
Oklahoma has joined the growing chorus of states enacting comprehensive consumer privacy legislation. With the passage of Senate Bill 546, the Sooner State has a new data protection framework taking effect on January 1, 2027.
Here is what businesses need to know.
Who is Regulated?
The law applies to controllers and processors that conduct business in Oklahoma or target products or services to Oklahoma residents and that, during a calendar year, either process personal data of at least 100,000 consumers, or process personal data of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal data. These thresholds are by now familiar landmarks of the state privacy law model.
The law carves out state agencies, financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA-covered entities and business associates, nonprofits, and institutions of higher education. Data-type exemptions also apply to protected health information and to information regulated by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, and the Family Educational Rights and Privacy Act, among others.
Oklahoma Consumer Rights
A consumer is entitled to exercise consumer rights at any time by submitting a request to a controller specifying the rights the consumer wishes to exercise. Those rights are familiar to anyone who has been tracking state privacy legislation. Consumers may request confirmation of whether a controller is processing their personal data and access to that data. They may request correction of inaccuracies in their personal data, considering the nature of the data and the purposes of processing. They may request deletion of personal data provided by or obtained about them. If data is available in a digital format, consumers may obtain a portable copy of personal data they previously provided to the controller. Consumers may also opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce a legal or similarly significant effect.
How Must Controllers Respond to Consumer Requests?
A controller must respond to a consumer request no later than 45 days after receipt, with the option to extend that period by an additional 45 days when reasonably necessary given the complexity and number of the consumer’s requests, provided the controller informs the consumer within the initial 45-day window. Information must be provided free of charge, up to twice annually per consumer. If a request is manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable administrative fee or decline to act, but the controller bears the burden of demonstrating those conditions are met.
Controllers must also establish a process for consumers to appeal a refusal to act, and that appeal process must be conspicuously available and similar in accessibility to the process for submitting the original request. The controller must respond to the appeal in writing within 60 days, including a written explanation, and if the appeal is denied, must direct the consumer to the Attorney General’s online complaint mechanism.
Controller and Processor Duties
Controllers must limit data collection to what is adequate and reasonably necessary for disclosed purposes, maintain reasonable data security practices, and refrain from processing data for incompatible purposes without consent. They may not discriminate against consumers who exercise their rights. Privacy notices must be clear and accessible and must disclose the categories of data processed, the purposes of processing, third-party data sharing, and available opt-out mechanisms.
Sensitive data, which includes information revealing racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, immigration status, genetic or biometric data, precise geolocation, and data collected from known children, requires affirmative consumer consent before processing.
Processors must follow controller instructions under a written contract that addresses the nature and duration of processing, confidentiality obligations, and data return or deletion upon the conclusion of services.
Data Protection Assessments
Controllers must conduct and document data protection assessments for certain processing activities. These include processing personal data for targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk of harm, and the processing of sensitive data. Controllers must make those assessments available to the Attorney General upon written request. The assessments are confidential and exempt from the Oklahoma Open Records Act, and disclosure to the Attorney General does not constitute a waiver of attorney-client privilege or work product protection. The assessment requirement applies only to processing activities that commence on or after the effective date and is not retroactive.
Enforcement
The Attorney General holds exclusive enforcement authority. There is no private right of action. Before filing suit, the Attorney General must provide 30 days’ written notice of the alleged violation. A controller or processor that cures the violation within that window and submits a written commitment to compliance may avoid an action altogether. Unresolved violations carry civil penalties of up to $7,500 per violation, plus attorney fees and costs.
What Now?
Oklahoma’s new consumer data protection law takes effect on January 1, 2027. That may feel like there is time to spare, but businesses that fall within the law’s scope would be well-served to begin their data governance work now. Mapping data flows, auditing sensitive data practices, updating privacy notices, building out consumer rights request mechanisms, revising processor agreements, and conducting data protection assessments all take time. The Sooner State’s name may invite a certain sense of urgency, and when it comes to privacy, being a “sooner” rather than a “later” is genuinely good advice.
To keep up with the latest in this area, please sign up to receive these posts via email, and you can follow Taft Privacy, Security, and Artificial Intelligence on LinkedIn for even more. Should you need counsel in any of these areas, Taft’s attorneys are ready to assist.