On March 20, 2026, Governor Stitt signed into law Senate Bill 546, making Oklahoma the 20th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island. The Act will go into effect January 1, 2027.

Applicability

The Act applies to a controller or processor who:

  1. Conducts business in Oklahoma or produces a product or service targeted to the residents of Oklahoma; and
  2. During a calendar year, either:
    1. Controls or processes personal data of at least 100,000 consumers, or
    2. Controls or processes personal data of at least 25,000 consumers and derives fifty percent of gross revenue from the sale of personal data.

Exemptions

Exemptions include, in part:

  1. A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act;
  2. A covered entity or business associate governed by the privacy, security, and breach notification rules established under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
  3. Protected health information under HIPAA;
  4. A nonprofit organization;
  5. An institution of higher education;
  6. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act;
  7. Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party.

Consumer Rights

Consumers have the right to:

  1. Confirm whether a controller is processing their personal data and to access the personal data;
  2. Correct inaccuracies in the consumer’s personal data;
  3. Delete personal data provided by or obtained about the consumer;
  4. If the data is available in a digital format, obtain a copy of the personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format;
  5. Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Sensitive Data

A controller may not process the sensitive data of a consumer without obtaining the consumer’s consent or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act.

“Sensitive data” includes:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
  2. Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  3. Personal data collected from a known child; or
  4. Precise geolocation data.

Contract Requirements

A contract between a controller and a processor must govern the processor’s data processing procedures and include:

  1. Clear instructions for processing data;
  2. The nature and purpose of processing;
  3. The type of data subject to processing;
  4. The duration of processing;
  5. The rights and obligations of both parties; and
  6. A requirement that the processor:
    1. Ensure that each person processing personal data is subject to a duty of confidentiality;
    2. Delete or return all personal data to the controller if requested;
    3. Make available to the controller all information in the processor’s possession necessary to demonstrate compliance;
    4. Allow and cooperate with reasonable assessments;
    5. Require subcontractors to meet the same requirements pursuant to a written agreement.

Data Protection Assessments

A controller must conduct and document a data protection assessment for each of the following processing activities involving personal data:

  1. The processing of personal data for purposes of targeted advertising;
  2. The sale of personal data;
  3. The processing of personal data for purposes of certain profiling;
  4. The processing of sensitive data; and
  5. Any processing activities involving personal data that present a heightened risk of harm to consumers.

Enforcement

The Attorney General has exclusive authority to enforce the Act and may seek a civil penalty not to exceed $7,500 per violation. The Act provides a 30-day cure provision.

This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.