Oklahoma has made multiple attempts to enact comprehensive data privacy legislation since 2022. The most recent bills — House Bill 2969 and Senate Bill 1796 — were introduced in the 2023–2024 legislative session and follow the Virginia CDPA model that has been adopted by several other Republican-controlled states. Oklahoma's privacy bills have typically passed their initial committee hearings with bipartisan support but have repeatedly failed to make it to floor votes in the final weeks of session. This pattern — advancing in committee but stalling before a full vote — suggests that while there is genuine legislative interest, the bills have not yet achieved the coalition strength needed to survive the competitive end-of-session legislative calendar. Oklahoma's Republican-led legislature has shown willingness to act on privacy in other contexts — the state has enacted protections for minors' social media use — and advocates believe a comprehensive privacy law is achievable if the right bill text and political moment align.
Oklahoma introduces its first serious comprehensive privacy legislation, drawing on the Virginia CDPA model. Bills receive committee hearings but do not advance to floor votes.
New versions of the bill with adjusted thresholds and exemptions introduced. Advance further in committee but again fail to reach a floor vote before session ends.
The 2024 session sees the most refined Oklahoma privacy bills yet, incorporating feedback from business groups and consumer advocates. Committee passage achieved in both chambers but floor vote not scheduled before adjournment.
Oklahoma privacy advocates have publicly committed to a 2025 push. The accumulation of neighboring states' laws (Texas, Nebraska, Iowa) is being cited as evidence that Oklahoma businesses need a consistent state framework.
Oklahoma's proposed legislation is a standard Virginia-model privacy bill providing consumers with rights to access, correct, delete, and receive copies of their personal data, as well as opt-out rights for the sale of personal data and targeted advertising. The bill would apply to businesses processing the data of 100,000 or more Oklahoma consumers, or of 25,000 or more consumers where data sales exceed 25% of gross revenue. Sensitive data (health, racial origin, sexual orientation, religion, geolocation, biometrics, children's data) would require explicit opt-in consent. Enforcement would be handled exclusively by the Oklahoma Attorney General, with a 30-day cure period and civil penalties of up to $7,500 per violation.
If enacted as currently drafted, Oklahoma residents would receive the following privacy rights:
- Confirm whether a business processes your personal data and request a copy of it.
- Request correction of inaccurate personal data a business holds about you.
- Request deletion of personal data that has been collected about you.
- Receive your data in a portable, machine-readable format.
- Prevent businesses from selling your personal data to third parties.
- Stop businesses from using your data for cross-context behavioral advertising.
- Opt out of automated decision-making in significant life decisions.
- Businesses cannot penalize you for exercising your privacy rights.
The rights listed above are proposed, not enacted. They reflect the bill's current draft language and may change significantly before passage — or the bill may not pass at all. Until Oklahoma enacts a comprehensive privacy law, residents have limited state-level data privacy rights. Check our Active Laws page to see which states have enacted protections.
Oklahoma's repeated near-misses stem from a combination of legislative calendar competition and insufficient urgency. The Oklahoma legislative session is short (typically running February through May), and privacy bills that advance through committee often get crowded out by other priorities in the final weeks. Unlike states where a high-profile breach or scandal created urgent public pressure, Oklahoma has not experienced a triggering event. Additionally, some legislators have expressed concern about the compliance burden on Oklahoma small businesses — a concern that has been addressed in successive bill revisions by raising thresholds and adding cure period provisions, but has not been entirely resolved to the satisfaction of all stakeholders.
| Feature | Oklahoma (Proposed) | Virginia (Active) | California (Active) |
|---|---|---|---|
| Comprehensive privacy rights | Proposed | ✅ Yes | ✅ Yes |
| Right to delete | Proposed | ✅ Yes | ✅ Yes |
| Opt out of sale of data | Proposed | ✅ Yes | ✅ Yes |
| Sensitive data protections | Proposed | ✅ Yes | ✅ Yes |
| Enforcement agency | TBD | VA Attorney General | CA Privacy Protection Agency |
| Private right of action | TBD | No | Yes (breach only) |
| Currently enforceable | ❌ No | ✅ Yes | ✅ Yes |
Even though Oklahoma does not yet have a comprehensive privacy law, you are not without options:
- Privacy laws pass because constituents demand them. If you believe Oklahoma residents deserve strong data privacy rights, contact your state legislature. Find your representatives at OpenStates.org — it takes only a few minutes to send a message that matters.
- Use our Opt-Out Guide to see what rights you have today and get direct opt-out links for major companies.