On March 20, Oklahoma Gov. Kevin Stitt signed Senate Bill 546 into law, making Oklahoma the 21st state to enact a comprehensive consumer data privacy statute. The Oklahoma Consumer Data Privacy Act (the Act) takes effect on January 1, 2027, giving businesses less than nine months to prepare for compliance. Like many recent state privacy laws, the Act follows the Virginia-style model, granting Oklahoma residents new rights over their personal data and imposing affirmative obligations on businesses that collect, process, and use that data.
This alert summarizes the Act’s key provisions and outlines practical steps organizations should take now to prepare for compliance.
Who Must Comply
The Act applies to entities that conduct business in Oklahoma or produce products or services targeted at Oklahoma residents and that, during a calendar year, meet one of the following thresholds:
- Control or process personal data of 100,000 or more Oklahoma consumers
- Control or process personal data of 25,000 or more Oklahoma consumers and derive more than 50% of gross revenue from the sale of personal data
Notably, “consumers” under the Act are defined as Oklahoma residents acting in a personal or household capacity only. Consistent with most state privacy laws outside of California, the Act does not cover data processed in an employment or business-to-business context, a meaningful limitation that narrows the scope of compliance for many organizations.
Entity-Level and Data-Level Exemptions
The Act includes several notable exemptions at both the entity and data levels, consistent with other state privacy frameworks. The following categories of entities are exempt from the Act’s requirements:
- State and local government entities
- Nonprofit organizations
- Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Institutions of higher education
Organizations that operate across multiple lines of business should note that exemptions apply at the data and entity levels; a partial exemption does not insulate the organization as a whole.
In addition to these entity-level exemptions, certain categories of data fall outside the Act’s scope. These data-level exemptions include, among others, information regulated under GLBA, protected health information subject to HIPAA, data governed by the Fair Credit Reporting Act or the Family Educational Rights and Privacy Act, employment- and applicant-related data, business-to-business contact information, and data regulated under the Controlled Substances Act.
Key Consumer Rights
The Act grants Oklahoma residents several rights with respect to their personal data:
- Right to Access: Consumers may confirm whether a business is processing their personal data and obtain a copy of such data.
- Right to Correction: Consumers may request correction of inaccuracies in their personal data.
- Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them.
- Right to Data Portability: Consumers may obtain a portable copy of their personal data, where it is maintained in digital form.
- Right to Opt-Out: Consumers may opt out of targeted advertising, the sale of personal data, and certain forms of profiling that produce legal or similarly significant effects. The Act defines “sale” narrowly: only exchanges for monetary consideration qualify, so the other forms of valuable consideration that some other state privacy laws capture are excluded.
Unlike some other state privacy laws, the Act does not require controllers to recognize universal opt-out signals (such as Global Privacy Control) or to accept rights requests submitted through authorized agents. These omissions may simplify compliance for businesses already managing opt-out mechanisms under other state laws.
Covered businesses must respond to verified consumer requests within 45 days, with one permissible extension when reasonably necessary. Businesses must also provide a clear appeal mechanism for denied requests.
Controller Obligations
Businesses that qualify as “controllers” must comply with the following requirements:
- Publish a clear and accessible privacy notice describing data practices, consumer rights, and how to exercise those rights.
- Adhere to data minimization and purpose limitation principles, limiting data collection to what is adequate, relevant, and reasonably necessary.
- Maintain reasonable administrative, technical, and physical safeguards for personal data.
- Obtain consumer consent before processing sensitive data.
- Enter into contracts with processors containing required data protection provisions.
Data Protection Assessments
The Act requires controllers to conduct data protection assessments for certain high-risk processing activities, including targeted advertising and profiling. These assessments must be documented and made available to the Oklahoma Attorney General upon request. Organizations already conducting data protection impact assessments under other state laws should review whether their existing frameworks satisfy Oklahoma’s requirements.
Processor Obligations
Entities that process data on behalf of controllers (“processors”) must adhere to contractual requirements governing data processing and assist controllers in meeting their obligations under the Act.
Sensitive Data
The Act imposes heightened obligations on the processing of “sensitive data,” a category that includes precise geolocation information, data revealing racial or ethnic origin or religious beliefs, health information, and personal data of children, among others. Controllers may not process sensitive data without first obtaining the consumer’s affirmative consent, a requirement that may necessitate updates to consent flows, data collection forms, and privacy notices.
Enforcement and Penalties
Enforcement of the Act is vested exclusively in the Oklahoma Attorney General, and the Act does not provide a private right of action. Before initiating an enforcement action, the Attorney General must provide written notice and a 30-day cure period. If the violation is cured within that window, the Attorney General may not proceed with enforcement. Civil penalties may reach up to $7,500 per violation.
Importantly, the 30-day cure period is permanent and does not sunset, which is a significant distinction from several other state privacy laws, where cure periods either have expired or were never included. This permanent cure window gives businesses a meaningful and ongoing opportunity to remediate violations before facing penalties, and it may reduce enforcement risk for organizations that maintain responsive compliance programs.
Broader Privacy Landscape Context
Oklahoma’s enactment of this comprehensive privacy law continues a significant national trend. As of April 2026, 21 states have adopted sweeping consumer data privacy statutes, with no sign of the trend slowing. In the continued absence of a federal comprehensive privacy law, the growing patchwork of state laws makes it increasingly critical for businesses operating across multiple states to develop scalable, multistate compliance strategies.
Organizations that have already implemented compliance programs under laws such as the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, or the Connecticut Data Privacy Act should be relatively well positioned to adapt. However, state-specific nuances remain important, and businesses should not assume that compliance with another state’s law ensures full compliance with the Act. Rather than managing each state’s requirements in isolation, organizations are increasingly well served by aligning to the strictest standard and working down from there.
Recommended Next Steps
Although the Act does not take effect until January 1, 2027, organizations should begin preparing now. The following steps will help position your organization for compliance:
- Assess Applicability: Determine whether your organization meets the Oklahoma applicability thresholds based on the volume of Oklahoma consumer data processed and revenue derived from data sales.
- Conduct a Data Inventory: Inventory personal data collected from Oklahoma residents and map data flows to identify where Oklahoma consumer data is collected, stored, shared, and processed.
- Update Privacy Notices: Review and update privacy notices and disclosures to address the specific requirements of the Act.
- Implement Consumer Rights Processes: Establish or refine mechanisms to receive, verify, and respond to consumer rights requests within the 45-day time frame, including an appeal process for denied requests.
- Evaluate Advertising and Data-Sharing Practices: Assess current practices related to targeted advertising, data sales, and profiling to ensure opt-out mechanisms are in place.
- Review Vendor Contracts: Confirm that contracts with data processors and service providers include the data protection provisions required under the Act.
- Conduct Data Protection Assessments: Evaluate whether your organization’s processing activities trigger the requirement for data protection assessments, and if they do, prepare the necessary documentation.
- Train Internal Stakeholders: Ensure that relevant personnel, including privacy, legal, IT, and marketing teams, are trained on the new compliance obligations.
How We Can Help
Our Data Privacy, Security, Safety & Risk Management team is closely monitoring developments in state privacy law and is prepared to assist with all aspects of Oklahoma Consumer Data Privacy Act compliance, from initial applicability assessments to privacy notice updates, vendor contract reviews, and full compliance program implementation. Please contact us if you have questions about how this law may affect your organization or if you would like to begin preparing before the Act takes effect on January 1, 2027.