Req. No. 7151 Page 1 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
STATE OF OKLAHOMA
1st Session of the 58th Legislature (2021)
HOUSE BILL 1602 By: Walke and West (Josh)
AS INTRODUCED
An Act relating to privacy of computer data; enacting
the Oklahoma Computer Data Privacy Act; defining
terms; providing that this act applies to certain
businesses that collect consumers ' personal
information; providing exemptions; prescribing
compliance with other laws and legal proceedings;
requiring this act to be liberally construed to align
its effects with other laws relating to privacy and
protection of personal information; providing that
when in conflict federal law controls; providing that
when in conflict with state law the law providing the
greatest privacy or protection to consumers controls;
providing for preemption of local law; providing for
the Oklahoma Corporation Commission to adopt rules to
implement, administer and enforce this act; providing
guidelines for the use of personal information in
research; providing consumers the right to request
disclosure of certain information; providing
consumers the right to request the deletion of their
information; providing consumers the right to request
and receive a disclosure of personal information sold
or disclosed; providing consumers the right to opt in
and out of the sale of their personal information;
finding that individuals in Oklahoma have a right to
prohibit retention, use or disclosure of their own
personal data; finding that Oklahomans have been
exploited for monetary gain and manipulation by
private ventures in utilization of private data;
finding that the protection of individuals ' data is a
core governmental function in orde r to protect the
health, safety and welfare of individuals in
Oklahoma; finding that this act is the least
restrictive alternative n ecessary to protect
Req. No. 7151 Page 2 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
individuals and their rights; find ing that the use of
a strictly "opt-out" method for data privacy is
ineffectual and poses an i mmediate risk to health,
safety and welfare of Oklahomans; providing that
contracts or other agreement s purporting to waive or
limit a right, remedy or mean s of enforcement are
contrary to public policy and are void; requiring
that businesses collecting consumer data information
must inform the consumer of each category of personal
information collected and for which purpose the
information will be used , and obtain the consumer 's
explicit consent; requiring business es that collect,
sell, or for a business purpose disclose consumer s'
personal information to provide an online privacy
policy or a notice of the busin ess's policies;
requiring businesses to designate and make available
methods for submitting a verifiable consumer request
for information that is required to be disclosed or
deleted; requiring business es receiving consumer
requests to promptly take steps t o reasonable verify
the identity of the requesting consumers; requiring
businesses that receive a verifiable consumer request
within a certain timeframe disclose the required
information; requiring businesses that use de-
identified information to not re -identify or attempt
to re-identify a consumer who is the subject of de-
identified information without obtaining permission;
providing that business es may not discriminate
against consumers for exercising their rights;
providing that business es may offer a financial
incentive to consumers for the collection, sale or
disclosure of their personal information; providing
that businesses may not divide a single transaction
into more than one transaction with the intent to
avoid the requirements of this act; requiri ng
businesses to ensure employees hand ling consumer
inquiries about privacy practices are informed of
certain rights, requirements and information;
providing civil penalties; authorizing the Oklahoma
Corporation Commission to take certain actions
against violating businesses; authorizing the
Commission to recover reasonable expenses incurred in
obtaining injunctive relief or civil penalties;
directing the Commission to deposit collected
penalties in a dedicated account in the General
Revenue Fund; providing certain immunities; providing
Req. No. 7151 Page 3 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
protections to service providers; providing for
codification; and providing an effective date.
BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
SECTION 1. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.1 of Title 17, unless there
is created a duplication in numbering, reads as follows:
This act shall be known and may be cited as the "Oklahoma
Computer Data Privacy Act ".
SECTION 2. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.2 of Title 17, unless there
is created a duplication in numbering, reads as follows:
As used in this act:
1. "Aggregate consumer information " means information that
relates to a group or category of consumers from which individual
consumer identities have been removed and that is not linked or
reasonably linkable to a particular consumer or household, including
through a device. The term does not include one or more individual
consumer records that have been de -identified;
2. "Biometric information " means an individual's physiological,
biological or behavioral characteristics that can be used, alone or
in combination with other characteristics or other identifying data,
to establish the individual 's identity. The term includes:
Req. No. 7151 Page 4 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
a. deoxyribonucleic acid (DNA),
b. an image of an iris, retina , fingerprint, face, hand,
palm or vein pattern or a voice recording from which
an identifier template can be extracted such as a
faceprint, minutiae template or voiceprint,
c. keystroke patterns or rhythms,
d. gait patterns or rhythms, and
e. sleep, health or exercise data that contains
identifying information ;
3. "Business" means a for-profit entity, including a sole
proprietorship, partnership, limited liability company, cor poration,
association or other legal entity that is organized or operated for
the profit or financial benefit of the entity 's shareholders or
other owners, but does not include internet service providers so
long as they are acting in their role as interne t service providers;
4. "Business purpose" means the use of personal information
for:
a. the following operational purposes of a business or
service provider, provided that the use of the
information is reasona bly necessary and proportionate
to achieve the operational purpose for which the
information was collected or processed or another
operational purpose that is compatible with the
context in which the information was collected:
Req. No. 7151 Page 5 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
(1) auditing related to a cur rent interaction with a
consumer and any concurrent transactions,
including counting ad impressions to unique
visitors, verifying the positioning and quality
