They Read the Fine Print Back to the People Who Wrote It. SB 546 Is Law.

Data SecurityPrivacyTech
Written By OCPA Staff

A bill that survives the Oklahoma Legislature intact is a rumor. A bill that survives with its spine still in place is a small miracle, and this month we got one. Senate Bill 546 — the consumer data privacy measure OCPA championed when it was nothing but a freshly filed long shot — has cleared both chambers and been signed by the Governor. The House passed it on the 19th of February. The Senate concurred in the House amendments on the 16th of March, 38 to 7. The Governor signed it on March 20th. It takes effect January 1, 2027.

It started life with a single name on it, Sen. Howard's. It crossed the finish line carrying a bipartisan crew of House coauthors. That is what coalition-building looks like, and it does not happen by accident.

OCPA called SB 546 the clearest consumer protection bill of the session when it was filed. We stand by that assessment today. So let's do the thing advocacy organizations too rarely do in public: let's open the hood and look at what the negotiation actually changed. Because something always gets traded between "as introduced" and "as enrolled," and the consumer deserves to know whether the trade was a haircut or a beheading.

What they took

Somewhere between January 2025 and this spring, the lobbyists made their case, and the bill came out the other side with five fingerprints on it.

The effective date slid a full year, from January 1, 2026 to January 1, 2027. OCPA can be honest about this one: the original date was already past by the time the bill cleared the House, and a compliance runway long enough for a business to actually rebuild its data plumbing is not unreasonable. We'll allow it.

The definition of "biometric data" got tightened — the expansive "includes, but is not limited to" became a more clipped "such as." A narrowing, yes, but a modest one. The core protections for fingerprints, voiceprints, and iris scans remain.

A new carve-out appeared for data tied to the Controlled Substances Act's listed-chemicals reporting. Somebody had a specific worry; somebody got their specific exemption. The legislative tradition continues.

The obligations that travel with de-identified data were trimmed. Where the introduced bill made anyone receiving stripped-down data agree to follow "the provisions of this act," the final version binds them only to "the requirements of this subsection." That's a real narrowing of the downstream leash, and it's the change we'd have fought hardest in that room.

And the language was cleaned up — the tangled "service provider" definitions got untied, COPPA was defined to automatically track future federal rules, and an overbroad clause in Section 320 got scoped to mean what the drafters plainly intended all along. Housekeeping, mostly, and on balance the kind that makes a law harder for a clever defendant to wriggle out of.

That's the bill of sale. Notice what's not on it.

What they couldn't take

The architecture held. Every load-bearing wall is still standing.

Oklahomans still get the five rights — to see their data, fix it, delete it, take a portable copy, and opt out of targeted advertising, the sale of their data, and the profiling that decides whether they get the loan, the lease, the job, the insurance, or the groceries. Sensitive data still requires consent first — opt-in, not opt-out — for health information, religious beliefs, racial and ethnic origin, sexual orientation, citizenship status, biometrics, children's data, and precise location. The dark-patterns ban survived, so manufactured "consent" still counts for nothing. The anti-waiver clause survived, meaning no company can slip a "you give up your privacy rights" clause into the terms of service and have it stick. The data protection assessments survived. And the $7,500-per-violation penalty, enforced by the Attorney General, survived without a scratch.

That is not a gutted bill. That is a bill that took its lumps at the margins and kept its heart. In this building, that's a win you take and you don't apologize for it.

What this means for OCPA's mission

OCPA exists to safeguard consumers from unsafe and unfair business practices and to be a voice for the rights of information, choice, and safety. SB 546 is now the single most significant advancement of those principles in Oklahoma statute.

The right of information — you can now confirm what data a company holds about you and access it. The right of choice — you can opt out of targeted advertising and the sale of your data, and sensitive data requires your affirmative consent before it's collected at all. The right of safety — controllers must maintain reasonable data security practices and conduct documented data protection assessments before engaging in the processing activities most likely to harm consumers.

These aren't aspirational talking points anymore. As of January 1, 2027, they're enforceable law.

What's still on our desk for next session

OCPA would be a poor advocate if we let the confetti obscure the work that's left, so here it is — the same list we flagged the day this bill was filed, because the negotiation didn't touch any of it.

There is still no private right of action. If a company tramples a consumer's rights, that consumer still can't take them to court — they're depending on the AG's office, and an overworked AG is a thin reed for four million people to lean on. The right to cure is still permanent, with no sunset, which means a violator's first move can be "wait and see if anyone notices." The coverage thresholds are still high enough that plenty of mid-sized data handlers never come under the law at all. And the entity-level exemptions are still broad — which, we'll note with a rueful smile, means OCPA itself, as a 501(c)(4) nonprofit, is exempt from a privacy law we just spent a year cheering for. The wrong businesses can still escape on a technicality rather than on the merits of their actual data practices.

Those are the fights for the 2027 session. Today is not the day for them.

What today is the day for

For the first time, an ordinary Oklahoman — not a Californian, not a Virginian, an Oklahoman — has the enforceable right to know who's holding their life in a database and to tell them to knock it off. Oklahoma courted the data centers. Oklahoma rolled out the welcome mat for the server farms and the AI boom. And now Oklahoma has written down the house rules.

It's a good law. It got better at the things that needed cleaning and held the line on the things that mattered. OCPA thanks Sen. Howard, Rep. West, and the bipartisan coalition that carried this across the finish line — and we'll be back next session for the parts we couldn't win this round.

OCPA Staff
Previous

Good Rules Make Good Neighbors: Why Oklahoma's Data Center Bill Is a Conversation Worth Having
Next

The Most Expensive Word in HB 3041 Is "Greater"