Oklahoma Legislature looks to pass numerous new consumer privacy laws
In a January 22nd article titled “Oklahoma the latest state to consider consumer data privacy legislation,” we discussed House Bill 1602, a recently proposed bipartisan bill that, if passed, would require certain companies to obtain prior consent before using, processing or selling data collected from Oklahoma consumers online. Last week, that bill and many others concerning data privacy were passed by the Oklahoma House of Representatives and may become state law if passed by the Oklahoma Senate. Below is a quick summary of these multiple data privacy and cybersecurity bills making their way through the state Legislature.
Oklahoma Computer Data Privacy Act
House Bill 1602, also known as the Oklahoma Computer Data Privacy Act, was passed by the House last week after going through a notable amendment process. The Act, which is now co-authored by approximately 40 state representatives and senators, would require companies that do a certain type or amount of business in Oklahoma to obtain consent from consumers before collecting their personal information. The Act has received national press as one of the first “opt-in” data privacy bills in the country, requiring that consumers first “opt in” for collection, use and sale of their information instead of allowing these activities until a consumer “opts out.”
Since our prior article on the bill, House Bill 1602 was amended to provide exclusive enforcement authority of the Act to the Oklahoma attorney general and to remove the private right of action from the legislation. As a result, instead of the Oklahoma Corporation Commission and private litigants enforcing the Act, the amended bill allows the attorney general to pursue civil litigation to collect damages and seek injunctive relief on behalf of the state. The recent amendment also pushed the effective date from November 1, 2021 to January 1, 2023.
Oklahoma Consumer Protection Act amendment
Electronic monitoring of employees’ accounts
House Bill 1126 is another privacy bill making its way through the state Legislature and would require that businesses provide prior written notice of any electronic monitoring of their employees’ “accounts.” Importantly, the bill does not define which “accounts” can be monitored only with prior notice. However, based on where the bill would be codified, it appears the legislation aims to regulate monitoring of employee e-mail accounts. The proposed legislation provides one enumerated exception to this notice requirement: when an employer has reasonable grounds to believe employees are engaged in illegal conduct about which monitoring may produce evidence. House Bill 1126 would also require state agencies and political subdivisions to adopt a written policy on electronic monitoring. If passed, the bill would become law effective November 1, 2021.
Disclosures on websites
House Bill 1130 would create a new law that would require every for-profit business that operates a website or mobile application in the state to publish on its homepage or within the mobile app the categories of personal information it collects, how it uses the information, if it discloses or sells the information to third-parties, and the process for consumers to request changes to the personal information collected by the business. Like the recently amended Oklahoma Computer Data Privacy Act, this bill would be exclusively enforced by the Oklahoma attorney general. House Bill 1130 was referred to legislative committee on February 21, 2021 and has not yet been heard or passed by the Oklahoma House; however, it is still eligible to be heard later this year.
Oklahoma Computer Crimes Act amendment
House Bill 1759 updates Oklahoma’s criminal laws to more accurately reflect current technology and technological threats. This bill proposes to amend the Oklahoma Computer Crimes Act so as to modernize its language to ensure the Oklahoma Computer Crimes Act imposes criminal violations and penalties for things such as ransomware and other cyberattacks. House Bill 1759 unanimously passed the House Judiciary-Criminal Committee on February 19th and is now eligible to be heard by the whole House. If signed into law, the changes proposed by the bill will take effect November 1, 2021.
Next steps for businesses
Although many of these bills are still making their way through the state Legislature, businesses should start reviewing their online privacy policies and practices now as several of these bills, if signed into law, will go into effect as early as this November.
For more information about these bills and other cybersecurity issues that may affect your business, be on the lookout for more articles and McAfee & Taft’s continuing video Q&A series, “What You Need to Know About Data Privacy and Cybersecurity,” continuing throughout 2021.
From general inquiries to drafting, implementing and training your workforce, McAfee & Taft can help you navigate these and other cybersecurity issues using decades of experience and a collection of best practices and resources. For more information on these and other privacy law and cybersecurity issues questions, please feel free to contact one of our Data Privacy and Cybersecurity attorneys.