Oklahoma has followed other states in beginning consideration of data privacy legislation in the absence of a comprehensive federal privacy statute. The “Oklahoma Computer Data Privacy Act” (HB 1602) is a strong data privacy bill, one that would put teeth into Oklahoma’s regulation of the collection, usage, processing, selling, and disclosing of personal information. Thus far, the bill has only been reported out of the House of Representatives’ Technology Committee, and its prospects for enactment are unclear.
It is somewhat curious that deeply Republican Oklahoma would produce a data privacy and protection bill much stronger than deeply Democratic Virginia or Washington state. However, this apparent discrepancy may come down to the prevalence of big technology companies in both states and their respective influence in Richmond and Olympia.
Be that as it may, the Oklahoma Computer Data Privacy Act would create a mostly opt-in regime, and businesses would have to obtain the consent of Oklahoma residents before conducting many of the activities they engage in now. People would gain many of the same rights promised in other privacy bills regarding access to their personal information, and businesses would have many of the same exemptions from the obligations and responsibilities placed upon them that one finds in other privacy bills. However, this bill allows Oklahoma residents to sue for violations, which is not always featured in other privacy bills.
Starting, as usual, with definitions, “personal information” is broadly defined, for it would encompass a number of categories of information that could be linked to either a “particular consumer or household.” Specifically, the definition includes “information that identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household” including the following categories:
- an identifier, including a real name, alias, mailing address, account name, date of birth, driver license number, unique identifier, Social Security number, passport number, signature, telephone number or other government-issued identification number, or other similar identifier,
- an online identifier, including an electronic mail address or Internet Protocol address, or other similar identifier,
- a physical characteristic or description, including a characteristic of a protected classification under state or federal law,
- commercial information, including:
  - a record of personal property,
  - a good or service purchased, obtained or considered,
  - an insurance policy number, or
  - other purchasing or consuming histories or tendencies,
- biometric information,
- Internet or other electronic network activity information, including:
  - browsing or search history, and
  - other information regarding a consumer’s interaction with an Internet website, application or advertisement,
- geolocation data,
- audio, electronic, visual, thermal, olfactory or other similar information,
- professional or employment-related information,
- education information that is not publicly available personally identifiable information under the Family Educational Rights and Privacy Act of 1974,
- financial information, including a financial institution account number, credit or debit card number, or password or access code associated with a credit or debit card or bank account,
- medical information,
- health insurance information, or
- inferences drawn from any of the information listed under this paragraph to create a profile about a consumer that reflects the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities or aptitudes;
Moreover, the entity charged with drafting the regulations for and enforcing HB 1602, the Oklahoma Corporation Commission (OCC), may change this definition as technology and times change. Therefore, the bill’s definition of “personal information” is among the strongest encountered in either state or federal legislation.
HB 1602 defines what constitutes a “business purpose,” a term that is key throughout the bill, for many of the rights people would receive to learn how their personal information is being sold or shared are tied to business purposes. Consequently, the definition is worth quoting in full:
- the following operational purposes of a business or service provider, provided that the use of the information is reasonably necessary and proportionate to achieve the operational purpose for which the information was collected or processed or another operational purpose that is compatible with the context in which the information was collected:
  - auditing related to a current interaction with a consumer and any concurrent transactions, including counting ad impressions to unique visitors, verifying the positioning and quality of ad impressions, and auditing compliance with a specification or other standards for ad impressions,
  - detecting a security incident, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for any illegal activity described by this division,
  - identifying and repairing or removing errors that impair the intended functionality of computer hardware or software,
  - using personal information in the short term or for a transient use, provided that the information is not:
    - disclosed to a third party, and
    - used to build a profile about a consumer or alter an individual consumer’s experience outside of a current interaction with the consumer, including the contextual customization of an advertisement displayed as part of the same interaction,
  - performing a service on behalf of the business or service provider, including:
    - maintaining or servicing an account, providing customer service, processing or fulfilling an order or transaction, verifying customer information, processing a payment, providing financing, providing advertising or marketing services, or providing analytic services, or
    - performing a service similar to a service described by subdivision (a) of this division on behalf of the business or service provider,
  - undertaking internal research for technological development and demonstration, or
  - undertaking an activity to:
    - verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for or controlled by the business, or
    - improve, upgrade or enhance a service or device described by subdivision (a) of this division, or
- another operational purpose for which notice is given under this act, but specifically excepting cross-context targeted advertising, unless the customer has opted in to the same;
HB 1602 uses the term “commercial purpose” for data collection, processing, usage, selling, and disclosing, and it means:
…a purpose that is intended to result in a profit or other tangible benefit or the advancement of a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, subscribe to, provide or exchange products, goods, property, information or services or by enabling or effecting, directly or indirectly, a commercial transaction.
