New Workspace

About Sign Up Login

Research Tools

Keyword Search

Bill Content

Videos & Transcripts

Capitol Directory

US
Oklahoma OK
Legislatures
2022 Regular Session
House
Bills
HB1602
Compare Versions

OK

Oklahoma House Bill HB1602

Overview
Authors & Sponsors
Activity Timeline
Action History
Meeting Schedule
Draft Versions & Texts
Latest Draft
Compare Versions
Committee Assignments

Oklahoma 2022 Regular Session

Oklahoma House Bill HB1602 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1
2	2
3		-	ENGR. H. B. NO. 1602 Page 1 1
4		-	2
5		-	3
6		-	4
7		-	5
8		-	6
9		-	7
10		-	8
11		-	9
12		-	10
13		-	11
14		-	12
15		-	13
16		-	14
17		-	15
18		-	16
19		-	17
20		-	18
21		-	19
22		-	20
23		-	21
24		-	22
25		-	23
26		-	24
27		-
28		-	ENGROSSED HOUSE
29		-	BILL NO. 1602 By: Walke, West (Josh),
	3	+	HB1602 HFLR Page 1
	4	+	BOLD FACE denotes Committee Amendments. 1
	5	+	2
	6	+	3
	7	+	4
	8	+	5
	9	+	6
	10	+	7
	11	+	8
	12	+	9
	13	+	10
	14	+	11
	15	+	12
	16	+	13
	17	+	14
	18	+	15
	19	+	16
	20	+	17
	21	+	18
	22	+	19
	23	+	20
	24	+	21
	25	+	22
	26	+	23
	27	+	24
	28	+
	29	+	HOUSE OF REPRESENTATIVES - FLOOR VERSION
	30	+
	31	+	STATE OF OKLAHOMA
	32	+
	33	+	1st Session of the 58th Legislature (2021)
	34	+
	35	+	HOUSE BILL 1602 By: Walke, West (Josh),
30	36		Phillips, Talley, Moore,
31	37		Davis, Mize, Luttrell,
32	38		Townley, Bashore, Sims,
33		-	Pae, Fetgatter, Lawson,
34		-	Blancett, McDugle, Munson,
35		-	West (Tammy), Cornwell ,
36		-	Manger, Roberts (Eric),
37		-	Wolfley, Boles, Kerbs,
38		-	Dollens, Ranson, Randleman,
39		-	Roe, Brewer, Cruz, Boatman,
40		-	McEntire, Waldron, Conley,
41		-	Rosecrants, Wallace,
42		-	Virgin, Provenzano,
43		-	Hilbert, Fugate and
44		-	Caldwell (Trey) of the
45		-	House
	39	+	Dills, Pae, Fetgatter,
	40	+	Lawson, Blancett, McDugle,
	41	+	Munson, West (Tammy),
	42	+	Cornwell, Manger, Roberts
	43	+	(Eric), Wolfley, Boles,
	44	+	Kerbs, Dollens, Ranson,
	45	+	Randleman, Roe, Brewer,
	46	+	Cruz, Boatman, McEntire,
	47	+	Waldron, Conley,
	48	+	Rosecrants, Wallace and
	49	+	Virgin of the House
46	50
47	51		and
48	52
49	53		Montgomery, Hicks, Dossett
50	54		(J.A.) and Kidd of the
51	55		Senate
52	56
53	57
54	58
	59	+
	60	+
	61	+	AS INTRODUCED
55	62
56	63		An Act relating to privacy of computer data; enacting
57	64		the Oklahoma Computer Data Privacy Act; defining
58	65		terms; providing that this act applies to certain
59	66		businesses that collect consumers ' personal
60	67		information; providing exemptions; prescribing
61	68		compliance with other laws and legal proceedings;
62	69		requiring this act to be liberally construed to align
63	70		its effects with other laws relating to privacy and
64	71		protection of personal information; providing that
65	72		when in conflict federal law controls; providing that
66	73		when in conflict with state law the law providing the
67	74		greatest privacy or protection to consumers controls;
68		-	providing for preemption of local law ; providing
69		-	consumers the right to request disclosure of certain
	75	+	providing for preemption of local law; providing for
	76	+
	77	+	HB1602 HFLR Page 2
	78	+	BOLD FACE denotes Committee Amendments. 1
	79	+	2
	80	+	3
	81	+	4
	82	+	5
	83	+	6
	84	+	7
	85	+	8
	86	+	9
	87	+	10
	88	+	11
	89	+	12
	90	+	13
	91	+	14
	92	+	15
	93	+	16
	94	+	17
	95	+	18
	96	+	19
	97	+	20
	98	+	21
	99	+	22
	100	+	23
	101	+	24
	102	+
	103	+	the Oklahoma Corporation Commission to adopt rules t o
	104	+	implement, administer and enforce this act; providing
	105	+	guidelines for the use of personal information in
	106	+	research; providing consumers the right to request
	107	+	disclosure of certain information; providing
	108	+	consumers the right to request the deletion of their
70	109		information; providing consumers the right to request
71		-	the deletion of their information; providing
72		-	consumers the right to request and receive a
73		-	disclosure of personal information sold or disclosed;
74		-	providing consumers the right to opt in and out of
75		-
76		-	ENGR. H. B. NO. 1602 Page 2 1
77		-	2
78		-	3
79		-	4
80		-	5
81		-	6
82		-	7
83		-	8
84		-	9
85		-	10
86		-	11
87		-	12
88		-	13
89		-	14
90		-	15
91		-	16
92		-	17
93		-	18
94		-	19
95		-	20
96		-	21
97		-	22
98		-	23
99		-	24
100		-
101		-	the sale of their personal information; find ing that
102		-	individuals in Oklahoma h ave a right to prohibit
103		-	retention, use or disclosure of their own personal
104		-	data; finding that Oklahomans have been exploited for
105		-	monetary gain and manipulation by private ventures in
106		-	utilization of private data; find ing that the
107		-	protection of individuals ' data is a core
108		-	governmental function in orde r to protect the health,
109		-	safety and welfare of individuals in Oklahoma;
110		-	finding that this act is the least restrictive
111		-	alternative necessary to protect individuals and
112		-	their rights; finding that the use of a stri ctly
113		-	"opt-out" method for data privacy is ineffectual and
114		-	poses an immediate risk to health, safety and welfare
115		-	of Oklahomans; providing that contracts or other
116		-	agreements purporting to waive or limit a right,
117		-	remedy or means of enforcement are contrary to public
118		-	policy and are void; requiring that businesses
119		-	collecting consumer data information must inform the
120		-	consumer of each category of personal information
121		-	collected and for which purpose the information will
122		-	be used, and obtain the consumer 's explicit consent;
123		-	requiring businesses that collect, sell, or for a
124		-	business purpose disclose consumer s' personal
125		-	information to provide an online privacy policy or a
126		-	notice of the business 's policies; requiring
127		-	businesses to designate and make available methods
128		-	for submitting a verifiable consumer request for
129		-	information that is required to be disclosed or
	110	+	and receive a disclosure of personal information sold
	111	+	or disclosed; providing consumers the right to opt in
	112	+	and out of the sale of their personal information;
	113	+	finding that individuals in Oklahoma have a right to
	114	+	prohibit retention, use or disclosure of their own
	115	+	personal data; finding that Oklahomans have been
	116	+	exploited for monetary gain and manipulation by
	117	+	private ventures in utilization of private data;
	118	+	finding that the protection of individuals ' data is a
	119	+	core governmental function in orde r to protect the
	120	+	health, safety and welfare of individuals in
	121	+	Oklahoma; finding that this act is the least
	122	+	restrictive alternative necessary to protect
	123	+	individuals and their rights; find ing that the use of
	124	+	a strictly "opt-out" method for data privacy is
	125	+	ineffectual and poses an i mmediate risk to health,
	126	+	safety and welfare of Oklahomans; providing that
	127	+	contracts or other agreement s purporting to waive or
	128	+	limit a right, remedy or mean s of enforcement are
	129	+	contrary to public policy and are void; requiring
	130	+	that businesses collecting consumer data information
	131	+	must inform the consumer of each category of personal
	132	+	information collected and for which purpose the
	133	+	information will be used , and obtain the consumer 's
	134	+	explicit consent; requiring business es that collect,
	135	+	sell, or for a business purpose disclose consumer s'
	136	+	personal information to provide an online privacy
	137	+	policy or a notice of the business 's policies;
	138	+	requiring businesses to designate and make available
	139	+	methods for submitting a verifiable consumer request
	140	+	for information that is required to be disclosed or
130	141		deleted; requiring business es receiving consumer
131		-	requests to promptly take steps to ~~reasonably~~ verify
	142	+	requests to promptly take steps to reasonable verify
132	143		the identity of the requesting consumers; requiring
133	144		businesses that receive a verifiable consumer request
134	145		within a certain timeframe disclose the required
135	146		information; requiring businesses that use de-
136	147		identified information to not re -identify or attempt
137	148		to re-identify a consumer who is the subject of de-
138	149		identified information without obtaining permission;
	150	+
	151	+	HB1602 HFLR Page 3
	152	+	BOLD FACE denotes Committee Amendments. 1
	153	+	2
	154	+	3
	155	+	4
	156	+	5
	157	+	6
	158	+	7
	159	+	8
	160	+	9
	161	+	10
	162	+	11
	163	+	12
	164	+	13
	165	+	14
	166	+	15
	167	+	16
	168	+	17
	169	+	18
	170	+	19
	171	+	20
	172	+	21
	173	+	22
	174	+	23
	175	+	24
	176	+
139	177		providing that business es may not discriminate
140	178		against consumers for exercising their rights;
141	179		providing that business es may offer a financial
142	180		incentive to consumers for the collection, sale or
143	181		disclosure of their persona l information; providing
144	182		that businesses may not divide a single transaction
145	183		into more than one transaction with the intent to
146	184		avoid the requirements of this act; requiring
147	185		businesses to ensure employees hand ling consumer
148		-
149		-	ENGR. H. B. NO. 1602 Page 3 1
150		-	2
151		-	3
152		-	4
153		-	5
154		-	6
155		-	7
156		-	8
157		-	9
158		-	10
159		-	11
160		-	12
161		-	13
162		-	14
163		-	15
164		-	16
165		-	17
166		-	18
167		-	19
168		-	20
169		-	21
170		-	22
171		-	23
172		-	24
173		-
174	186		inquiries about privacy practices are informed of
175	187		certain rights, requirements and information;
176	188		providing civil penalties; authorizing the Oklahoma
177		-	~~Attorney General~~ to take certain actions ~~against~~
178		-	violating ~~businesses~~; authorizing the ~~Attorney~~
179		-	~~General~~ to recover reasonable expenses ~~i ncurred~~ in
	189	+	Corporation Commission to take certain actions
	190	+	against violating business es; authorizing the
	191	+	Commission to recover reasonable expenses incurre d in
180	192		obtaining injunctive relief or civil penalties;
181		-	directing the ~~Attorney General~~ to deposit collected
	193	+	directing the Commission to deposit collected
182	194		penalties in a dedicated account in the General
183	195		Revenue Fund; providing certain immunities; providing
184	196		protections to service providers; providing for
185	197		codification; and providing an effective date.
