On March 20, 2026, Oklahoma’s governor signed S.B. 546 making Oklahoma the latest state to enact a comprehensive state privacy law. The law, effective January 1, 2027, applies to organizations doing business in Oklahoma or targeting residents in Oklahoma that either (i) process 100,000 Oklahoma consumers’ personal data or (ii) process 25,000 Oklahoma consumers’ personal data and derive more than half of its revenue from selling personal data.
The law has similar notice, consumer rights, and vendor management obligations as those set forth in many other analogous state comprehensive privacy laws. For example, under the law, Oklahomans can request to access, correct, delete, and obtain copies of their personal data, as well as opt out of the sale of their personal data and certain targeted advertising practices.
There are, however, some notable differences between Oklahoma’s law and other state privacy laws. Unlike the approach adopted by most other states, Oklahoma narrowly defines “sale” as exchanges of personal data involving monetary consideration, while other states more broadly define sales to include exchanges of personal data for any valuable consideration. Additionally, Oklahoma, similar to Minnesota, has adopted a definition of “biometric data” that includes information generated from photo, audio and video when that data is used to identify a specific individual. In contrast, most other states with comprehensive privacy laws expressly exclude this type of information from their definitions of biometric data.
The law will be enforced exclusively by the Oklahoma Attorney General. Following receipt of a notice of violation by the Oklahoma Attorney General, and if the violation is cured within the 30-day period, then the Attorney General will not bring a formal action.