Keypoint: The 2022 legislative session of proposed state consumer privacy legislation kicks off with the filing of a new bill in Oklahoma.
On September 9, 2021, Rep. Collin Walke (D) and Majority Leader Rep. Josh West (R) filed the Oklahoma Computer Data Privacy Act of 2022. The Oklahoma legislature is not scheduled to convene until February 7, 2022, so policymakers and lobbyists have ample time to study the bill. We spoke with Representative Walke earlier this year about his goal of passing a privacy law in 2022.
In an accompanying press release, Representative Walke stated: “The National Security Commission on Artificial Intelligence explained that America is ill-prepared for the next decade of technological development, and part of that is due to a lack of governmental action in regulating things like data privacy. It is time that we heed the advice of security experts like the National Security Commission and pass meaningful data privacy legislation. We must be part of the solution and not the problem.”
In 2021, the Oklahoma House passed another privacy bill, but it did not make it out of the Senate Judiciary Committee. According to Rep. Walke, the 2021 version will still be alive when the 2022 legislative session convenes, so Oklahoma lawmakers will have two bills to consider.
Below is an overview of the 2022 bill (as introduced).
In addition, members of Husch Blackwell’s privacy and data security practice will be hosting a webinar on September 28 to discuss developments in U.S. privacy law, including the 2022 Oklahoma bill.
Who Does the Bill Apply To?
The bill applies to “businesses,” defined as “[a] sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of Oklahoma, and that satisfies one or more of the following thresholds: (A) has annual gross revenues in excess of ten million dollars ($10,000,000) in the preceding calendar year; (B) alone or in combination, annually buys, receives, shares, or discloses for commercial purposes, alone or in combination, the personal information of 25,000 or more consumers, households, or devices; or (C) derives 50 percent or more of its annual revenues from sharing consumers’ personal information.”
As a general matter, the bill’s thresholds capture more organizations than comparable laws in California, Colorado and Virginia: the $10 million revenue threshold is well below the CCPA’s $25 million, and the 25,000-consumer threshold is a quarter of the 100,000-consumer threshold that Colorado and Virginia use for their primary applicability test.
The bill defines “consumer” as Oklahoma residents, but does not include an employee or contractor of a business acting in their role as an employee or contractor.
Finally, the bill contains exclusions for certain types of entities and data sets, such as HIPAA covered entities and protected health information. The bill also does not apply to personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA).
What Information Is Covered?
Personal information is defined as “information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer, household, or consumer device.” The bill excludes publicly available information but defines the term restrictively to only mean “information that is lawfully made available from federal, state or local government records.” Personal information also does not include de-identified or aggregate consumer information.
Are There Restrictions on the Collection and Use of Information?
Yes. The bill requires businesses to “only collect and/or share information with third parties that is reasonably necessary to provide a good or service to a consumer who has requested the same or is reasonably necessary for security purposes or fraud detection.” Further, the “monetization of personal information shall never be considered reasonably necessary for any purpose.”
In addition, businesses are required to limit their “use and retention of a consumer’s personal information to that which is reasonably necessary to provide a service or conduct an activity that a consumer has requested or for a related operational purpose.”
Is There a Right to Opt-Out?
Yes, the bill requires businesses to “apprise” consumers of their right to opt out of personalized advertising. The notification must be made in a clear and conspicuous manner on the business’s homepage. The bill does not otherwise prescribe the form that notification must take (i.e., there is no “Do Not Sell My Personal Information” link requirement or mention of opt-out icons).
Do Businesses Need to Provide a Privacy Policy?
Yes. The bill mandates that businesses provide disclosures to consumers “in a clear and conspicuous manner in its privacy policies, which shall be written in plain language and shall be available prior to any data collection, and shall be updated if any terms or conditions change.”
The notice must identify: (1) the manner and method by which a consumer may exercise their rights provided by the act; (2) the personal information collected from consumers; (3) the reason(s) the business collects, discloses, or retains personal information; (4) whether the business discloses personal information, and if so, what information is disclosed and to whom; (5) whether the business shares personal information with service providers, and if so, the categories of service providers; and (6) the length of time that the business retains personal information.
What Rights Are Provided?
In addition to the right to opt-out of personalized advertising mentioned above, consumers have the right to deletion, right to know/access, right to data portability, right to correct inaccurate information, and right not to be discriminated against for exercising their rights.
Does the Bill Require Data Processing Agreements?
Yes. Businesses that disclose personal information to service providers must enter into contracts that require service providers to adhere to the bill’s restrictions.
Does the Bill Prohibit Dark Patterns?
Yes. The bill prohibits companies from designing, modifying, or manipulating user interfaces “with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision-making, or choice.”
How Will the Bill Be Enforced?
The state Attorney General’s office will enforce the bill. Among other penalties, the AG’s office may seek penalties of $7,500 for each intentional violation and $2,500 for each unintentional violation. The bill does not purport to create a private right of action.
What is the Proposed Effective Date?
November 1, 2023