On March 20, 2026, Oklahoma Governor Kevin Stitt signed into law Enrolled Senate Bill No. 546, a comprehensive privacy law that will go into effect on January 1, 2027—this makes Oklahoma the 21st state to enact a comprehensive privacy law. The bill follows the common model used in many state privacy statutes: it grants consumers baseline privacy rights, requires opt-outs for targeted advertising and certain disclosures, and expects companies to document and manage higher-risk processing.

In general, the law applies to a controller or processor doing business in Oklahoma, or targeting Oklahoma residents, and, during a calendar year, either controls or processes personal data of at least 100,000 consumers, or controls/processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

Consumers have rights to access and confirm processing, correct inaccuracies, delete personal data (including data “provided by or obtained about” the consumer), obtain portable data the consumer provided, and opt out of targeted advertising, the sale of personal data, and certain profiling with significant effects.

“Sale” is the exchange of personal data for monetary consideration, with carve-outs including disclosures to processors, for requested services, and to affiliates. Notably, this is narrower than laws in states that include “valuable consideration” in the definition of sale. “Sensitive data” includesprecise geolocation, biometric data used for unique identification, and known children’s data, and generally requires opt-in consent.

The statute also calls for data minimization and reasonable security, required privacy notice disclosures (including clear disclosure of sale/targeted advertising, where applicable), and data protection assessments for targeted advertising, sale of personal data, sensitive data processing, and certain profiling/high-risk processing. It will be enforced by the Attorney General, includes a 30-day cure process, and provides no private right of action. Companies should use the lead time to confirm applicability and operationalize opt-outs, consent, consumer requests, vendor controls, and assessments.