Oklahoma does … something?

23 January 2020

On January 13, Rep. Collin Walke (D-Oklahoma City) filed the Oklahoma E-Mail Communication Content Privacy Protection Act. This bill is intended to “make it illegal for companies, like Google or Microsoft, that host email servers to glean information from users” (Facebook post, 14 January 2020).

The bill itself is pretty short. There is a general prohibition saying:

No email service provider shall conduct any form of scanning of the subject lines or body of any email communication sent to or by any of its clients nor shall such email service provider allow any other person, whether directly or indirectly, to perform a scan of any such email communications.

Oklahoma E-Mail Communication Content Privacy Protection Act, Sec 3.A.

That’s pretty heady stuff there. It would seem to prohibit things like spam or virus filters from operating. After all, both of those work by scanning the content of messages. Thankfully, the definitions of the bill tighten things up a bit:

“Scanning” means any process pursuant to which any part of the content of an email communication is analyzed, summarized, interpreted or otherwise examined by human action or by the use of software, analytical programs, algorithms or any other method that allows a person or business entity, including the email service provider, to acquire information about the email client which includes personal information about the client such as their name, mailing address, phone number or numbers, other email addresses, financial information or any other information about the email client which can be derived from the scanning of the client’s email communications

Oklahoma E-Mail Communication Content Privacy Protection Act, Sec 2.9.
Read moreSending email to wireless domains?

It doesn’t help that they don’t actually define “email client,” but I think that we can safely assume that it means “a person using an email service” as opposed to the mail user agent (like Outlook or Thunderbird). But, making this assumption, the text appears to be aimed mainly at the large webmail providers who use some basic scanning of a message to display relevant ads to their users.

That said, the prohibition is pretty large. While the term “scanning” seems to narrow itself to what we might refer to as “Personally Identifiable Information” (or “PII”), it is important to note that this is inclusive language: “acquire information about the email client which includes personal information…” Thus, we should note that the intent here is not just to prohibit “scanning” messages to find PII which might be used by the provider, but rather to prohibit the gathering of ANY data from the message which might be useful for any purpose.

What I’m really uncertain of at the moment is how this bill would play with the long-standing Electronic Communications Privacy Act which seems to already prohibit the interception and unauthorized use of stored communications.

Read morePrior Business Relationships are irrelevant

This is certainly a bill that I’ll be watching this year.

Bibliography

  1. Oklahoma E-Mail Communication Content Privacy Protection Act, Collin Walke (2020, January 13). Retrieved January 22, 2020 from https://legiscan.com/OK/sponsors/HB2810/2020.
  2. Facebook post, Collin Walke (2020, January 14). Retrieved January 22, 2020 from https://www.facebook.com/Walkefor87/posts/2657786940984444.
  3. Electronic Communications Privacy Act (n.d.). Retrieved from https://www.law.cornell.edu/uscode/text/18/part-I/chapter-119.