186	198
187	199
188	200
189	201
190	202
191		-
192	203		BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
193	204		SECTION 1. NEW LAW A new section of law to be codified
194	205		in the Oklahoma Statutes as Section 901.1 of Title 17, unless there
195	206		is created a duplication in numbering, reads as follows:
196	207		This act shall be known and may be cited as the "Oklahoma
197	208		Computer Data Privacy Act ".
198	209		SECTION 2. NEW LAW A new section of law to be codified
199	210		in the Oklahoma Statutes as Section 901.2 of Title 17, unless there
200	211		is created a duplication in numbering, reads as follows:
201	212		As used in this act:
	213	+
	214	+	HB1602 HFLR Page 4
	215	+	BOLD FACE denotes Committee Amendments. 1
	216	+	2
	217	+	3
	218	+	4
	219	+	5
	220	+	6
	221	+	7
	222	+	8
	223	+	9
	224	+	10
	225	+	11
	226	+	12
	227	+	13
	228	+	14
	229	+	15
	230	+	16
	231	+	17
	232	+	18
	233	+	19
	234	+	20
	235	+	21
	236	+	22
	237	+	23
	238	+	24
	239	+
202	240		1. "Aggregate consumer information " means information that
203	241		relates to a group or category of consumers from which individual
204	242		consumer identities have bee n removed and that is not linked or
205	243		reasonably linkable to a particular consumer or household, including
206		-
207		-	ENGR. H. B. NO. 1602 Page 4 1
208		-	2
209		-	3
210		-	4
211		-	5
212		-	6
213		-	7
214		-	8
215		-	9
216		-	10
217		-	11
218		-	12
219		-	13
220		-	14
221		-	15
222		-	16
223		-	17
224		-	18
225		-	19
226		-	20
227		-	21
228		-	22
229		-	23
230		-	24
231		-
232	244		through a device. The term does not include one or more individual
233	245		consumer records that have been de -identified;
234	246		2. "Biometric information " means an individual's physiological,
235	247		biological or behavioral characteristics that can be used, alone or
236	248		in combination with other characteristics or other identifying data,
237	249		to establish the individual 's identity. The term includes:
238	250		a. deoxyribonucleic acid (DNA) ,
239	251		b. an image of an iris, retina , fingerprint, face, hand,
240	252		palm or vein pattern or a voice recording from which
241	253		an identifier template can be extracted such as a
242	254		faceprint, minutiae template or voiceprint,
243	255		c. keystroke patterns or rhythms,
244	256		d. gait patterns or rhythms, and
245	257		e. sleep, health or exercise data that contains
246	258		identifying information ;
247	259		3. "Business" means a for-profit entity, including a sole
248	260		proprietorship, partnership, limited liability company, cor poration,
249	261		association or other legal entity that is organized or operated for
250	262		the profit or financial benefit of the entity 's shareholders or
	263	+
	264	+	HB1602 HFLR Page 5
	265	+	BOLD FACE denotes Committee Amendments. 1
	266	+	2
	267	+	3
	268	+	4
	269	+	5
	270	+	6
	271	+	7
	272	+	8
	273	+	9
	274	+	10
	275	+	11
	276	+	12
	277	+	13
	278	+	14
	279	+	15
	280	+	16
	281	+	17
	282	+	18
	283	+	19
	284	+	20
	285	+	21
	286	+	22
	287	+	23
	288	+	24
	289	+
251	290		other owners, but does not include internet service providers so
252	291		long as they are acting in their role as interne t service providers;
253	292		4. "Business purpose" means the use of personal information
254	293		for:
255		-
256		-	ENGR. H. B. NO. 1602 Page 5 1
257		-	2
258		-	3
259		-	4
260		-	5
261		-	6
262		-	7
263		-	8
264		-	9
265		-	10
266		-	11
267		-	12
268		-	13
269		-	14
270		-	15
271		-	16
272		-	17
273		-	18
274		-	19
275		-	20
276		-	21
277		-	22
278		-	23
279		-	24
280		-
281	294		a. the following operational purposes of a business or
282	295		service provider, provided that the use of the
283	296		information is reasonably necessary and proportionate
284	297		to achieve the operational purpose for which the
285	298		information was collected or processed or another
286	299		operational purpose that is compatible with the
287	300		context in which the information was collected:
288	301		(1) auditing related to a current interaction with a
289	302		consumer and any concurrent transactions,
290	303		including counting ad impres sions to unique
291	304		visitors, verifying the positioning and quality
292	305		of ad impressions, and auditing compliance with a
293	306		specification or other standards for ad
294	307		impressions,
295	308		(2) detecting a security incident, protecting against
296	309		malicious, deceptive, fraudulent or illegal
297	310		activity, and prosecuting those responsible for
298	311		any illegal activity described by this division,
	312	+
	313	+	HB1602 HFLR Page 6
	314	+	BOLD FACE denotes Committee Amendments. 1
	315	+	2
	316	+	3
	317	+	4
	318	+	5
	319	+	6
	320	+	7
	321	+	8
	322	+	9
	323	+	10
	324	+	11
	325	+	12
	326	+	13
	327	+	14
	328	+	15
	329	+	16
	330	+	17
	331	+	18
	332	+	19
	333	+	20
	334	+	21
	335	+	22
	336	+	23
	337	+	24
	338	+
299	339		(3) identifying and repairing or removing errors that
300	340		impair the intended functionality of computer
301	341		hardware or software,
302	342		(4) using personal informati on in the short term or
303	343		for a transient use, provided that the
304	344		information is not:
305		-
306		-	ENGR. H. B. NO. 1602 Page 6 1
307		-	2
308		-	3
309		-	4
310		-	5
311		-	6
312		-	7
313		-	8
314		-	9
315		-	10
316		-	11
317		-	12
318		-	13
319		-	14
320		-	15
321		-	16
322		-	17
323		-	18
324		-	19
325		-	20
326		-	21
327		-	22
328		-	23
329		-	24
330		-
331	345		(a) disclosed to a third party, and
332	346		(b) used to build a profile about a consumer or
333	347		alter an individual consumer 's experience
334	348		outside of a current interaction with the
335	349		consumer, including the contextual
336	350		customization of an advertisement displayed
337	351		as part of the same interaction,
338	352		(5) performing a service on behalf of the business or
339	353		service provider, including:
340	354		(a) maintaining or servicing an account,
341	355		providing customer ser vice, processing or
342	356		fulfilling an order or transaction,
343	357		verifying customer information, processing a
344	358		payment, providing financing, providing
345	359		advertising or marketing services, or
346	360		providing analytic services, or
347	361		(b) performing a service similar to a service
348	362		described by subdivision (a) of this
	363	+
	364	+	HB1602 HFLR Page 7
	365	+	BOLD FACE denotes Committee Amendments. 1
	366	+	2
	367	+	3
	368	+	4
	369	+	5
	370	+	6
	371	+	7
	372	+	8
	373	+	9
	374	+	10
	375	+	11
	376	+	12
	377	+	13
	378	+	14
	379	+	15
	380	+	16
	381	+	17
	382	+	18
	383	+	19
	384	+	20
	385	+	21
	386	+	22
	387	+	23
	388	+	24
	389	+
349	390		division on behalf of the business or
350	391		service provider,
351	392		(6) undertaking internal research for technological
352		-	development and demonstration,
	393	+	development and demonstration, or
353	394		(7) undertaking an activity to:
354		-
355		-	ENGR. H. B. NO. 1602 Page 7 1
356		-	2
357		-	3
358		-	4
359		-	5
360		-	6
361		-	7
362		-	8
363		-	9
364		-	10
365		-	11
366		-	12
367		-	13
368		-	14
369		-	15
370		-	16
371		-	17
372		-	18
373		-	19
374		-	20
375		-	21
376		-	22
377		-	23
378		-	24
379		-
380	395		(a) verify or maintain the quality or safety of
381	396		a service or device that is owned by,
382	397		manufactured by, manufactured for or
383	398		controlled by the business, or
384	399		(b) improve, upgrade or enhance a service or
385	400		device described by subdivision (a) of this
386	401		division, or
387		-	(8) retention of employment date, or
388	402		b. another operational purpose for wh ich notice is given
389	403		under this act, but specifically excepting cross -
390	404		context targeted advertising, unless the customer has
391	405		opted in to the same ;
392	406		5. "Collect" means to buy, rent, gather, obtain, receive or
393	407		access the personal information of a consumer by any mean s,
394	408		including by actively or passively receiving the information from
395	409		the consumer or by observing the consumer 's behavior;
396	410		6. "Commercial purpose" means a purpose that is intended to
397	411		result in a profit or other tangible benefit or the advancement of a
398	412		person's commercial or economic interests, such as by inducing
399	413		another person to buy, ren t, lease, subscribe to, provide or
	414	+
	415	+	HB1602 HFLR Page 8
	416	+	BOLD FACE denotes Committee Amendments. 1
	417	+	2
	418	+	3
	419	+	4
	420	+	5
	421	+	6
	422	+	7
	423	+	8
	424	+	9
	425	+	10
	426	+	11
	427	+	12
	428	+	13
	429	+	14
	430	+	15
	431	+	16
	432	+	17
	433	+	18
	434	+	19
	435	+	20
	436	+	21
	437	+	22
	438	+	23
	439	+	24
	440	+
400	441		exchange products, goods, property, information or services or by
401	442		enabling or effecting, directly or indirectly, a commercial
402	443		transaction. The term does not include the purpose of engaging in
403		-
404		-	ENGR. H. B. NO. 1602 Page 8 1
405		-	2
406		-	3
407		-	4
408		-	5
409		-	6
410		-	7
411		-	8
412		-	9
413		-	10
414		-	11
415		-	12
416		-	13
417		-	14
418		-	15
419		-	16
420		-	17
421		-	18
422		-	19
423		-	20
424		-	21
425		-	22
426		-	23
427		-	24
428		-
429	444		speech recognized by state or federal courts as noncommercial
430	445		speech, including political speech and journalism ;
