Key point: Oklahoma becomes the 20th state to enact a broad consumer data privacy law.

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law. In doing so, Oklahoma becomes the 20th state to enact a broadly applicable consumer data privacy law.

Passage of a consumer data privacy law in Oklahoma has been a multiyear process. The Oklahoma House first passed a consumer data privacy bill authored by then-Representative Collin Walke in 2021, but the bill stalled in the Senate. The House again passed a bill in 2022, and it again stalled in the Senate.

The new law is a more business-friendly blend of the 2022 version of Virginia’s consumer data privacy law and the Texas consumer data privacy law. Ultimately, entities subject to other state privacy laws will not have any new compliance obligations. In the article below, we provide an overview of the new law.

Applicability

The law applies to controllers and processors that conduct business in Oklahoma or produce a product or service targeted to residents of the state and that either (1) control or process the personal data of 100,000 or more consumers, or (2) control or process the personal data of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data.

Oklahoma has a population of around 4.1 million people, meaning that the 100,000 consumer threshold is around 2.4% of the state’s population. Consumer is defined to exclude individuals acting in a commercial or employment context. Sale is defined narrowly to only include monetary consideration.

Exemptions

The law exempts GLBA financial institutions and data, HIPAA-covered entities and business associates, nonprofits, and institutions of higher education. The law also contains customary exemptions for health-related data, FCRA data, FERPA data, and employee data.

Notable Definitions

Sensitive Data

Sensitive data is defined narrowly to be: (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; and (4) precise geolocation data.

Biometric Data

The definition of biometric data largely follows the Virginia definition; however, the exception is narrower than in Virginia. Specifically, the law states that biometric data “does not include a physical or digital photograph, a video or audio recording, or data generated from a physical or digital photograph or a video or audio recording unless such data is generated to identify a specific individual.” The italicized language does not appear in Virginia or Texas’ laws, although it does appear in Connecticut’s law.

Consent

The law uses the Texas definition of consent, which includes language stating that consent does not include acceptance of general or broad terms of use or hovering over, muting, or closing content.

Personal Data

The law borrows from Texas’ definition and provides that personal data “includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.”

Consumer Rights

The law contains the customary consumer rights, including the rights to (1) confirm whether a controller is processing the consumer’s personal data and to access the personal data; (2) correct inaccuracies in the consumer’s personal data; (3) delete personal data provided by or obtained about the consumer; and (4) opt out of targeted advertising, the sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. All rights, including the opt-out rights, are subject to authentication.

The law requires controllers to obtain consumer consent for the processing of sensitive data; however, it does not provide for the right to revoke consent.

Children’s Privacy Rights

The law does not contain any additional privacy rights for children above 13 years of age.

Universal Opt-Out Mechanisms

The law does not require controllers to recognize universal opt-out mechanisms.

Privacy Policy

The privacy policy provisions are consistent with those found in Virginia’s law.

Enforcement

Violations of the law are only enforceable by the state attorney general. Prior to bringing an action, the attorney general must notify a controller or processor and provide it with 30 days to cure the alleged violation(s). The attorney general can seek statutory damages of $7,500 for each violation.

The attorney general is required to post on its website information relating to the responsibilities of controllers and processors and consumer rights under the law as well as a mechanism through which consumers can submit complaints to the attorney general. That provision mirrors section 541.152 of the Texas consumer data privacy law.

Effective Date

The law goes into effect January 1, 2027.