
Oklahoma does … something?
On January 13, Rep. Collin Walke (D-Oklahoma City) filed the [acp title=”Oklahoma E-Mail Communication Content Privacy Protection Act” media=”website” url=”https://legiscan.com/OK/sponsors/HB2810/2020″ author=”Collin Walke” id=”walke-01″ day=”13″ month=”January” year=”2020″ day_access=”22″ month_access=”January” year_access=”2020″]{title}[/acp]. This bill is intended to “make it illegal for companies, like Google or Microsoft, that host email servers to glean information from users” [acp title=”Facebook post” author=”Collin Walke” media=”website” month=”January” day=”14″ year=”2020″ url=”https://www.facebook.com/Walkefor87/posts/2657786940984444″ month_access=”January” day_access=”22″ year_access=”2020″ id=”walke-02″]({title}, {day} {month} {year})[/acp].
The bill itself is pretty short. There is a general prohibition saying:
No email service provider shall conduct any form of scanning of the subject lines or body of any email communication sent to or by any of its clients nor shall such email service provider allow any other person, whether directly or indirectly, to perform a scan of any such email communications.
[acp title=”Oklahoma E-Mail Communication Content Privacy Protection Act” media=”website” url=”https://legiscan.com/OK/sponsors/HB2810/2020″ author=”Collin Walke” id=”walke-01″ day=”13″ month=”January” year=”2020″ day_access=”22″ month_access=”January” year_access=”2020″]{title}[/acp], Sec 3.A.
That’s pretty heady stuff there. It would seem to prohibit things like spam or virus filters from operating. After all, both of those work by scanning the content of messages. Thankfully, the definitions of the bill tighten things up a bit:
“Scanning” means any process pursuant to which any part of the content of an email communication is analyzed, summarized, interpreted or otherwise examined by human action or by the use of software, analytical programs, algorithms or any other method that allows a person or business entity, including the email service provider, to acquire information about the email client which includes personal information about the client such as their name, mailing address, phone number or numbers, other email addresses, financial information or any other information about the email client which can be derived from the scanning of the client’s email communications
[acp title=”Oklahoma E-Mail Communication Content Privacy Protection Act” media=”website” url=”https://legiscan.com/OK/sponsors/HB2810/2020″ author=”Collin Walke” id=”walke-01″ day=”13″ month=”January” year=”2020″ day_access=”22″ month_access=”January” year_access=”2020″]{title}[/acp], Sec 2.9.
It doesn’t help that they don’t actually define “email client,” but I think that we can safely assume that it means “a person using an email service” as opposed to the mail user agent (like Outlook or Thunderbird). But, making this assumption, the text appears to be aimed mainly at the large webmail providers who use some basic scanning of a message to display relevant ads to their users.
That said, the prohibition is pretty large. While the term “scanning” seems to narrow itself to what we might refer to as “Personally Identifiable Information” (or “PII”), it is important to note that this is inclusive language: “acquire information about the email client which includes personal information…” Thus, we should note that the intent here is not just to prohibit “scanning” messages to find PII which might be used by the provider, but rather to prohibit the gathering of ANY data from the message which might be useful for any purpose.
What I’m really uncertain of at the moment is how this bill would play with the long-standing [acp title=”Electronic Communications Privacy Act” url=”https://www.law.cornell.edu/uscode/text/18/part-I/chapter-119″]{title}[/acp] which seems to already prohibit the interception and unauthorized use of stored communications.
This is certainly a bill that I’ll be watching this year.