431	446		7. "Consumer" means an individual who is a resident of this
432	447		state;
433	448		8. "De-identified information" means information that cannot
434	449		reasonably identify, relate to, describe, be associated with, or be
435	450		linked to, directly or indirectly, a particular consumer ;
436	451		9. "Device" means any physical object capable of connecting to
437	452		the Internet, directl y or indirectly, or to another device ;
438	453		10. "Identifier" means data elements or other information that
439	454		alone or in conjunction with other information can be used to
440	455		identify a particular consumer, household or device that is linked
441	456		to a particular consumer or household;
442	457		11. "Internet service provider" means a person who provides a
443	458		mass-market retail service by wire or radio that provides the
444	459		capability to transmit data and to receive data from all or
445	460		substantially all Internet endpoints, including any capa bilities
446	461		that are incidental to and enable the operations of the service,
447	462		excluding dial-up Internet access service ;
448	463		12. "Person" means an individual, sole proprietorship, firm,
449	464		partnership, joint venture, syndicate, business trust, company,
	465	+
	466	+	HB1602 HFLR Page 9
	467	+	BOLD FACE denotes Committee Amendments. 1
	468	+	2
	469	+	3
	470	+	4
	471	+	5
	472	+	6
	473	+	7
	474	+	8
	475	+	9
	476	+	10
	477	+	11
	478	+	12
	479	+	13
	480	+	14
	481	+	15
	482	+	16
	483	+	17
	484	+	18
	485	+	19
	486	+	20
	487	+	21
	488	+	22
	489	+	23
	490	+	24
	491	+
450	492		corporation, limited liability company, association, committee and
451	493		any other organization or gro up of persons acting in concert;
452		-
453		-	ENGR. H. B. NO. 1602 Page 9 1
454		-	2
455		-	3
456		-	4
457		-	5
458		-	6
459		-	7
460		-	8
461		-	9
462		-	10
463		-	11
464		-	12
465		-	13
466		-	14
467		-	15
468		-	16
469		-	17
470		-	18
471		-	19
472		-	20
473		-	21
474		-	22
475		-	23
476		-	24
477		-
478	494		13. "Personal information " means information that identifies,
479	495		relates to, describes, can be associated with or can reasonably be
480	496		linked to, directly or indirectly, a particular consumer or
481	497		household. The term includes the following categories of
482	498		information if the information identifies, relates to, de scribes,
483	499		can be associated with or can reasonably be linked to, directly or
484	500		indirectly, a particular consumer or household:
485	501		a. an identifier, including a real name, alias, mailing
486	502		address, account name, date of birth, driver license
487	503		number, unique identifier, Social Security number,
488	504		passport number, signature, telephone number or other
489	505		government-issued identification number, or other
490	506		similar identifier,
491	507		b. an online identifier, including an electronic mail
492	508		address or Internet Protocol address, or other similar
493	509		identifier,
494	510		c. a physical characteristic or description, including a
495	511		characteristic of a protected classification under
496	512		state or federal law,
497	513		d. commercial information, including:
498	514		(1) a record of personal property,
	515	+
	516	+	HB1602 HFLR Page 10
	517	+	BOLD FACE denotes Committee Amendments. 1
	518	+	2
	519	+	3
	520	+	4
	521	+	5
	522	+	6
	523	+	7
	524	+	8
	525	+	9
	526	+	10
	527	+	11
	528	+	12
	529	+	13
	530	+	14
	531	+	15
	532	+	16
	533	+	17
	534	+	18
	535	+	19
	536	+	20
	537	+	21
	538	+	22
	539	+	23
	540	+	24
	541	+
499	542		(2) a good or service purchased, obtained or
500	543		considered,
501	544		(3) an insurance policy number, or
502		-
503		-	ENGR. H. B. NO. 1602 Page 10 1
504		-	2
505		-	3
506		-	4
507		-	5
508		-	6
509		-	7
510		-	8
511		-	9
512		-	10
513		-	11
514		-	12
515		-	13
516		-	14
517		-	15
518		-	16
519		-	17
520		-	18
521		-	19
522		-	20
523		-	21
524		-	22
525		-	23
526		-	24
527		-
528	545		(4) other purchasing or consuming h istories or
529	546		tendencies,
530	547		e. biometric information,
531	548		f. Internet or other electronic network activity
532	549		information, including:
533	550		(1) browsing or search history, and
534	551		(2) other information regarding a consumer 's
535	552		interaction with an Internet website, application
536	553		or advertisement,
537	554		g. geolocation data,
538	555		h. audio, electronic, visua l, thermal, olfactory or other
539	556		similar information,
540	557		i. professional or employment -related information,
541	558		j. education information that is not publicly available
542		-	personally identifiable ~~information~~ under the ~~federal~~
543		-	~~Family~~ Educational Rights and Privacy Act of 1974,
	559	+	personally identifiable informati on under the Family
	560	+	Educational Rights and Privacy Act of 1974,
544	561		k. financial information, including a financial
545	562		institution account number, credit or debit card
546	563		number, or password or access code associated with a
547	564		credit or debit card or bank account,
548	565		l. medical information,
	566	+
	567	+	HB1602 HFLR Page 11
	568	+	BOLD FACE denotes Committee Amendments. 1
	569	+	2
	570	+	3
	571	+	4
	572	+	5
	573	+	6
	574	+	7
	575	+	8
	576	+	9
	577	+	10
	578	+	11
	579	+	12
	580	+	13
	581	+	14
	582	+	15
	583	+	16
	584	+	17
	585	+	18
	586	+	19
	587	+	20
	588	+	21
	589	+	22
	590	+	23
	591	+	24
	592	+
549	593		m. health insurance information, or
550	594		n. inferences drawn from any of the information listed
551	595		under this paragraph to create a profile about a
552		-
553		-	ENGR. H. B. NO. 1602 Page 11 1
554		-	2
555		-	3
556		-	4
557		-	5
558		-	6
559		-	7
560		-	8
561		-	9
562		-	10
563		-	11
564		-	12
565		-	13
566		-	14
567		-	15
568		-	16
569		-	17
570		-	18
571		-	19
572		-	20
573		-	21
574		-	22
575		-	23
576		-	24
577		-
578	596		consumer that reflects the consumer 's preferences,
579	597		characteristics, psychological trends,
580	598		predispositions, behavior, att itudes, intelligence,
581	599		abilities or aptitudes;
582	600		14. "Processing information " means performing any operation or
583	601		set of operations on personal data or on sets of personal data,
584	602		whether or not by automated means;
585	603		15. "Publicly available information" means information that is
586	604		lawfully made available to the public from federal, state or local
587		-	government records or information received from widely distributed
588		-	media or by the consumer in the public domain . The term does not
589		-	include:
	605	+	government records. The term does not include:
590	606		a. biometric information of a consumer collected by a
591	607		business without the consumer 's knowledge or consent,
592		-	or
593		-	b. de-identified or aggregate consu mer information;
	608	+	b. data that is used for a purpose that is not compatible
	609	+	with the purpose for which the data is:
	610	+	(1) publicly maintained, or
	611	+	(2) maintained in and made available from government
	612	+	records, or
	613	+	c. de-identified or aggregate consu mer information;
594	614		16. "Service provider" means a for-profit entity as described
595	615		by paragraph 3 of this section that processes information on behalf
596	616		of a business and to which the business discloses, for a business
	617	+
	618	+	HB1602 HFLR Page 12
	619	+	BOLD FACE denotes Committee Amendments. 1
	620	+	2
	621	+	3
	622	+	4
	623	+	5
	624	+	6
	625	+	7
	626	+	8
	627	+	9
	628	+	10
	629	+	11
	630	+	12
	631	+	13
	632	+	14
	633	+	15
	634	+	16
	635	+	17
	636	+	18
	637	+	19
	638	+	20
	639	+	21
	640	+	22
	641	+	23
	642	+	24
	643	+
597	644		purpose, a consumer's personal information under a written contr act,
598	645		provided that the contract prohibits the entity receiving the
599	646		information from retaining, using or disclosing the information for
600	647		any purpose other than:
601		-
602		-	ENGR. H. B. NO. 1602 Page 12 1
603		-	2
604		-	3
605		-	4
606		-	5
607		-	6
608		-	7
609		-	8
610		-	9
611		-	10
612		-	11
613		-	12
614		-	13
615		-	14
616		-	15
617		-	16
618		-	17
619		-	18
620		-	19
621		-	20
622		-	21
623		-	22
624		-	23
625		-	24
626		-
627	648		a. providing the services specified in the contract with
628	649		the business, or
629	650		b. for a purpose permit ted by this act, including for a
630	651		commercial purpose other than pro viding those
631	652		specified services;
632	653		17. "Third party" means a person who is not:
633	654		a. a business to which this act applies that collects
634	655		personal information from consumers, or
635	656		b. a person to whom the business discloses, for a
636	657		business purpose, a consumer 's personal information
637	658		under a written contract, provided that the contract:
638	659		(1) prohibits the person receiving the information
639	660		from:
640	661		(a) selling the information,
641	662		(b) retaining, using or disclos ing the
642	663		information for any purpose other than
643	664		providing the services specified in the
644	665		contract, including for a commercial purpose
645	666		other than providing those services, and
	667	+
	668	+	HB1602 HFLR Page 13
	669	+	BOLD FACE denotes Committee Amendments. 1
	670	+	2
	671	+	3
	672	+	4
	673	+	5
	674	+	6
	675	+	7
	676	+	8
	677	+	9
	678	+	10
	679	+	11
	680	+	12
	681	+	13
