney General has sole authority to enforce the law; there is no private right of action.
Before filing an enforcement action, the AG must provide written notice identifying the alleged violation and give the controller or processor 30 days to cure it. If the business cures the violation and provides a written statement confirming it has done so and committing to no further violations, no action will be brought.
This cure period is permanent too—it does not sunset. Don’t make the mistake of thinking you can put off compliance until after you receive a notice of violation in the hopes you can get up to speed during this 30-day window. Cure periods are meant to plug gaps and fix errors, not to spin up a privacy program from scratch.
Civil penalties are capped at $7,500 per violation. There is no escalator for willful or intentional violations. The Attorney General may also seek injunctive relief, and courts may award reasonable attorney fees and other expenses in enforcement actions.
For businesses already operating multi-state privacy compliance programs, the following comparison may be useful.
| Feature | Oklahoma SB 546 | Virginia VCDPA | California CCPA | Texas TDPSA |
|---|---|---|---|---|
| Applicability threshold | 100K consumers or 25K + 50% revenue from data sales | 100K consumers or 25K + 50% revenue from data sales | $25M revenue or 100K+ consumers or 50% revenue from data sales | No revenue or consumer data thresholds |
| Private right of action | No | No | Yes (limited) | No |
| Universal opt-out (GPC) required | No | No | Yes | Yes |
| Cure period | 30 days (permanent) | 30 days (permanent) | None (expired) | 30 days (permanent) |
| Sensitive data | Affirmative consent required | Affirmative consent required | Opt-out (some categories) | Affirmative consent required |
| Authorized agents | No | No | Yes | No |
| Effective date | January 1, 2027 | In effect | In effect | In effect |
The takeaway for most compliance teams: Oklahoma fits squarely in the Virginia-model camp. Organizations with existing VCDPA or TDPSA compliance programs will find the heaviest lifting already done—the primary task is extending those programs to cover Oklahoma residents.
With SB 546’s January 1, 2027 effective date on the horizon, here's where to focus your efforts.
Confirm whether you're in scope. Run SB 546's applicability thresholds against your data inventory. If your organization processes data from Oklahoma residents at scale, you're very likely covered.
Update your data map. Identify personal and sensitive data collected from Oklahoma residents. Flag any processing activities that could trigger a data protection assessment requirement—particularly targeted advertising, data sales, and sensitive data processing.
Conduct data protection assessments. Prioritize high-risk activities first. If your organization has existing GDPR DPIAs or similar assessments, evaluate whether they satisfy SB 546's requirements.
Review and update your privacy notice. Confirm it includes all disclosures required under SB 546, including opt-out mechanisms for targeted advertising and data sales. Remember that Oklahoma does not require universal opt-out signal recognition, but opt-out options still need to be clearly disclosed.
Build out your consumer request workflow. You'll need at least two secure methods for consumers to submit requests. Make sure your team can respond within 45 days and that an appeal process is in place and conspicuously accessible.
Audit your processor agreements. Review existing data processing contracts to confirm they include all elements required by SB 546.
Train your team. Ensure that privacy, legal, and customer-facing staff understand the new rights framework, response timelines, and appeal process.
Oklahoma's path to a comprehensive privacy law was anything but fast—the first attempts date back to 2019, when California stood alone as the only state with such a law. SB 546's passage reflects how dramatically the landscape has shifted. With 20 states now operating under comprehensive privacy frameworks, what once felt like novel regulatory territory is increasingly standard compliance practice.
For Oklahoma specifically, legislators have signaled that the law will evolve over time. States like Connecticut and Colorado have made significant changes to their privacy statutes in the years following initial passage, and Oklahoma will likely follow suit. Staying on top of amendments will be as important as building an initial compliance program.
You’re not alone if you feel a little overwhelmed, but Osano can help you stay informed and break down the complexities of end-to-end privacy compliance. Sign up for our newsletter to hear the latest privacy news, discover new resources to inform your compliance, and stay abreast of developments that impact your organization.