Oklahoma House Passes Tough Data Privacy Law Yet


Kevin Henry

Data Privacy

March 22, 2021


Oklahoma Computer Data Privacy Act

Update 04/12. At the time of this writing, it is unlikely that the bill will be heard in the Oklahoma Senate.

With concerns over the privacy of personal data and the risk of manipulation of that data, the Oklahoma House of Representatives passed House Bill 1602, Oklahoma Computer Data Privacy Act (OCDPA), by a vote of 85-11.  The Bill has bipartisan support and is co-authored by more than 40 state representatives and senators, and is expected to pass when the bill is brought to the Senate.


“It’s time for Oklahomans to have the ultimate say in how their personal data is used,” said Rep. Josh West, R-Grove. “For too long we’ve allowed big tech to mine our information, sell it at their profit and then use it to manipulate our marketing choices and worse. Today, we step closer to taking back our rights.”

Like other laws of its kind, such as the CCPA, the OCDPA is focused on the privacy of personally identifiable information. However, three significant developments in this act set it apart, and it may serve as the canary in the coal mine for stricter laws elsewhere.

Active Opt-In for Consent

The OCDPA is the first “opt-in” data privacy law in the country, which means that companies will have to ask for explicit consent prior to collecting any personally identifiable information. By contrast, the CCPA is an “opt-out” law, which means that businesses can collect information unless requested not to. 

Section 16 states that “After the effective date of this act, a business shall not collect a consumer's personal information directly from the consumer prior to notifying the consumer of each category of personal information to be collected and for what purposes information will be used, as well as obtaining the consumer's consent, which may be provided electronically by the consumer, to collect a consumer's personal information.”

The Bill is quite clear in defining consent: it must be granted by the consumer in question, and it can only be given if the consumer understands what they are allowing.

Lower Thresholds

Secondly, the OCDPA has lower thresholds than other data privacy laws, which means that a higher percentage of businesses collecting data on Oklahoma residents are likely to be impacted.

By comparison, the CCPA has an annual gross revenue threshold of $25,000,000.

Active Opt-In to Sales

Additionally, the OCDPA requires consumers to actively opt-in to the sale of Personal Information. The law states that “a business may not sell to a third party the personal information of a consumer who does not opt in to the sale of that information after the effective date of the act”.

Who will the OCDPA law apply to?

The act will apply to any organization that does business in Oklahoma and collects personally identifiable information from its customers in Oklahoma or has that information collected by others on its behalf and meets one or more of the following:

  • Has annual gross revenues of at least $10 million,
  • Either alone or in combination with other entities, buys, sells, or receives for commercial purposes the personal information of 50,000 or more consumers or devices per year,
  • Derives 25% or more of the business's annual revenue from the selling or sharing of customer personal data

If your business meets any one of these three criteria, you’re in scope.

Exemptions and Exceptions from the Act

As written, the Act does not appear to apply to PHI that is protected by HIPAA or to organizations that are governed by HIPAA. The act states that “Protected health information governed by state health privacy laws, or collected by a covered entity or a business associate of a covered entity… that is governed by the privacy, security and breach notification rules”.

The Bill does not contain employee and business-to-business exemptions such as those found in the CCPA.

What rights does OCDPA Provide to Oklahoma Consumers?

The Act outlines a number of rights for consumers, such as the right to request disclosure of the information the business has on the consumer, the right to request the deletion of their information, the right to request and then receive disclosures of the PII sold, the right to opt in and out of the sale of their personal data, and the right to prohibit the use, disclosure, or the retention of their personal information.

Enforcement of the OCDPA and penalties for noncompliance

The bill will be enforced by the Oklahoma Attorney General, who can seek fines of $2,500 for each individual violation and $7,500 for each intentional violation. Additionally, the OCDPA originally included a provision for a private right of action, which would have granted individuals the ability to file a lawsuit or make a claim against an offending company.

If passed by the Senate, the law will go into effect January 1st, 2023.