	682	+	14
	683	+	15
	684	+	16
	685	+	17
	686	+	18
	687	+	19
	688	+	20
	689	+	21
	690	+	22
	691	+	23
	692	+	24
	693	+
646	694		(c) retaining, using or disclosing the
647	695		information outside of the direct business
648	696		relationship between the person and the
649	697		business, and
650		-
651		-	ENGR. H. B. NO. 1602 Page 13 1
652		-	2
653		-	3
654		-	4
655		-	5
656		-	6
657		-	7
658		-	8
659		-	9
660		-	10
661		-	11
662		-	12
663		-	13
664		-	14
665		-	15
666		-	16
667		-	17
668		-	18
669		-	19
670		-	20
671		-	21
672		-	22
673		-	23
674		-	24
675		-
676	698		(2) includes a certification made by the person
677	699		receiving the personal information that the
678	700		person understands and will comply with the
679	701		prohibitions under division (1) of this
680	702		subparagraph;
681	703		18. "Unique identifier" means a persistent identifier that can
682	704		be used over time and across different services to recognize a
683	705		consumer, a custodial parent or guardian, or any minor children over
684	706		which the parent or guardian has custody, or a device that is linked
685	707		to those individuals. The term includes:
686	708		a. a device identifier,
687	709		b. an Internet Protocol address,
688	710		c. a cookie, beacon, pixel tag, mobile ad id entifier or
689	711		similar technology,
690	712		d. a customer number, unique pseudonym or user alias,
691	713		e. a telephone number, and
692	714		f. another form of a persistent or probabilistic
693	715		identifier that can be used to identify a particular
694	716		consumer or device;
695	717		19. "Verifiable consumer request " means a request:
	718	+
	719	+	HB1602 HFLR Page 14
	720	+	BOLD FACE denotes Committee Amendments. 1
	721	+	2
	722	+	3
	723	+	4
	724	+	5
	725	+	6
	726	+	7
	727	+	8
	728	+	9
	729	+	10
	730	+	11
	731	+	12
	732	+	13
	733	+	14
	734	+	15
	735	+	16
	736	+	17
	737	+	18
	738	+	19
	739	+	20
	740	+	21
	741	+	22
	742	+	23
	743	+	24
	744	+
696	745		a. that is made by a consumer, a consumer on behalf of
697	746		the consumer's minor child, or a natural person or
698	747		person who is authorized by a consumer to act on the
699	748		consumer's behalf, and
700		-
701		-	ENGR. H. B. NO. 1602 Page 14 1
702		-	2
703		-	3
704		-	4
705		-	5
706		-	6
707		-	7
708		-	8
709		-	9
710		-	10
711		-	11
712		-	12
713		-	13
714		-	14
715		-	15
716		-	16
717		-	17
718		-	18
719		-	19
720		-	20
721		-	21
722		-	22
723		-	23
724		-	24
725		-
726	749		b. that a business can reasonably verify, in accordance
727		-	with Section 19 of this act, was ~~submitted by the~~
728		-	consumer about whom the business ~~has collected~~
729		-	personal information; and
	750	+	with rules adopted under Section 9 of this act, was
	751	+	submitted by the consumer about whom the business ha s
	752	+	collected personal information; and
730	753		20. "Consent" means an act that clearly and conspicuously
731	754		communicates the individual's authorization of an act or pra ctice
732	755		that is made in the absence of any mechanism in the user inter face
733	756		that has the purpose or su bstantial effect of obscuring, subverting
734	757		or impairing decision -making or choice to obtain consent .
735	758		SECTION 3. NEW LAW A new section of law to be codified
736	759		in the Oklahoma Statutes as Section 901.3 of Title 17, unless there
737	760		is created a duplication in numbering, reads as follows:
738	761		A. This act applies only to:
739	762		1. A business that:
740	763		a. does business in this state,
741	764		b. collects consumers' personal information or has that
742	765		information collected on the business 's behalf,
743	766		c. alone or in conjunction with others, determines the
744	767		purpose for and means of processing consumers '
745	768		personal information, and
	769	+
	770	+	HB1602 HFLR Page 15
	771	+	BOLD FACE denotes Committee Amendments. 1
	772	+	2
	773	+	3
	774	+	4
	775	+	5
	776	+	6
	777	+	7
	778	+	8
	779	+	9
	780	+	10
	781	+	11
	782	+	12
	783	+	13
	784	+	14
	785	+	15
	786	+	16
	787	+	17
	788	+	18
	789	+	19
	790	+	20
	791	+	21
	792	+	22
	793	+	23
	794	+	24
	795	+
746	796		d. satisfies one or more of the following thresholds:
747	797		(1) has annual gross revenue in an amount that
748	798		exceeds Ten Million Dollars ($10,000,000.00),
749		-
750		-	ENGR. H. B. NO. 1602 Page 15 1
751		-	2
752		-	3
753		-	4
754		-	5
755		-	6
756		-	7
757		-	8
758		-	9
759		-	10
760		-	11
761		-	12
762		-	13
763		-	14
764		-	15
765		-	16
766		-	17
767		-	18
768		-	19
769		-	20
770		-	21
771		-	22
772		-	23
773		-	24
774		-
775	799		(2) alone or in combination with others, annually
776		-	buys, sells or receives or shares for commercial
	800	+	buys, sells, or receives or shares for commercial
777	801		purposes the personal information of fifty
778	802		thousand or more consumers, households or
779	803		devices, or
780	804		(3) derives twenty-five percent (25%) or more of the
781	805		business's annual revenue from selling consumers '
782	806		personal information; and
783	807		2. An entity that controls or is controlled by a business
784		-	described by paragraph 1 of this subsection and that shares the same
785		-	or substantially similar brand name and/or common database for
786		-	consumers' personal information. For purposes of this paragraph,
	808	+	described by paragraph 1 of this subsection.
	809	+	B. For purposes of paragraph 2 of subsection A of this section ,
787	810		"control" means the:
788		-	a. ownership of, or power to vote, more than fifty
789		-	percent (50%) of the outstanding shares of any class
790		-	of voting security of a business ,
791		-	b. control in any manner over the election of a majority
792		-	of the directors or of indivi duals exercising similar
793		-	functions, or
794		-	c. power to exercise a controlling influence over the
	811	+	1. Ownership of, or power to vote, more than fifty percent
	812	+	(50%) of the outstanding shares of any class of voting security of a
	813	+	business;
	814	+	2. Control in any manner over the election of a majority of the
	815	+	directors or of individuals exercising similar fun ctions; or
	816	+	3. Power to exercise a controlling influence over the
795	817		management of a company.
796		-	B. For purposes of this ac t, a business sells a consumer 's
	818	+	C. For purposes of this ac t, a business sells a consumer 's
797	819		personal information to another business or a third party if the
	820	+
	821	+	HB1602 HFLR Page 16
	822	+	BOLD FACE denotes Committee Amendments. 1
	823	+	2
	824	+	3
	825	+	4
	826	+	5
	827	+	6
	828	+	7
	829	+	8
	830	+	9
	831	+	10
	832	+	11
	833	+	12
	834	+	13
	835	+	14
	836	+	15
	837	+	16
	838	+	17
	839	+	18
	840	+	19
	841	+	20
	842	+	21
	843	+	22
	844	+	23
	845	+	24
	846	+
798	847		business sells, rents, discloses, dissem inates, makes available,
799		-
800		-	ENGR. H. B. NO. 1602 Page 16 1
801		-	2
802		-	3
803		-	4
804		-	5
805		-	6
806		-	7
807		-	8
808		-	9
809		-	10
810		-	11
811		-	12
812		-	13
813		-	14
814		-	15
815		-	16
816		-	17
817		-	18
818		-	19
819		-	20
820		-	21
821		-	22
822		-	23
823		-	24
824		-
825	848		transfers or otherwise communicates, orally, in writing, or by
826	849		electronic or other means, the information to the other business or
827	850		third party for monetary or other valuable consideration.
828		-	C. For purposes of this ~~act~~, a business does not sell a
	851	+	D. For purposes of this a ct, a business does not sell a
829	852		consumer's personal information if:
830	853		1. The consumer directs the business to intentionally disclose
831	854		the information or uses the business to intentionally interact with
832	855		a third party, provided that the third party does not sell the
833	856		information, unless that disclosure is consistent with this a ct; or
834	857		2. The business:
835	858		a. uses or shares an identifier of the consumer to alert
836	859		a third party that the consumer has opted out of the
837	860		sale of the information,
838	861		b. uses or shares with a service provider a c onsumer's
839	862		personal information that is necessary to perform a
840	863		business purpose if:
841	864		(1) the business provided notice that the information
842	865		is being used or shared in the business 's terms
843		-	and conditions consistent with Sections ~~1 3~~ and 17
	866	+	and conditions consistent with Sections 14 and 18
844	867		of this act, and
845	868		(2) the service provider does not further collect,
846	869		sell or use the information except as necessary
847	870		to perform the business purpose, or
848	871
849		-	ENGR. H. B. NO. 1602 Page 17 1
	872	+	HB1602 HFLR Page 17
	873	+	BOLD FACE denotes Committee Amendments. 1
850	874		2
851	875		3
852	876		4
853	877		5
854	878		6
855	879		7
856	880		8
857	881		9
858	882		10
859	883		11
860	884		12
861	885		13
862	886		14
863	887		15
864	888		16
865	889		17
866	890		18
867	891		19
868	892		20
869	893		21
870	894		22
871	895		23
872	896		24
873	897
874	898		c. transfers to a third party a consumer 's personal
875	899		information as an asset that is part of a merger,
876	900		acquisition, bankruptcy or other transaction in which
877	901		the third party assumes control of all or part of the
878	902		business, provided that information is used or shared
879		-	consistent with this act .
