Oklahoma’s “Opt-In” Data Privacy Bill Could be First of Its Kind in US
The Oklahoma House Technology Committee unanimously recommended that the state’s legislature vote on House Bill 1602, aka the Oklahoma Computer Data Privacy Act (“OCDPA”), which if approved would require companies to obtain explicit permission to collect and sell personal data. The legislation has bipartisan support and is co-authored by more than 40 representatives and senators and is expected to pass when the bill comes to a vote.
Is Oklahoma’s Bill the Same as CCPA?
Though there are similarities in the laws, there are two significant developments with the OCDPA. First, the legislation is one of the first “opt-in” data privacy bills in the country, meaning that companies will have to ask for consent prior to collecting personally identifiable information (“PII”), which includes information such as name, email address, phone number and IP address. In that sense, the OCDPA may look more like GDPR than CCPA; the latter of which is an “opt-out” jurisdiction. Second, the OCDPA has bright-line thresholds which should exempt some small businesses from compliance obligations, however these thresholds are lower than regulations such as CCPA, so a higher percentage of businesses collecting data from Oklahoma residents are likely to be in scope.
What Companies are Affected?
OCDPA would apply to any company that does business in Oklahoma that collects consumers’ personal information or has that information collected on the business’s behalf and satisfies one or more of the following thresholds:
- has annual gross revenue over $10,000,000.00;
- annually alone or in combination with entities buys, sells, or receives or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
- derives 25% or more of the business’s annual revenue from selling consumers’ personal information.
As with CCPA, OCDPA is an “or” test, meaning that if your company exceeds any of these three brightline thresholds, you’re in scope.
What Rights Does OCDPA Provide to Consumers?
OCDPA enumerates a number of rights for consumers, including:
- The right to request disclosure of certain information;
- The right to request the deletion of their information;
- The right to request and receive a disclosure of personal information sold or disclosed;
- The right to opt in and out of the sale of their personal information; and
- The right to prohibit retention, use or disclosure of their own personal data.
What Are the Penalties for Noncompliance?
OCDPA includes a provision for a private right of action, meaning that private citizens would be able to file a lawsuit or make a claim against an offending company and receive injunctive relief, actual damages and statutory damages up to $7,500 for intentional violations. Additionally, the Oklahoma Corporation Commission can enforce OCDPA against companies in the same manner as private citizens.
When Will OCDPA Be Implemented?
If passed, OCDPA would become effective on November 1, 2021, meaning that companies will need to get compliant quickly if the bill passes.
The proposed OCDPA would be yet another privacy law with which businesses need to comply, and the nuances of each law exclude the possibility for a one-size-fits-all solution. Implementing a flexible approach will be key to compliance efforts as additional laws around the country and globe continue to be implemented.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.