Oklahoma Privacy Law (SB 546): What Businesses Need to Know Before 2027
Oklahoma Becomes the 20th State with a Privacy Law
On March 20, 2026, Governor Kevin Stitt signed SB 546 into law, making Oklahoma the 20th US state to enact a comprehensive consumer data privacy law. The Oklahoma Consumer Data Privacy Act (OKCDPA) takes effect on January 1, 2027, giving businesses approximately nine months to prepare.
After seven years of legislative attempts, Oklahoma joins a rapidly growing patchwork of state privacy laws that now covers more than half of the American population. For a full list, see our guide on how many states have data privacy laws.
Who Does the OKCDPA Apply To?
The law applies to entities that conduct business in Oklahoma or produce products or services targeted to Oklahoma residents, and that meet either of these thresholds:
- Process personal data of 100,000 or more Oklahoma consumers during a calendar year, OR
- Process personal data of 25,000 or more Oklahoma consumers and derive over 50% of gross revenue from selling personal data
These thresholds are similar to those in Virginia (VCDPA), Indiana (ICDPA), and Kentucky (KCDPA). Use our Privacy Law Calculator to check whether your business meets the thresholds for Oklahoma and all other state privacy laws.
Who Is Exempt?
The OKCDPA exempts several categories of entities:
- State and local government agencies
- Nonprofit organizations
- Higher education institutions
- Entities regulated under HIPAA (covered entities and business associates)
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Insurance companies regulated under Oklahoma insurance law
Consumer Rights Under the OKCDPA
The law grants Oklahoma residents the following rights:
- Right to access — confirm whether a controller is processing their personal data and access that data
- Right to correct — request correction of inaccurate personal data
- Right to delete — request deletion of personal data provided by or obtained about the consumer
- Right to data portability — obtain a copy of their personal data in a portable, readily usable format
- Right to opt out — opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects
Controllers must respond to consumer requests within 45 days, with a possible 45-day extension if reasonably necessary.
Business Obligations
Privacy Notice
Controllers must provide a clear, accessible privacy notice that includes the categories of personal data processed, purposes of processing, how consumers can exercise their rights, categories of third parties with whom data is shared, and categories of data shared with third parties.
Data Protection Assessments
Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm, including targeted advertising, sale of personal data, processing sensitive data, and profiling.
Sensitive Data Consent
Processing sensitive personal data requires opt-in consent. Sensitive data under the OKCDPA includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of known children, and precise geolocation data.
Processor Contracts
Controllers must have contracts with their data processors that specify data processing instructions, the nature and purpose of processing, confidentiality obligations, and requirements to delete or return personal data at the controller's direction.
Enforcement
The OKCDPA is enforced exclusively by the Oklahoma Attorney General. There is no private right of action — individual consumers cannot sue businesses directly for violations.
Key enforcement details:
- 30-day cure period — businesses receive a 30-day notice and opportunity to cure alleged violations before the AG takes enforcement action
- Permanent cure period — unlike many other state laws, the OKCDPA's cure period does not sunset
- Penalties — up to $7,500 per violation, plus attorney's fees and investigative costs
The permanent cure period makes Oklahoma one of the more business-friendly privacy laws, alongside Iowa and Utah. Compare enforcement approaches using our state comparison tool.
How the OKCDPA Compares to Other State Laws
The OKCDPA closely follows the Virginia (VCDPA) model, which has become the template for most state privacy laws outside of California and Colorado. Key comparisons:
- Thresholds: Same as Virginia, Indiana, and Kentucky (100K consumers or 25K + 50% revenue from data sales)
- No universal opt-out requirement: Unlike California, Colorado, and Connecticut, Oklahoma does not require businesses to honor universal opt-out mechanisms such as the Global Privacy Control (GPC) browser signal; consumers must exercise the opt-out right through the methods described in the controller's privacy notice
- AG-only enforcement: Same as most state privacy laws — no private right of action
- Permanent cure period: More business-friendly than states where the cure period has already expired or become discretionary (California, Colorado, Connecticut, Oregon); Virginia, like Oklahoma, retains a cure period that does not sunset
Preparation Timeline
With the January 1, 2027 effective date, businesses should follow this preparation timeline:
- Now (Q1 2026) — Determine whether the OKCDPA applies to your business using our calculator. If you already comply with Virginia or a similar state law, the gap analysis will be minimal.
- Q2 2026 — Conduct a data mapping exercise for Oklahoma consumer data. Identify what personal data you collect, how it is processed, and who it is shared with.
- Q3 2026 — Update your privacy policy to include Oklahoma-specific disclosures. Set up consumer request intake and response processes.
- Q4 2026 — Conduct data protection assessments for high-risk processing activities. Execute processor agreements. Train staff on new obligations.
- January 1, 2027 — Full compliance required.
View the full Oklahoma compliance checklist for a detailed breakdown of every requirement.
The Bottom Line
Oklahoma's privacy law follows the Virginia-model pattern that most multi-state businesses already know. If you already comply with the Virginia, Indiana, or Kentucky privacy laws, bringing your Oklahoma program into alignment should be straightforward. The permanent cure period and AG-only enforcement make it one of the more business-friendly laws, but with penalties of up to $7,500 per violation, plus attorney's fees and investigative costs, noncompliance is not worth the risk.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.