TL;DR: On February 19, 2026, the Oklahoma House passed SB-546 by a vote of 84-4. The bill grants Oklahomans the right to access, correct, and delete their personal data, plus opt out of targeted advertising and data sales. The Senate already passed it unanimously in 2025 but needs to approve House amendments before it goes to Governor Kevin Stitt. If signed, Oklahoma becomes the 21st state with a comprehensive privacy law. The bill takes effect January 1, 2027.

Seven Years to Get Here

House Majority Leader Josh West (R) first introduced privacy legislation in 2019. Back then, only California had a comprehensive privacy law. His early bills were modeled after California's CCPA. They went nowhere.

"But now, six years later, there are 20 other states [that] have passed comprehensive and enforceable data privacy legislation," West told Privacy Daily [1]. Oklahoma was starting to look like it couldn't figure out what everyone else already had.

The breakthrough came when West and Senate author Brent Howard (R) switched from California's approach to Virginia's framework. Less controversial. More business-friendly. Easier to pass. The formula worked. The Senate passed it unanimously in 2025 [2].

What the Law Actually Does

SB-546 covers businesses that either process the personal data of at least 100,000 Oklahomans, or process data for 25,000+ people while making more than half their revenue from selling that data [3].

If you're an Oklahoma resident, you get these rights:

  • Access: Companies must tell you what data they have on you
  • Correction: You can fix inaccurate information
  • Deletion: You can demand they wipe your data
  • Portability: You can get a copy of your data in a usable format
  • Opt-out: You can stop targeted advertising, data sales, and certain profiling, though a loophole still lets the government buy what brokers collect

Companies have 45 days to respond to your request. They have to post a clear privacy notice explaining what they collect and why [3].

Enforcement: No Private Lawsuits

Here's where it gets weaker than you'd want. You can't sue companies yourself if they violate your rights. Only the state Attorney General can bring enforcement actions [2].

And companies get a 30-day "cure period": if you catch them violating the law, they get a month to fix it before facing penalties. That cure period doesn't sunset. Ever [2]. Compare that to California, where the cure period ended in 2023.

The maximum penalty is $7,500 per violation [3]. Sounds significant until you realize that's per-violation, and companies that can afford to track hundreds of thousands of Oklahomans can also afford to settle.

The Exemptions

Standard carve-outs apply. Data already regulated by HIPAA, FERPA, GLBA, and the Fair Credit Reporting Act is exempt [3]. The House added an exemption for data covered by the Controlled Substances Act [1].

Non-profits and government entities aren't covered. Neither are employee or B2B data. This follows the Virginia template that most states have adopted: consumer-focused, not comprehensive.

What Happens Next

The Senate has to vote again to approve the House amendments, including the push to January 1, 2027 and the controlled substances exemption. West expects that to happen without drama [1]. Then it's on Governor Stitt's desk.

Nobody's predicting a veto. Stitt is Republican. The bill passed with overwhelming bipartisan support. The business community didn't fight it. It's about as politically safe as privacy legislation gets.

Where Oklahoma Fits

Oklahoma would join 20 other states with comprehensive privacy laws: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, and Florida [4].

Most of these laws follow the same Virginia-style template. Consumer rights without private enforcement. AG-only lawsuits. Cure periods that let companies fix problems before facing penalties. It's better than nothing. It's not as strong as it could be.

For Oklahomans, starting January 2027, you'll at least have the legal right to ask what data companies have collected on you, and tell them to delete it. Whether the AG will actually enforce violations is another question.

Sources

  1. Privacy Daily: Oklahoma Privacy Bill Nears Finish Line After Several Years of Stumbles (February 19, 2026)
  2. IAPP: A Long, Winding Road: Oklahoma Closes In on Comprehensive Privacy Law (February 2026)
  3. LegiScan: Oklahoma SB546 2026 Session
  4. IAPP: US State Privacy Legislation Tracker