Oklahoma recently proposed consumer data privacy legislation. The Oklahoma Computer Data Privacy Act (OCDPA) was filed on January 19, 2021 for consideration in the State’s 58th Legislative Session, which starts in February.

Representatives Josh West, R-Grove, and Representative Collin Walke, D-Oklahoma City, sponsored the bipartisan legislation, House Bill 1602.

The Consumer Data Privacy Bill’s Details

The OCDPA would mandate that certain companies get prior consent before collecting and selling consumer data.

The bill defines “consent” as:

[A]n act that clearly and conspicuously communicates the individual's authorization of an act or practice that is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting or impairing decision-making or choice to obtain consent.

House Bill 1602 also provides Oklahomans with a mechanism for requesting that businesses disclose what consumer data they have. It also grants the right to request deletion of that information.

When the Bill Would Protect Consumer Data

Oklahoma’s bill would apply to any business that does business in Oklahoma that collects consumers' personal information or has that information collected on the business's behalf and satisfies one or more of the following thresholds:

1. has annual gross revenue over $10,000,000.00;
2. annually alone or in combination with entities buys, sells, or receives or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
3. derives 25% or more of the business's annual revenue from selling consumers' personal information.

Circumstances When the Bill Would Not Apply

The Consumer Data Privacy Bill would not apply to the following:

1. Publicly available information;
2. Protected health information (PHI) governed by state health privacy laws or collected by a covered entity or a business associate of a covered entity as defined by HIPAA;
3. A health care provider governed by state health privacy laws or a covered entity to the extent that the provider or entity maintains the personal information of a patient in the same manner as PHI;
4. Information collected as part of a clinical trial;
5. The sale of personal information to or by a consumer reporting agency if the information is to be reported in or used to generate a consumer report and used solely for a purpose authorized under the FCRA;
6. Personal information collected, processed, sold or disclosed in accordance with the Gramm-Leach-Bliley Act or the Driver's Privacy Protection Act of 1994;
7. De-identified or aggregate consumer information; or
8. A consumer's personal information collected or sold by a business if every aspect of the collection or sale occurred wholly outside of Oklahoma.

Oklahoma Corporation Commission will Be Enforcement Agency

Under House Bill 1602, the Oklahoma Corporation Commission would enforce the consumer data privacy legislation, and any fines collected by the Commission for violations would go to the State’s General Revenue Fund.

The bill also provides a private right of action for Oklahomans. Residents may seek injunctive relief, actual damages, and statutory damages up to $7,500 for intentional violations.

“Our government is set up so that it is difficult to pass laws without broad agreement, which is why technology usually gets ahead of the law,” said Representative West. “That’s not new. For example, before using spacing units, there was a lot of oil and gas that was wasted. Spacing units improved oil and gas extraction efficiency. So, regulations can, at times, actually improve efficiency. We hope this is the first step in more efficient internet usage.”

According to co-author Representative Walke, regulations to protect consumer data privacy are clearly needed, stating that “as with all legislation, there will be groups with adverse interests opposing this bill, but the legislature’s priority should be focused on protecting our constituent’s privacy.”

“That is a safeguard that we have in place for the government, and it should be no less true for private companies who can – and often do – exploit our private information for their personal gain. I believe our bill is common sense: Absent consent, personal data should be just that, private. It should not be bartered to the highest bidder who can then use that information without the consumer’s knowledge.”

Many States Move to Consider Data Privacy Legislation

According to the National Conference of State Legislatures, at least 30 states and Puerto Rico considered legislation in 2020.

Michigan added a law that amends the requirements for insurers providing privacy policies to customers.

Virginia enacted a law (SB 101) that permits a merchant to scan the machine readable zone of an individual's driver’s license for verification purposes. However, it requires the merchant to destroy the retained information when the verfication has been completed.

In addition, California enacted three bills last year. Assembly Bill 82 requires the use of data broker registration fees to offset website costs when the information provided by data brokers is accessible to the public. Assembly Bill 713 exempts deidentified information in accordance with specified federal law or policy from the Consumer Privacy Act (CCPA). Finally, Assembly Bill 1281 exempts specific employment information and personal data concerning business-to-business communications and transactions from the CCPA.