By Tim Rollins
Oklahoma became one of many states to propose consumer data privacy laws
similar to that of the European Union’s General Data Protection Regulation
(GDPR) and California’s Consumer Privacy Act (CCPA). The act passed the Oklahoma House, but stalled in committee in the Senate. A new bill has been proposed for consideration in 2022.
On February 5, 2021 a bipartisan bill was filed that would require certain companies to obtain prior consent before collecting and selling the data of Oklahoma residents. If passed, the proposed Oklahoma Computer Data Privacy Act (OCDPA) would also give residents a mechanism for requesting that businesses disclose what information they have about them, as well as the right to request deletion of that information.
Need to Know Information
WHO IT APPLIES TO
Oklahoma’s bill would apply to any business that does business in Oklahoma that collects consumers’ personal information or has that information collected on the business’s behalf and satisfies one or more of the following thresholds:
- has annual gross revenue over $10 million;
- annually alone or in combination with entities buys, sells, or receives or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
- derives 25% or more of the business’s annual revenue from selling consumers’ personal information.
WHAT IS COVERED
The OCDPA would mandate that certain companies get prior consent before collecting and selling consumer data. The bill defines “consent” as "an act that clearly and conspicuously communicates the individual’s authorization of an act or practice that is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting or impairing decision-making or choice to obtain consent."
Under the proposed law, both the commission and private plaintiffs would be able to seek injunctive relief, actual damages, and statutory damages up to $7,500 for willful violations.
Expert Analysis by Rebecca Perry, Director of Strategic Partnerships, Exterro
The advancement of the Oklahoma Computer Data Privacy Act (OCDPA) signals that states have a renewed interest in introducing data privacy legislation. The California Consumer Privacy Act (CCPA) was not the finish line, but the starting line. More states like Oklahoma will begin to follow and introduce comprehensive legislation that is in line with the recently passed California Privacy Rights Act (CPRA). Companies must build a comprehensive and sustainable compliance framework built on proven standards and models, like Exterro’s Legal GRC Platform.
Data Privacy Tip
To learn more about the status of this bill and other proposed bills across the country, visit Exterro's State Privacy Law Map.