Oklahoma Positioned to Enact Comprehensive Privacy Framework


Senate Bill 546 cleared the Oklahoma House 84–4, positioning the state to become the 21st to enact a comprehensive privacy framework.

After nearly a decade of legislative effort, Oklahoma moved decisively toward enacting a comprehensive consumer data privacy law on February 19, 2026, when the Oklahoma House of Representatives passed Senate Bill 546 by an overwhelming 84–4 vote. The bill, authored by Senator Brent Howard (R) and co-sponsored by House Majority Leader Josh West (R), now awaits Senate concurrence on House amendments before proceeding to Governor Kevin Stitt for signature.

The road to passage was anything but swift. West first introduced privacy legislation in 2019—at a time when California stood as the only state with a comprehensive data protection law. Earlier iterations of the bill, modeled after California’s Consumer Privacy Act, stalled repeatedly in the Senate. The current version pivots to a Virginia-style framework: the same “Consensus Privacy Approach” adopted by 18 other states and favored by both industry groups and the U.S. Chamber of Commerce. “This time, it’s not as voodoo as it was back in 2019 when we started talking about it,” West remarked on the House floor.

Key Provisions of SB 546

SB 546 covers any business operating in Oklahoma that either controls or processes the personal data of at least 100,000 consumers, or controls or processes the personal data of at least 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data. The bill grants Oklahoma residents a core set of data subject rights, including the right to access, correct, and delete their personal data, and to obtain a portable copy of it, as well as the right to opt out of targeted advertising, the sale of personal data, and profiling decisions with significant legal effects.

Controllers are required to conduct and document data protection assessments for high-risk processing activities. Enforcement is vested exclusively in the Oklahoma Attorney General, accompanied by a 30-day right to cure that does not sunset, a design that mirrors the Virginia model and provides companies a compliance correction window before penalties attach. The maximum civil penalty is $7,500 per violation. There is no private right of action. If the bill passes, a 30-day right-to-cure period in Oklahoma would be a great outcome.

Standard entity-level exemptions apply, shielding HIPAA-covered entities, GLBA financial institutions, non-profits, and governmental bodies from the law’s reach. A House floor amendment also added an exemption for personal data covered by the Controlled Substances Act. Notably absent from the final text are recognition of universal opt-out mechanisms (such as the Global Privacy Control) and enhanced children’s privacy protections—provisions that have appeared in more recently enacted state laws.

Effective Date and Path to Enactment

One significant House amendment pushed the effective date from July 1, 2026, to January 1, 2027, giving businesses additional runway to build compliance programs. The Oklahoma Senate previously passed the bill unanimously in March 2025, and a House committee advanced it in April of that year before the measure stalled at the session’s end. The Senate must now concur with the House amendments—a step West describes as a formality—before the bill reaches Governor Stitt’s desk. No veto is anticipated. So, it appears very likely another U.S. state is enacting a comprehensive data privacy law.

Compliance Implications

For businesses already operating under Virginia’s Consumer Data Protection Act, Texas’s Data Privacy and Security Act, or comparable state frameworks, SB 546 should not require a wholesale overhaul of existing privacy programs. Oklahoma’s requirements track closely with those laws on scope thresholds, data subject rights, and data protection assessment obligations. The absence of a universal opt-out mechanism requirement and the non-sunsetting cure period represent somewhat more business-friendly terms than some of the newer state enactments.

Organizations should nonetheless audit their Oklahoma consumer data inventories against the 100,000-consumer and 25,000-consumer/50%-revenue thresholds, review their privacy notices for SB 546 disclosures, and confirm that data subject request workflows are operable before January 1, 2027. The law’s “sale” definition is limited to monetary consideration, which may affect how data-sharing arrangements structured on a non-monetary basis are classified.

Broader Context

If signed by Governor Stitt, Oklahoma will become the 21st state to enact a comprehensive consumer privacy law, joining California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, and Florida. The passage underscores the continued momentum of the state-law patchwork in the absence of a federal omnibus privacy statute—a reality that continues to complicate compliance planning for interstate businesses.

West, who has shepherded Oklahoma privacy legislation since its 2019 inception, offered a measured assessment of the final product: “It’s a start and you take what you can get in this. When you’ve got this much skin in the game, it’s good to get something.”