of ad impressions, and auditing compliance with a
specification or other standards for ad
impressions,
(2) detecting a security incident, protecting against
malicious, deceptive, fraudulent or illegal
activity, and prosecuting those responsible for
any illegal activity described by this division,
(3) identifying and repairing or removing errors that
impair the intended functionality of computer
hardware or software,
(4) using personal information in the short term or
for a transient use, provided that the
information is not:
(a) disclosed to a third party, and
(b) used to build a profile about a consume r or
alter an individual consumer 's experience
outside of a current interaction with the
consumer, including the contextual
customization of an advertisement displayed
as part of the same interaction,
Req. No. 7151 Page 6 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
(5) performing a service on behalf of the business or
service provider, including:
(a) maintaining or servicing an account,
providing customer service, processing or
fulfilling an order or transaction,
verifying customer information, processing a
payment, providing financing, providing
advertising or market ing services, or
providing analytic services, or
(b) performing a service similar to a service
described by subdivision (a) of this
division on behalf of the business or
service provider,
(6) undertaking internal research for technological
development and demonstration, or
(7) undertaking an activity to:
(a) verify or maintain the quality or safety of
a service or device that is owned by,
manufactured by, manufactured for or
controlled by the business, or
(b) improve, upgrade or enhance a service or
device described by subdivision (a) of this
division, or
Req. No. 7151 Page 7 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
b. another operational purpose for wh ich notice is given
under this act, but specifically excepting cross -
context targeted advertising, unless the customer has
opted in to the same ;
5. "Collect" means to buy, rent, gather, obtain, receive or
access the personal information of a consumer by any means,
including by actively or passively receiving the information from
the consumer or by observing the consumer 's behavior;
6. "Commercial purpose" means a purpose that is intended to
result in a profit or other tangible benefit or the advancement of a
person's commercial or economic interests, such as by inducing
another person to buy, ren t, lease, subscribe to, provide or
exchange products, goods, property, infor mation or services or by
enabling or effecting, directly or indirectly, a commercial
transaction. The term does not include the purpose of engaging in
speech recognized by state or federal courts as noncommercial
speech, including political speech and jou rnalism;
7. "Consumer" means an individual who is a resident of this
state;
8. "De-identified information " means information that cannot
reasonably identify, relate to, describe, be associated with, or be
linked to, directly or indirectly, a particular c onsumer;
9. "Device" means any physical object capable of connecting to
the Internet, directly or indirectly, or to another device ;
Req. No. 7151 Page 8 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
10. "Identifier" means data elements or other information that
alone or in conjunction with other information can be used to
identify a particular consumer, household or device that is linked
to a particular consumer or household;
11. "Internet service provider" means a person who provides a
mass-market retail service by wire or radio that provides the
capability to transmit data and to receive data from all or
substantially all Internet endpoints, including any capabilities
that are incidental to and enable the operations of the service,
excluding dial-up Internet access service ;
12. "Person" means an individual, sole propr ietorship, firm,
partnership, joint venture, syndicate, business trust, company,
corporation, limited liability company, association, committee and
any other organization or gro up of persons acting in concert;
13. "Personal information " means information that identifies,
relates to, describes, can be associated with or can reasonably be
linked to, directly or indirectly, a particular consumer or
household. The term includes the following categories of
information if the information identifies, relates to, describes,
can be associated with or can reasonably be linked to, directly or
indirectly, a particular consumer or household:
a. an identifier, including a real name, alias, mailing
address, account name, date of birth, driver license
number, unique ident ifier, Social Security number,
Req. No. 7151 Page 9 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
passport number, signature, telephone number or other
government-issued identification number, or other
similar identifier,
b. an online identifier, including an electronic mail
address or Internet Protocol address, or other similar
identifier,
c. a physical characteristic or description, including a
characteristic of a protected classification under
state or federal law,
d. commercial information, including:
(1) a record of personal property,
(2) a good or service purchased, obtained or
considered,
(3) an insurance policy number, or
(4) other purchasing or consuming histories or
tendencies,
e. biometric information,
f. Internet or other electronic network activity
information, including:
(1) browsing or search history, and
(2) other information regarding a consumer 's
interaction with an Internet website, application
or advertisement,
g. geolocation data,
Req. No. 7151 Page 10 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
h. audio, electronic, visua l, thermal, olfactory or other
similar information,
i. professional or employment -related information,
j. education information that is not publicly available
personally identifiable information under the Family
Educational Rights and Privacy Act of 1974,
k. financial information, including a financial
institution account number, credit or debit card
number, or password or access code associated with a
credit or debit card or bank account,
l. medical information,
m. health insurance information, or
n. inferences drawn from any of the information listed
under this paragraph to create a profile about a
consumer that reflects the consumer 's preferences,
characteristics, psychological trends,
predispositions, behavior, att itudes, intelligence,
abilities or aptitudes;
14. "Processing information " means performing any operation or
set of operations on persona l data or on sets of personal data,
whether or not by automated means;
15. "Publicly available information " means information that is
lawfully made available to the public from federal, state or local
government records. The term does not include:
Req. No. 7151 Page 11 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
a. biometric information of a consumer collected by a
business without the consumer 's knowledge or consent,
b. data that is used for a purpose that is not compatible
