Oklahoma passed a consumer privacy law, the Oklahoma Consumer Data Privacy Act (OCDPA) or Senate Bill 546, in March 2026.
It aims to protect the personal data of consumers in the state and outlines obligations data controllers and processors must follow.
Learn about this new law and how it might impact you below.
- What Is the Oklahoma Consumer Data Privacy Act (Senate Bill 546)?
- Oklahoma Consumer Data Privacy Act Key Terms and Definitions
- What Does the Oklahoma Consumer Data Privacy Act Cover?
- What Are the Requirements of the Oklahoma Consumer Data Privacy Act?
- How Will Consumers Be Impacted by the Oklahoma Consumer Data Privacy Act?
- Who Does the Oklahoma Consumer Data Privacy Act Apply To?
- How Will Businesses Be Impacted by the Oklahoma Privacy Law?
- Who Must Comply with Oklahoma's New Privacy Law?
- How Can Businesses Prepare for Senate Bill 546?
- How Will the Oklahoma Consumer Data Privacy Act Be Enforced?
- What Are the Fines and Penalties Under the Oklahoma Consumer Data Privacy Act?
- How Will Termly Help Businesses with the Oklahoma Consumer Data Privacy Act?
- Oklahoma Data Privacy Law FAQs
What Is the Oklahoma Consumer Data Privacy Act (Senate Bill 546)?
The Oklahoma Consumer Data Privacy Act (OCDPA), or Senate Bill 546, is a comprehensive consumer privacy law.
It gives rights to state residents over their personal data online and outlines requirements entities must follow to legally collect, process, and use that information.
When is the Oklahoma Consumer Data Privacy Act Effective?
The Oklahoma Consumer Data Privacy Act becomes effective on January 1, 2027.
Oklahoma Consumer Data Privacy Act Key Terms and Definitions
Next, read through some key terms from the Oklahoma privacy law and their definitions exactly as they appear in the official legal text:
What Does the Oklahoma Consumer Data Privacy Act Cover?
The Oklahoma Consumer Data Privacy Act covers the online personal information of residents of the state.
It governs how entities can collect, store, use, and share that data, including a category of sensitive personal information.
Overall, it focuses on transparency, consumer control, and responsible data processing requirements.
What Are the Requirements of the Oklahoma Consumer Data Privacy Act?
Take a look at some of the main requirements outlined in Oklahoma’s new privacy law.
Data Collection Limitations
Entities that fall under Oklahoma’s new privacy law are required to only collect data that is considered adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer.
This means you cannot collect information from consumers protected by this law without first providing them with notice, which could be in the form of a privacy policy.
Data Processor Responsibilities
Data processors under this law are required to adhere to the instructions of the controller and assist the controller in complying with the OCDPA.
This includes taking into account the rights the law grants to Oklahoma consumers and considering the nature of the data being processed.
Contractual Obligations Between Controllers and Processors
Under Oklahoma’s new privacy law, controllers and processors must both sign contracts that outline the following guidelines:
- Clear instructions for processing data, including, the nature and purpose of processing, the type of data subject to processing, and the duration of processing,
- Outline the rights and obligations of both parties,
- Require the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the data,
- At the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention is required by law,
- Make available to the controller, upon reasonable request, all information in the processor’s possession to demonstrate the processor’s compliance with the requirements of this law,
- Cooperate with reasonable assessments by the controller or the controller’s designated assessor,
- Engage any subcontractor to a written contract requiring them to also meet the requirements of the processor.
Data Protection Assessment
According to Oklahoma’s new privacy law, controllers must perform data protection assessments if you process personal data in the following ways:
- You process personal data for purposes of targeted advertising,
- You sell of personal data,
- You process personal data for purposes of profiling, and it presents reasonably foreseeable risks,
- You process sensitive personal data,
- You process personal data in a way that presents a heightened risk of harm to consumers.
You must weigh the direct or indirect benefits that may flow from the processing, and factor in additional aspects including the use of de-identified data, the reasonable expectations of consumers, and the context of the processing.
A single data protection assessment used to accommodate a data privacy law with similar or greater protections to Oklahoma’s law can be used.
How Will Consumers Be Impacted by the Oklahoma Consumer Data Privacy Act?
Consumers in Oklahoma gain new rights under this new privacy law, including expanded control over how businesses handle their personal information online.
Consumers in the state now have a right to:
- Access their data
- Correct their data
- Request to delete their data
- Obtain a portable copy of their personal information
- Opt out of targeted ads, the sale of their data, and profiling
Who Does the Oklahoma Consumer Data Privacy Act Apply To?
