This week we'll take a look at the Oklahoma Computer Data Privacy Act of 2022, the latest in internet privacy legislation in the United States. At a high level, this bill aims to create consumer privacy rights for Oklahoma residents, requiring consumer opt-ins and consent for the collection, use, and retention of their personal data. Last year, the Oklahoma Computer Data Privacy Act crossed over in March (85-11), but ultimately did not pass. The legislation was pre-filed for the 2022 session by Representative Collin Walke and Majority Leader Representative Josh West. The Oklahoma legislature is not scheduled to convene until next week (February 7).
For previous US-focused privacy legislation, check out Examining the American Data Dissemination (ADD) ACT and NV SB260 – The Latest in Internet Privacy Legislation. Let's take a closer look at legislation that many are comparing to the California Privacy Rights Act and the Virginia Consumer Data Protection Act.
What data is covered under the OK Computer Data Privacy Act?
HB2968 defines personal information as “information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer, household, or consumer device.” The bill also defines "publicly available information" as “information that is lawfully made available from federal, state or local government records." Publicly available information is excluded from the regulations put forth in this bill.
Businesses that qualify under the bill will also face restrictions on how they collect and use the personal information they gather. Eligible businesses will be required to “only collect and/or share information with third parties that is reasonably necessary to provide a good or service to a consumer who has requested the same or is reasonably necessary for security purposes or fraud detection.” The bill also explicitly states that the “monetization of personal information shall never be considered reasonably necessary for any purpose.”
What rights are outlined for consumers?
Requiring Consent
First and foremost, the Oklahoma Computer Data Privacy Act requires consumers to consent to businesses collecting their personal information. The bill states “After the effective date of this act, a business shall not collect a consumer’s personal information directly from the consumer prior to notifying the consumer of each category of personal information to be collected and for what purposes information will be used, as well as obtaining the consumer’s consent, which may be provided electronically by the consumer, to collect a consumer’s personal information.” “Consent” is defined in the bill as “an act that clearly and conspicuously communicates the individual’s authorization of an act or practice that is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting or impairing decision-making or choice to obtain consent.”
Right to Opt-Out
Following similar legislation, consumers will be given "the Right to Opt-Out". For Oklahoma residents, this means businesses must “apprise” them of their right to opt out of personalized advertising. The bill does not define the exact form or method in which the notification must be presented to consumers (think a clickable link, a button, etc.), but it does state the notification must be made in a "clear and conspicuous manner" on the business’s homepage.
Opt-In Requirement for Sale of Personal Information
Following the right to opt out, businesses will also be required to provide methods for consumers to opt in to the sale of their information. If the consumer does not opt in, the business cannot sell their information. The bill states “A business may not sell to a third party the personal information of a consumer who does not opt in to the sale of that information after the effective date of this act or after a consumer submits a verifiable request to opt out of any future sale.” It goes on to say a “third party to whom a business has sold the personal information of a consumer may not sell the information unless the consumer receives explicit notice of the potential sale and is provided the opportunity to, and in fact does, exercise the right to opt in to the sale as provided by this section.”
The bill also prohibits something known as Dark Patterns. Dark patterns are methods of website design with the express purpose or substantial effect of "obscuring, subverting, or impairing user autonomy, decision-making, or choice.” This kind of design can appear on websites themselves, in forms within a site, in emails sent out, or in downloadable apps. The end result is users being manipulated into actions that the business wants them to take, but that the user did not intend to take or actively did not want to take.
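The consent, opt-in and dark-pattern rules above, together with the "reasonably necessary" limit on collection purposes, can be expressed as a small ordering policy. The following is an added illustration written for this page; it is not text from HB2968 and not BillTrack50 code. It assumes a consent ledger keyed by a consumer identifier, a notice given as a list of category/purpose pairs, and a hypothetical `ui` descriptor with `preChecked` and `declineVisible` fields standing in for whatever the real consent control looks like. The purpose names are made up.

```javascript
// Added example modelling HB2968's ordering rules as a policy object:
// notice plus an affirmative act before collection, purposes limited to what
// is "reasonably necessary" (monetization never qualifies), explicit opt-in
// before any sale, an opt-out that blocks future sales, and a separate opt-in
// before a downstream third party may resell. All names are hypothetical.

// Purposes the bill's text says can never be "reasonably necessary".
const NEVER_NECESSARY = new Set(["monetization"]);

// Signals that a consent control obscures or impairs choice (the bill's dark
// pattern definition). Both fields are assumed descriptors of the UI state.
function isDarkPattern(ui) {
  return !ui || ui.preChecked === true || ui.declineVisible === false;
}

class ConsentLedger {
  constructor() {
    this.consumers = new Map();
  }

  record(id) {
    if (!this.consumers.has(id)) {
      this.consumers.set(id, {
        collection: new Map(), // category -> Set of consented purposes
        saleOptIn: false,
        saleOptOut: false,
        resaleOptIn: new Set(), // third parties separately opted in to
      });
    }
    return this.consumers.get(id);
  }

  // Notice lists each category and purpose; consent is the affirmative act.
  // Records nothing if the control is a dark pattern or any purpose is one the
  // bill says can never be necessary.
  recordCollectionConsent(id, notice, ui) {
    if (isDarkPattern(ui) || !Array.isArray(notice) || notice.length === 0) return false;
    if (notice.some(({ purposes }) => purposes.some((p) => NEVER_NECESSARY.has(p)))) return false;
    const c = this.record(id);
    for (const { category, purposes } of notice) {
      const set = c.collection.get(category) || new Set();
      purposes.forEach((p) => set.add(p));
      c.collection.set(category, set);
    }
    return true;
  }

  canCollect(id, category, purpose) {
    const c = this.consumers.get(id);
    if (!c) return false;
    const set = c.collection.get(category);
    return Boolean(set && set.has(purpose));
  }

  optInToSale(id, ui) {
    if (isDarkPattern(ui)) return false;
    const c = this.record(id);
    c.saleOptIn = true;
    c.saleOptOut = false;
    return true;
  }

  // A verifiable opt-out request blocks future sales, including resale.
  optOutOfSale(id) {
    const c = this.record(id);
    c.saleOptOut = true;
    c.saleOptIn = false;
    c.resaleOptIn.clear();
  }

  canSell(id) {
    const c = this.consumers.get(id);
    return Boolean(c && c.saleOptIn && !c.saleOptOut);
  }

  // A buyer of the data must give its own notice and obtain a fresh opt-in.
  recordResaleOptIn(id, thirdPartyId, ui) {
    const c = this.consumers.get(id);
    if (!c || !c.saleOptIn || c.saleOptOut || isDarkPattern(ui)) return false;
    c.resaleOptIn.add(thirdPartyId);
    return true;
  }

  canResell(id, thirdPartyId) {
    const c = this.consumers.get(id);
    return Boolean(c && !c.saleOptOut && c.resaleOptIn.has(thirdPartyId));
  }
}

// Walk one constructed consumer ("c1") through the rules and return outcomes.
function demo() {
  const ledger = new ConsentLedger();
  const clearUi = { preChecked: false, declineVisible: true };
  const preChecked = { preChecked: true, declineVisible: true };
  const out = {};
  out.beforeConsent = ledger.canCollect("c1", "email", "order-fulfilment");
  out.preCheckedRejected = ledger.recordCollectionConsent("c1", [{ category: "email", purposes: ["order-fulfilment"] }], preChecked);
  out.monetizationRejected = ledger.recordCollectionConsent("c1", [{ category: "email", purposes: ["monetization"] }], clearUi);
  out.consented = ledger.recordCollectionConsent("c1", [{ category: "email", purposes: ["order-fulfilment", "fraud-detection"] }], clearUi);
  out.afterConsent = ledger.canCollect("c1", "email", "order-fulfilment");
  out.unlistedPurpose = ledger.canCollect("c1", "email", "marketing");
  out.sellWithoutOptIn = ledger.canSell("c1");
  ledger.optInToSale("c1", clearUi);
  out.sellAfterOptIn = ledger.canSell("c1");
  out.resellWithoutOptIn = ledger.canResell("c1", "broker-A");
  ledger.recordResaleOptIn("c1", "broker-A", clearUi);
  out.resellAfterOptIn = ledger.canResell("c1", "broker-A");
  ledger.optOutOfSale("c1");
  out.sellAfterOptOut = ledger.canSell("c1");
  out.resellAfterOptOut = ledger.canResell("c1", "broker-A");
  return out;
}

console.log(demo());
```

The point of the ordering is that every "can" check fails closed: no record means no collection, no opt-in means no sale, and an opt-out clears the downstream resale opt-ins as well, matching the bill's rule that a verifiable opt-out bars any future sale.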
Other rights the bill affords to consumers are: the right to deletion, right to know/access, right to data portability, right to correct inaccurate information, and right not to be discriminated against for exercising their rights.
Who is impacted by the new rules?
The Oklahoma bill's thresholds would apply to a larger number of organizations than those of the laws it is compared to (the laws in California, Colorado, and Virginia). HB2968 defines "businesses" as “[a] sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of Oklahoma." The business must also satisfy one or more of the following thresholds:
- Has annual gross revenues in excess of 10 million dollars in the preceding calendar year (CCPA sets its gross revenues at $25 million)
- Alone or in combination, annually buys, receives, shares, or discloses for commercial purposes the personal information of 25,000 or more consumers, households, or devices
- Derives 50 percent or more of its annual revenues from sharing consumers’ personal information
“Consumer” is defined as "a natural person who is an Oklahoma resident" but "does not include an employee or contractor of a business acting in his or her role as an employee or contractor."
Exclusions
There are exclusions outlined in the bill for certain types of business, such as HIPAA covered entities and HIPAA business associates. Some of these exclusions also pertain to specific types of data sets (think protected health information). There is also an exclusion for personal information collected, processed, sold or disclosed by companies subject to the Gramm-Leach-Bliley Act (GLBA). The GLBA "requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data."
Privacy Policies
Businesses that qualify under these rules are also required by the legislation to provide privacy policies. When drafting these disclosures, businesses must ensure the policies are written “in a clear and conspicuous manner" and "in plain language and shall be available prior to any data collection, and shall be updated if any terms or conditions change.” The privacy policies must identify six things:
- The manner and method by which a consumer may exercise their rights provided by the act
- The personal information collected from consumers
- The reason(s) the business collects, discloses, or retains personal information
- Whether the business discloses personal information, and if so, what information is disclosed and to whom
- Whether the business shares personal information with service providers, and if so, the categories of service providers
- The length of time that the business retains personal information. (Businesses are required to limit their “use and retention of a consumer’s personal information to that which is reasonably necessary to provide a service or conduct an activity that a consumer has requested or for a related operational purpose.”)
Eligible businesses must also enter into contracts with the service providers to which they disclose personal information collected on their customers, so they can ensure the provider also adheres to the bill's restrictions.
What will enforcement look like?
If HB2968 passes this year, it will become effective November 1, 2023. Responsibility for enforcing the changes outlined in the bill will fall upon the state Attorney General’s office. The office of the AG will be able to seek penalties of $7,500 per intentional violation and $2,500 per unintentional violation.
In an accompanying press release, bill sponsor Representative Walke stated: “The National Security Commission on Artificial Intelligence explained that America is ill-prepared for the next decade of technological development, and part of that is due to a lack of governmental action in regulating things like data privacy. It is time that we heed the advice of security experts like the National Security Commission and pass meaningful data privacy legislation. We must be part of the solution and not the problem.”
About BillTrack50 – BillTrack50 offers free tools for citizens to easily research legislators and bills across all 50 states and Congress. BillTrack50 also offers professional tools to help organizations with ongoing legislative and regulatory tracking, as well as easy ways to share information both internally and with the public.