with the purpose for which the data is:
(1) publicly maintained, or
(2) maintained in and made a vailable from government
records, or
c. de-identified or aggregate consu mer information;
16. "Service provider" means a for-profit entity as described
by paragraph 3 of this section that processes information on behalf
of a business and to which the busin ess discloses, for a business
purpose, a consumer's personal information under a written contract,
provided that the contract prohibits the entity receiving the
information from retaining, using or disclosing the information for
any purpose other than:
a. providing the services specified in the contract with
the business, or
b. for a purpose permitted by this act, including for a
commercial purpose other than pro viding those
specified services;
17. "Third party" means a person who is not:
a. a business to which this act applies that collects
personal information from consumers, or
Req. No. 7151 Page 12 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
b. a person to whom the business discloses, for a
business purpose, a consumer 's personal information
under a written contract, provided that the contract:
(1) prohibits the person receiving the information
from:
(a) selling the information,
(b) retaining, using or disclosing the
information for any purpose other than
providing the services specified in the
contract, including for a commercial purpose
other than providing those ser vices, and
(c) retaining, using or disclosing the
information outside of the direct business
relationship between the person and the
business, and
(2) includes a certification made by the person
receiving the personal information that the
person understands and will comply with the
prohibitions under division (1) of this
subparagraph;
18. "Unique identifier" means a persistent identifier that can
be used over time and across different services to recognize a
consumer, a custodial parent or guardian, or any minor children over
Req. No. 7151 Page 13 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
which the parent or guardian has custody, or a device that is linked
to those individuals. The term includes:
a. a device identifier,
b. an Internet Protocol address,
c. a cookie, beacon, pixel tag, mobile ad id entifier or
similar technology,
d. a customer number, unique pseudonym or user alias,
e. a telephone number, and
f. another form of a persistent or probabilistic
identifier that can be used to identify a particular
consumer or device;
19. "Verifiable consumer request " means a request:
a. that is made by a consumer, a consumer on behalf of
the consumer's minor child, or a natural person or
person who is authorized by a consumer to act on the
consumer's behalf, and
b. that a business can reasonably verify, in accordance
with rules adopted under Section 9 of this act, was
submitted by the consumer about whom the business has
collected personal information; and
20. "Consent" means an act that clearly and conspicuously
communicates the individual's authorization of an act or pra ctice
that is made in the absence of any mechanism in the user inter face
Req. No. 7151 Page 14 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
that has the purpose or substantial effe ct of obscuring, subverting
or impairing decision -making or choice to obtain consent .
SECTION 3. NEW LAW A new section of la w to be codified
in the Oklahoma Statutes as Section 901.3 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. This act applies only to:
1. A business that:
a. does business in this state,
b. collects consumers' personal information or has that
information collected on the business 's behalf,
c. alone or in conjunction with others, determines the
purpose for and means of processing consumers '
personal information, and
d. satisfies one or more of the following thresholds:
(1) has annual gross revenue in an amount that
exceeds Ten Million Dollars ($10,000,000.00),
(2) alone or in combination with others, annually
buys, sells, or receives or shares for commercial
purposes the personal information of fifty
thousand or more consumers, households or
devices, or
(3) derives twenty-five percent (25%) or more of the
business's annual revenue from selling consumers '
personal information; and
Req. No. 7151 Page 15 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
2. An entity that controls or is controlled by a business
described by paragraph 1 of this subsection.
B. For purposes of paragraph 2 of subsection A of this section ,
"control" means the:
1. Ownership of, or power to vote, more than fifty percent
(50%) of the outstanding shares of any class of voting security of a
business;
2. Control in any ma nner over the election of a majority of the
directors or of individuals exercising similar functions; or
3. Power to exercise a controlling influence over the
management of a company.
C. For purposes of this ac t, a business sells a consumer 's
personal information to another business or a third party if the
business sells, rents, discloses, dissemina tes, makes available,
transfers or otherwise communicates, orally, in writing, or by
electronic or other means, the information to the other business or
third party for monetary or other valuable consideration.
D. For purposes of this a ct, a business does not sell a
consumer's personal information if:
1. The consumer directs the business to intentionally disclose
the information or uses the business to intenti onally interact with
a third party, provided that the third party does not sell the
information, unless that disc losure is consistent with this a ct; or
2. The business:
Req. No. 7151 Page 16 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
a. uses or shares an identifier of the consumer to alert
a third party that the consum er has opted out of the
sale of the information,
b. uses or shares with a service provider a consumer 's
personal information that is necessary to perform a
business purpose if:
(1) the business provided notice that the information
is being used or shared i n the business's terms
and conditions consistent with Sections 14 and 18
of this act, and
(2) the service provider does not further collect,
sell or use the information except as necessary
to perform the business purpose, or
c. transfers to a third party a consumer's personal
information as an asset that is part of a merger,
acquisition, bankruptcy or other transaction in which
the third party assumes control of all or part of the
business, provided that information is used or shared
consistent with Section s 11, 13 and 14 of this act.
E. For purposes of paragraph 1 of subsection D of this section ,
an intentional interaction occurs if the consumer does one or more
deliberate acts with the intent to interact with a third party.
Placing a cursor over, muting, pausing or closing online content
does not constitute a consumer 's intent to interact with a third
Req. No. 7151 Page 17 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
party. Instead, said deliberate act must be consent to such
interaction as defined herein.
