Oklahoma is the first state since Rhode Island – which passed its law in June 2024 – to enact a comprehensive privacy law. Want a full list of the states with these laws? Visit our tracker, where you will find a comparison of all of these laws’ key provisions. The Oklahoma law, Senate Bill 546, was signed by the governor on March 20, 2026 and will go into effect on January 1, 2027.
For anyone following state privacy laws in the US, Oklahoma’s approach will sound familiar. It applies if the company operates in Oklahoma or targets Oklahoma residents and one of two additional conditions applies. The company must either: (i) handle personal data for 100,000 or more Oklahoma consumers; or (ii) handle data for 25,000 or more Oklahoma consumers and earn over 50% of its revenue from selling personal data. The law does not apply to certain groups. These include nonprofits, colleges, and universities. The law also does not apply to health care providers covered by HIPAA or financial institutions regulated by GLBA. It also does not cover employee or job applicant data.
The following are some of the key provisions that, again, go into effect in January 2027:
- Consumer rights and choices: Under the law, Oklahoma residents will have rights similar to those in other states. These include access, correction, and deletion rights. They also have the right to copies of their data in a usable format. Oklahomans will need to be given the ability to opt out of targeted advertising and the sale of personal information. They will also need to be able to opt out of profiling that has serious legal or real-world effects.
- Sensitive information: Like all states other than California, Iowa, and Utah, Oklahoma will require businesses to get opt in consent before using sensitive data. Sensitive data is defined to include health data, biometric data, and children’s data. It also includes precise location data and certain demographic details like race and ethnicity. Like other states, Oklahoma will require that consent be “freely given” and not be obtained through a dark pattern.
- Data protection impact assessments: Businesses will need to complete data protection impact assessments for higher risk activities. These activities include things like targeted advertising and selling personal data. They will also include certain types of profiling and processing sensitive data. The risk assessment obligation will begin on the law’s effective date, i.e., January 1, 2027. These assessments will need to be shared with the Oklahoma Attorney General if requested.
Only the Oklahoma Attorney General can enforce the law; there is no private right of action. Oklahoma joins other states that provide companies with a 30 day period to fix violations. This cure period does not expire. (Read this for more about states’ cure periods.) Penalties can reach up to $7,500 per violation.
Putting It Into Practice: To meet the 2027 effective date, businesses that will be subject to the law may want to start compliance efforts now. This includes assessing how to give rights and choices, and integrating the risk assessment requirements into their existing processes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.