State privacy momentum builds

Oklahoma’s SB 546 was signed by Governor Kevin Stitt on March 20, 2026 and will take effect January 1, 2027. (lexology.com) The Oklahoma House approved the bill 84–4 on February 19, 2026 after the Senate had earlier passed the measure, with Sen. Brent Howard and House Majority Leader Josh West listed as principal sponsors. (natlawreview.com) SB 546 applies to controllers/processors that process personal data for at least 100,000 consumers or for 25,000 consumers when over 50% of gross revenue derives from selling personal data. (lexology.com) The statute narrows “sale” to monetary consideration only, expressly treats biometric data to include photos/video/audio used to identify an individual, requires controllers to respond to consumer requests within 45 days, and omits recognition of third‑party opt‑out signals and an authorized‑agent framework. (lexology.com) California’s updated CCPA/CPRA regulations categorize cookies used for behavioral or cross‑context advertising as activities that may trigger a written “significant‑risk” privacy assessment, with the new regulatory regime effective January 1, 2026 and entities required to submit summaries of 2026–2027 assessments by April 1, 2028. (sheppard.com) At the federal level, Rep. Zoe Lofgren reintroduced the Online Privacy Act and competing House activity — including a Republican working group led by Reps. Brett Guthrie and John Joyce — has reignited a clash over whether a national bill will preempt state laws or preserve state authorities. (lofgren.house.gov) Oklahoma’s design largely tracks the Virginia‑style, multi‑state “consensus” framework that many businesses already implement, but the law vests exclusive enforcement with the state attorney general, preserves a 30‑day cure period, and contemplates civil penalties up to $7,500 per violation. (lexology.com)