However, “[t]he term does not include the purpose of engaging in speech recognized by state or federal courts as noncommercial speech, including political speech and journalism.” Hence, speech protected by the U.S. and Oklahoma Constitutions would be exempted from the term.
The definition of consent is strong and seeks to address consent obtained through the use of so-called dark patterns: “an act that clearly and conspicuously communicates the individual’s authorization of an act or practice that is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting or impairing decision-making or choice to obtain consent.”
Notably, the bill does not have explicit definitions of sell, share, or disclose. However, in the body of the bill, functional definitions of these terms are found. In Section 3, one finds the definition of what constitutes selling a person’s personal information, which occurs if a business
sells, rents, discloses, disseminates, makes available, transfers or otherwise communicates, orally, in writing, or by electronic or other means, the information to the other business or third party for monetary or other valuable consideration.
This is a fairly tight definition that encompasses much of the personal data market. One wonders if the requirement of monetary or other valuable consideration might be ripe for exploitation if a large company, say, Twitter, is freely trading personal data and receiving only personal data in return. Does that qualify as valuable consideration? I would think so, but I expect this part of the definition to get tested.
Things get interesting with how the carve outs to selling personal information are phrased. For example, one such exemption is when a person “directs the business to intentionally disclose the information or uses the business to intentionally interact with a third party, provided that the third party does not sell the information, unless that disclosure is consistent with this act” (emphasis added). It would appear possible that a third party could sell a person’s personal information without consent so long as notice is provided. And yet, that reading appears to be directly at odds with other provisions. Moreover, elsewhere in the section, this provision is clarified by noting that a person must intentionally interact with the third party through affirmatively consenting. However, it appears one need merely consent to the intentional interaction and not to the sale of personal information. This is either a significant, intentional loophole, or drafting that needs to be tightened to conform to the rest of the bill.
Large companies doing business in Oklahoma are swept into the bill except for “internet service providers” acting in that capacity. To qualify, a business must
- Do business in the state;
- Collect personal information;
- Control the processing of the collected personal information; and
- Meet one or more of the following:
  - Have annual gross revenue of $10 million or more;
  - Buy, sell, receive, or share the personal information of 50,000 or more Oklahoma residents a year; or
  - Earn 25% or more of annual revenue from selling personal information.
There are a number of carve outs for entities already subject to other privacy and data security regulations such as:
- The “Health Insurance Portability and Accountability Act of 1996” (P.L. 104–191) (HIPAA) and the “Health Information Technology for Economic and Clinical Health Act” (HITECH Act) (P.L. 111-5)
- “state health privacy laws”
- The “Fair Credit Reporting Act” for the sale of personal information to credit reporting agencies to be used to generate a consumer report
- The “Financial Services Modernization Act of 1999” (P.L. 106-102) (aka Gramm-Leach-Bliley)
Moreover, publicly available information is outside the scope of the bill, but this bill does not, as many other bills do, include information one posts on a social media platform in this category. “[D]e-identified or aggregate consumer information” is likewise outside the bill’s scope.
The non-commercial activities of the media would also be exempted, and hence any data collection, processing, or disclosure for commercial purposes would be covered by HB 1602.
One also finds many of the same carve outs customary in privacy bills in the U.S., including compliance with federal, state, or local law or civil, criminal, and regulatory inquiries and investigations. Moreover, the preservation of and adherence to evidentiary privileges would allow an otherwise covered entity not to comply with HB 1602.
There is interesting language specifying that in the event HB 1602 and another state law conflict, whichever has the stronger provision shall win any dispute. And yet, the bill preempts any Oklahoma county, city, town, and municipal statutes on privacy and data security.
The OCC must promulgate regulations to implement, administer, and enforce the Oklahoma Computer Data Privacy Act on the following:
- Procedures related to verifying requests
- Opting in or opting out of the sale of one’s personal data
- A universal opt-in button for people to consent to the sale of their personal information
- Intelligible and easily understood notices and information
The OCC has discretion on whether to implement other regulations, including
- Expanding the definition of personal information to keep it current and relevant
- Revising the definition of identifier, which the bill defines as “data elements or other information that alone or in conjunction with other information can be used to identify a particular consumer, household or device that is linked to a particular consumer or household”
- Updating the methods by which one may submit a request to exercise a right; and
- Establishing exceptions needed for businesses to comply with federal or state law.
HB 1602 would allow for research for non-commercial purposes using personal information collected from people in the course of using a business’ service or product for other purposes so long as the research is compatible with the business purpose that led to the initial collection. The bill details a number of restrictions, requirements, and limitations on research under these auspices.
