Oklahoma Joins State Privacy Wave

Governor Kevin Stitt signed Senate Bill 546 into law on March 20, 2026. (jdsupra.com) The statute takes effect January 1, 2027, and gives exclusive enforcement authority to the Oklahoma Attorney General with a mandatory 30‑day notice-to-cure before enforcement and civil penalties up to $7,500 per violation. (okbusinessvoice.com) SB 546 applies to controllers and processors that do business in Oklahoma or target Oklahoma residents and that annually either process personal data of at least 100,000 consumers or process data of at least 25,000 consumers while deriving more than 50% of gross revenue from selling personal data. (fpf.org) Consumers gain rights to access, correct, delete, receive a portable copy of personal data, and opt out of targeted advertising, the sale of personal data, and certain automated profiling, and controllers must respond to verified requests within 45 days while offering at least two submission methods. (okbusinessvoice.com) The law’s definition of “biometric data” explicitly includes data generated from photographs, videos, or audio recordings when used to identify a specific individual, aligning Oklahoma with Minnesota’s approach rather than other state models that exclude photo/video‑derived identifiers. (technologylaw.fkks.com) Controllers must perform documented data protection assessments for targeted advertising, sales of personal data, certain high‑risk profiling, and sensitive-data processing, and those assessments must be produced to the Attorney General on request and are confidential under the Open Records Act; processors are required to follow controller instructions and sign contracts containing statutory terms. (fpf.org)