Oklahoma SB 546 • Oklahoma 2026 Regular Session • Senate • WALLET

Data privacy; establishing consumer rights; appeal process; privacy notice; data protection assessments; penalties; liability. Effective date.

Sponsored By: Brent Howard (Republican)

Signed by Governor

Senate Committee

Bill Overview

Analyzed Economic Effects

7 provisions identified: 2 benefits, 0 costs, 5 mixed.

Who this privacy law covers

Beginning January 1, 2027, this law covers companies that do business in Oklahoma or target residents and handle data of 100,000+ people a year, or 25,000+ people and get over 50% of revenue from selling data. It does not cover state agencies, HIPAA health providers, GLBA-regulated banks, nonprofits, colleges, purely personal use, and certain health and research data. Companies may process data to obey the law, work with police or courts, protect life and safety, prevent fraud or security incidents, or do approved research, and may do internal product research, recalls, and error fixes. Any claimed exemption must be necessary, limited to the listed purpose, and proven by the company.

Clear privacy notices and opt-outs

Beginning January 1, 2027, companies must give a clear, easy-to-find privacy notice. It must list data types (including sensitive data), purposes, how to use your rights and appeals, and who data is shared with. If they sell data or use it for targeted ads, they must say so and tell you how to opt out.

Companies must limit and secure data

Beginning January 1, 2027, companies must collect only data that is needed and keep it safe with reasonable security. They cannot use your data for incompatible purposes without your consent, must get consent for sensitive data, and cannot punish you for using your rights. Companies that process data for others must follow written instructions, help with security and requests, and bind subcontractors by contract. Before high-risk uses like targeted ads, data sales, sensitive data, or risky profiling, controllers must complete written data-protection assessments and share them with the Attorney General on request. Processors may use an independent assessor instead of a direct audit.

Your new data rights and appeals

Beginning January 1, 2027, you have new data rights. You can access, fix, delete, or get a copy of your data, and opt out of targeted ads, sale, and certain profiling. Parents or guardians can act for a known child; COPPA consent counts. Companies must offer at least two secure ways (or email for online-only), verify your request, and answer in 45 days (one 45-day extension allowed). If denied, they must explain why, tell you how to appeal, decide appeals within 60 days, and share the Attorney General’s complaint link if they still refuse. The first two requests each year are free; after that, a reasonable fee or refusal is allowed only for unfounded, excessive, or repetitive requests. If your data came from another source, a company can comply by keeping only a record of your request or by stopping non-exempt processing. Contracts cannot make you waive these rights.

Attorney General enforcement and fines

Beginning January 1, 2027, the Attorney General alone enforces this law, posts guidance on rights and duties, and offers an online complaint form. The Attorney General must give 30 days’ notice before suing; if the company cures and assures no repeat, no suit is filed. After the cure window or a broken cure promise, courts may impose fines up to $7,500 per violation, plus injunctions and attorney fees. When companies share data, a discloser is not liable for a recipient’s violation if it lacked actual knowledge of the recipient’s intent at the time.

Different prices after data opt-outs

Beginning January 1, 2027, companies may offer a different price, rate, level, or quality if you opt out or join a voluntary loyalty or rewards program. A company does not have to provide a product or service that needs data it does not collect.

Rules for de-identified and masked data

Beginning January 1, 2027, companies that hold de-identified data must keep it unlinkable, promise not to reidentify it, and bind anyone they share it with to the same rules. They must watch recipients for compliance and act on breaches. Companies do not have to reidentify de-identified or pseudonymous data just to answer a request, and some rights do not apply to pseudonymous data when IDs are kept separate with strong controls.

Sponsors & Cosponsors

Sponsor

  • Brent Howard

    Republican • Senate

Cosponsors

  • Alonso-Sandoval

    Affiliation unavailable

  • Nick Archer

    Republican • House

  • Josh West

    Republican • House

  • Daniel Pae

    Republican • House

  • Melissa Provenzano

    Democratic • House

  • John Waldron

    Democratic • House

Roll Call Votes

Yes: 107 • No: 13

Senate vote 3/16/2026

Yes: 0 • No: 7

House vote 2/19/2026

Yes: 84 • No: 4

House vote 4/24/2025

DO PASS

Yes: 15 • No: 2

House vote 4/9/2025

DO PASS

Yes: 8 • No: 0

Senate vote 3/26/2025

THIRD READING

Yes: 0 • No: 0

Senate vote 2/13/2025

Yes: 0 • No: 0

Actions Timeline

  1. Approved by Governor 03/20/2026

    3/20/2026 • Senate

  2. Sent to Governor

    3/17/2026 • Senate

  3. Signed, returned to Senate

    3/17/2026 • House

  4. Enrolled, to House

    3/17/2026 • Senate

  5. Referred for enrollment

    3/16/2026 • Senate

  6. Measure passed: Ayes: 38 Nays: 7

    3/16/2026 • Senate

  7. HAs adopted

    3/16/2026 • Senate

  8. Coauthored by Representative Alonso-Sandoval

    2/23/2026 • Senate

  9. HAs read

    2/23/2026 • Senate

  10. Engrossed, signed, to Senate

    2/23/2026 • House

  11. Referred for engrossment

    2/19/2026 • House

  12. Third Reading, Measure passed: Ayes: 84 Nays: 4

    2/19/2026 • House

  13. Title restored

    2/19/2026 • House

  14. Amended by floor substitute

    2/19/2026 • House

  15. Coauthored by Representative(s) Archer, Pae, Provenzano, Waldron

    2/19/2026 • House

  16. General Order

    2/19/2026 • House

  17. CR; Do Pass Commerce and Economic Development Oversight Committee

    4/24/2025 • House

  18. Policy recommendation to the Commerce and Economic Development Oversight committee; Do Pass Government Modernization and Technology

    4/9/2025 • House

  19. Referred to Government Modernization and Technology

    4/1/2025 • House

  20. Second Reading referred to Commerce and Economic Development Oversight

    4/1/2025 • House

  21. First Reading

    3/27/2025 • House

  22. Engrossed to House

    3/27/2025 • Senate

  23. Referred for engrossment

    3/26/2025 • Senate

  24. Measure passed: Ayes: 46 Nays: 0

    3/26/2025 • Senate

  25. Title stricken

    3/26/2025 • Senate

Bill Text

  • Enrolled (final version)

    3/17/2026

  • Amended And Engrossed

    2/23/2026

  • Floor (House)

    4/24/2025

  • House Committee Report

    4/24/2025

  • House Policy Committee Report

    4/9/2025

  • Engrossed

    3/27/2025

  • Floor (Senate)

    2/17/2025

  • Senate Committee Report

    2/13/2025

  • Introduced

    1/13/2025
