State Privacy Law Tracker: Oklahoma

On this page, we’ll take a look at House Bill 1030, also known as the Oklahoma Computer Data Privacy Act. The Oklahoma data privacy law was introduced by Rep. Josh West, R-Grove and has passed in both the House and the Senate as of this writing. On May 26, 2023, it was sent to the governor for his final signature.

The Oklahoma privacy act aims to create consumer privacy rights for Oklahoma residents, requiring consumer opt-ins and consent for the collection, use, and retention of their personal data. In addition, the bill mandates the disclosure of privacy policies, limits data collection and use, and requires baseline cybersecurity measures. The bill does not provide a right to private actions. 

“Big tech is able to collect data on all of us down to the minutest detail,” West said in a release. “They then turn around and profit off the sale of that data, which is used to market us at best and socially engineer us at worst.”

West noted that the Oklahoma privacy law would mandate that businesses inform customers of the data they are gathering and their plans for it. Consumers would then have the choice of allowing the sale of their information.

West has attempted similar legislation over the past two years. His previous Oklahoma data privacy acts passed the House but failed to get a hearing in the state Senate.

Important Points

Scope

The Oklahoma consumer protection act applies to businesses that operate in the state, collect consumers’ personal information, and meet one or more of the following criteria: 

• have an annual gross income exceeding $15 million 
• buy, sell, or receive shares of the personal information of at least 50,000 consumers, households, or devices; or 
• derive 25 percent or more of the business’s annual revenue from selling consumers’ information.  

Consumer Rights

• the right to request disclosure of certain information
• the right to request deletion of certain information; providing consumers
• the right to request and receive a disclosure of personal information sold or disclosed
• the right to opt-in and out of the sale of personal information 

Business Requirements

The act requires businesses to: 

• write privacy policies in plain language and include:
  • how the consumer may request their data be corrected or deleted
  • What personal information is collected and what reasons it is collected for
  • whether the information is shared or sold and to what type of entities
  • consumers’ right to opt into the sale of their personal information and web link to do so
  • how long the data is retained. 
• when requested by the consumer, disclose personal data 
• when requested by the consumer, disclose if the data is shared and the category of third parties with whom the business shares the personal information
• delete data if requested by the consumer. This also includes the data that was shared with third parties
• conspicuously inform consumers of their rights to opt out of personalized advertising
• provide requests within 45 days with extensions, if needed 
• protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification  

The act prohibits businesses from:

• sharing personal data to third parties unless it is necessary to provide a requested good or service or for security purposes or fraud detection; and
• denying service or altering prices or services based on a consumer’s rights granted in the measure.  

The act allows businesses to: 

• incentivize consumers for sharing their data by providing discounts or payments to consumers who voluntarily participate in a program that rewards consumers for repeated transactions;
• limit records requests to twice per 12-month period for each consumer; and 
• charge a fee in the case of baseless or excessive verifiable consumer requests.  

Enforcement

The measure directs the attorney general to enforce the act. Intentional violations may be liable for up to $7,500 per violation and unintentional violations may be liable for up to $2,500 per violation.  

Exemptions

The measure provides exemptions, such as activity subject to the Fair Credit Reporting Act, medical information governed by privacy health laws, de-identified information derived from a HIPAA-regulated entity, personal data used in accordance with the Gramm-Leach-Bliley Act of 1999 or the Driver’s Privacy Protection Act of 1994, and businesses outside this state where every aspect of the collection or sale of personal data occurred outside of Oklahoma.  Prepared 

This measure creates new laws relating to the privacy of computer data, providing protections for consumers’ personal information and enacting guidelines for businesses collecting consumer data information. 

What is a Comprehensive Privacy Law?

A comprehensive privacy law, also known as a comprehensive data protection law or a general data protection regulation, is a legal framework that sets out rules and regulations for the collection, use, storage, and protection of personal data. It is designed to safeguard individuals’ privacy rights and establish guidelines for organizations that handle personal information.

A comprehensive privacy law typically encompasses several key elements:

1. Scope and applicability: It defines the types of personal data covered by the law and specifies the entities and individuals subject to its provisions. This may include businesses, government agencies, and other organizations that process personal data.
2. Consent and individual rights: It outlines the requirements for obtaining valid consent from individuals before collecting and processing their personal data. It also grants individuals certain rights, such as the right to access their data, correct inaccuracies, and request its deletion.
3. Data handling practices: It establishes rules and principles for how organizations should handle personal data. This may include requirements for data minimization (collecting only the necessary data), purpose limitation (using data only for specified purposes), and data accuracy.
4. Security and data breaches: It mandates organizations to implement appropriate security measures to protect personal data from unauthorized access, loss, or misuse. It may also require organizations to report data breaches promptly and take necessary actions to mitigate harm.
5. Enforcement and penalties: It establishes regulatory authorities responsible for enforcing the privacy law, conducting investigations, and imposing penalties or fines for non-compliance. The penalties may vary based on the severity of the violation.

The European Union’s General Data Protection Regulation (GDPR) is an example of a comprehensive privacy law that sets high standards for data protection and privacy across its member states. Many US states have also implemented comprehensive laws, and the trendsetter is California’s  CPRA.

Centraleyes State Privacy Tracker

Stay with Centraleyes as we provide day-to-day updates on new developments in the area of state privacy laws.