Somebody's Been Reading Your Mail. SB 546 Hands You Back the Key.
There is a species of swindle that never announces itself. No masked man, no idling getaway car, no ransom note in letters clipped from a magazine. It happens in the half-second between your thumb landing on "I Agree" and the next thing blinking onto your screen — and by the time your coffee's gone cold, a few hundred strangers you will never meet know where you slept last night, what you searched at two in the morning, and roughly how your week is going.
Oklahoma consumers have been, to use the technical term, bamboozled. Politely, at industrial scale, and behind a privacy policy long enough to wallpaper a barn.
Senate Bill 546, filed this session by Sen. Howard, is the rare bill that treats that quiet larceny as larceny — and then does something refreshingly old-fashioned about it. It gives consumers the key back. OCPA believes this is the clearest consumer protection measure of the session, and we are urging its passage.
What the bill actually puts in a consumer's hand
Strip away the forty-one pages of definitions and cross-references, and SB 546 says that if a covered company is holding data about you, you may:
confirm they've got it, and see what they've got;
correct it when they've got it wrong;
delete it;
take a portable copy with you to a competitor; and
opt out — tell them to stop using your data for targeted advertising, stop selling it, and stop feeding it into the profiling engine that quietly decides things about your life.
That last right earns a paragraph of its own. The bill doesn't leave "things about your life" to the imagination. It spells out the decisions that count: financial and lending services, housing, insurance, health care, education enrollment, employment, criminal justice, and access to basic necessities like food and water. In plain English, the bill is saying that a machine you can't see, trained on data you never knowingly handed over, should not get the final word on whether you get the loan, the apartment, the job, or the groceries — and that you, the human being in question, get to pull the plug on that arrangement.
This goes to the heart of what OCPA exists to defend. Our mission is to safeguard consumers from unsafe and unfair business practices and to be a voice for the rights of information, choice, and safety. SB 546 advances all three at once.
The part the trade associations will not love
Here's where SB 546 shows real spine. For sensitive data — your race or ethnicity, your religious beliefs, a mental or physical health diagnosis, your sexual orientation, your citizenship or immigration status, your genetic and biometric markers, the precise dot on the map where you happen to be standing, and anything collected from a child — the bill flips the default. No quiet harvesting. A controller must get your consent first. Opt-in, not opt-out. The burden moves off the consumer's shoulders and onto the company's, which is exactly where it belongs.
And it closes the oldest trick in the digital book. The bill says "consent" cannot be manufactured through dark patterns — the cleverly buried buttons, the pre-checked boxes, the "No thanks, I hate saving money" guilt-trip prompts designed to subvert your choice. If they trick you into it, it doesn't count. It even defines precise geolocation down to a radius of 1,750 feet, so there's no hiding behind "well, technically we only knew the neighborhood."
And it has teeth
A right with no enforcement is a greeting card. SB 546 hands enforcement to the Attorney General and sets the penalty at up to $7,500 per violation — and when you're talking about a company processing data on a hundred thousand Oklahomans, "per violation" is a number that concentrates the corporate mind. Covered businesses must publish a real privacy notice, offer at least two reliable ways to submit a request, answer within forty-five days, and run a documented data protection assessment before they sell your data or turn the profiling engine loose. As introduced, the whole thing switches on January 1, 2026.
Why now, and why here
Oklahoma is rolling out the welcome mat for data centers, server farms, and the whole humming apparatus of the AI economy. Good — OCPA is not here to chase that investment off. Those jobs and that tax base are real, and Big Tech has, in its fashion, made plenty of ordinary lives easier. But the data those facilities ingest is our data, and the guardrails ought to ride in on the same truck as the construction crews. You do not invite a guest into the house and then decline to mention there are rooms they may not enter. SB 546 is Oklahoma, finally, mentioning the rooms.
Right now, an Oklahoman has no general, enforceable right to see, fix, delete, or wall off the data that companies collect about them. None. We are a blank spot on the map while a dozen other states have drawn their lines. SB 546 draws ours.
What we'll be watching
OCPA supports this bill and would sign it tomorrow. But an honest advocate names the soft spots, and we owe our members that candor. There is no private right of action — a consumer cannot take a violator to court themselves; enforcement depends entirely on the AG's office. The bill grants violators a standing 30-day window to cure, with no expiration date on that grace, which risks turning "comply with the law" into "comply only after you're caught." The coverage thresholds are high (100,000 consumers, or 25,000 plus more than half of revenue from selling data), which lets a fair number of mid-sized data handlers slip the net. The entity-level exemptions are broad — nonprofits and others are carved out wholesale rather than judged by what they actually do with data. And a "child" stops being a child at thirteen, which is younger than we'd draw it.
None of that is a reason to vote no. All of it is a reason to vote yes and keep the pen handy. A first line in the sand is still a line, and Oklahomans have been standing on the wrong side of it for too long.
OCPA urges the Legislature to pass SB 546.