Late last month, Oklahoma’s governor signed into law a new consumer-focused bill offering residents new data rights, but one data-privacy expert said that most will not notice changes in their day-to-day lives.
Starting Jan. 1, Senate Bill 546 will establish new consumer rights regarding personal data, including requiring that businesses allow Oklahomans to access, correct, delete and obtain copies of their personal data. They can also opt out of the sale of their personal data and certain targeted advertising practices, and it creates clear rules for businesses that collect and process information from Oklahoma residents.
Oklahoma’s law is modeled similarly to Virginia’s consumer data privacy law, which privacy advocates have critiqued as too business-friendly and lax on enforcement because it doesn’t offer a private right of action that allows private citizens to sue violators. Instead, it offers businesses a “cure period” of 30 days, to correct errors before they face penalties.
Roshni Patel, an attorney at the international law firm Troutman Pepper Locke, said Oklahoma’s law in some ways has a narrower scope and is more business friendly than more stringent comprehensive consumer privacy laws, but that it’s representative of a “middle of the road” approach to regulating data privacy.
“Some of the definitions are lighter than what we see in California and Colorado, and then some of the more stringent requirements from California are missing as well,” Roshni said.
Those definitions, like what constitutes “sensitive personal information,” do not include things like neural data, as Colorado’s data privacy law regulates. The law also includes a narrowed definition of data “sale,” limiting it to data exchanged for money. California’s law broadly defines data sales as transactions involving “any valuable consideration.”
The businesses regulated by Oklahoma’s law — those operating in Oklahoma that either process personal data of more than 100,000 consumers, or process data of 25,000 consumers while earning a majority of revenue from selling data — are required also to provide transparent privacy notices, maintain reasonable data security practices and obtain consumer consent before processing sensitive personal information.
Despite this, consumers may not notice any changes, Patel said. She noted that only those who “know enough to check privacy policy” may see that they have rights specifically offered. And because some companies are opting to offer these rights to all users anyway, instead of attempting to comply with a patchwork of varying regulations across state lines, Oklahoma’s law might not make that much of a splash.
“Some companies are choosing now, with 20 state privacy laws in effect, or taking effect soon, to just give rights to the entire U.S. population. So if you make a request, they’ll honor it, regardless of where you reside,” Patel said. “As the laws are becoming slightly different, and we’re seeing more of them, we have seen sort of a shift towards companies now only offering rights to residents of states that have privacy laws.”
She said one change is that “Oklahoma residents will now have rights to exercise with respect to the processing of their personal information. … But it is kind of like you have to be in the know, because there’s no flashy DROP system, like in California.”
Though Oklahoma’s law may not stand out, Patel said it’s still notable that states are attempting to regulate privacy where federal lawmakers have failed. Some experts have noted that efforts to pass a national data privacy law have been somewhat eclipsed by controversies surrounding artificial intelligence regulation.
“The context and timing does make it interesting, but they didn’t really include anything too notable or anything that stands out,” she said. “So it seems like they want to give their residents the baseline rights that other state residents now have.”
