Consumer Data Privacy Legislation Proposed in Oklahoma

Oklahoma recently proposed consumer data privacy legislation. The Oklahoma Computer Data Privacy Act (OCDPA) was filed on January 19, 2021 for consideration in the State’s 58th Legislative Session, which starts in February.

Representatives Josh West, R-Grove, and Representative Collin Walke, D-Oklahoma City, sponsored the bipartisan legislation, House Bill 1602.

The Consumer Data Privacy Bill’s Details

The bill defines “consent” as:

[A]n act that clearly and conspicuously communicates the individual’s authorization of an act or practice that is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting or impairing decision-making or choice to obtain consent.

House Bill 1602 also provides Oklahomans with a mechanism for requesting that businesses disclose what consumer data they have. It also grants the right to request deletion of that information.

Consumer Data Privacy Legislation
Consumer Data Privacy Legislation

When the Bill Would Protect Consumer Data

  1. has annual gross revenue over $10,000,000.00;
  2. annually alone or in combination with entities buys, sells, or receives or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
  3. derives 25% or more of the business’s annual revenue from selling consumers’ personal information.

Circumstances When the Bill Would Not Apply

  1. Publicly available information;
  2. Protected health information (PHI) governed by state health privacy laws or collected by a covered entity or a business associate of a covered entity as defined by HIPAA;
  3. A health care provider governed by state health privacy laws or a covered entity to the extent that the provider or entity maintains the personal information of a patient in the same manner as PHI;
  4. Information collected as part of a clinical trial;
  5. The sale of personal information to or by a consumer reporting agency if the information is to be reported in or used to generate a consumer report and used solely for a purpose authorized under the FCRA;
  6. Personal information collected, processed, sold or disclosed in accordance with the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act of 1994;
  7. De-identified or aggregate consumer information; or
  8. A consumer’s personal information collected or sold by a business if every aspect of the collection or sale occurred wholly outside of Oklahoma.

Oklahoma Corporation Commission will Be Enforcement Agency

The bill also provides a private right of action for Oklahomans. Residents may seek injunctive relief, actual damages, and statutory damages up to $7,500 for intentional violations.

“Our government is set up so that it is difficult to pass laws without broad agreement, which is why technology usually gets ahead of the law,” said Representative West. “That’s not new. For example, before using spacing units, there was a lot of oil and gas that was wasted. Spacing units improved oil and gas extraction efficiency. So, regulations can, at times, actually improve efficiency. We hope this is the first step in more efficient internet usage.”

According to co-author Representative Walke, regulations to protect consumer data privacy are clearly needed, stating that “as with all legislation, there will be groups with adverse interests opposing this bill, but the legislature’s priority should be focused on protecting our constituent’s privacy.”

“That is a safeguard that we have in place for the government, and it should be no less true for private companies who can — and often do — exploit our private information for their personal gain. I believe our bill is common sense: Absent consent, personal data should be just that, private. It should not be bartered to the highest bidder who can then use that information without the consumer’s knowledge.”

Many States Move to Consider Data Privacy Legislation

Michigan added a law that amends the requirements for insurers providing privacy policies to customers.

Virginia enacted a law (SB 101) that permits a merchant to scan the machine readable zone of an individual’s driver’s license for verification purposes. However, it requires the merchant to destroy the retained information when the verfication has been completed.

In addition, California enacted three bills last year. Assembly Bill 82 requires the use of data broker registration fees to offset website costs when the information provided by data brokers is accessible to the public. Assembly Bill 713 exempts deidentified information in accordance with specified federal law or policy from the Consumer Privacy Act (CCPA). Finally, Assembly Bill 1281 exempts specific employment information and personal data concerning business-to-business communications and transactions from the CCPA.

Ryan Carpenter serves as Attorney and Managing Director of Carpenter Wellington. Ryan advises clients across a broad set of corporate and commercial matters.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store