SECTION 4. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.4 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. This act does not apply to:
1. Publicly available information;
2. Protected health information governed by sta te health
privacy laws, or collected by a covered entity or a business
associate of a covered entity, as those terms are defined by 45
C.F.R., Section 160.103, that is go verned by the privacy, security
and breach notification rules in 45 C.F.R. , Parts 160 and 164
adopted by the United States Department of Health and Human Services
under the Health Insurance Portability and Accountability Act of
1996 (Pub. L. No. 104-191) and Title XIII of the American Recovery
and Reinvestment Act of 2009 (Pub. L. No. 111-5);
3. A health care provider governed by state health privacy
laws, or a covered entity described by paragraph 2 of this
subsection to the extent that the provider or entity maintains the
personal information of a patient in the same manner as protected
health information described by that paragraph;
4. Information collected as part of a clinical trial subject to
the Federal Policy for the Protection of Human Subjects in
accordance with the good clinical practice guidelines issued by the
Req. No. 7151 Page 18 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
International Council for Harmonisation or the human subject
protection requirements of the United States Food and Drug
Administration;
5. The sale of personal information t o or by a consumer
reporting agency if the information is to be:
a. reported in or used to generate a consumer report, as
defined by Section 1681a(d) of the Fair Credit
Reporting Act (15 U.S.C., Section 1681 et seq.), and
b. used solely for a purpose authorized under that act;
6. Personal informa tion collected, processed, sold or disclosed
in accordance with:
a. the Gramm-Leach-Bliley Act (Pub. L. No. 106 -102) and
its implementing regulations, or
b. the Driver's Privacy Protection Act of 1994 (18
U.S.C., Section 2721 et seq.);
7. De-identified or aggregate consumer information; or
8. A consumer's personal information collected or sold by a
business, if every aspect of the collection or sale occurred wholly
outside of this state.
B. For purposes of paragraph 8 of subsection A of this section,
the collection or sale of a consumer 's personal information occurs
wholly outside of this state if:
1. The business collects that information while the consumer is
outside of this state;
Req. No. 7151 Page 19 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
2. No part of the sale of the information occurs in this state;
and
3. The business does not sell any personal information of the
consumer collected while the consumer is in this state.
C. For purposes of subsection B of this section, the collection
or sale of a consumer 's personal information does not occur wholly
outside of this state if a business stores a consumer 's personal
information, including on a device, when the consumer is in this
state and subsequently collects or sells that stored information
when the consumer and the information are outside of this state.
SECTION 5. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.5 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A right or obligation under this a ct does not apply to the
extent that the exercise of the right or performance of the
obligation infringes on a noncommercial activity of:
1. A publisher, editor, reporter or other person connected with
or employed by a newspaper, magazine or other publication of general
circulation, including a periodical newsletter, pamphlet or re port;
2. A radio or television station that holds a license issued by
the Federal Communications Commission ; or
3. An entity that provides an information service, including a
press association or wire service.
Req. No. 7151 Page 20 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
SECTION 6. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.6 of Title 17, unless there
is created a duplication in numbering, reads as follows:
This act does not:
1. Restrict a business 's ability to:
a. comply with:
(1) applicable federal, state or local laws, or
(2) a civil, criminal or regulatory inquiry,
investigation, subpoena or summons by a federal,
state or local authority,
b. cooperate with a law enforcement agency concerning
conduct or activity that the business, a s ervice
provider of the business or a third party reasonably
and in good faith believes may violate other
applicable federal, state or local laws, or
c. pursue or defend against a legal claim; or
2. Require a business to violate an evidentiary privilege under
federal or state law or prevent a business from disclosing to a
person covered by an evidentiary privilege the personal information
of a consumer as part of a privileged communication.
SECTION 7. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.7 of Title 17, unless there
is created a duplication in numbering, reads as follows:
Req. No. 7151 Page 21 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
A. This act shall be liberally construed to effect its purposes
and to harmonize, to the extent possible, with other laws of this
state relating to the privacy or protection of personal information.
B. To the extent of a confli ct between a provision of this a ct
and a provision of federal law, including a regulation or an
interpretation of federal law, federal law controls and conflicti ng
requirements or other provisions of this a ct do not apply.
C. To the extent of a conflict between a provision of this act
and another statute of this state with respect to the privacy or
protection of consumers ' personal information, the provision of l aw
that affords the greatest privacy or protection to consumers
prevails.
SECTION 8. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.8 of Title 17, unless there
is created a duplication in numberi ng, reads as follows:
This act preempts and supersedes any ordinance, order or rule
adopted by a political subdivision of this state relating to the
collection or sale by a business of a consumer 's personal
information.
SECTION 9. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.9 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. The Oklahoma Corporation Commission shall adopt rules
necessary to implement, admini ster and enforce this act.
Req. No. 7151 Page 22 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
B. The rules adopted under subsection A of this section must
establish:
1. Procedures governing the determination of, submission of,
and compliance with a verifiable consumer request for information
with the goal of minimizing administrative burdens on consumers and
businesses subject to this a ct by taking into account available
technology and security concerns, including:
a. treating as a verifiable consumer request a request
submitted through a password -protected online accoun t
maintained by the consumer with the business while
logged into the account, and
b. providing a mechanism for a request submitted by a
consumer who does not mainta in an account with the
business;
2. Procedures to facilitate and govern the submission of a nd
compliance with a request to opt out of or opt in to the sale of
personal information under Section 14 of this act;
3. Guidelines for the development of a recognizable and uniform
opt-in logo or button for use on businesses ' Internet websites in a
manner that promotes consumer awareness of the opportunity to opt in
to the sale of personal information; and
4. Procedures and guidelines, including any necessary
exceptions, to ensure that the notices and information businesses
Req. No. 7151 Page 23 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
are required to provide under this act, including information
regarding financial incentive offerings, is:
a. provided in a manner that is easily understood by the
average consumer,
b. accessible by consumers with disabilities, and
c. available in the languages primarily used by consu mers
to interact with businesses.
