
Oklahoma Enacts New Business-Friendly Privacy Law

Governor Kevin Stitt signed SB 546, creating the Oklahoma Consumer Data Privacy Act. It takes effect Jan. 1, 2027, with key compliance duties.

Oklahoma Governor Kevin Stitt signed Senate Bill 546 into law on March 20, 2026, creating the state’s first comprehensive consumer data privacy framework. The law, now formally known as the Oklahoma Consumer Data Privacy Act, takes effect January 1, 2027, giving businesses roughly nine months to prepare.

The legislation passed the Oklahoma House 84-4 in February and cleared the Senate 38-7 on March 16 before reaching the governor’s desk. It took seven years and five drafts to get here, with earlier versions stalling repeatedly since 2019.

SB 546 applies to businesses operating in Oklahoma or targeting Oklahoma residents that meet one of two thresholds. The first is controlling or processing personal data of at least 100,000 Oklahoma consumers in a calendar year. The second is controlling or processing data of at least 25,000 Oklahoma consumers while earning more than 50% of gross revenue from selling personal data.

Oklahomans will gain the right to access, correct, delete, and obtain portable copies of their personal data. They can also opt out of targeted advertising and the sale of their personal information. Businesses must provide clear privacy notices, maintain reasonable data security, and get consent before processing sensitive data like health information, biometrics, or precise geolocation.

The law follows a Virginia-style model that most other state privacy laws have adopted. For companies already compliant with privacy rules in states like Virginia, Texas, or Colorado, the Oklahoma requirements should be a relatively low-lift addition rather than a ground-up rebuild.

A few details stand out. There is no private right of action, meaning consumers cannot sue businesses directly. Enforcement belongs exclusively to the Oklahoma Attorney General, who must provide 30 days’ written notice before taking action. That cure period is permanent and does not sunset. Maximum civil penalties are $7,500 per violation.

The law also uses a narrower definition of “sale” that covers only exchanges for money, not other forms of valuable consideration. And unlike some newer state privacy laws, SB 546 does not require businesses to recognize universal opt-out signals like Global Privacy Control.

Small businesses that fall below the data-processing thresholds are likely exempt. But businesses that do meet the thresholds should start now by mapping what personal data they hold on Oklahoma residents, updating privacy notices, building or extending consumer request workflows, and documenting data protection assessments for high-risk activities like targeted advertising.

Oklahoma is now the 20th or 21st state with a comprehensive privacy law on the books, depending on how Florida’s law is classified. More states are expected to follow during 2026 legislative sessions, which means the compliance landscape for businesses operating across state lines will keep getting more complex.

The information on this page was last verified on March 25, 2026
