Oklahoma lawmakers have signed off on a sweeping new privacy measure, SB546, that gives residents far more say over what happens to their personal data. The bill lets Oklahomans ask companies for copies of the information stored about them, request that data be deleted, and opt out of both targeted advertising and the sale of their personal details. Supporters say the new rules are meant to drag data practices into the light, forcing clearer disclosures and setting deadlines for how quickly businesses must respond to people’s requests. The law is scheduled to take effect Jan. 1, 2027, and is aimed primarily at larger data holders.
State Rep. Josh West, who carried the bill in the House, did not bother with legalese. "The idea is not complicated. You should have a say in your private information," he said, according to KOCO. As KOCO reports, SB546 will require businesses to offer at least two secure ways for consumers to ask what information is being collected and to demand deletion. The outlet notes that the law also mandates a clear opt out for targeted advertising and for the sale of personal data, effectively putting Oklahoma in the growing club of states that have decided to police consumer data practices.
What SB546 actually requires
The text of the bill, as laid out by the Oklahoma Legislature, spells out a familiar but consequential set of consumer rights. Oklahomans would gain the ability to access the personal data companies hold on them, correct inaccuracies, request deletion, and obtain their information in a portable format. They can also opt out of targeted advertising and the sale of their personal data.
On the business side, covered companies must post clear privacy notices explaining what they collect and why, conduct data-protection assessments for certain high-risk processing, and avoid treating people differently simply because they choose to exercise their new rights. In other words, no punishing customers for asking too many questions about where their data is going.
How it fits into the national wave
Privacy watchers say SB546 looks a lot like the Virginia-style framework that has been spreading across statehouses in recent years as lawmakers try to thread the needle between consumer protection and business concerns. The International Association of Privacy Professionals has noted that Oklahoma’s proposal follows the now-standard playbook: opt outs for targeted ads and data sales, a requirement for data-protection assessments, and an enforcement model that runs through the state attorney general.
At the same time, observers point out that these state privacy laws live or die on the details. Thresholds for which companies are covered, carve-outs for certain industries or data types, and the precise enforcement tools all help determine whether a law has sharp teeth or more of a gentle nibble.
Critics say the bill does not go far enough
Consumer advocates are not exactly popping champagne. The Electronic Privacy Information Center reported that groups including Consumer Reports have criticized SB546 for leaving what they view as serious loopholes that tilt too far toward industry. Among the complaints: the bill offers only limited recognition of universal opt out mechanisms and omits a private right of action, which would let individuals sue companies directly over violations.
Those advocates argue the result is a law that may look strong on paper yet end up weaker than they had hoped when it comes time to hold data-hungry businesses accountable.
Who must comply - and how enforcement works
SB546 is not aimed at the neighborhood dry cleaner. The bill targets data controllers and processors that, in a single calendar year, either control or process the personal data of at least 100,000 consumers or control the personal data of at least 25,000 consumers while pulling more than 50 percent of their gross revenue from selling that data, according to the legislative text.
Enforcement authority sits entirely with the Oklahoma Attorney General. Before bringing a case, the AG must notify a business of an alleged violation and give it a 30-day window to fix the problem. If it does not, civil penalties can reach up to $7,500 per violation. Legal trackers report that the bill cleared the Legislature this session and moved toward the governor’s desk, with the timing of any formal signature expected to determine the final enactment schedule, as noted by Troutman Privacy.
What to watch next
All eyes now turn to two big questions: whether the governor signs SB546 and how the Attorney General’s office builds out complaint systems and compliance guidance ahead of the law’s Jan. 1, 2027 effective date. Legal observers expect the next year to be spent designing the tools and public outreach needed to make those new rights something regular Oklahomans can realistically use.
For businesses that cross the data thresholds, the message is to start doing the homework now: mapping what personal information they hold, where it lives, and how they will handle access, correction, and deletion requests. Outlets such as the National Law Review and state legislative trackers are following the rollout closely, with more implementation details and formal guidance expected in the coming months.
