Global Data Privacy Guide
USA, Oklahoma (United States)
Firm: Crowe Dunlevy
Contributors: Anthony Hendricks

What is the key legislation?
Oklahoma has no single comprehensive data privacy legislation. Instead, Oklahoma has enacted several laws that safeguard personal information and an individual's right to privacy. Relevant state laws related to data privacy in Oklahoma include:
- Financial Privacy Act (6 O.S. §§ 2201 – 2208)
- Security Breach Notification Act (24 O.S. §§ 161 – 166)
- Electric Usage Data Protection Act (17 O.S. § 710.4)
- Personal Privacy Protection Act (51 O.S. § 50)
- Statutes regarding unsolicited commercial communications, including the Fraudulent Use of Electronic Mail Act (15 O.S. §§ 776.1 - 776.7), Anti-Phishing Act (15 O.S. §§ 776.8 - 776.12), Anti-Caller ID Spoofing Act (15 O.S. § 776.23), and Oklahoma Consumer Protection Act provisions on commercial telephone solicitation (15 O.S. § 775A.4)
- Security of Communication Act (13 O.S. §§ 176.1 - 176.7)
- Student Data Accessibility, Transparency and Accountability Act of 2013 (70 O.S. § 3-168)
Along with state law, companies and individuals in Oklahoma may also have to comply with Federal laws related to data privacy and security.

What data is protected?
The data protected varies by statute.
Financial Privacy Act
The act prohibits financial institutions from giving, releasing or disclosing any financial records to a government authority without either the written consent of the customer or being served with a subpoena. 'Government authority' under the act means any agency, board, commission or department of the State of Oklahoma, or any officer, employee, representative, or agent thereof (6 O.S. § 2202(c)). Oklahoma case law interprets government authority to also include trial court judges and municipal police officers.
Security Breach Notification Act
Section 163 of the Security Breach Notification Act (24 O.S. §§ 161 – 166) provides that entities that own or license data that includes personal information are required to disclose breaches under certain circumstances. Entities are required to notify any affected individual if:
- unredacted or unencrypted personal information was accessed and acquired by an unauthorized person;
- the encrypted information is accessed and acquired in an unencrypted form; or
- the security breach involves a person with access to the encryption key.
'Personal Information' means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:
- social security number;
- driver license number or state identification card number issued in lieu of a driver license; or
- financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to the financial accounts of a resident.
Electric Usage Data Protection Act
The Electric Usage Data Protection Act places restrictions on how electric utilities can disclose customer information. Electric utilities are required to maintain the confidentiality of customer information (Title 17 O.S. § 710.4). Section 710.6 provides that electric utilities can provide customer information with customer consent to affiliates and third-party contractors. Electric utilities are also allowed to disclose customer information as required by law, under a warrant or subpoena, as part of a merger or sale, in emergency situations, or with the written consent of the customer.
Personal Privacy Protection Act
The Personal Privacy Protection Act provides that a public agency cannot require any individual to provide personal affiliation information or compel the release of personal affiliation information. Public agencies also cannot release, publicize or otherwise publicly disclose any personal affiliation information in the possession of the public agency, or request or require a current or prospective contractor or grantee with the public agency to provide the public agency with a list of entities organized pursuant to Section 501(c) of the United States Internal Revenue Code to which it has provided financial or nonfinancial support. Personal affiliation information is defined as “any list, record, register, registry, roll, roster or other compilation of data of any kind that directly or indirectly identifies a person as a member, supporter, or volunteer of, or donor of financial or nonfinancial support to, any entity organized pursuant to Section 501(c) of the United States Internal Revenue Code.”
Student Data Accessibility, Transparency and Accountability Act of 2013
The Student Data Accessibility, Transparency and Accountability Act of 2013 places restrictions on access to student information held by the Oklahoma State Department of Education. Access to student information is restricted to (1) authorized staff and contractors of the Department of Education; (2) district administrators, teachers, and school personnel who require access to this data to perform assigned duties; (3) students and their parents; and (4) authorized staff of other state agencies as required by law or as part of an interagency data-sharing agreement.

Who is subject to privacy obligations?
Applicability varies by law. The state privacy laws apply as follows:
Financial Privacy Act
Oklahoma’s Financial Privacy Act applies to financial institutions.
Security Breach Notification Act
Oklahoma’s Security Breach Notification Act applies to individuals and entities that own or license computerized data that includes personal information of any resident of Oklahoma.
Student Data Accessibility, Transparency and Accountability Act of 2013
The Student Data Accessibility, Transparency and Accountability Act only addresses the Oklahoma Department of Education and does not address the records held by individual schools.

What are the principles applicable to personal data processing?
There is no Oklahoma-specific statute regarding this.

How is the processing of personal data regulated?
Oklahoma does not have a specific law that addresses this.

How are storage, security and retention of personal data regulated?
Oklahoma does not have a specific law that addresses this.

What are the data subjects' rights?
There are no Oklahoma laws.

Are there restrictions on cross-border data transfers?
There are no Oklahoma laws.

Are there any notification requirements for data breaches?
Entities and individuals are required to notify any affected individual if:
- unredacted or unencrypted personal information was accessed and acquired by an unauthorized person;
- the encrypted information is accessed and acquired in an unencrypted form; or
- the security breach involves a person with access to the encryption key.
Notice under the Security Breach Notification Act can be delayed if a law enforcement agency advises that disclosure would impede an investigation or impact national or homeland security.

Who is the privacy regulator?
The Oklahoma Attorney General regulates privacy.

What are the consequences of a privacy breach?
Following a data breach, the entities and individuals are required to provide notices to the affected parties. Please see the section on notification requirements.

How is electronic marketing regulated?
Electronic marketing is subject to the Oklahoma Consumer Protection Act along with laws that address spoofing and phishing.
Oklahoma Consumer Protection Act
The Oklahoma Consumer Protection Act prohibits several enumerated “unfair or deceptive trade practices,” including misrepresentations, false statements, and bait and switch advertising.
Anti-Caller ID Spoofing Act
The Anti-Caller ID Spoofing Act makes it illegal for a caller to knowingly insert false information into a caller identification system with the intent to mislead, defraud, or deceive the recipient of a telephone call (15 O.S. § 776.23).
Anti-Phishing Act
Oklahoma has an Anti-Phishing Act that makes it unlawful for any person, by means of a web page or a link to a web page, to solicit, request, or take any action to induce another person to provide identifying information by representing himself, herself, or itself to be a business without the authority or approval of the business (15 O.S. §§ 776.8 - 776.12). The Anti-Phishing Act provides a private right of action that allows victims to seek injunctive relief and damages.
Fraudulent Use of Electronic Mail
The Fraudulent Use of Electronic Mail provision of the Oklahoma Consumer Protection Act makes it unlawful to send an e-mail when the sender knows that the e-mail does not contain an identifying point of origin or contains false, misleading, or malicious material that could purposefully or negligently injure a person (15 O.S. §§ 776.1 - 776.7).

Are there any recent developments or expected reforms?
The Oklahoma State Legislature is currently debating two consumer data privacy laws.
The 2021 Oklahoma Computer Data Privacy Act would require businesses to get consent before collecting data, and consumers would have to opt in to the sale of their data. The bill also provides consumer rights.
The 2022 version of the bill allows businesses to collect and share data with third parties only if it is necessary to provide goods and services. Companies would also be required to inform consumers of their right to opt out of personalized advertising. The bill also includes consumer rights.