The Oklahoma Consumer Data Privacy Act applies to anyone that conducts business in Oklahoma or produces products or services targeted at residents of the state who meet either of the following guidelines:
- Controls or processes personal data of at least 100,000 consumers, or
- Controls or processes personal data of at least 25,000 consumers and derives over 50% gross revenue from the sale of data.
How Will Businesses Be Impacted by the Oklahoma Privacy Law?
Businesses that fall under the Oklahoma Data Privacy Law will be impacted in several ways, including needing to update the content of your privacy policy and cookie policy.
How Will Senate Bill 546 Affect My Privacy Policy?
Under Oklahoma’s new privacy law, you need to update your privacy policy to include the following information:
- The categories of personal data you collect
- The purposes for why you process that data
- The categories of personal data you share with third parties, if any
- The categories of third parties you share personal data with, if any
- Instructions as to how consumers can exercise their privacy rights,
- Methods available for consumers to submit data subject requests.
The law also states that your policy must be posted in a prominent place and written using simple language that consumers can easily understand.
How Will the Senate Bill 546 Affect My Cookie Policy?
Senate Bill 546 impacts your cookies, especially if you use them for targeted advertising or profiling, because consumers have the right to opt out of those activities under this new law.
You should also ensure you cookie policy fully describes:
- The categories of data collected through cookies or other tracking technologies,
- The purposes for which you’re using that data,
- Instructions for how these consumers can opt out of targeted advertising and profiling.
You must transparently explain all of this to consumers in a way that’s easy for them to read and understand.
Who Must Comply with Oklahoma’s New Privacy Law?
Any business that meets the applicability thresholds and engages in data processing of Oklahoma residents must comply with this new privacy law, even if you’re located outside of the state.
Who Is Exempt from the Oklahoma Consumer Data Privacy Act?
The following organizations are exempt from Oklahoma’s Consumer Privacy Law:
- State agencies, political subdivisions, and service providers processing data on their behalf,
- Financial institutions subject to following the GLBA
- HIPAA covered entities and their associates
- Nonprofit organizations
- Institutions of higher education
How Can Businesses Prepare for Senate Bill 546?
To prepare for Oklahoma’s Consumer Privacy Law, businesses should take the following these five easy steps:
- Conduct a data privacy audit or inventory and map all data locations,
- Review your current privacy policy and update it to comply with the new law,
- Develop a process for receiving and responding to consumer requests to follow through on their rights,
- Establish adequate consent mechanisms for sensitive data, targeted advertising, and/or profiling,
- Train all employees on compliance procedures.
How Will the Oklahoma Consumer Data Privacy Act Be Enforced?
Senate bill 546 will be enforced by the Oklahoma Attorney General.
The AG will provide the entity with a 30-day cure period for the violation. If the issues are not addressed properly, the AG can move forward with enforcement.
What Are the Fines and Penalties Under the Oklahoma Consumer Data Privacy Act?
Fines for violating the Oklahoma Consumer Data Privacy Act can reach as high as $7,500 per incident.
Consumers do not have a private right of action under this law.
How Will Termly Help Businesses with the Oklahoma Consumer Data Privacy Act?
Termly will help businesses align with the Oklahoma Consumer Data Privacy Act by ensuring our tools are properly equipped to help you meet the notification and consent requirements outlined by the law before it enters into force in 2027.
Our consent management platform and privacy policy generator are regularly updated by our legal team and data privacy experts to accommodate new and evolving laws, including Oklahoma’s SB 546.
Oklahoma Data Privacy Law FAQs
Below are answers to frequently asked questions about Oklahoma’s new data privacy law.
What is the new data privacy law in Oklahoma?
Oklahoma’s new data privacy law is a comprehensive consumer data privacy law that grants residents of the state rights over how entities collect, process, and use their personal data.
It is like other U.S. state-level privacy laws and gives consumers the right to access, correct, delete, or opt out of certain types of data processing.
Businesses that fall under this law must provide consumers with a transparent privacy policy and meet various requirements to lawfully collect and use personal information.
Does Oklahoma’s new privacy law impact businesses?
Yes, Oklahoma’s new data privacy law will impact businesses around the world once it enters into force in 2027.
Any business that meets the thresholds outlined by this new law will be subject to complying with it.
Citations & Resources
Written by Natasha Piirainen
Natasha Piirainen is a privacy writer with a Bachelor’s Degree in English and Philosophy from Wheaton College and over 10 years of professional experience in research-driven content development.
Read all posts by Natasha Piirainen
Reviewed by Amanda Lee
Amanda is a Documentation Specialist and Certified Privacy Professional (US). She converts product documentation into easily understood product for Termly's customers. She also has strong understanding of US privacy laws and regulations, helping to keep customer policies up to date at a time when US states are enacting more and more privacy laws.
Read all posts reviewed by Amanda Lee
