Not a moment too soon(er), we have our twentieth state comprehensive privacy law. Ending a nearly two year national drought, Oklahoma Governor Kevin Stitt signed SB 546 into law on March 20, 2026.

For businesses concerned about preparing for the law's effective date of January 1, 2027, it will be welcome news that SB 546 breaks little, if any, new ground compared to the consensus formed across the 18 (non-California) state comprehensive laws currently in effect. That said, a few provisions are worth noting. 

Standard Scope and Definitions

SB 546 applies to controllers and processors doing business in Oklahoma or targeting Oklahoma residents that either (1) process personal data of at least 100,000 consumers annually, or (2) process data of at least 25,000 consumers and derive more than 50% of gross revenue from selling personal data. These thresholds track other state laws closely.

The law's definitions similarly generally follow the narrower formulation. Notably, the definition of "sale" is limited to exchanges for monetary consideration only, not other valuable consideration. This exempts many common data-sharing arrangements in the advertising ecosystems from the opt-out requirement.

Oklahoma's definition of biometric data, which includes data generated from photographs, video, or audio recordings when used to identify a specific individual, mirrors Minnesota's approach and stands in contrast to many other state comprehensive privacy laws, which often expressly exclude photo- and video-derived data.

Familiar Consumer Rights 

The consumer rights package is standard: access, correction, deletion, portability, and opt-out of targeted advertising, data sales, and certain profiling. Controllers must notify consumers within 45 days if declining to act on a request, and must provide appeal instructions.

Two absences are worth noting: the bill includes no provisions for authorized agents, and no provisions requiring recognition of opt-out preference signals. Businesses that geofence states in which they honor signals sent by Global Privacy Control will not need to update these restrictions.

Business Obligations Follow the Playbook

SB 546's controller and processor obligations align with state privacy orthodoxy: transparency, data minimization, reasonable security, processor contracts, and data protection assessments for high-risk processing activities. For organizations that have already built multi-state compliance frameworks, the Oklahoma obligations should largely fit within existing structures. 

AG Enforcement, With a Forever Cure Period

SB 546 takes effect January 1, 2027, and enforcement is the exclusive province of the attorney general. There is, of course, no private right of action. Before bringing an action, the AG must notify the alleged violator and allow 30 days to cure. Unlike several other states, this cure period does not sunset. Civil penalties are $7,500 per violation, with no escalator for willful or intentional violations.

Action Items

Businesses have until January 1, 2027 to comply, offering a reasonable runway. For businesses already compliant with other state frameworks, the incremental compliance burden should be manageable. The priorities for the coming months will include updating your privacy policy to reference Oklahoma in your updates for 2027, and ensuring your consumer request is configured to accept requests from Oklahoma residents.

Oklahoma may be the 20th state across the finish line, but it won't be the last. State privacy watchers expect at least a few more serious state legislative efforts to join the topography of state privacy law.