This week, a house of a legislature passed one of the strongest privacy bills to be passed in the United States (U.S.). This bill would establish a system under which residents would need to opt into both data collection and the sale of their personal information. Because the default is that businesses cannot collect or sell personal information, this bill stands out from virtually all the other data privacy bills that have been successfully voted out of a legislative chamber. However, if the past is any indication, this bill will not get enacted, for it is too restrictive for data controllers and processors and too generous for the residents of this state. As a result, industry stakeholders will work hard to defeat this bill in the other chamber of the legislature.
The “Oklahoma Computer Data Privacy Act” (HB 2969) passed the Oklahoma House of Representatives by a 74-15 vote, marking the second straight year a data privacy bill has been sent to the state’s Senate. In early 2021, the Oklahoma House of Representatives sent the “Oklahoma Computer Data Privacy Act” (HB 1602) (see here for more detail and see here for more details and analysis on the bill as reported out of committee) to the State Senate after modifying the privacy bill, most notably through stripping the private right of action. Thereafter, the bill died in the Senate, which did not act on the bill other than referring it to committee.
The definition of personal information is very broad and is, in part, “information that identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household.” A few things to note about the first sentence of the lengthy definition. First, it includes information that can be associated directly or indirectly with a person or household. This is a broader conception than one usually finds in a data privacy bill, which stops at information that can be linked or can be reasonably linked. HB 2969 would include information that can be associated with a person, which connotes a looser relationship that will mean more information about a person will be “personal information” and subject to the bill. Secondly, the same is true of information that describes a person. Thirdly, personal information pertains to a consumer and a household. Again, most data privacy bills define personal information or data in ways that just pertain to a person. This is a broader notion that may capture some information outside those definitions. For example, metadata from one’s Wi-Fi router or any “smart” devices would automatically be personal information whereas that would be a debatable idea under other bills. And, let it also be said that HB 2969 includes employment information, which most bills do not, for businesses successfully made the case that making these data subject to data privacy laws would impair current employment practices. Moreover, the definition sweeps up “inferences drawn from any of the information listed under this paragraph to create a profile about a consumer that reflects the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities or aptitudes,” which goes to the profiles companies like Meta/Facebook and Google have on most people in the U.S.
All in all, this is one of the most comprehensive definitions of personal information in any data privacy bill, and the most extensive in a bill passed by a legislative chamber in the U.S.
Not surprisingly, “public available information” is not considered personal information and this is “information that is lawfully made available to the public from federal, state or local government records or information received from widely distributed media or by the consumer in the public domain.” However, it does not encompass “biometric information or genetic information of a consumer collected by a business without the consumer’s knowledge or consent, or de-identified or aggregate consumer information.” As a result, public available information is outside the scope of the bill, and there are many other types of data and businesses exempted from the bill such as those entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley, the Fair Credit Reporting Act, and others. However, if these entities should engage in practices outside the scope of those frameworks, they may become subject to HB 2969 provided they otherwise qualify. For example, consumer reporting agencies are exempted only if the personal information is to be used in a consumer report, and all other activities would be governed by the new regime.
 information that identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household. The term includes the following categories of information if the information identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household:
a. an identifier, including a real name, alias, mailing address, account name, date of birth, driver license number, unique identifier, Social Security number, passport number, signature, telephone number or other government-issued identification number, or other similar identifier,
b. an online identifier, including an electronic mail address or Internet Protocol address, or other similar identifier,
c. a physical characteristic or description, including a characteristic of a protected classification under state or federal law,
d. commercial information, including:
(1) a record of personal property,
(2) a good or service purchased, obtained or considered,
(3) an insurance policy number, or
(4) other purchasing or consuming histories or tendencies,
e. biometric information and genetic information,
f. Internet or other electronic network activity information, including:
(1) browsing or search history, and
(2) other information regarding a consumer’s interaction with an Internet website, application or advertisement,
g. geolocation data,
h. audio, electronic, visual, thermal, olfactory or other similar information,
i. professional or employment-related information,
j. education information that is not publicly available personally identifiable information under the federal Family Educational Rights and Privacy Act of 1974,
k. financial information, including a financial institution account number, credit or debit card number, or password or access code associated with a credit or debit card or bank account,
l. medical information,
m. health insurance information, or
n. inferences drawn from any of the information listed under this paragraph to create a profile about a consumer that reflects the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities or aptitudes;
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2022. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.