Oklahoma Enacts Nation’s Twentieth State Comprehensive Privacy Law

On March 16, the Oklahoma legislature passed SB 546, with Oklahoma Governor Kevin Stitt signing the bill into law on March 20. SB 546 is the twentieth state comprehensive privacy law to be enacted and will take effect on January 1, 2027. Notably, the Oklahoma law comes after a long hiatus for state comprehensive privacy laws, with last year marking the first year since 2020 in which no new state comprehensive privacy law was enacted.

SB 546 generally adheres to the standard model exemplified by most non-California state comprehensive privacy laws but is on the more “business-friendly” side of the spectrum. The law includes entity-wide exemptions for entities covered by the Gramm-Leach-Bliley Act (GLBA), as well as both covered entities and business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA). It also includes exemptions for personal data processed in a “commercial” or “employment” context. Additionally, unlike many other comprehensive privacy laws, Oklahoma’s law does not require entities to treat opt-out preference signals as valid requests to opt out. Because of these provisions and others, companies that have taken steps to comply with the requirements in other states can likely readily adapt their compliance programs for Oklahoma.

In this post, we summarize notable provisions of SB 546 and highlight key takeaways for companies looking to understand how this law will affect their privacy compliance obligations. To stay up to date on the latest state privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

KEY TAKEAWAYS

  • Adheres to Standard State Comprehensive Privacy Law: Oklahoma’s state comprehensive privacy law generally aligns with most non-California state comprehensive privacy laws and is unlikely to create any new privacy compliance obligations for companies that have taken steps to comply with most of the other comprehensive privacy laws already in effect.
  • Broad Exemptions: SB 546 exempts HIPAA covered entities, business associates, and protected health information from its scope, as well as financial institutions subject to the GLBA. This is broader than the “information-level” exemption that exists under certain state laws (such as California). Additionally, SB 546 exempts commercial and employment information from its scope, which is consistent with most of the other comprehensive privacy laws (outside of California).
  • Narrowly Defines Sale: While SB 546 largely tracks the model used by most non-California state comprehensive privacy laws, the law narrowly defines “sale of personal data” to only include “the exchange of personal data for monetary consideration by the controller to a third party.” This is a departure from other state comprehensive privacy laws that define “sale of personal data” to include the exchange of personal data for “other valuable consideration.”
  • Does Not Require Companies to Recognize Opt-Out Preference Signals: Unlike many recent state comprehensive privacy laws, SB 546 does not require companies to recognize opt-out preference signals. This may make it easier for companies to comply with data subject requests in relation to Oklahoma residents.

KEY PROVISIONS

  • Key Definitions:
    • Consumer: SB 546 excludes individuals “acting in a commercial or employment context” from its definition of “consumer.”
    • Sale of personal data: SB 546 defines the “sale of personal data” as “the exchange of personal data for monetary consideration by the controller to a third party.”
    • Sensitive data: SB 546 defines “sensitive data” to include (a) “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;” (b) “genetic or biometric data that is processed for the purpose of uniquely identifying an individual;” (c) “personal data collected from a known child;” and (d) “precise geolocation data.”
  • Applicability Thresholds: SB 546 generally applies to entities that conduct business in Oklahoma or target products or services to Oklahoma residents and satisfied at least one of the following two thresholds in the previous calendar year: (1) controlled or processed personal information of at least 25,000 consumers and derived more than 50% of gross revenue from sale of personal information; or (2) controlled or processed personal information of at least 100,000 consumers.
  • Exemptions: SB 546 exempts various entities and information types, including: state entities and state political subdivisions; nonprofit organizations; institutions of higher education; financial institutions and data subject to the GLBA; HIPAA covered entities, business associates, protected health information, and other information subject to HIPAA; other types of health and medical research-related information; information governed by FCRA, the Driver’s Privacy Protection Act, FERPA, and the Farm Credit Act; and certain employment-related information.
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Privacy Notices: SB 546 requires controllers to provide consumers with a privacy notice that includes: categories of personal data processed by the controller; purposes for such processing; description of how a consumer may exercise their data rights; categories of personal data that the controller shares with a third party; and categories of third parties with which personal data is shared.
    • SB 546 also requires controllers that sell personal data or process personal data for targeted advertising purposes to “clearly and conspicuously disclose” the “process and the manner in which a consumer may exercise the right to opt out of such process.”
  • Opt-In for Sensitive Data Processing: SB 546 prohibits controllers from processing sensitive data without obtaining consumers’ consent.
  • Consumer Data Rights: SB 546 creates a fairly standard set of data rights for consumers, including: (1) the right to confirm whether a controller is processing their personal data and to access said data; (2) the right to correct inaccurate personal data; (3) the right to delete personal data; (4) the right to data portability; and (5) the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.”
    • However, SB 546 does not provide consumers with the right to revoke consent.
  • Data Protection Assessments: SB 546 requires that controllers conduct data protection assessments for high-risk data processing activities, including the processing of personal data for purposes of targeted advertising, the sale of personal data, specified types of profiling, as well as the processing of sensitive data.
  • Data Processing Agreements for Processors: SB 546 imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Enforcement and Violations:
    • No private right of action: SB 546 does not create a private right of action; rather, it grants the Oklahoma Attorney General (AG) sole enforcement authority.
    • Cure period: SB 546 requires that the Oklahoma AG provide entities with a 30-day cure period before initiating an enforcement action.
    • Civil penalties: SB 546 creates civil penalties of up to $7,500 per violation.
  • Effective Date: SB 546 will take effect on January 1, 2027.