880		-	D. For purposes of paragraph 1 of subsection C of this section ,
	903	+	consistent with Sections 11, 13 and 14 of this act.
	904	+	E. For purposes of paragraph 1 of subsection D of this section ,
881	905		an intentional interaction occurs if the consumer does one or more
882	906		deliberate acts with the intent to interact with a third party.
883	907		Placing a cursor over, muting, pausing or closing online content
884	908		does not constitute a consumer 's intent to interact with a third
885	909		party. Instead, said deliberate act must be consent to such
886	910		interaction as defined herein.
887	911		SECTION 4. NEW LAW A new section of law to be codified
888	912		in the Oklahoma Statutes as Section 901.4 of Title 17, unless there
889	913		is created a duplication in numbering, reads as follows:
890	914		A. This act does not apply to:
891	915		1. Publicly available information;
892		-	2. Medical information governed by state privacy health laws or
893		-	protected health information that is collected by a covered entity
894		-	or business associate governed by the privacy, security and data
895		-	breach notification rules issued by the United States Department of
896		-	Health and Human Services, Parts 160 and 164 of Title 45 of the Code
897		-	of Federal Regulations, established pursuant to the federal Hea lth
898		-
899		-	ENGR. H. B. NO. 1602 Page 18 1
900		-	2
901		-	3
902		-	4
903		-	5
904		-	6
905		-	7
906		-	8
907		-	9
908		-	10
909		-	11
910		-	12
911		-	13
912		-	14
913		-	15
914		-	16
915		-	17
916		-	18
917		-	19
918		-	20
919		-	21
920		-	22
921		-	23
922		-	24
923		-
924		-	Insurance Portability and Accountability Act of 1996 (Public Law
925		-	104-191) and the federal Health Information Technology for Economic
926		-	and Clinical Health Act, Title XIII of the federal American Recovery
927		-	and Reinvestment Act of 2009 (Public Law 111 -5);
928		-	3. A provider of health care , or a health plan, governed by
929		-	state privacy health laws or a covered entity go verned by the
930		-	privacy, security and data breach notification rules issued by the
931		-	United States Department of Health and Human Services, Parts 160 an d
932		-	164 of Title 45 of the Code of Federal Regulations, established
933		-	pursuant to the federal Health Insurance Portability and
934		-	Accountability Act of 1996 (Public Law 104 -191), to the extent the
935		-	provider or covered entity maintains, uses and discloses patient
936		-	information in the same manner as medical information or protected
937		-	health information as described in paragraph 2 of this subsection;
938		-	4. A business associate of a covered entity go verned by the
939		-	privacy, security and data breach notification rules issued by the
940		-	United States Department of Health and Human Services, Parts 160 and
941		-	164 of Title 45 of the Code of Federal Regulations, established
942		-	pursuant to the federal Health Insurance Portability and
943		-	Accountability Act of 1996 (Public Law 104 -191) and the federal
944		-	Health Information Technology for Economic and Clinical Health Act,
945		-	Title XIII of the federal American Recovery and Reinvestment Act of
946		-	2009 (Public Law 111 -5), to the extent that the bus iness associate
947		-	maintains, uses and discloses patient information in the same manner
948		-
949		-	ENGR. H. B. NO. 1602 Page 19 1
950		-	2
951		-	3
952		-	4
953		-	5
954		-	6
955		-	7
956		-	8
957		-	9
958		-	10
959		-	11
960		-	12
961		-	13
962		-	14
963		-	15
964		-	16
965		-	17
966		-	18
967		-	19
968		-	20
969		-	21
970		-	22
971		-	23
972		-	24
973		-
974		-	as medical information or protected health information as described
975		-	in paragraph 2 of this subsection;
976		-	5. Information that meets both of the following conditions:
977		-	a. is de-identified in accordance with the requirements
978		-	for de-identification set forth in Section 164.514 of
979		-	Part 164 of Title 45 of the Code of Federal
980		-	Regulations, and
981		-	b. is derived from patient information that was
982		-	originally collected, created, transmitted or
983		-	maintained by an entity regulated by the Health
984		-	Insurance Portability and Accountability Act of 1996
985		-	or the Federal Policy for the Protection of Human
986		-	Subjects, also known as the Common Rule.
987		-	Information that meets the requirements of subparagraph a or b
988		-	of this paragraph but is subsequently re -identified shall no lon ger
989		-	be eligible for the exemption in this paragraph and shall be subject
990		-	to applicable federal and state data privacy and security laws,
991		-	including, but not limited to, the Health Insurance Portability and
992		-	Accountability Act of 1996 and state medical privac y laws;
993		-	6. Information that is collected, used or disclosed in
994		-	research, as defined in Section 164.501 of Title 45 of the Code of
995		-	Federal Regulations, including, but not limited to, a clinical
996		-	trial, and that is conducted in accordance with applicable e thics,
997		-	confidentiality, privacy and security rules of Part 164 of Title 45
998		-
999		-	ENGR. H. B. NO. 1602 Page 20 1
1000		-	2
1001		-	3
1002		-	4
1003		-	5
1004		-	6
1005		-	7
1006		-	8
1007		-	9
1008		-	10
1009		-	11
1010		-	12
1011		-	13
1012		-	14
1013		-	15
1014		-	16
1015		-	17
1016		-	18
1017		-	19
1018		-	20
1019		-	21
1020		-	22
1021		-	23
1022		-	24
1023		-
1024		-	of the Code of Federal Regulations, the Federal Policy for the
1025		-	Protection of Human Subjects, also known as the Common Rule, good
1026		-	clinical practice guidelines issued by the Internation al Council for
1027		-	Harmonisation, or human subject protection requirements of the
1028		-	United States Food and Drug Administration;
1029		-	7. The sale of personal information t o or by a consumer
	916	+	2. Protected health information governed by state health
	917	+	privacy laws, or collected by a covered entity or a business
	918	+	associate of a covered entity, as those terms are defined by 45
	919	+	C.F.R., Section 160.103, that is go verned by the privacy, security
	920	+	and breach notification rules in 45 C.F.R. , Parts 160 and 164
	921	+	adopted by the United States Department of Health and Human Services
	922	+
	923	+	HB1602 HFLR Page 18
	924	+	BOLD FACE denotes Committee Amendments. 1
	925	+	2
	926	+	3
	927	+	4
	928	+	5
	929	+	6
	930	+	7
	931	+	8
	932	+	9
	933	+	10
	934	+	11
	935	+	12
	936	+	13
	937	+	14
	938	+	15
	939	+	16
	940	+	17
	941	+	18
	942	+	19
	943	+	20
	944	+	21
	945	+	22
	946	+	23
	947	+	24
	948	+
	949	+	under the Health Insurance Portability and Accountability Act of
	950	+	1996 (Pub. L. No. 104-191) and Title XIII of the American Recovery
	951	+	and Reinvestment Act of 2009 (Pub. L. No. 111-5);
	952	+	3. A health care provider governed by state health privacy
	953	+	laws, or a covered entity descr ibed by paragraph 2 of this
	954	+	subsection to the extent that the provider or entity maintains the
	955	+	personal information of a patient in the same manner as protected
	956	+	health information described by that paragraph;
	957	+	4. Information collected as part of a clinical trial subject to
	958	+	the Federal Policy for the Protection of Human Subjects in
	959	+	accordance with the good clinical practice guidelines issued by the
	960	+	International Council for Harmoni sation or the human subject
	961	+	protection requirements of the United States Food and Drug
	962	+	Administration;
	963	+	5. The sale of personal information t o or by a consumer
1030	964		reporting agency if the information is to be:
1031	965		a. reported in or used to generate a consumer report, as
1032	966		defined by Section 1681a(d) of the Fair Credit
1033	967		Reporting Act (15 U.S.C., Section 1681 et seq.), and
1034	968		b. used solely for a purpose authorized under that act;
1035		-	8. Personal ~~information~~ collected, processed, sold or disclosed
	969	+	6. Personal informa tion collected, processed, sold or disclosed
1036	970		in accordance with:
1037		-	a. the federal Gramm-Leach-Bliley Act of 1999 (Public Law
1038		-	106-102) and its implementing regulations, or
1039		-	b. the federal Driver's Privacy Protection Act of 1994
1040		-	(18 U.S.C., Section 2721 et seq.);
1041		-	9. De-identified or aggregate consumer information ; or
1042		-	10. A consumer's personal information collected or sold by a
	971	+	a. the Gramm-Leach-Bliley Act (Pub. L. No. 106 -102) and
	972	+	its implementing regulations, or
	973	+
	974	+	HB1602 HFLR Page 19
	975	+	BOLD FACE denotes Committee Amendments. 1
	976	+	2
	977	+	3
	978	+	4
	979	+	5
	980	+	6
	981	+	7
	982	+	8
	983	+	9
	984	+	10
	985	+	11
	986	+	12
	987	+	13
	988	+	14
	989	+	15
	990	+	16
	991	+	17
	992	+	18
	993	+	19
	994	+	20
	995	+	21
	996	+	22
	997	+	23
	998	+	24
	999	+
	1000	+	b. the Driver's Privacy Protection Act of 1994 (18
	1001	+	U.S.C., Section 2721 et seq.);
	1002	+	7. De-identified or aggregate consumer information; or
	1003	+	8. A consumer's personal information collected or sold by a
1043	1004		business, if every aspect of the collection or sale oc curred wholly
1044	1005		outside of this state.
