The state of Oklahoma could be the next to test the waters around a new data protection bill that would rein in what big tech companies can and can’t do with residents’ data.

If passed, the law would be the first of its kind; currently there's nothing governing the collection or use of consumer data in the state.

The bipartisan bill, The Oklahoma Computer Data Privacy Act (OCDPA) was introduced in the state’s House of Representatives at the beginning of this month by Rep. Josh West of Grove and Democratic state Rep. Collin Walke of Oklahoma City.

Like the California Consumer Privacy Act, what some might refer to as the gold standard state consumer data privacy law in the US so far, the OCDPA would give residents a way to request what information businesses may have on them, along with the ability to request the organizations delete it.

Unlike other bills, the Oklahoma act would require a company obtain prior consent before gathering and selling data belonging to Oklahomans, including personally identifiable information (“PII”) like individuals names, email addresses, phone numbers, and IP addresses. CCPA, in contrast, must oblige with a consumer's request to opt-out of the sale of their personal information to third parties.

The act would allow the Oklahoma Corporation Commission to adopt rules to implement, administer and enforce the act, meaning it could impose penalties against businesses who violate it.

Under the proposed law, the commission - the state's public utilities commission - it also oversees oil and gas drilling, along with telephone companies – could charge $7,500 for willful violations. According to law firm McAfee and Taft, private plaintiffs would be able to seek injunctive relief, actual damages, and statutory damages up to $7,500 for willful violations too.

It sounds as if the bill came about through a combination of needs, first to keep up with advances in technology and second, to minimize the vast amount of data that increasingly fewer companies control on internet users.

"It brought to light just how much we don't know — just how much you don't know — who has your information,” West told a local ABC affiliate recently. "You either don't think it's okay to have your data sold to whoever — whoever wants to pay for it. Or you're okay with it. And I would say most people aren't okay with it.”

The bill is still in its infancy; if passed, it could go into effect on November 1, 2021, sooner than other state privacy laws currently making their way through state legislatures across the country.

The bill's introduction is another example of how the tides are turning when it comes to data privacy in the US. Oklahoma’s legislation joins CCPA/GDPR-like legislation recently introduced in Connecticut, Oklahoma, Minnesota, Mississippi, New York, and Virginia.

Virginia's law, the Consumer Data Protection Act, appears closest to a done deal but wouldn't go into effect until January 1, 2023. The act would apply to business that control or process data for at least 100,000 Virginians, or those commercial entities that derive at least 50 percent of their revenues from the sale and processing of consumer data of at least 25,000 customers. While the act has been introduced and is slated to be included in the current session, it still needs Governor Ralph Northam's signature; it has already passed both chambers of the state legislature.

In many ways the story remains the same for states. Until the federal government passes comprehensive data privacy legislation, states will continue to attempt to enact their own. In lieu of a uniform law, it can be argued that a patchwork of different laws enacted at different times is continuing to confuse and confound businesses and consumers alike but with no movement on a federal data privacy law, we appear to be in a holding pattern.

Assuming Oklahoma's legislation moves forward – and given the influx of data privacy bills over the last five years, it’s a safe bet to – it’s more incentive for organizations to keep tabs on how, where, and why data on consumers is collected and processed.