On March 23, 2026, the legislature of Oklahoma passed Oklahoma SB546, a comprehensive privacy law that will go into effect on January 1, 2027. This new privacy law will provide residents of Oklahoma with privacy rights and will impose compliance obligations upon certain businesses, such as the requirement to have a Privacy Policy that includes all of the disclosures required by this law. In this article, we will discuss the following aspects of Oklahoma’s privacy law so that you can be ready for its requirements:
- Who needs to comply with Oklahoma’s privacy law;
- The definition of “personal data” under this law;
- The privacy rights provided to residents of Oklahoma;
- The Privacy Policy requirements of Oklahoma SB546;
- Penalties for non-compliance; and
- How Termageddon will manage updates for Oklahoma’s privacy law.
Table of Contents
Who needs to comply with Oklahoma’s privacy law?
Oklahoma’s privacy law applies to anyone who does business in Oklahoma or that produces a product or service targeted to residents of the state and, that during a calendar year:
- Control or process the personal data of at least 100,000 residents of Oklahoma; or
- Control or process the personal data of at least 25,000 residents of Oklahoma and derive over 50% of gross revenue from the sale of personal data.
Oklahoma SB546 does not apply to nonprofit organizations so only for profit organizations will need to comply with this law. Notably, Oklahoma’s privacy law applies to organizations that are formed in or headquartered in outside of Oklahoma as well, if they meet the factors above.
How does Oklahoma SB546 define “personal data”?
Since this privacy law applies to organizations controlling or processing a certain amount of personal data of residents of Oklahoma, it is important to determine how this privacy law defines “personal data.” Oklahoma SB546 defines “personal data” as “any information including sensitive data that is linked or reasonably linkable to an identified or identifiable individual.”
This means that personal data commonly collected through business websites such as names, emails, phone numbers, physical addresses, and IP addresses, would be considered “personal data” under Oklahoma’s privacy law. The privacy law does specifically exempt de-identified data or publicly available information from the definition of “personal data.”
What are the privacy rights provided by Oklahoma’s privacy law?
Oklahoma SB546 provides the following privacy rights to residents of the state:
- Confirm whether the controller is processing the consumer’s personal data;
- Access personal data;
- Correct inaccuracies in the personal data;
- Delete personal data;
- Obtain a copy of the personal data in a portable and readily usable format that allows the consumer to transmit the data to another controller, where the processing is carried out by automated means;
- Opt out of targeted advertising;
- Opt out of the sale of personal data;
- Opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect;
- The right to not be discriminated against based upon the exercise of privacy rights.
Businesses that are required to comply with this law have 45 days from a receipt of a request to exercise privacy rights to reply to the consumer, though this period may be extended by an additional 45 days if needed. Consumers also have the ability to appeal a refusal to exercise a particular privacy right.
What are the Privacy Policy requirements of Oklahoma SB546?
Oklahoma SB546 requires businesses that are subject to this law to provide consumers with an accessible and clear Privacy Policy that includes the following disclosures:
- The categories of personal data processed;
- The purpose for processing the personal data;
- How consumers can exercise their privacy rights, including how to appeal a privacy rights decision;
- The categories of personal data shared with third parties, if any;
- The categories of third parties with whom the personal data is shared, if any;
- Whether personal data is sold or processed for targeted advertising. If personal data is sold or used for targeted advertising, how a consumer can opt out of such sale or use.
What are the penalties for failing to comply with Oklahoma’s privacy law?
Oklahoma’s privacy law will be enforced by the State’s Attorney General, who can impose penalties of up to $7,500 per violation. Usually, in the privacy law enforcement landscape, per violation means per person whose privacy rights were infringed upon. For example, if a website has 100 website visitors from Oklahoma without a compliant Privacy Policy, the fine could be calculated by multiplying 100 by $7,500, which can lead to very high penalties.
How will Termageddon handle updates for Oklahoma SB546?
We have been tracking this privacy law since its inception and through its many iterations. We will continue to track it for any amendments, rules and regulations. We will email all affected customers prior to the effective date of January 1, 2027 in order to make updates to Privacy Policies.
