On March 20, 2026, Oklahoma’s Governor signed Senate Bill (SB) 546, which establishes a consumer data privacy law for the state. Oklahoma’s law takes effect January 1, 2027.

To whom does the law apply?

The law applies to controllers (or processors) operating in the state and handling data for:

  • at least 100,000 consumers; or,
  • at least 25,000 consumers, while earning over half of their revenue from selling personal data.

There are certain exemptions for state agencies and their service providers, financial institutions covered by the Gramm-Leach-Bliley Act, entities covered by HIPAA/HITECH, non-profit organizations, and institutions of higher education.

Who is protected by the law?

A consumer protected under the legislation is defined as an individual who is a resident of Oklahoma, acting only in an individual or household capacity. A consumer does not include a person acting in a commercial or employment context.

What data is protected by the law?

The law protects “personal data,” which means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual.

“Sensitive data” is given additional protection and includes the following:

  • Personal data revealing racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data for uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data.

What are the rights of consumers?

Under the law, consumers have the following rights:

  • To confirm whether a controller is processing their personal data
  • To correct inaccurate personal data
  • To delete personal data maintained by the controller
  • For data available in a digital format, to obtain a copy of their personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance
  • To opt out of the processing of personal data for targeted advertising, sale, or certain profiling

Controllers must respond within 45 days to consumers’ requests under the law, with one additional 45-day extension when reasonably necessary. If declining to act, the controller must explain why and provide appeal instructions.

What obligations do controllers have?

Similar to other state comprehensive privacy laws that have been enacted over the last several years, controllers in Oklahoma must, among other things:

  • Comply with data minimization principles, including limiting the collection of personal data to what is adequate, relevant, and reasonably necessary;
  • Perform data protection assessments relating to certain data processing activities, including processing sensitive data;
  • Provide a reasonably accessible and clear privacy notice to consumers;
  • Include certain provisions in agreements with processors concerning personal data;
  • Maintain reasonable administrative, technical, and physical security practices;
  • Avoid processing for incompatible purposes without consent;
  • Avoid unlawful discrimination and discriminating against consumers for exercising their rights; and
  • Obtain consent before processing sensitive data and comply with COPPA for known children.

How is the law enforced?

The Attorney General has exclusive authority to enforce violations of the legislation. Violators of the law may incur a fine of up to $7,500 per violation. The law makes clear that it shall not be construed as providing a basis for a private right of action for a violation of this law.

If you have questions about Oklahoma’s new privacy law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Damon W. Silver

Damon W. Silver is a principal in the New York City, New York, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, AI & Cybersecurity practice group. He is a Certified Information Privacy Professional (CIPP/US).

Damon helps clients across various industries—with a focus on financial services, healthcare, and education—handle their data safely. He works with them to pragmatically navigate the challenges they face from cyberattacks, technological developments including AI, a fast-evolving data privacy and security legal compliance landscape, and an active and innovative plaintiffs’ bar.

Damon recognizes that needs vary from one client to the next. Large, mature organizations, for instance, may need assistance managing multi-jurisdictional and multi-faceted compliance obligations. Others may be in a stage of development where their greatest need is to triage what must be done now and what can more safely be left for later. Damon takes the time to understand each client’s circumstances and priorities and then works with it to develop tailored approaches to effectively managing risk without unnecessarily hindering business operations.