Oklahoma’s New Comprehensive Privacy Law: What companies should know

On March 20, 2026, the Oklahoma governor signed Senate Bill 546 into law, creating a new comprehensive state data privacy framework.

• The law takes effect on January 1, 2027, and requires businesses to let consumers opt out of targeted advertising, data sales, and specific profiling
• Controllers must conduct data protection assessments before engaging in high-risk processing activities
• The Oklahoma Attorney General has exclusive enforcement authority and can levy fines of up to $7,500 per violation

Who does the Oklahoma Privacy Act apply to?

The law applies to entities conducting business in Oklahoma or producing products or services targeted to its residents.

To fall under the act, a business must either: 

• Control or process the personal data of at least 100,000 consumers during a calendar year, or 
• Control or process the data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data

What does the law mean for targeted advertising?

As in other US jurisdictions, the main compliance risk under the Oklahoma law centers on advertising.

Covered businesses must allow consumers to opt out of the processing of their personal data for targeted advertising or the sale of personal data.

As in other states like Virginia, Colorado, and Connecticut, businesses covered by the Oklahoma Privacy Act now require a compliant consent banner and appropriate vendor contracts before they can share personal data with advertising networks and other third parties.

Are data protection assessments required?

Yes. Like most of the 20 other states to enact a comprehensive privacy law, Oklahoma requires covered businesses to conduct a “data protection assessment” before undertaking certain data-processing activities.

These activities include: 

• Processing personal data for targeted advertising
• Selling personal data
• Processing sensitive data

These assessments must identify and weigh the direct or indirect benefits of the processing against the potential risks to consumer rights.

How will the law be enforced?

The Oklahoma Attorney General has exclusive enforcement authority. The law does not contain a private right of action.

Before the Attorney General brings an action against an allegedly non-compliant controller, they must provide a 30-day notice to cure the identified violation.

If the business fails to cure the issue or breaches its written statement that it will not repeat the violation, it faces civil penalties of up to $7,500 for each infraction.

How can businesses prepare?

With the law taking effect on January 1, 2027, companies need to understand exactly what personal data they collect and where it flows. Non-compliant advertising trackers represent a major blind spot.

• Establish robust digital tracking governance to track all personal data elements shared and all third parties receiving personal data
• Continuously audit websites and apps to ensure that user consent is actually honored and no sensitive data is shared
• Run data protection assessments for any processing of personal data for targeted advertising, selling of personal data, or processing of sensitive data

Prevent all website and app privacy violations by continuously scanning your websites and mobile apps with Web Auditor and App Auditor. Privado AI offers the most comprehensive solution to verify in real-time that your websites, apps, and CMP are compliant with all applicable privacy requirements for each location, including your privacy policies.