C. The Oklahoma Corporation Commission may adopt other rules
necessary to further the purposes of this a ct, including rules as
necessary to:
1. Update the categories of personal information listed under
paragraph 13 of Section 2 of this act and the definition of
identifier under paragraph 10 of Section 2 of this act to account
for privacy concerns, implementation obstacles, or changes in
technology and data collection methods;
2. Update the designated methods for submitt ing requests to
facilitate a consumer 's ability to obtain information from a
business under Section 19 of this act; and
3. Establish any exceptions necessary to comply with federal
law or other laws of this state, including laws relating to trade
secrets and intellectual property rights.
SECTION 10. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.10 of Title 17, unless there
is created a duplication in numbering, reads as follows:
Req. No. 7151 Page 24 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
For purposes of this act, "research" means scientific,
systematic study and observation, including basic research or
applied research that is in the public interest and that adheres to
all other applicable ethics and privacy laws or studies conducted in
the public interest in the area of public health. Research with
personal information that may have been collected from a consumer in
the course of the consumer 's interactions with a business 's service
or device for other purposes must be:
1. Compatible with the business pu rpose for which the personal
information was collected;
2. Subsequently pseudonymized and de -identified, or de-
identified and in the aggregate, such that the information cannot
reasonably identify, relate to, describe, be capable of being
associated with, or be linked, directly or indirectly, to a
particular consumer;
3. Made subject to technical safeguards that prohibit re -
identification of the consumer to whom the information may pertain;
4. Subject to business processes that specifically prohibit re -
identification of the information;
5. Made subject to business processes to prevent inadvertent
release of de-identified information;
6. Protected from any re -identification attempts;
7. Used solely for research purposes that are compatible with
the context in which the personal information was collected;
Req. No. 7151 Page 25 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
8. Not used for any commercial purpose; and
9. Subjected by the business conducting the research to
additional security controls that limit access to the research data
to only those individuals in a bu siness as are necessary to carry
out the research purpose.
SECTION 11. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.11 of Title 17, unless there
is created a duplication in numbering, reads as f ollows:
A. A consumer is entitled to request that a business that
collects the consumer 's personal information disclose to the
consumer the categories and specific items of personal information
the business has collected.
B. To receive the disclosure of information under subsection A
of this section, a consumer must submit to the business a verifiable
consumer request using a method designated by the business under
Section 19 of this act.
C. On receipt of a verifiable consumer request under this
section, a business shall disclose to the consumer in the time and
manner provided by Section 21 of this act:
1. Each enumerated category and item within each category of
personal information under paragraph 13 of Section 2 of this act
that the business collected about the consumer during the twelve
(12) months preceding the date of the request;
Req. No. 7151 Page 26 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
2. Each category of sources from which the information was
collected;
3. The business or commercial purpose for collecting or selling
the personal information; and
4. Each category of third parties with whom the business shares
the personal information.
D. This section does not require a business to:
1. Retain a consumer 's personal information that was collected
for a one-time transaction if the information is not sold or
retained in the ordinary course of business; or
2. Re-identify or otherwise link any data that, in the ordinary
course of business, is not maintained in a manner that would be
considered personal information.
SECTION 12. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.12 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. A consumer is entitled to request that a business that
collects the consumer 's personal information delete any personal
information the business has collected from the consumer by
submitting a verifiable consumer request using a method designated
by the business under Section 19 of this act.
B. Except as provided by s ubsection C of this section, on
receipt of a verifiable cons umer request under this section a
business shall delete from the business 's records any personal
Req. No. 7151 Page 27 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
information collected from the consumer and direct a service
provider of the business to delete the information from the
provider's records.
C. A business or service provider of the business is not
required to comply with a verifiable consumer request received under
this section if the business or service provider needs to retain the
consumer's personal information to:
1. Complete the transaction for which the information was
collected;
2. Provide a good or service requested by the consumer in the
context of the ongoing business relationship between the business
and consumer;
3. Perform under a contract between the business and the
consumer;
4. Detect a security incident; protect against malicious,
deceptive, fraudulent or illegal activity; or prosecute those
responsible for any illegal activity described by this paragraph;
5. Identify and repair or remove errors from compu ter hardware
or software that impair its intended functionality;
6. Exercise free speech or ensure the right of another consumer
to exercise the right of free speech or another right afforded by
law;
7. Comply with a court order or subpoena or other lawf ul
process; or
Req. No. 7151 Page 28 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
8. Engage in public or peer -reviewed scientific, historical or
statistical research that is in the public interest and that adheres
to all other applicable ethics and privacy laws , provided that:
a. the business's deletion of the informatio n is likely
to render impossible or seriously impair the
achievement of that research, and
b. the consumer has previously provided to the business
informed consent to retain the information for such
use.
