On March 23, 2022, the Oklahoma House voted 74-15 (with 11 excused) to pass Representative Collin Walke’s HB2969 – the Oklahoma Computer Data Privacy Act. The bill now moves to the Senate. Last year, the Oklahoma House also passed a version of this bill, only to see it stall in the Senate Judiciary Committee. The bill is generally based on the California Consumer Privacy Act (CCPA), although it contains notable differences.
Below is a brief summary.
Monetary Threshold
The bill would set a lower monetary threshold for applicability than is found in the CCPA (and upcoming California Privacy Rights Act). Specifically, the bill would apply to for-profit businesses that (1) do business in the state, (2) collect the personal information of Oklahoma residents, (3) determine the purposes for and means of the processing, and: (a) have annual gross revenues in excess of $15,000,000, (b) alone or in combination with others, annually buy, sell or receive or share for commercial purposes the personal information of 50,000 or more consumers, households or devices, and/or (c) derive 25% or more of their annual revenue from selling consumers’ personal information.
Those familiar with the CCPA will recognize that the Oklahoma bill would lower the annual gross revenue monetary threshold from $25,000,000 to $15,000,000, meaning that it would likely apply to more companies than the CCPA. For reference, last year’s version of the bill set the threshold at $10,000,000.
Consent
Significantly, the bill would go beyond existing state privacy laws and require consent for the collection of personal information.
Specifically, Section 16 states that “After the effective date of this act, a business shall not collect a consumer’s personal information directly from the consumer prior to notifying the consumer of each category of personal information to be collected and for what purposes information will be used, as well as obtaining the consumer’s consent to opt in to collection, which may be provided electronically by the consumer, to collect a consumer’s personal information.”
The bill defines “consent” as “an act that clearly and conspicuously communicates the individual’s authorization of an act or practice that is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting or impairing decision-making or choice to obtain consent.”
Consent to Sales
In another notable difference from existing state privacy laws, the Oklahoma bill would require consumers to opt in to the sale of personal information.
Specifically, Section 13.D provides that “A business may not sell to a third party the personal information of a consumer who does not consent to the sales of that information after the effective date of this act or after a consumer submits a verifiable request to opt out of any future sale.”
Further, a “third party to whom a business has sold the personal information of a consumer may not sell the information unless the consumer receives explicit notice of the potential sale and is provided the opportunity to, and in fact does, consent to the sale as provided by this section.”
Consumer Rights
The bill would provide Oklahoma residents with the right to request that a business disclose to the consumer the categories and specific items of personal information the business has collected and the right to delete that personal information (subject to certain exceptions). A business that sells, or discloses for a business purpose, the consumer’s personal information would also be required to disclose to the consumer certain information regarding the sale/disclosure. Further, consumers would be permitted to opt out of the sale of their personal information. Businesses also would be prohibited from discriminating against consumers for exercising their rights. Finally, businesses would be required to provide information regarding their privacy practices in their online privacy policies.
Exemptions
The bill would not apply to, among other things, protected health information collected by business associates and covered entities, HIPAA covered entities, HIPAA business associates, the sale of personal information to or by a consumer reporting agency under certain circumstances, and financial institutions (and personal information) subject to the GLBA.
Enforcement
If passed, the bill would be enforceable by the state Attorney General’s office, which could seek monetary fines of $2,500 for each violation and $7,500 for each intentional violation.
Effective Date
The bill would go into effect on January 1, 2023.