
Oklahoma Becomes 20th State to Enact a Comprehensive Consumer Data Privacy Law

Oklahoma Gov. Kevin Stitt signed into law Senate Bill 546 on March 20, making Oklahoma the 20th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island. The Act will go into effect Jan. 1, 2027.

APPLICABILITY

The Act applies to a controller or processor who:

  1. Conducts business in Oklahoma or produces a product or service targeted to the residents of Oklahoma; and
  2. During a calendar year, either:
    1. Controls or processes personal data of at least 100,000 consumers, or
    2. Controls or processes personal data of at least 25,000 consumers and derives 50 percent of gross revenue from the sale of personal data.

EXEMPTIONS

Exemptions include, in part:

  1. A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act;
  2. A covered entity or business associate governed by the privacy, security, and breach notification rules established under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
  3. Protected health information under HIPAA;
  4. A nonprofit organization;
  5. An institution of higher education;
  6. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act;
  7. Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party.

CONSUMER RIGHTS

Consumers have the right to:

  1. Confirm whether a controller is processing their personal data and to access the personal data;
  2. Correct inaccuracies in the consumer’s personal data;
  3. Delete personal data provided by or obtained about the consumer;
  4. If the data is available in a digital format, obtain a copy of the personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format;
  5. Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

SENSITIVE DATA

A controller may not process the sensitive data of a consumer without obtaining the consumer’s consent or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act.

“Sensitive data” includes:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
  2. Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  3. Personal data collected from a known child; or
  4. Precise geolocation data.

CONTRACT REQUIREMENTS

A contract between a controller and a processor must govern the processor’s data processing procedures and include:

  1. Clear instructions for processing data;
  2. The nature and purpose of processing;
  3. The type of data subject to processing;
  4. The duration of processing;
  5. The rights and obligations of both parties; and
  6. A requirement that the processor:
    1. Ensure that each person processing personal data is subject to a duty of confidentiality;
    2. Delete or return all personal data to the controller if requested;
    3. Make available to the controller all information in the processor’s possession necessary to demonstrate compliance;
    4. Allow and cooperate with reasonable assessments;
    5. Require subcontractors to meet the same requirements pursuant to a written agreement.

DATA PROTECTION ASSESSMENTS

A controller must conduct and document a data protection assessment for each of the following processing activities involving personal data:

  1. The processing of personal data for purposes of targeted advertising;
  2. The sale of personal data;
  3. The processing of personal data for purposes of certain profiling;
  4. The processing of sensitive data; and
  5. Any processing activities involving personal data that present a heightened risk of harm to consumers.

ENFORCEMENT

The Attorney General has exclusive authority to enforce the Act and may seek a civil penalty not to exceed $7,500 per violation. The Act provides a 30-day cure provision.

IMPRESSION

The Act is sensible legislation that balances the rights of consumers with the impact on businesses. The Act follows the pattern of many post-California comprehensive data privacy laws and should not present overly burdensome compliance challenges for those that must comply with one or more of the other laws.

Photo: squeemu/stock.adobe.com

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional through the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/
