This article has been written by Gannat Juneja, pursuing a Diploma in International Data Protection and Privacy Laws from LawSikho. It has been edited by Prashant Baviskar (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
On 9th September 2021, a new bill was introduced in Oklahoma by Collin Walke and Josh West (a majority leader). Few expected that the 2022 legislative session would see a new proposed consumer privacy law filed, but Collin Walke introduced the bill known as the Oklahoma Computer Data Privacy Act, 2022.
It is important to mention here that the Oklahoma legislature is scheduled to convene after 07th February 2022. Policymakers, legal scholars, eminent personalities, retired jurists, researchers, and lobbyists therefore have sufficient time to study and dissect the bill. The proposed effective date of the bill is 01st January 2023, the exact same date as Virginia’s law.
According to Collin Walke, the pace of development in artificial intelligence technology, combined with the lack of privacy protection by a dormant government, is alarming. The need of the hour is to come up with solutions for data privacy and protection and to listen to the advice of data security experts such as the National Security Commission. Walke’s main objective is to get a privacy law in force in 2022. The introduced Bill acknowledges the right to privacy as a constitutional right of Oklahoma citizens and specifically states that any collection of information without their knowledge and consent is a violation of that right.
Here, apart from consent, the word “knowledge” has been used so as to give the citizen (data subject) additional leverage. Further, in case of conflict between federal and state-level laws, the stricter act providing the more appropriate protection shall prevail, thereby protecting privacy more effectively.
Application of the Bill/Proposed Act
The proposed bill applies to all types of businesses. The term business is defined under Section 3(3) and it includes all types of business propositions whether incorporated or not, like that of a sole proprietorship, partnership, limited liability company, corporation, an association of persons, or any other legal entity.
The deciding factor for the application of the act, however, is whether the business collects consumers’ personal information (also defined under the proposed bill), singly or jointly; is either the processor or controller, or acts jointly in determining the purposes and means of processing consumers’ personal information; carries on business in the State of Oklahoma; and further satisfies any one or more of the following threshold limits:
(A) has annual gross revenues in excess of ten million dollars ($10,000,000) in the preceding calendar year;
(B) alone or in combination, annually buys, receives, shares, or discloses for commercial purposes, alone or in combination, the personal information of 25,000 or more consumers, households, or devices; or
(C) derives 50 percent or more of its annual revenues from sharing consumers’ personal information.
It is interesting to note that clause (B) also mentions “household” and “device.” The word “household” is not defined under the act; by its ordinary meaning, the term covers a house and its occupants. This calls for clarification as to whether the threshold counts 25,000 households, 25,000 consumers residing in them, or 25,000 devices in use. A single consumer living alone may be using 10 or 20+ devices at a single location.
The device is also defined under the act as any physical object capable of connecting to the internet or to other devices. This means any electronic device, such as a mobile phone, printer, pager, computer, laptop, or CCTV camera, falls within its purview. As a result, the introduced bill covers a larger number of entities than the laws in California, Colorado, and Virginia.
According to the Bill, a “consumer” is a resident of Oklahoma, but the term does not include an employee or contractor of the business. As per Section 3(13), personal information is defined as “information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer, household, or consumer device.”
It is important to note that the bill specifically excludes publicly available information. The term ‘publicly available information’ is itself defined as information that is lawfully made available from federal, state, or local government records. Personal information also does not include de-identified or aggregate consumer information.
Information: how to collect and use it
As per the act, there are certain restrictions on how information is to be collected and utilised. The proposed bill requires that businesses only collect information, or share it with third parties, where this is required to provide the products or services that the consumer has explicitly requested, or where it is required for security purposes or fraud detection. It is important to note that the monetisation of personal information for any purpose shall never be considered necessary.
Further, in line with other data privacy and protection laws across the globe, the concepts of data limitation and minimisation are also made applicable to the use and retention of a consumer’s personal information.
(a) the type of personal information collected;
(b) the basis of collection or the reason, disclosures, and the retention period of the personal information hereby collected;
(c) the rights granted to the consumers and the procedure by which a consumer may exercise their rights provided by the Act;
(d) how the business uses the personal information and whether the information is disclosed to the third party or not;
(e) whether the business is acting as a controller or processor and if the personal information is being shared with the service providers, and if so, the categories of service providers; and
(f) retention period of the personal information.
Rights granted under the Bill
Oklahoma residents have been granted various rights under the bill, such as the right to opt out, the right to deletion, the right to know/access, the right to data portability, the right to correct inaccurate information, and the right not to be discriminated against for exercising their rights, similar to the rights provided by the California Consumer Privacy Act.
Further, any sale or disclosure made by the business for a business purpose would have to be disclosed to the consumer. There cannot be any discrimination against consumers for exercising their rights under the Act. Furthermore, the right to opt out must be granted, and every business must inform its consumers of this right in a clear and conspicuous manner, so that they can opt out of personalised advertising on the homepage of the business website itself.
If a consumer wants any information or disclosure and places a valid request with the business, the request must be complied with within 45 days of receipt of the verifiable consumer request. If it is not complied with within 45 days, the business must provide the basis for the delay and must comply with the request within the next 45 days. Notice of the delay, along with the reasons for it, must be given to the consumer.
However, the same consumer may make a maximum of two requests within a period of 12 months. The business is not under an obligation to comply with any further requests.
Data processing agreements with service providers also fall under the purview of the proposed bill and must provide protection. Further, the bill prohibits dark patterns: companies are barred from designing, modifying, altering, or manipulating user interfaces to that end.
Exceptions and exemptions
The amended Bill contains certain exclusions and thus would not apply to certain types of entities and certain data sets, such as protected health information collected by Health Insurance Portability and Accountability Act (HIPAA) covered entities and HIPAA business associates. The Bill also does not apply to the sale, collection, processing, or disclosure of personal information by a consumer reporting agency, or by financial institutions pursuant to the Gramm-Leach-Bliley Act (GLBA). Further, the Bill does not contain the employee and business-to-business exemptions seen in the CCPA.
Enforcement and penalties
The state Attorney General’s office shall be the authority that enforces the bill. The penalty is fixed at $7,500 for each intentional violation and $2,500 for each unintentional violation. However, the bill does not purport to create a private right of action.
Punitive damages may further be imposed by the court at the request of the Attorney General, in addition to injunctive relief, so as to prevent repeated violations. The Attorney General is also entitled to recover costs and damages from the violating party.
In many ways, the story remains the same for the states. Until the federal government passes comprehensive data privacy legislation, states will continue to attempt to enact their own. In the absence of a uniform law, it can be argued that a patchwork of different laws enacted at different times continues to confuse and confound businesses and consumers alike.