D. Where a business, service provider or third party has made a
consumer's personal information public, sai d business, service
provider or third party shall:
1. Take all reasonable steps, including technical measures, to
erase the personal information that the business, service provider
or third party made public taking into account available technology
and the cost of implementation; and
2. Also advise any other business, service provider or third
party with whom a contract regarding the consumer exists that the
consumer has requested the era sure of any links to, copies of or
replication of that personal information.
SECTION 13. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.13 of Title 17, unless there
is created a duplication in numbering, read s as follows:
Req. No. 7151 Page 29 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
A. A consumer is entitled to request that a business that
sells, or discloses for a business purpose, the consumer 's personal
information disclose to the consumer:
1. The categories of personal information the business
collected about the c onsumer;
2. The categories of personal information about the consumer
the business sold, or disclosed for a business purpose; and
3. The categories of third parties to whom the personal
information was sold or disclosed.
B. To receive the disclosure of information under subsection A
of this section, a consumer must submit to the business a verifiable
consumer request using a method designated by the business under
Section 19 of this act.
C. On receipt of a verifiable consumer request under this
section, a business shall disclose to the consumer in the time and
manner provided by Section 21 of this act:
1. Each enumerated category of personal information under
paragraph 13 of Section 2 of this act that the business collected
about the consumer during the twelve (12) months preceding the date
of the request;
2. The categories of third parties to whom the business sold
the consumer's personal information during the twelve (12) months
preceding the date of the request, by reference to each enumerated
Req. No. 7151 Page 30 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
category of information under paragraph 13 of Section 2 of this act
sold to each third party; and
3. The categories of third parties to whom the business
disclosed for a business purpose the consumer 's personal information
during the twelve (12) months preceding the date of the request, by
reference to each enumerated category of information under paragraph
13 of Section 2 of this act disclosed to each third party.
D. A business shall provide the information described by
paragraphs 2 and 3 of subsection C of th is section in two separate
lists.
E. A business that did not sell, or disclose for a business
purpose, the consumer 's personal information during the twelve (12)
months preceding the date of receiving the consumer 's verifiable
consumer request under this section shall disclose that fact to the
consumer.
SECTION 14. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.14 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. A consumer is entitled at any time to opt out of the sale of
the consumer's personal information by a business to third parties
by directing the business not to sell the information. A consumer
may authorize another person solely to opt out of the sale of the
consumer's personal information on the consumer 's behalf. Except as
Req. No. 7151 Page 31 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
provided by subsection C of this section, a business shall comply
with a direction not to sell that is received under this subsection.
B. A business that sells to a third party c onsumers' personal
information shall provide on the business 's Internet website's home
page:
1. Notice to consumers that:
a. the information may be sold,
b. identifies the persons to whom the information will or
could be sold,
c. the pro rata value of the consumer's personal
information that is being sold, and
d. consumers have the right to opt in to the sale; and
2. A clear and conspicuous link that enables a consumer, person
authorized by the consumer, to opt in to the sale of the consumer 's
personal information.
C. A business may not sell to a third party the personal
information of a consumer who does not opt in to the sale of that
information after the effective date of this act or after a consumer
submits a verifiable request to opt out of any futur e sale.
D. A business may use any personal information collected from
the consumer in connection with the consumer 's opting out under this
section solely to comply with this section.
E. A third party to whom a business has sold the personal
information of a consumer may not sell the information unless the
Req. No. 7151 Page 32 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
consumer receives explicit notice of the potential sale and is
provided the opportunity to, and in fact does, exercise the right to
opt in to the sale as provided by this section.
F. A business may not require a consumer to create an account
with the business to opt in to the sale of the consumer 's personal
information.
G. A business or service provider shall implement a nd maintain
reasonable security procedures and practices, including
administrative, physical and technical safeguards appropriate to the
nature of the information and the purposes for which the personal
information will be used, to protect consumers' personal information
from unauthorized use, disclosure, access, destruction or
modification, irrespective of whether a customer has opted in or out
of a sale of data.
SECTION 15. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.15 of Title 17, unless there
is created a duplication in nu mbering, reads as follows:
A. The Legislature of the State of Oklahoma finds that
individuals within Oklahoma have a r ight to prohibit retention, use
or disclosure of their own personal data.
B. The Legislature of the State of Oklahoma further finds that
individuals within Oklahoma have previously been exploited for
monetary gain and manipulation by private ventures in utilization of
private data.
Req. No. 7151 Page 33 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
C. The Legislature of the State of Oklahoma further finds that
the protection of individuals within Oklahoma and their data is a
core governmental function in orde r to protect the health, safety
and welfare of individuals within Oklahoma.
D. The Legislature of the State of Oklahoma further finds that
the terms and conditions set forth in this a ct are the least
restrictive alternative necessary to protect individuals within
Oklahoma and their rights and that the use of a strictly "opt-out"
method for data privacy is ineffectual and poses an immed iate risk
to the health, safety and welfare of individuals within Ok lahoma.
SECTION 16. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.16 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. A provision of a contract or other agre ement that purports
to waive or limit a right, remedy or m eans of enforcement under this
act is contrary to public policy and is void.
B. This section does not prevent a consumer from:
1. Declining to request information from a business;
2. Declining to opt in to a business's sale of the consumer 's
personal information; or
3. Authorizing a business to sell the consumer 's personal
information after previously opting out.
