Opt-in or Opt-out? How Oklahoma’s “Opt-in” Data Privacy Law Flips the Script
On March 4, 2021 the Oklahoma House of Representatives passed House Bill 1602, better known as the Consumer Data Privacy Act (CDPA). If adopted into law, Oklahoma would be the third state–and the second this year–to pass a comprehensive consumer data privacy statute.
All around the country state lawmakers are debating bills that would provide data privacy protections. Just last month the Virginia General Assembly passed their own comprehensive information privacy statute (confusingly, this law is also titled the Consumer Data Privacy Act, or CDPA). State laws are seen by many as a stop-gap measure to make up for the absence of comprehensive federal data privacy legislation. Until there is a federal law on the subject, states will continue to pass laws with differing compliance standards. State lawmakers have looked to the trailblazing California Consumer Privacy Act (CCPA) as a model for their own bills to standardize requirements and reduce compliance risk for data processing businesses. Oklahoma certainly copied from California’s homework in drafting its own CDPA, but Oklahoma’s “opt-in” provision is a major innovation that takes US law in the direction of the EU’s markedly pro-consumer General Data Protection Regulation (GDPR). Let’s take a quick look at some key aspects of Oklahoma’s CDPA.
Who would Oklahoma’s bill regulate?
Oklahoma’s bill would only apply to data collection and processing businesses that meet one of the following criteria: (1) exceeds gross annual revenues of $10,000,000; (2) commercializes the personal information of over 50,000 consumers; or (3) derives 25 percent of annual revenue from selling consumer personal information. This is roughly in line with the criteria used under the CCPA. Much like California and Virginia before it, Oklahoma’s bill tries to avoid federal preemption by exempting businesses that deal with medical information and financial information, since both categories of data are regulated at the federal level by HIPAA and the Gramm-Leach-Bliley Act respectively. Notably, however, Section 5 of the bill would also exempt print media, wire services, and federally licensed radio and television stations from obligations under the CDPA. This is the first time a comprehensive state data privacy law would specifically address applicability to media outlets. States are likely to follow Oklahoma’s lead to ensure future data privacy statutes do not infringe on freedom of the press.
How is Oklahoma’s bill similar to previous state laws?
Oklahoma’s bill takes direct inspiration from its sister law in California. The text of the bill contains notice requirements, enforcement provisions, and data subject rights that read almost identically to comparable provisions first pioneered in California’s CCPA. In other words, all the greatest hits are here. Consumers can request a business disclose categories of data collected as well as any specific items of personal data collected from the consumer in the last 12 months. Consumers may request a business delete any personal information collected. Consumers may also request a business disclose any third-party entities to which personal data has been sold. These three consumer rights–access, deletion, and commercial transparency–have become boilerplate language for any state attempting to pass comprehensive data privacy protections.
How is Oklahoma’s bill different from previous state laws?
The biggest difference between the Oklahoma bill and both existing state laws is a new “opt-in” right for consumers. The laws in California and Virginia both contain “opt-out” rights, which allow a consumer to tell a business they opt out of any future sale or disclosure of personal data. Oklahoma flips the script, requiring businesses to provide consumers a clear and conspicuous link on their website which enables “opt-in” consent. Sale of data without first receiving opt-in consent is unlawful, and businesses could face fines upwards of $7,500 when they sell data from Oklahoma consumers who have yet to opt in. The opt-in requirement also applies to any third parties who seek to sell an Oklahoma consumer’s data, even after purchasing it from another source which already obtained opt-in consent. Businesses may still collect and process data from an Oklahoma consumer without requiring opt-in consent, but the Oklahoma House of Representatives wanted to create a clear distinction between collection and processing activities–which consumers have reasonably come to expect in the course of internet use–and the sale of personal data.
Opt-in regimes of this sort are bound to be controversial, since data brokerage is a lucrative industry with growing importance. Opt-in rights are also generally harder to administer than opt-out rights, especially where opt-in requirements are imposed on data wholesalers who had no initial contact with the consumer. No previous US state laws have used opt-in models for general consumer activities, preferring instead to provide opt-in protections solely to children. Across the Atlantic, however, the opt-in model is used extensively under the EU’s GDPR. Philosophically, the GDPR is designed to provide consumers greater ownership rights over their data. Because of this, opt-in consent is necessary for collection, processing, and sale of personal information under Article 7 of the GDPR. Oklahoma’s bill does not go as far as the GDPR, since Oklahoma would only provide opt-in rights when a business seeks to sell a consumer’s data. For the United States, however, this appears to be a major step towards something like the data ownership approach used in Europe.
Conclusion
Twenty-three states are currently considering their own data privacy bills. Every year more state legislatures are recognizing that companies that collect and process consumer data have a civic responsibility to uphold consumer privacy. As more states adopt comprehensive consumer data protection laws, companies must identify and minimize the consumer data that they own, collect, and process to reduce multi-jurisdictional regulatory risk. Data minimization and privacy by design strategies will reduce these risks and protect companies from costly enforcement actions.
About Ardent Privacy
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.
For more information visit https://ardentprivacy.ai/ and for more resources here.
Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.