A majority of U.S. state legislatures that passed comprehensive privacy laws did so with a couple years of debate. Discussions have gone on for seven years in Oklahoma, but state lawmakers are finally in a position to add their state to the state privacy law network.

On 19 Feb., the Oklahoma House approved final passage of Senate Bill 546, state lawmakers' latest take on comprehensive privacy. It passed the chamber on an 84-4 vote and now requires concurrence from the Senate, which passed a different version of the bill in 2025 that carried over to the 2026 legislative session.

State Rep. Josh West, R-Okla., amended the bill on the House floor, substituting a compromise text that aligns mostly with the original framework for Virginia's Consumer Data Protection Act. West told the IAPP he expects the bill to move through Senate concurrence without further debate and sees "no reason" why Gov. Kevin Stitt, R-Okla., would not enact the bill.

SB 546 covers businesses that control or process the personal data of at least 100,000 Oklahomans, or the data of at least 25,000 consumers while deriving at least 50% of gross revenue from data sales. The bill contains standard data subject access rights, including opt-outs for targeted advertising and data sales as defined under the bill, and required data protection assessments for a range of processing activities.

If enacted by the governor, the bill will take force 1 Jan. 2027 and offer a 30-day cure provision under exclusive attorney general enforcement that does not sunset.

"It's a start and you take what you can get in this," said West, who has been carrying the bill since its 2019 origins when he and former state Rep. Collin Walke, D-Okla., first introduced the comprehensive privacy concept to the legislature. "When you've got this much skin in the game, it's good to get something. ... A lot of the people that were against this, even some of the big businesses like Amazon that use AI so much, know they need to have data privacy standards."

Where the bill landed 

West and Walke's privacy work began in earnest with an interim study in 2020. That spawned various comprehensive bills that gained enough traction to pass House on five occasions.

Walke, who left state politics in 2022 and is a shareholder leading Hall Estill's Cybersecurity & Data Privacy practice, told the IAPP that he and West always tried to seize on an opportunity for states to "take the lead and do it the right way." They initially sought to go against the grain with opt-in requirements that Walke admitted were "unrealisitic" and tried other nuanced provisions in the years to follow, including proposals on dark patterns and data minimization on information used for identity verification in their 2021 bill.

Ultimately, West settled for a framework that has become the foundation for a majority of the 19 enacted comprehensive laws comprising the state privacy patchwork. For Walke, the Oklahoma following the trend represents both a concession and a victory.

"With essentially half the country passing opt-out legislation, the tech companies have won, absent U.S. Congress getting serious about this," he said. "I would say the consumers have won as well. At least now I have rights that I didn't have before. And for that reason, I'm glad we have it on the books."

Oklahoma's bill is not likely to catch many covered entities off guard. Most of the businesses in scope are also operating across state lines, meaning they're complying with other comprehensive statutes with Oklahoma's requirements and potentially more. Notably, the bill omits some of the more common provisions passed by other states in recent years, including recognition of universal opt-out mechanisms and enhanced children's privacy protections.

"The maturation of these laws facilitated this passage," Walke said. "For all of the privacy policies I write for companies in Oklahoma, they're already complying with laws in other states. It's gotten to the point where these are commonly accepted practices and they needed to be codified."

One industry issue addressed during the House amendment process was moving the effective date out from 1 July to the new 1 Jan. 2027 date. 

West indicated there was originally a 1 Jan. 2026 effective date when the bill was filed last year with an emergency labelling. The goal was to pass early 2025 and then leave the rest of the year for businesses to prepare. The amendment to 1 Jan. 2027 merely honors the previously intended grace period, West said.

Given the years and haggling it took to get consensus Oklahoma's take on comprehensive privacy, it is fair to wonder how the law might mature in the years ahead. Connecticut and Colorado have made robust changes to their comprehensive statutes in the years following their passage, and even Virginia has amended its law to keep up with a dynamic digital landscape.

West expects modernization to be a rolling consideration, but it will not come with the same industry opposition he and Walke faced that stalled their legislative work to this point. He pointed to constituents' feelings about growing invasions of privacy stemming from connected devices and targeted advertising based on sensitive data.

"We'll have to go back and address this as we move further along, and we can adapt like anything else. The appetite has always been there in the House, and I don't think the debate is looked at like it was when we started," West said. "We weren't trying to get (the California Consumer Privacy Act) to Oklahoma. This is actually about safety."

Joe Duball is the news editor for the IAPP.