1045		-	Provided further, nothing in this a ct shall be deemed to apply
1046		-	in any manner to a financial instit ution or an affiliate of a
1047		-
1048		-	ENGR. H. B. NO. 1602 Page 21 1
1049		-	2
1050		-	3
1051		-	4
1052		-	5
1053		-	6
1054		-	7
1055		-	8
1056		-	9
1057		-	10
1058		-	11
1059		-	12
1060		-	13
1061		-	14
1062		-	15
1063		-	16
1064		-	17
1065		-	18
1066		-	19
1067		-	20
1068		-	21
1069		-	22
1070		-	23
1071		-	24
1072		-
1073		-	financial institution that is subject to the federal Gramm -Leach-
1074		-	Bliley Act of 1999 and the rules promulgated thereunder.
1075		-	B. For the purposes of this section, a business or other person
1076		-	shall not re-identify, or attempt to re -identify, information that
1077		-	has met the requirements of paragraphs 2 through 6 of subsection A
1078		-	of this section, except for one or more of the following purposes:
1079		-	1. Treatment, payment or health care operations conducted by a
1080		-	covered entity or business associ ate acting on behalf of, and at the
1081		-	written direction of, the covered entity. For purposes of this
1082		-	paragraph, "treatment", "payment", "health care operations" and
1083		-	"covered entity" have the same meaning as defined in Section 164.501
1084		-	of Title 45 of the Code of Federal Regulations, and "business
1085		-	associate" has the same meaning as defined in Section 160.103 of
1086		-	Title 45 of the Code of Federal Regulations;
1087		-	2. Public health activities or purposes as described in Section
1088		-	164.512 of Title 45 of the Code of Federal Regulations;
1089		-	3. Research, as defined in Section 164.501 of Title 45 of the
1090		-	Code of Federal Regulations, that is conducted in accordance with
1091		-	Part 46 of Title 45 of the Code of Federal Regulations and the
1092		-	Federal Policy for the Protection of Human Subject s, also known as
1093		-	the Common Rule;
1094		-	4. Pursuant to a contract where the lawful holder of the de -
1095		-	identified information expressly engages a person or entity to
1096		-	attempt to re-identify the de-identified information in order to
1097		-
1098		-	ENGR. H. B. NO. 1602 Page 22 1
1099		-	2
1100		-	3
1101		-	4
1102		-	5
1103		-	6
1104		-	7
1105		-	8
1106		-	9
1107		-	10
1108		-	11
1109		-	12
1110		-	13
1111		-	14
1112		-	15
1113		-	16
1114		-	17
1115		-	18
1116		-	19
1117		-	20
1118		-	21
1119		-	22
1120		-	23
1121		-	24
1122		-
1123		-	conduct testing, analysis, or val idation of de-identification, or
1124		-	related statistical techniques, if the contract bans any other use
1125		-	or disclosure of the re -identified information and requires the
1126		-	return or destruction of the information that was re -identified upon
1127		-	completion of the contr act; and
1128		-	5. If otherwise required by law.
1129		-	C. In accordance with paragraphs 2 through 6 of subsection A of
1130		-	this section, information re-identified pursuant to this section
1131		-	shall be subject to applicable federal and state data privacy and
1132		-	security laws, including, but not limited to, the Health Insurance
1133		-	Portability and Accountability Ac t of 1996 and state health privacy
1134		-	laws.
1135		-	D. Beginning January 1, 2023, any contract for the sale or
1136		-	license of de-identified information that has met the requirements
1137		-	of paragraphs 2 through 6 of subsection A of this section , where one
1138		-	of the parties is a person residing or doing business in the state,
1139		-	shall include the following, or substantially similar, provisions:
1140		-	1. A statement that the de -identified information being sold or
1141		-	licensed includes de-identified patient information;
1142		-	2. A statement that re-identification, and attempted re -
1143		-	identification, of the de -identified information by the purchaser or
1144		-	licensee of the information is proh ibited pursuant to this section;
1145		-	and
1146		-
1147		-	ENGR. H. B. NO. 1602 Page 23 1
1148		-	2
1149		-	3
1150		-	4
1151		-	5
1152		-	6
1153		-	7
1154		-	8
1155		-	9
1156		-	10
1157		-	11
1158		-	12
1159		-	13
1160		-	14
1161		-	15
1162		-	16
1163		-	17
1164		-	18
1165		-	19
1166		-	20
1167		-	21
1168		-	22
1169		-	23
1170		-	24
1171		-
1172		-	3. A requirement that, unless otherwise required by law, the
1173		-	purchaser or licensee of the de -identified information may not
1174		-	further disclose the de -identified information to any third party
1175		-	unless the third party is contractually bound by the same or
1176		-	stricter restrictions and conditions.
1177		-	E. For purposes of this section, "re -identify" means the
1178		-	process of reversal of de -identification techniques, including, but
1179		-	not limited to, the addition of specific pieces of information or
1180		-	data elements that can, ind ividually or in combination, be used to
1181		-	uniquely identify an individual or usage.
1182		-	F. For purposes of paragraph 10 of s ubsection A of this
1183		-	section, the collection or sale of a consumer 's personal information
1184		-	occurs wholly outside of this state if:
	1006	+	B. For purposes of paragraph 8 of subsection A of this section,
	1007	+	the collection or sale of a consumer 's personal information occurs
	1008	+	wholly outside of this state if:
1185	1009		1. The business collects that information while the c onsumer is
1186	1010		outside of this state;
1187	1011		2. No part of the sale of the information occurs in this state;
1188	1012		and
1189	1013		3. The business does not sell any personal information of the
1190	1014		consumer collected while the consumer is in this state.
1191		-	G. For purposes of subsection F of this section, the collection
	1015	+	C. For purposes of subsection B of this section, the collection
1192	1016		or sale of a consumer 's personal information does not occur wholly
1193	1017		outside of this state if a business stores a consumer 's personal
1194	1018		information, including on a device, when the consumer is in this
1195		-
1196		-	ENGR. H. B. NO. 1602 Page 24 1
1197		-	2
1198		-	3
1199		-	4
1200		-	5
1201		-	6
1202		-	7
1203		-	8
1204		-	9
1205		-	10
1206		-	11
1207		-	12
1208		-	13
1209		-	14
1210		-	15
1211		-	16
1212		-	17
1213		-	18
1214		-	19
1215		-	20
1216		-	21
1217		-	22
1218		-	23
1219		-	24
1220		-
1221	1019		state and subsequently colle cts or sells that stored information
1222	1020		when the consumer and the information are outside of this state.
1223		-	H. For purposes of this section, all of the following shall
1224		-	apply:
1225		-	1. "Business associate" has the same meaning as defined in
1226		-	Section 160.103 of Title 45 of the Code of Federal Regulations;
1227		-	2. "Covered entity" has the same meaning as defined in Section
1228		-	160.103 of Title 45 of the Code of Federal Regulations;
1229		-	3. "Identifiable private information" has the same meaning as
1230		-	defined in Section 46.102 of Title 45 of the Code of Federal
1231		-	Regulations;
1232		-	4. "Individually identifiable health information" has the same
1233		-	meaning as defined in Section 160.103 of Title 45 of the Code of
1234		-	Federal Regulations;
1235		-	5. "Medical informat ion" means any individually identifiable
1236		-	information, in electronic or physical form, in possession of or
1237		-	derived from a provider of health care, health care service plan,
1238		-	pharmaceutical company, or contractor regarding a patient' s medical
1239		-	history, mental or physical condition, or treatment;
1240		-	6. "Patient information" means identifiable private
1241		-	information, protected health information individually identifiable
1242		-	health information, or medical information;
1243		-
1244		-	ENGR. H. B. NO. 1602 Page 25 1
1245		-	2
1246		-	3
1247		-	4
1248		-	5
1249		-	6
1250		-	7
1251		-	8
1252		-	9
1253		-	10
1254		-	11
1255		-	12
1256		-	13
1257		-	14
1258		-	15
1259		-	16
1260		-	17
1261		-	18
1262		-	19
1263		-	20
1264		-	21
1265		-	22
1266		-	23
1267		-	24
1268		-
1269		-	7. "Protected health information" has the same meaning as
1270		-	defined in Section 160.103 of Title 45 of the Code of Federal
1271		-	Regulations; and
1272		-	8. "Provider of health care" means a person or entity that is a
1273		-	covered entity.
1274	1021		SECTION 5. NEW LAW A new section of law to be codified
1275	1022		in the Oklahoma Statutes as Section 901.5 of Title 17, unless there
1276	1023		is created a duplication in numbering, reads as follows:
	1024	+
	1025	+	HB1602 HFLR Page 20
	1026	+	BOLD FACE denotes Committee Amendments. 1
	1027	+	2
	1028	+	3
	1029	+	4
	1030	+	5
	1031	+	6
	1032	+	7
	1033	+	8
	1034	+	9
	1035	+	10
	1036	+	11
	1037	+	12
	1038	+	13
	1039	+	14
	1040	+	15
	1041	+	16
	1042	+	17
	1043	+	18
	1044	+	19
	1045	+	20
	1046	+	21
	1047	+	22
	1048	+	23
	1049	+	24
	1050	+
1277	1051		A right or obligation under this a ct does not apply to the
1278	1052		extent that the exercise of the right or performance of the
1279	1053		obligation infringes on a noncommercial activity of:
1280	1054		1. A publisher, editor, reporter or other person connected with
1281	1055		or employed by a newspaper, magazine or other publication of general
1282	1056		circulation, including a periodical newsletter, pamphlet or report;
1283	1057		2. A radio or television station that holds a license issued by
1284	1058		the Federal Communicati ons Commission; or
1285	1059		3. An entity that provides an information service, including a
1286	1060		press association or wire service.
