March 27, 2026

Oklahoma Enacts Comprehensive Consumer Data Privacy Law


On March 20, 2026, Oklahoma Governor Kevin Stitt signed Senate Bill 546 into law, establishing Oklahoma’s Act Relating to Data Privacy (the “Oklahoma Privacy Law”). Oklahoma becomes the 21st state to enact a comprehensive consumer privacy law, joining a growing patchwork of state-level data protection frameworks in the absence of an omnibus federal privacy law. The Oklahoma Privacy Law follows similar patterns as other comprehensive state privacy laws enacted in recent years, adopting the dominant model for state privacy legislation observed in states outside of California. (California’s privacy law, the California Consumer Privacy Act (“CCPA”), has its own unique model.) For more information about how the Oklahoma Privacy Law compares to other privacy laws, please see our state privacy law tracker.

This Legal Update summarizes the core provisions of the Oklahoma Privacy Law and highlights a few key takeaways for businesses as they prepare for compliance.

Who Is Covered

The Oklahoma Privacy Law applies to companies that conduct business in Oklahoma or produce products or services targeted at Oklahoma residents, provided the business meets one or both of the following thresholds during a calendar year:

  • The business controls or processes the personal data of at least 100,000 Oklahoma consumers; or
  • The business controls or processes the personal data of at least 25,000 Oklahoma consumers and derives more than 50% of gross revenue from the sale of personal data.

Entity-Level Exemptions

The following entities and individuals are exempt from the Oklahoma Privacy Law:

  • State agencies and political subdivisions of Oklahoma, including service providers processing data on their behalf;
  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”);
  • Covered entities and business associates governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act;
  • Nonprofit organizations;
  • Institutions of higher education; and
  • Individuals processing personal data for purely personal or household activities.

In addition to these entity-level exemptions, the Oklahoma Privacy Law provides certain data-level exemptions, including, inter alia, data subject to the GLBA, protected health information under HIPAA, data regulated by the Fair Credit Reporting Act (“FCRA”), data regulated by the Family Educational Rights and Privacy Act (“FERPA”), employee and job applicant data, data of individuals acting in a commercial context (e.g., business contact information), and data covered by the Controlled Substances Act.

Consumer Rights

The Oklahoma Privacy Law grants Oklahoma residents the following rights, which are consistent with the standard set of rights found across other US state privacy laws:

  • Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data.
  • Right to Correction: Consumers may request correction of inaccuracies in their personal data.
  • Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them.
  • Right to Data Portability: Consumers may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.
  • Right to Opt Out of Sale: Consumers may opt out of the sale of their personal data. The Oklahoma Privacy Law defines “sale” narrowly as an exchange for monetary consideration only, excluding exchanges for other valuable consideration as seen in some other privacy laws.
  • Right to Opt Out of Targeted Advertising: Consumers may opt out of the processing of their personal data for purposes of targeted advertising.
  • Right to Opt Out of Profiling: Consumers may opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect, such as decisions affecting financial and lending services, housing, insurance, health care, education, employment opportunities, criminal justice, or access to basic necessities such as food and water.
  • Right to Appeal: If a controller declines to act on a consumer’s request, the consumer may appeal the decision. Controllers must respond to appeals within 60 days after the date of receipt of the appeal and, if the appeal is denied, must direct the consumer to the Oklahoma Attorney General’s online complaint mechanism.

Notably, the Oklahoma Privacy Law does not require controllers to recognize universal opt-out preference signals (e.g., Global Privacy Control) and does not require controllers to honor rights requests received from authorized agents.

Internal Business Obligations

The Oklahoma Privacy Law imposes several operational obligations on controllers:

  • Data Minimization and Purpose Limitation: Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the data is processed. Controllers may not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purpose without obtaining consumer consent.
  • Data Security: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
  • Unlawful Discrimination: Controllers may not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers or discriminate against a consumer for exercising any of their consumer rights.
  • Privacy Notice Requirements: Controllers must provide a reasonably accessible and clear privacy notice.
  • Sensitive Personal Data: Controllers may not process sensitive data without obtaining consumer consent. The Oklahoma Privacy Law defines “sensitive data” as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data that is processed for the purpose of identifying an individual; personal data collected from a known child; or precise geolocation data. For personal data collected from a known child (under age 13), controllers must process the data in accordance with the Children’s Online Privacy Protection Act (“COPPA”).
  • Processor Contracts: The Oklahoma Privacy Law requires that controller-processor relationships be governed by written contracts that include clear instructions for processing, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, along with other common processor restrictions observed under the non-CCPA privacy laws.
  • Data Protection Impact Assessments (“DPIA”): Controllers must conduct and document data protection assessments for the following processing activities: (i) targeted advertising, (ii) sale of personal data, (iii) profiling where there is a reasonably foreseeable risk of harm, (iv) processing sensitive data, and (v) any other processing activities that present a heightened risk of harm to consumers.

Effective Date and Enforcement

The Oklahoma Privacy Law takes effect on January 1, 2027.

The Oklahoma Attorney General has exclusive authority to enforce the Oklahoma Privacy Law. There is no private right of action.

Before bringing an enforcement action, the Oklahoma Attorney General must provide a company with a 30-day right-to-cure period. If the company cures the violation within that 30-day period and provides a written statement confirming the cure and committing to no further violations, the Oklahoma Attorney General may not bring an action. Unlike several other state privacy laws, the Oklahoma Privacy Law does not provide for the cure period to sunset after a certain period of time.

Civil penalties are capped at $7,500 per violation. Courts may also award reasonable attorney fees and other expenses incurred in investigating and bringing an action.

Key Takeaways

For businesses already operating under other US state privacy frameworks, the Oklahoma Privacy Law may not require a wholesale overhaul of existing privacy programs. However, organizations should consider taking the following steps before the January 1, 2027 effective date:

  • Conduct a data inventory to identify personal data in scope under the Oklahoma Privacy Law, including an assessment of whether your organization meets the applicability thresholds.
  • Analyze your existing privacy program to identify any gaps relative to the Oklahoma Privacy Law’s specific requirements.
  • Update the company’s privacy policy to include Oklahoma in its scope and address the Oklahoma Privacy Law’s specific privacy notice requirements, including the categories of personal data processed, purpose of processing the personal data, the mechanisms for handling consumer rights and appeals, the categories of personal data shared with third parties and categories of data recipients, and opt-out procedures for data sales and targeted advertising.
  • Update internal policies and documents, including consumer rights request playbooks (ensuring 45-day response timelines and a conspicuously available appeal process), vendor management processes (confirming that processor contracts meet statutory requirements), and DPIA procedures for high-risk processing activities.
  • Maintain auditable records documenting the compliance steps taken, the training provided to employees regarding the Oklahoma Privacy Law, and efforts to enforce compliance with the Oklahoma Privacy Law within the organization.