Among the rights residents of Oklahoma would gain under the bill, they could ask for and receive the categories and specific pieces of personal information a business has collected or amassed on them. This disclosure would need to include the categories of sources from which personal information was collected, the business or commercial purposes for collecting or selling personal information, and the categories of third parties to whom personal information is disclosed. Any information received must be in an electronic format that can be readily transmitted to another person.
Like most other bills, people could ask that businesses delete the personal information they have on them; however, there are a number of exceptions under which a business does not need to comply such as:
- Complete a transaction
- Provide a good or service the person requested
- “Detect a security incident; protect against malicious, deceptive, fraudulent or illegal activity; or prosecute those responsible for any illegal activity described by this paragraph;”
- “Identify and repair or remove errors from computer hardware or software that impair its intended functionality;”
- “Exercise free speech or ensure the right of another consumer to exercise the right of free speech or another right afforded by law;”
And yet, unlike other bills, Oklahoma residents would not receive the right to correct or amend incorrect personal information a business or third party may be holding. This seems like a strange omission given how consumer-friendly the bill otherwise is.
A business receiving requests must take steps to reasonably verify the identity of the requester, and if it does, it has 45 days to comply. If it cannot reasonably verify the identity, then it does not have to comply with the request. This could prove to be another choke point for people trying to exercise their rights, as has happened in California. With notice to the requester, businesses can take an additional 45 days to comply, and if the business decides not to honor the request, it must inform the person of the reasons why and of their right to appeal the decision. Businesses may not charge for requests unless they are baseless, excessive or repetitive.
The Oklahoma Computer Data Privacy Act seems to establish a regime under which businesses may sell one’s personal information only after the person has opted in. It is important to keep in mind that the expansive definition of what constitutes selling personal information seems intended to cover every conceivable transfer of personal information from a business to a third party. However, the bill would grandfather in current arrangements under which businesses are selling personal information to third parties, for there is language making clear that after enactment, people would need to opt in before such sales could occur. Consequently, it appears the drafters are envisioning a bifurcated system of consent depending on when the sale of personal information began. If the sale began before the bill became law, a person needs to opt out; after enactment, it becomes an opt-in regime for all new selling of personal information. A person’s consent is also needed when a third party to whom a business has sold one’s personal information wants to sell the data onward.
Additionally, businesses must disclose in publicly available privacy policies that they collect, sell, or disclose one’s personal information for business purposes. These policies must include people’s rights, a list of categories of personal information collected, a separate list of categories of personal information sold, and another list of categories of personal information disclosed for a business purpose. There must also be a list of all the categories of sources from which the business acquires personal information, and the business must furnish a list of categories of third parties to whom it sells personal information.
Separately, businesses must provide notice about each category of personal information they collect and the purposes for which each category will be used, and they must obtain consent before collection can occur. In the event a business is sold and its data collection practices materially change, it must notify people and then obtain consent again.
Businesses and their service providers must implement security procedures, and the language from the bill is nearly identical to what appears in almost every other bill:
A business or service provider shall implement and maintain reasonable security procedures and practices, including administrative, physical and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used, to protect consumers’ personal information from unauthorized use, disclosure, access, destruction or modification, irrespective of whether a customer has opted in or out of a sale of data.
All agreements and contracts that would abridge or nullify the rights bestowed by the Oklahoma Computer Data Privacy Act would be null and void as they are made contrary to public policy under the bill.
Businesses using de-identified personal information could not re-identify such data without consent. Moreover, these businesses must have safeguards and processes in place to prevent re-identification and processes to stop unauthorized disclosures of de-identified personal information.
It would be illegal to discriminate against Oklahoma residents who exercise their rights under the bill by denying them goods or services, charging a different price, or providing a different level of quality. And yet, this prohibition may well be consumed by the exception allowing just such a thing to happen if the difference in price or quality is “reasonably related to the value provided to the consumer by the consumer’s data.” It is unclear how this determination will be made, and it seems likely this will be the fulcrum businesses use to get people to surrender their personal information. In the same vein, businesses can offer loyalty or rewards programs that allow the business to collect, sell, or disclose personal information in return for payment or other financial incentives. The bill bars the use of “financial incentive practices that are unjust, unreasonable, coercive or usurious in nature,” however. How these terms are defined will be crucial in determining what is permissible.
The OCC would enforce the bill and could seek monetary damages, injunctive relief, and reasonable attorney’s fees in cases against violators. There is a two-tiered penalty system, with businesses being liable for up to $2,500 per violation and up to $7,500 per intentional violation. Moreover, the bill establishes a private right of action with the same two-tiered penalty system in addition to actual damages and injunctive relief. Businesses can be liable for the violations of third parties and service providers if they have actual knowledge of, or a reasonable belief that, the violation will occur. Nonetheless, a service provider cannot be held liable for a business’ violation.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.