Req. No. 7151 Page 34 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
SECTION 17. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.17 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. After the effective date of this act, a business shall not
collect a consumer's personal information prior to notifying the
consumer of each category of personal information to be collected
and the purposes for which the category of information will be used
and obtains the consumer 's consent, which may be provided
electronically, to collect a consumer 's personal information.
B. A business may not collect an additional category of
personal information or use personal information collected for an
additional purpose unless the business provides notice to the
consumer of the additional category or purpose in accordance with
subsection A of this section.
C. If a third party that assumes control of all or part of a
business as described by subparagraph c of paragraph 2 of subsection
D of Section 3 of this act materially alters the practices of the
business in how personal information is use d or shared, and the
practices are materially inconsistent with a notice provided to a
consumer under subsection A or B of this section, the third party
must notify the consumer of the third party 's new or changed
practices in a conspicuous manner that all ows the consumer to easily
exercise a right provided under this act before the third party uses
or shares the personal information.
Req. No. 7151 Page 35 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
D. Subsection C of this section does not authorize a business
to make a material, retroactive change or other change to a
business's privacy policy in a manner that would be a deceptive
trade practice actionable under Oklahoma law.
SECTION 18. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.18 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. A business that collects, sells or for a business purpose
discloses a consumer 's personal information shall disclose the
following information in the business 's online privacy policy or
other notice of the business 's policies:
1. A description of a consumer 's rights under Sections 11, 13
and 23 of this act and designated methods for submitting a
verifiable consumer request for information under this act;
2. For a business that collects personal information about
consumers, a description of the consumer 's right to request the
deletion of the consumer 's personal information;
3. Separate lists containing the categories of consumers '
personal information described by paragraph 13 of Section 2 of this
act that, during the twelve (12) months preceding the date the
business updated the information as required by subsection B of this
section, the business:
a. collected,
b. sold, if applicable, or
Req. No. 7151 Page 36 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
c. disclosed for a business purpose, if applicable ;
4. The categories of sources from which the information under
paragraph 3 of this subsection is collected;
5. The business or commercial purposes for collecting personal
information;
6. If the business does not sell consumers ' personal
information or disclos e the information for a business or commercial
purpose, a statement of that fact;
7. The categories of third parties to whom the business sells
or discloses personal information;
8. If the business sells consumers ' personal information, the
Internet link required by subsection B of Section 14 of this act ;
and
9. If applicable, the financial incentives offered to consumers
under Section 24 of this act.
B. If a business described by subsection A of this section does
not have an online privacy policy or ot her notice of the business 's
policies, the business shall make the information required under
subsection A of this section available to consumers on the
business's Internet website or another website the business
maintains that is dedicated to consumers in this state.
C. A business must update the information required by
subsection A of this section at least once each year.
Req. No. 7151 Page 37 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
SECTION 19. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.1 9 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. A business shall designate and make available to consumers,
in a form that is reasonably accessible, at least two methods for
submitting a verifiable consumer request for informatio n required to
be disclosed or deleted under this a ct. The methods must include,
at a minimum:
1. A toll-free telephone number that a consumer may call to
submit the request; and
2. The business's Internet website at which the consumer may
submit the request, if the business maintains an Internet website.
B. The methods designated under subsection A of this section
may also include:
1. A mailing address;
2. An electronic mail address;
3. Another Internet web page or portal;
4. Another contact informa tion; or
5. Any consumer-friendly method approved by the Oklahoma
Corporation Commission under Section 9 of this act.
C. A business may not require a consumer to create an account
with the business to submit a verifiable consumer request.
Req. No. 7151 Page 38 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
SECTION 20. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.20 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. A business that receives a consumer request under Section 11
or 13 of this act shall promptly take steps to reasonably verify, in
accordance with rules adopted under Section 9 of this act, that:
1. The consumer who is the subject of the request is a consumer
about whom the business has collected, sold, or for a busi ness
purpose disclosed personal information; and
2. The request is made by:
a. the consumer,
b. a consumer on behalf of the consumer 's minor child, or
c. a person authorized to act on the consumer 's behalf.
B. A business may use any personal information collected from
the consumer in connection with the business 's verification of a
request under this section solely to verify the request.
C. A business that is unable to verify a consumer request under
this section is not required to comply with the reques t.
SECTION 21. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.21 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. Not later than forty-five (45) days after the date a
business receives a verifiable consumer request under Section 11 or
13 of this act, the business shall disclose free of charge to the
Req. No. 7151 Page 39 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
consumer the information required to be disclosed under those
sections.
B. A business may extend the time in whi ch to comply with
subsection A of this section once by an additional forty-five (45)
days if reasonably necessary or by an additional ninety (90) days
after taking into account the number and complexity of verifiable
consumer requests received by the busin ess. A business that extends
the time in which to comply with subsection A of this section shall
notify the consumer of the extension and reason for the delay within
the period prescribed by that subsection.
C. The disclosure required by subsection A of this section
must:
1. Cover personal information collected, sold or disclosed for
a business purpose, as applicable, during the twelve (12) months
preceding the date the business receives the request; and
2. Be made in writing and delivered to the consum er:
a. by mail or electronically, at the consumer 's option,
if the consumer does not have an account with the
business, or
b. through the consumer 's account with the business.
D. An electronic disclosure under subsection C of this section
must be in a readily accessible format that allows the consumer to
electronically transmit the information to another person or entity.
