The Oklahoma Computer Data Privacy Act
The Oklahoma House has passed House Bill 2969. It is a comprehensive privacy bill. Right now, it needs to be passed in the Senate, then to get the governor’s signature to become a law. If that happens, it will join the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act, Colorado Privacy Act, and Utah Consumer Privacy Act as another comprehensive state privacy law.
The law applies to businesses that do business in the state of Oklahoma, collect consumer personal information, determines the purpose for and means of processing consumers’ personal information, and either has annual gross revenue in excess of $15 million, annually, buys, sells, receives, or shares for commercial purposes the personal information of fifty thousand or more consumers, households, or devices, or derives 25% or more of the business’s annual revenue from selling consumer’s personal information.
The thresholds that are used to determine whether a business must comply with the law can be loosely categorized as the capability threshold ($25 million in annual gross revenue), the interactive threshold (transacts with the personal information of 50,000 consumers, households, or devices), and the business model threshold (25% or more of the revenue is from selling consumers’ personal information.)
Oklahoma’s business model threshold is more privacy friendly than similar provisions in other laws. The business model threshold specifically targets data brokers. By comparison, CCPA only considers a business a regulable data broker if they derive 50 percent or more of their annual revenues from selling or sharing consumers’ personal information. Colorado doesn’t specifically target data brokers in the same way. Virginia uses a hybrid interactive-business model threshold. The business has to control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data. Utah mirrors Virginia.
In this respect, the Oklahoma Computer Data Privacy Act (OCDPA) is the best at ensuring that data brokers are obligated to comply with the data privacy law.
Under the Act, consumers have rights of access, they can request from the business that it disclose to them the categories and specific items of personal information that the business has collected. Consumers can also request deletion of their personal information under the Act. If a business sells or discloses for a business purpose the consumer’s personal information, the consumer can request that the business discloses the categories of personal information the business collected about the consumer, the categories of personal information about the consumer the business sold or disclosed for a business purpose, and the categories of third parties to whom the personal information was sold or disclosed.
Consumers also have the right to opt-out of sale of their personal information. This specifically applies to data collected about them prior to the effective date of the law. After the effective date of the act, businesses will be prohibited from collecting consumer personal information directly from the consumer prior to notifying them of each category of personal information to be collected and for what purposes information will be used, as well as obtaining the consumer’s consent to collect their personal information.
This significant provision, in a bill that is very likely to be signed into law, will have a big impact on data privacy compliance. It makes consent management very important. Thankfully, Clarip offers consent management solutions. Clarip also provides automated data subject request fulfillment, data mapping, vendor management, website scanning, data risk intelligence, and much more. Visit us at www.clarip.com or call 1-888-252-5653 to learn more.
Email Now:
Mike Mango, VP of Sales
mmango@clarip.com
Other Articles on this Topic:
Guidance on the Right to Know under the CCPA
Data Privacy and the Class-action Lawsuit
Data Privacy and the Private Right of Action
The CCPA: Loyalty Programs Put on Notice
US Data Privacy Law High-Water Mark: Entity Exemptions
US Data Privacy Law High-Water Mark: Data Exemptions
US Data Privacy Law High-Water Mark: Applicability