Keypoint: Although weakened from its original version, the Oklahoma bill would (if enacted) provide substantial privacy rights to Oklahoma residents and, in some respects, provide more privacy protections than found in the CCPA.
On March 4, 2021, the Oklahoma House of Representatives passed the Oklahoma Computer Data Privacy Act by a vote of 85-11 with 5 excused. The bill, which is perhaps best described as a heavily modified version of the California Consumer Privacy Act (CCPA), will now move to the Oklahoma Senate.
The Oklahoma bill was the subject of extensive reporting last month after a prior version of the bill, which included a private right of action, passed unanimously through the House Technology Committee. However, the private right of action was deleted in a significantly modified version of the bill that was introduced earlier this week.
Yet, even with the amendments, the bill is still notable for at least three reasons: scope of applicability, consent for collection, and opt-in to sales. Below is a high-level summary of some of the bill’s more notable provisions.
The bill would set a lower monetary threshold for applicability than is found in the CCPA. Specifically, the bill would apply to for-profit businesses that (1) do business in the state, (2) collect the personal information of Oklahoma residents, (3) determine the purposes for and means of the processing, and: (a) have annual gross revenues in excess of $10,000,000, (b) alone or in combination with others, annually buy, sell or receive or share for commercial purposes the personal information of 50,000 or more consumers, households or devices, and/or (c) derive 25% or more of their annual revenue from selling consumers’ personal information.
Those familiar with the CCPA will recognize that the Oklahoma bill would lower the annual gross revenue monetary threshold from $25,000,000 to $10,000,000, meaning that it would likely apply to more companies than the CCPA.
Significantly, the bill would go beyond the CCPA and require consent for the collection of personal information.
Specifically, Section 16 states that “After the effective date of this act, a business shall not collect a consumer’s personal information directly from the consumer prior to notifying the consumer of each category of personal information to be collected and for what purposes information will be used, as well as obtaining the consumer’s consent, which may be provided electronically by the consumer, to collect a consumer’s personal information.”
The bill defines “consent” as “an act that clearly and conspicuously communicates the individual’s authorization of an act or practice that is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting or impairing decision-making or choice to obtain consent.”
Opt-In To Sales
In another notable difference from the CCPA, the Oklahoma bill would require consumers to opt in to the sale of personal information.
Specifically, Section 13.D provides that “A business may not sell to a third party the personal information of a consumer who does not opt in to the sale of that information after the effective date of this act or after a consumer submits a verifiable request to opt out of any future sale.”
Further, a “third party to whom a business has sold the personal information of a consumer may not sell the information unless the consumer receives explicit notice of the potential sale and is provided the opportunity to, and in fact does, exercise the right to opt in to the sale as provided by this section.”
Similar to the CCPA, the bill would provide Oklahoma residents with the right to request that a business disclose to the consumer the categories and specific items of personal information the business has collected and the right to delete that personal information (subject to eight exceptions). A business that sells, or discloses for a business purpose, the consumer’s personal information would also be required to disclose to the consumer certain information regarding the sale/disclosure. Further, consumers would be permitted to opt out of the sale of their personal information. Businesses also would be prohibited from discriminating against consumers for exercising their rights. Finally, businesses would be required to provide information regarding their privacy practices in their online privacy policies.
Exceptions and Exemptions
As amended, the bill would not apply to, among other things, protected health information collected by business associates and covered entities, HIPAA covered entities, HIPAA business associates, the sale of personal information to or by a consumer reporting agency under certain circumstances, and financial institutions (and personal information) subject to the GLBA. Many of these carve-outs were added in the amended bill.
The bill does not contain employee and business-to-business exemptions similar to the CCPA’s exemptions.
If passed, the bill would be enforceable by the state Attorney General’s office, which could seek monetary fines of $2,500 for each violation and $7,500 for each intentional violation. As noted, a prior version of the bill included a private right of action, which was deleted. That version also would have charged the Oklahoma Corporation Commission with adopting rules to implement, administer and enforce the bill.
As amended, the bill would go into effect on January 1, 2023 (the same date as Virginia’s just-passed law). The prior version of the bill had an effective date of November 1, 2021.