Oklahoma passes new data privacy law targeting big tech, data brokers

March 29, 2026 6:02 am

Oklahoma just enacted a comprehensive consumer data privacy law (SB 546) that primarily hits larger data holders, including big tech platforms and data brokers, and will take effect January 1, 2027.

Scope and who is covered

  • Applies to entities doing business in Oklahoma or targeting Oklahoma residents that process personal data of at least 100,000 consumers, or that process data of 25,000 consumers and derive over half of their revenue from selling personal data (the classic data broker profile).

  • Exempts state agencies, nonprofits and certain data already regulated under federal laws like HIPAA.

Consumer rights

Oklahoma residents gain rights to:

  • Access their personal data held by covered businesses.

  • Correct inaccuracies in that data.

  • Delete personal data.

  • Obtain a portable copy of their data.

  • Opt out of targeted advertising, sale of personal data to third parties, and certain automated profiling.

Companies must respond to rights requests within 45 days, and must do so at no cost to the consumer at least twice per year.

Duties on big tech and data brokers

Covered “controllers” must:

  • Publish detailed privacy notices describing categories of data, purposes, sharing, and how to exercise rights; they must clearly disclose if they sell data or use it for targeted advertising and how to opt out.

  • Follow data minimization and implement “reasonable” security measures.

  • Obtain consent before processing sensitive data (e.g., certain health, precise location, or other designated categories).

  • Conduct data protection assessments for higher-risk processing such as targeted ads, sale of personal data, sensitive data, and certain profiling.

  • Use contracts with processors that set out instructions and confidentiality obligations.

Enforcement and remedies

  • Enforced exclusively by the Oklahoma Attorney General; there is no private right of action, unlike California’s law for certain data breaches.

  • Includes a mandatory 30‑day cure period before enforcement actions if violations can be fixed.

  • Civil penalties can reach about $7,500 per violation if not cured.

How it compares to other state laws

  • Oklahoma becomes roughly the 20th–21st state with a comprehensive consumer privacy law, following the Virginia/Tennessee-style “business‑friendly” model.

  • It does not require honoring universal browser‑based opt-out preference signals, which several newer state laws do, easing technical compliance for covered firms.

  • Compared to California, Oklahoma relies solely on AG enforcement and lacks a central opt-out mechanism; consumers must identify and contact specific companies to stop sale/targeted advertising.

© Copyright 2026 Credit and Collection News