1287	1061		SECTION 6. NEW LAW A new section of law to be codified
1288	1062		in the Oklahoma Statutes as Section 901.6 of Title 17, unle ss there
1289	1063		is created a duplication in numbering, reads as follows:
1290	1064		This act does not:
1291	1065		1. Restrict a business 's ability to:
1292	1066		a. comply with:
1293		-
1294		-	ENGR. H. B. NO. 1602 Page 26 1
1295		-	2
1296		-	3
1297		-	4
1298		-	5
1299		-	6
1300		-	7
1301		-	8
1302		-	9
1303		-	10
1304		-	11
1305		-	12
1306		-	13
1307		-	14
1308		-	15
1309		-	16
1310		-	17
1311		-	18
1312		-	19
1313		-	20
1314		-	21
1315		-	22
1316		-	23
1317		-	24
1318		-
1319	1067		(1) applicable federal, state or local laws, or
1320	1068		(2) a civil, criminal or regulatory inquiry,
1321	1069		investigation, subpoena or summons by a federal,
1322	1070		state or local authority,
1323	1071		b. cooperate with a law enforcement agency concerning
1324	1072		conduct or activity that the business, a s ervice
1325	1073		provider of the business or a third party reasonably
	1074	+
	1075	+	HB1602 HFLR Page 21
	1076	+	BOLD FACE denotes Committee Amendments. 1
	1077	+	2
	1078	+	3
	1079	+	4
	1080	+	5
	1081	+	6
	1082	+	7
	1083	+	8
	1084	+	9
	1085	+	10
	1086	+	11
	1087	+	12
	1088	+	13
	1089	+	14
	1090	+	15
	1091	+	16
	1092	+	17
	1093	+	18
	1094	+	19
	1095	+	20
	1096	+	21
	1097	+	22
	1098	+	23
	1099	+	24
	1100	+
1326	1101		and in good faith believes may violate other
1327		-	applicable federal, state or local laws,
1328		-	c. pursue or defend against a legal claim,
1329		-	d. detect a security incident; protect against malicious,
1330		-	deceptive, fraudulent or illegal activity; or
1331		-	prosecute those responsible for any illegal activ ity
1332		-	described by this paragraph, or
1333		-	e. assist another party with any of the foregoing; or
	1102	+	applicable federal, state or local laws, or
	1103	+	c. pursue or defend against a legal claim; or
1334	1104		2. Require a business to violate an evidentiary privilege under
1335	1105		federal or state law or prevent a business from disclosing to a
1336	1106		person covered by an evidentiary privileg e the personal information
1337	1107		of a consumer as part of a privileged communication.
1338	1108		SECTION 7. NEW LAW A new section of law to be codified
1339	1109		in the Oklahoma Statutes as Section 901.7 of Title 17, unless there
1340	1110		is created a duplication in n umbering, reads as follows:
1341		-
1342		-	ENGR. H. B. NO. 1602 Page 27 1
1343		-	2
1344		-	3
1345		-	4
1346		-	5
1347		-	6
1348		-	7
1349		-	8
1350		-	9
1351		-	10
1352		-	11
1353		-	12
1354		-	13
1355		-	14
1356		-	15
1357		-	16
1358		-	17
1359		-	18
1360		-	19
1361		-	20
1362		-	21
1363		-	22
1364		-	23
1365		-	24
1366		-
1367	1111		A. This act shall be liberally construed to effect its purposes
1368	1112		and to harmonize, to the extent possible, with other laws of this
1369	1113		state relating to the privacy or protection of personal information.
1370	1114		B. To the extent of a confl ict between a provision of this a ct
1371	1115		and a provision of federal law, including a regulation or an
1372	1116		interpretation of federal law, federal law controls and conflicting
1373		-	requirements or other provisions of this a ct do not apply. Further,
1374		-	should the federal government pass comprehensive data privacy
1375		-	regulations that conflict with the provisions herein, federal law
1376		-	shall prevail.
	1117	+	requirements or other provisions of this a ct do not apply.
1377	1118		C. To the extent of a conflict between a provision of this act
1378	1119		and another statute of this state with respect to the privacy or
1379	1120		protection of consumers ' personal information, the provision of law
1380	1121		that affords the greatest privacy or protection to consumers
1381	1122		prevails.
	1123	+
	1124	+	HB1602 HFLR Page 22
	1125	+	BOLD FACE denotes Committee Amendments. 1
	1126	+	2
	1127	+	3
	1128	+	4
	1129	+	5
	1130	+	6
	1131	+	7
	1132	+	8
	1133	+	9
	1134	+	10
	1135	+	11
	1136	+	12
	1137	+	13
	1138	+	14
	1139	+	15
	1140	+	16
	1141	+	17
	1142	+	18
	1143	+	19
	1144	+	20
	1145	+	21
	1146	+	22
	1147	+	23
	1148	+	24
	1149	+
1382	1150		SECTION 8. NEW LAW A new section of law to be codified
1383	1151		in the Oklahoma Statutes as Section 901.8 of Title 17, unless there
1384	1152		is created a duplication in numbering, reads as follows:
1385	1153		This act preempts and supersedes any ordinance, order or rule
1386	1154		adopted by a political subdivision of this state relating to the
1387	1155		collection or sale by a business of a consumer 's personal
1388	1156		information.
1389		-
1390		-	ENGR. H. B. NO. 1602 Page 28 1
1391		-	2
1392		-	3
1393		-	4
1394		-	5
1395		-	6
1396		-	7
1397		-	8
1398		-	9
1399		-	10
1400		-	11
1401		-	12
1402		-	13
1403		-	14
1404		-	15
1405		-	16
1406		-	17
1407		-	18
1408		-	19
1409		-	20
1410		-	21
1411		-	22
1412		-	23
1413		-	24
1414		-
1415	1157		SECTION 9. NEW LAW A new section of law to be codified
1416	1158		in the Oklahoma Statutes as Section 901.9 of Title 17, unless there
1417	1159		is created a duplication in numbering, reads as follows:
1418		-	Except as used in Section 4 of this act, for purposes of this
1419		-	act, "research" means scientific, systematic study and observation,
1420		-	including basic research or applied research that is in the public
1421		-	interest and that adheres to all other appli cable ethics and privacy
1422		-	laws or studies conducted in the public interest in the area of
1423		-	public health. Research with personal information that may have
1424		-	been collected from a consumer in the course of the consumer 's
1425		-	interactions with a business 's service or device for other purposes
1426		-	must:
1427		-	1. Be compatible with the business purpose for which the
1428		-	personal information was collected;
1429		-	2. Be subsequently pseudonymized and de -identified, or de-
	1160	+	A. The Oklahoma Corporation Commission shall adopt rules
	1161	+	necessary to implement, administer and enforce this act.
	1162	+	B. The rules adopted under subsection A of this section must
	1163	+	establish:
	1164	+	1. Procedures governing the determination of, submission of,
	1165	+	and compliance with a verifiable consumer request for information
	1166	+	with the goal of minimizing administrative burdens on consumers and
	1167	+	businesses subject to this a ct by taking into account available
	1168	+	technology and security concerns, including:
	1169	+	a. treating as a verifiable consumer request a request
	1170	+	submitted through a password -protected online account
	1171	+	maintained by the consumer with the business while
	1172	+	logged into the account, and
	1173	+
	1174	+	HB1602 HFLR Page 23
	1175	+	BOLD FACE denotes Committee Amendments. 1
	1176	+	2
	1177	+	3
	1178	+	4
	1179	+	5
	1180	+	6
	1181	+	7
	1182	+	8
	1183	+	9
	1184	+	10
	1185	+	11
	1186	+	12
	1187	+	13
	1188	+	14
	1189	+	15
	1190	+	16
	1191	+	17
	1192	+	18
	1193	+	19
	1194	+	20
	1195	+	21
	1196	+	22
	1197	+	23
	1198	+	24
	1199	+
	1200	+	b. providing a mechanism for a request submitted by a
	1201	+	consumer who does not mainta in an account with the
	1202	+	business;
	1203	+	2. Procedures to facilitate and govern the submission of and
	1204	+	compliance with a request to opt out of or opt in to the sale of
	1205	+	personal information under Section 14 of this act;
	1206	+	3. Guidelines for the development of a recognizable and uniform
	1207	+	opt-in logo or button for use on businesses ' Internet websites in a
	1208	+	manner that promotes consumer awareness of the opportunity to opt in
	1209	+	to the sale of personal infor mation; and
	1210	+	4. Procedures and guidelines, including any necessary
	1211	+	exceptions, to ensure that the notices and information businesses
	1212	+	are required to provide under this a ct, including information
	1213	+	regarding financial incentive offerings, is:
	1214	+	a. provided in a manner that is easily understood by the
	1215	+	average consumer,
	1216	+	b. accessible by consumers with disabilities, and
	1217	+	c. available in the languages primarily used by consumers
	1218	+	to interact with businesses.
	1219	+	C. The Oklahoma Corporation Commission may adopt other rule s
	1220	+	necessary to further the purposes of this a ct, including rules as
	1221	+	necessary to:
	1222	+	1. Update the categories of personal information listed under
	1223	+	paragraph 13 of Section 2 of this act and the definition of
	1224	+
	1225	+	HB1602 HFLR Page 24
	1226	+	BOLD FACE denotes Committee Amendments. 1
	1227	+	2
	1228	+	3
	1229	+	4
	1230	+	5
	1231	+	6
	1232	+	7
	1233	+	8
	1234	+	9
	1235	+	10
	1236	+	11
	1237	+	12
	1238	+	13
	1239	+	14
	1240	+	15
	1241	+	16
	1242	+	17
	1243	+	18
	1244	+	19
	1245	+	20
	1246	+	21
	1247	+	22
	1248	+	23
	1249	+	24
	1250	+
	1251	+	identifier under paragraph 10 of Section 2 of this act to account
	1252	+	for privacy concerns, implementation obstacles, or changes in
	1253	+	technology and data collection methods;
	1254	+	2. Update the designated methods for submitting requests to
	1255	+	facilitate a consumer 's ability to obtain information from a
	1256	+	business under Section 19 of this act; and
	1257	+	3. Establish any exceptions necessary to comply with federal
	1258	+	law or other laws of this state, including laws relating to trade
	1259	+	secrets and intellectual property rights.
