March 27, 2026

Oklahoma Joins Comprehensive State Privacy Law Landscape

LinkedIn Facebook X Send Embed On March 20, 2026, Oklahoma Governor Kevin Stitt signed into law Enrolled Senate Bill No. 546, a comprehensive privacy law that will go into effect on January 1, 2027—this makes Oklahoma the 21st state to enact a comprehensive privacy law. The bill follows the common model used in many state privacy statutes: it grants consumers baseline privacy rights, requires opt-outs for targeted advertising and certain disclosures, and expects companies to document and manage higher-risk processing.

In general, the law applies to a controller or processor doing business in Oklahoma, or targeting Oklahoma residents, and, during a calendar year, either controls or processes personal data of at least 100,000 consumers, or controls/processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

Consumers have rights to access and confirm processing, correct inaccuracies, delete personal data (including data “provided by or obtained about” the consumer), obtain portable data the consumer provided, and opt out of targeted advertising, the sale of personal data, and certain profiling with significant effects.

“Sale” is the exchange of personal data for monetary consideration, with carve-outs including disclosures to processors, for requested services, and to affiliates. Notably, this is narrower than laws in states that include “valuable consideration” in the definition of sale. “Sensitive data” includesprecise geolocation, biometric data used for unique identification, and known children’s data, and generally requires opt-in consent.

The statute also calls for data minimization and reasonable security, required privacy notice disclosures (including clear disclosure of sale/targeted advertising, where applicable), and data protection assessments for targeted advertising, sale of personal data, sensitive data processing, and certain profiling/high-risk processing. It will be enforced by the Attorney General, includes a 30-day cure process, and provides no private right of action. Companies should use the lead time to confirm applicability and operationalize opt-outs, consent, consumer requests, vendor controls, and assessments.

[View source.]

Send Print Report

Latest Posts

• Oklahoma Joins Comprehensive State Privacy Law Landscape
• Expel Annual Threat Report Shows Identity Compromise Continues to Be Threat Actors’ Favorite Tool
• No Good Deed Goes Unpunished: Victim Stryker Sued for Iranian-Backed Cyber Attack
• Ford Settlement Highlights Simple Practice: Opt-Outs Must be Easy
• Skullcandy Can’t Transfer Its CIPA Case Out of California See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

©
Robinson+Cole Data Privacy + Security Insider
2026

Written by:

Robinson+Cole Data Privacy + Security Insider Contact + Follow Roma Patel + Follow

PUBLISH YOUR CONTENT ON JD SUPRA

• ✔ Increased readership
• ✔ Actionable analytics
• ✔ Ongoing writing guidance Join more than 70,000 authors publishing their insights on JD Supra

Start Publishing »

Published In:

Consumer Privacy Rights + Follow Data Privacy + Follow Data Protection + Follow New Legislation + Follow Opt-Outs + Follow Personal Data + Follow Regulatory Requirements + Follow State Privacy Laws + Follow Consumer Protection + Follow Privacy + Follow Science, Computers & Technology + Follow more

Robinson+Cole Data Privacy + Security Insider on:

Solve with 2Captcha

Solve with 2Captcha