On March 20, Oklahoma Governor Kevin Stitt signed Senate Bill 546, the Oklahoma Data Privacy Act, creating a broad state privacy framework that gives Oklahoma consumers new rights over how certain businesses collect, use, and share personal data. The law takes effect on January 1, 2027.
The Act applies to controllers and processors that do business in Oklahoma or target products or services to Oklahoma residents and that either process the personal data of at least 100,000 consumers in a calendar year or process the personal data of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal data. The law excludes, among others, financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as certain activity regulated by the Fair Credit Reporting Act.
Key provisions include:
- Consumer rights. The Act gives consumers the right to confirm whether a controller is processing their personal data, access that data, correct inaccuracies, delete certain data, and obtain a portable copy of data previously provided to the controller. It also allows consumers to opt out of targeted advertising, the sale of personal data, and certain profiling.
- Response and appeal procedures. Controllers generally must respond to authenticated consumer requests within 45 days. They may extend that period once for another 45 days when reasonably necessary, and they must provide an appeal process if they deny a request.
- Sensitive data restrictions. Controllers must obtain consumer consent before processing sensitive data. For known children, processing must comply with the Children’s Online Privacy Protection Act.
- Controller and processor obligations. The Act requires controllers to follow data minimization and reasonable data security standards and to provide privacy notices with specified disclosures. It also requires processor contracts and data protection assessments for certain higher-risk processing activities, including targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data.
- Attorney General enforcement. The Oklahoma Attorney General has exclusive enforcement authority under the Act. The law provides a 30-day cure period, authorizes civil penalties of up to $7,500 per violation, and does not create a private right of action.
Putting It Into Practice: Although the Act excludes financial institutions and data subject to the Gramm-Leach-Bliley Act, companies operating across affiliated business lines should assess carefully how far those exemptions extend. Businesses collecting consumer data should continue monitoring state privacy developments and update compliance programs as necessary.