Req. No. 7151 Page 40 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
E. A business is not required to make the disclosure required
by subsection A of this section to the same consumer more than once
in a twelve-month period.
F. Notwithstanding subsection A of this section, if a
consumer's verifiable consumer request is manifestly baseless or
excessive, in particular because of repetitiveness, a business may
charge a reasonable fee after taking into accoun t the administrative
costs of compliance or refusal to comply with the request. The
business has the burden of demonstrating that a request is
manifestly baseless or excessive.
G. A business that does not comply with a consumer 's verifiable
consumer request under subsection A of this section shall notify the
consumer, within the time the business is required to respond to a
request under this section, of the reasons for the refusal and the
rights the consumer may have to appeal that decision.
SECTION 22. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.22 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. A business that uses de -identified information may not re -
identify or attempt to re -identify a consumer who is the subject of
de-identified information without obtaining the consumer 's consent
or authorization.
B. A business that uses de -identified information shall
implement:
Req. No. 7151 Page 41 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1. Technical safeguards and busines s processes to prohibit re -
identification of the consumer to whom the information may pertain;
and
2. Business processes to prevent inadvertent release of de -
identified information.
C. This act may not be construed to require a business to re -
identify or otherwise link information that is not maintained in a
manner that would be considered personal information.
SECTION 23. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.23 of Title 17, unless ther e
is created a duplication in numbering, reads as follows:
A. A business may not discriminate against a consumer because
the consumer exercised a right under this a ct, including by:
1. Denying a good or service to the consumer;
2. Charging the consumer a different price or rate for a good
or service, including denying the use of a discount or other benefit
or imposing a penalty;
3. Providing a different level or quality of a good or service
to the consumer; or
4. Suggesting that the consumer will be ch arged a different
price or rate for, or provided a different level or quality of, a
good or service.
B. This section does not prohibit a business from offering or
charging a consumer a different price or rate for a good or service,
Req. No. 7151 Page 42 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
or offering or providin g to the consumer a different level or
quality of a good or service, if the difference is reasonably
related to the value provided to the consumer by the consumer 's
data.
SECTION 24. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.24 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A. Subject to subsection B of this section, a business may
offer a financial incentive to a consumer, including a payment as
compensation, for the collection, sale or disclosure of the
consumer's personal information.
B. A business may enroll a customer in a financial incentive
program only if the business provides to the consumer a clear
description of the material terms of the program and obtains the
consumer's prior opt-in consent, which:
1. Contains a clear description of those material terms; and
2. May be revoked by the consumer at any time.
C. A business may not use financial incentive practices that
are unjust, unreasonable, co ercive or usurious in nature.
SECTION 25. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.25 of Title 17, unless there
is created a duplication in numbering, reads as follows:
Req. No. 7151 Page 43 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
A. A business may no t divide a single transaction into more
than one transaction with the intent to avoid the requirements of
this act.
B. For purposes of this a ct, two or more substantially similar
or related transactions are considered a single transaction if the
transactions:
1. Are entered into contemporaneously; and
2. Have at least one common party.
C. A court shall disregard any intermediate transactions
conducted by a business with the intent to avoid the requirements of
this act, including the disclosure of inform ation by a business to a
third party to avoid complying with the requirements under this act
applicable to a sale of the information.
SECTION 26. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.26 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A business shall ensure that each person responsible for
handling consumer inquiries about the business 's privacy practices
or compliance with this act is informed of the requirements of this
act and of how to direct a consumer in exercising any of the rights
to which a consumer is entitled under this a ct.
SECTION 27. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.27 of Title 17, unless there
is created a duplication in numbering, reads as follows:
Req. No. 7151 Page 44 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
A. A person who violates this a ct is liable to this state for
injunctive relief and/or a civil penalty in an amount not to exceed:
1. Two Thousand Five Hundred Dollars ($ 2,500.00) for each
violation; or
2. Seven Thousand Five Hundred Dollars ($7,500.00) for each
violation, if the violation is intentional.
B. The Oklahoma Corporation Commission is entitled to recover
reasonable expenses, including reasonable attorney fees, court costs
and investigatory costs, incurred in obtaining injunctive relief or
civil penalties, or both, under this section. Amounts collected
under this section shall be deposited in a dedicated account in the
General Revenue Fund and may be appropria ted only for the purposes
of the administration and enforcement of this a ct.
C. Additionally, consumers shall have a private right of action
against a person who violates this act. In addition to any actual
damages that may have been sustained, consumers shall also be
entitled to injunctive relief and /or statutory damages in an amount
not to exceed Two Thousand Five Hundred Dollars ($2,500 .00) for each
violation, or Seven Thousand Five Hundred Dollars ($7,500.00) for
each violation, if the violation was i ntentional.
SECTION 28. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.28 of Title 17, unless there
is created a duplication in numbering, reads as follows:
Req. No. 7151 Page 45 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
A business that discloses to a third party, or discloses for a
business purpose to a service provider, a consumer 's personal
information in compliance with this a ct may not be held liable for a
violation of this act by the third party or service provider if the
business does not have actual k nowledge or a reasonable belief that
the third party or service provider intends to violate thi s act.
SECTION 29. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.29 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A business's service provider may not be held liable for a
violation of this act by the business.
SECTION 30. This act shall become effective November 1, 2021.
58-1-7151 JL 01/15/21