Oklahoma privacy bill heads to governor’s desk for signature

Oklahoma is on the verge of joining the growing list of states with a comprehensive consumer data privacy law after the legislature this week sent Senate Bill 546 to Gov. Kevin Stitt for his signature.
The measure, authored by Sen. Brent Howard and carried in the House by Rep. Josh West, cleared the Senate in 2025, passed the House on a floor substitute by an 84 to 4 vote on February 19, and then won final Senate approval of the House amendments by a 38 to 7 vote on Monday.
If Stitt signs the bill, Oklahoma would establish a broad statewide framework governing how large businesses collect, use and sell residents’ personal data.
The bill applies to companies that do business in Oklahoma or target products or services to Oklahoma residents and that either control or process the personal data of at least 100,000 consumers in a calendar year, or control or process the data of at least 25,000 consumers while deriving more than 50 percent of gross revenue from the sale of personal data.
The version that cleared the legislature sets an effective date of July 1.
The proposal follows the now-familiar model used in a growing number of state privacy laws. It gives consumers the right to confirm whether a company is processing their personal data, access that data, correct inaccuracies, delete data provided by or obtained about them, and obtain a portable copy of certain personal data.
It also gives consumers the right to opt out of targeted advertising, the sale of personal data, and certain profiling decisions that produce legal or similarly significant effects.
Companies must respond to consumer requests within 45 days, with a possible 45-day extension when reasonably necessary.
The bill is especially relevant to biometric and other sensitive categories of data because it requires consent before a company may process sensitive data. Its definitions expressly include biometric data generated from measurements of biological characteristics used to identify a specific individual, while excluding ordinary photographs and recordings unless they are used to identify someone.
The bill also covers precise geolocation within its broader sensitive-data framework, and it requires companies processing the sensitive data of a known child to do so in accordance with the federal Children’s Online Privacy Protection Act.
Like many business-backed state privacy bills, SB 546 pairs consumer rights with significant limits on enforcement. The Oklahoma attorney general would have exclusive authority to enforce the law.
Before filing suit, the attorney general would have to give a controller or processor written notice at least 30 days in advance, and the target could avoid an action by curing the violation and providing a written statement that it has fixed the problem and will not repeat it.
If a violation is not resolved, the bill authorizes civil penalties of up to $7,500 per violation and allows courts to award attorney fees and investigative expenses. At the same time, the bill expressly states that it does not create a private right of action.
The bill also contains a wide set of exemptions that narrow its reach. It would not apply to state agencies or political subdivisions, nonprofits, institutions of higher education, HIPAA-regulated health data and entities, or certain financial institutions and data already regulated under federal law.
It also excludes purely personal or household activity. Those carveouts are one reason the legislation has generated sharply different reactions from privacy advocates and business groups.
Supporters argue that the measure would finally give Oklahoma consumers a baseline set of privacy rights while providing businesses with a predictable statewide rulebook.
The U.S. Chamber of Commerce said earlier this month that SB 546 is aligned with the “consensus privacy approach” already adopted in numerous other states.
The Software & Information Industry Association urged Stitt to sign the bill, saying the bill would protect consumer rights, support innovation, and avoid fragmented litigation through centralized enforcement by the attorney general.
Opponents, however, argue that the bill does too little and locks in a weak model.
Consumer Reports urged Stitt to veto the measure, describing it as a weak comprehensive privacy bill and objecting in part to provisions that, in its view, allow companies to offer different prices, rates, levels, quality or selection of goods and services after a consumer exercises opt-out rights.
That criticism is tied to language in the bill stating that its anti-discrimination provision should not be read to prohibit different pricing or offerings in some circumstances, including loyalty and rewards programs.
“Oklahoma is poised to enact a weak comprehensive privacy bill unless the governor takes action,” said Matt Schwartz, policy analyst at Consumer Reports. “This legislation ignores many of the improvements made by recent privacy laws and instead opts for an outdated model matching that of some of the weakest laws in the nation.”
The advocacy group said “the bill includes definitions rife with loopholes, creates broad carveouts, and lacks universal opt-out controls. It should also include enforcement mechanisms that will incentivize companies to comply the first time around.”
These disputes reflect the broader national fight over what state privacy laws are supposed to accomplish. In one camp are business groups and many state lawmakers who favor broad consumer rights on paper, but want exclusive attorney general enforcement, generous cure provisions and no private lawsuits.
In the other camp are consumer advocates who argue that those features make such laws harder to enforce in practice and leave residents with rights that depend heavily on the political will and resources of a single state official.
Oklahoma’s bill lands squarely in the first category, even as it adopts the core architecture of a modern state privacy statute.
What remains is the governor’s decision on whether Oklahoma will become the next state to enact a comprehensive privacy law, and whether that law will be seen as a meaningful consumer protection measure or another industry-friendly framework with limited practical bite.