	1260	+	SECTION 10. NEW LAW A new section of law to be codified
	1261	+	in the Oklahoma Statutes as Section 901.10 of Title 17, unless there
	1262	+	is created a duplication in numbering, reads as follows:
	1263	+	For purposes of this a ct, "research" means scientific,
	1264	+	systematic study and observation, including basic resear ch or
	1265	+	applied research that is in the public interest and that adheres to
	1266	+	all other applicable ethics and privacy laws or studies conducted in
	1267	+	the public interest in the area of public health. Research with
	1268	+	personal information that may have been collecte d from a consumer in
	1269	+	the course of the consumer 's interactions with a business 's service
	1270	+	or device for other purposes must be:
	1271	+	1. Compatible with the business purpose for which the personal
	1272	+	information was collected;
	1273	+	2. Subsequently pseudonymized and de -identified, or de-
1430	1274		identified and in the aggregate, such that the information cannot
	1275	+
	1276	+	HB1602 HFLR Page 25
	1277	+	BOLD FACE denotes Committee Amendments. 1
	1278	+	2
	1279	+	3
	1280	+	4
	1281	+	5
	1282	+	6
	1283	+	7
	1284	+	8
	1285	+	9
	1286	+	10
	1287	+	11
	1288	+	12
	1289	+	13
	1290	+	14
	1291	+	15
	1292	+	16
	1293	+	17
	1294	+	18
	1295	+	19
	1296	+	20
	1297	+	21
	1298	+	22
	1299	+	23
	1300	+	24
	1301	+
1431	1302		reasonably identify, relate to, describe, be capable of being
1432	1303		associated with, or be linked, directly or indirectly, to a
1433	1304		particular consumer;
1434		-	3. Be made subject to technical safeguards that prohibit re -
	1305	+	3. Made subject to technical safeguards that prohibit re -
1435	1306		identification of the consumer to whom the information may pertain;
1436		-	4. Be subject to business processes that specifically prohibit
1437		-	re-identification of the information;
1438		-
1439		-	ENGR. H. B. NO. 1602 Page 29 1
1440		-	2
1441		-	3
1442		-	4
1443		-	5
1444		-	6
1445		-	7
1446		-	8
1447		-	9
1448		-	10
1449		-	11
1450		-	12
1451		-	13
1452		-	14
1453		-	15
1454		-	16
1455		-	17
1456		-	18
1457		-	19
1458		-	20
1459		-	21
1460		-	22
1461		-	23
1462		-	24
1463		-
1464		-	5. Be made subject to business processes to prevent inadvertent
	1307	+	4. Subject to business processes that specifically prohibit re -
	1308	+	identification of the information;
	1309	+	5. Made subject to business processes to prevent inadverten t
1465	1310		release of de-identified information;
1466		-	6. Be protected from any re -identification attempts;
1467		-	7. Be used solely for research purposes that are compatible
1468		-	~~with~~ the context in which the personal information was collected;
1469		-	8. Not be used for any commercial purpose; and
1470		-	9. Be subjected by the business conducting the research to
	1311	+	6. Protected from any re -identification attempts;
	1312	+	7. Used solely for research purposes that are compatible with
	1313	+	the context in which the personal information was collected;
	1314	+	8. Not used for any commercial purpose; and
	1315	+	9. Subjected by the business conducting the research to
1471	1316		additional security controls that limit access to the research data
1472	1317		to only those individuals in a business as are necessary to carry
1473	1318		out the research purpose.
1474		-	SECTION 10. NEW LAW A new section of law to be codified
1475		-	in the Oklahoma ~~Statu tes~~ as Section 901.~~1 0~~ of Title 17, unless there
	1319	+	SECTION 11. NEW LAW A new section of law to be codified
	1320	+	in the Oklahoma Statutes as Section 901.11 of Title 17, unless there
1476	1321		is created a duplication in numbering, reads as follows:
1477	1322		A. A consumer is entitled to request that a business that
1478	1323		collects the consumer 's personal information disclose to the
1479	1324		consumer the categories and specific items of personal information
1480	1325		the business has collected.
	1326	+
	1327	+	HB1602 HFLR Page 26
	1328	+	BOLD FACE denotes Committee Amendments. 1
	1329	+	2
	1330	+	3
	1331	+	4
	1332	+	5
	1333	+	6
	1334	+	7
	1335	+	8
	1336	+	9
	1337	+	10
	1338	+	11
	1339	+	12
	1340	+	13
	1341	+	14
	1342	+	15
	1343	+	16
	1344	+	17
	1345	+	18
	1346	+	19
	1347	+	20
	1348	+	21
	1349	+	22
	1350	+	23
	1351	+	24
	1352	+
1481	1353		B. To receive the disclosure of information under subsection A
1482	1354		of this section, a consumer must submit to the business a verif iable
1483	1355		consumer request using a method designated by the business under
1484		-	Section 18 of this act.
	1356	+	Section 19 of this act.
1485	1357		C. On receipt of a verifiable consumer request under this
1486	1358		section, a business shall disclose to the consumer in the time and
1487		-	manner provided by Section 20 of this act:
1488		-
1489		-	ENGR. H. B. NO. 1602 Page 30 1
1490		-	2
1491		-	3
1492		-	4
1493		-	5
1494		-	6
1495		-	7
1496		-	8
1497		-	9
1498		-	10
1499		-	11
1500		-	12
1501		-	13
1502		-	14
1503		-	15
1504		-	16
1505		-	17
1506		-	18
1507		-	19
1508		-	20
1509		-	21
1510		-	22
1511		-	23
1512		-	24
1513		-
	1359	+	manner provided by Section 21 of this act:
1514	1360		1. Each enumerated category and item within each category of
1515	1361		personal information under paragraph 13 of Section 2 of this act
1516	1362		that the business collected about the consumer during the twelve
1517	1363		(12) months preceding the date of the request;
1518	1364		2. Each category of sources from which the information was
1519	1365		collected;
1520	1366		3. The business or commercial purpose for collecting or selling
1521	1367		the personal information; and
1522	1368		4. Each category of third parties with whom the business shares
1523	1369		the personal information.
1524	1370		D. This section does not require a business to:
1525	1371		1. Retain a consumer 's personal information that was collected
1526	1372		for a one-time transaction if the information is not sold or
1527	1373		retained in the ordinary course of business; or
1528	1374		2. Re-identify or otherwise link any data that, in the ordinary
1529	1375		course of business, is not maintained in a manner that would be
1530	1376		considered personal information.
1531		-	SECTION 11. NEW LAW A new section of law to be codified
1532		-	in the Oklahoma Statutes as Section 901.1 1 of Title 17, unless there
	1377	+
	1378	+	HB1602 HFLR Page 27
	1379	+	BOLD FACE denotes Committee Amendments. 1
	1380	+	2
	1381	+	3
	1382	+	4
	1383	+	5
	1384	+	6
	1385	+	7
	1386	+	8
	1387	+	9
	1388	+	10
	1389	+	11
	1390	+	12
	1391	+	13
	1392	+	14
	1393	+	15
	1394	+	16
	1395	+	17
	1396	+	18
	1397	+	19
	1398	+	20
	1399	+	21
	1400	+	22
	1401	+	23
	1402	+	24
	1403	+
	1404	+	SECTION 12. NEW LAW A new section of law to be codified
	1405	+	in the Oklahoma Statutes as Section 901.12 of Title 17, u nless there
1533	1406		is created a duplication in numbering, reads as follows:
1534	1407		A. A consumer is entitled to request that a business that
1535	1408		collects the consumer 's personal information delete any personal
1536	1409		information the business has collected from the consumer by
1537		-
1538		-	ENGR. H. B. NO. 1602 Page 31 1
1539		-	2
1540		-	3
1541		-	4
1542		-	5
1543		-	6
1544		-	7
1545		-	8
1546		-	9
1547		-	10
1548		-	11
1549		-	12
1550		-	13
1551		-	14
1552		-	15
1553		-	16
1554		-	17
1555		-	18
1556		-	19
1557		-	20
1558		-	21
1559		-	22
1560		-	23
1561		-	24
1562		-
1563	1410		submitting a verifiable consumer request using a method designated
1564		-	by the business under Section 18 of this act .
	1411	+	by the business under Section 19 of this act.
1565	1412		B. Except as provided by s ubsection C of this section, on
1566		-	receipt of a verifiable cons umer request under this section, a
	1413	+	receipt of a verifiable cons umer request under this section a
1567	1414		business shall delete fro m the business's records any personal
1568	1415		information collected from the consumer and direct a service
1569	1416		provider of the business to delete the information from the
1570		-	provider's records in the time provided for in Section 20 of this
1571		-	act.
	1417	+	provider's records.
1572	1418		C. A business or service provider of the business is not
1573	1419		required to comply with a verifiable consumer request received under
1574	1420		this section if the business or service provider needs to retain the
1575	1421		consumer's personal information to:
1576	1422		1. Complete the transaction for which the information was
1577	1423		collected;
1578	1424		2. Provide a good or service r equested by the consumer in the
1579	1425		context of the ongoing business relationship between the business
1580	1426		and consumer;
	1427	+
	1428	+	HB1602 HFLR Page 28
	1429	+	BOLD FACE denotes Committee Amendments. 1
	1430	+	2
	1431	+	3
	1432	+	4
	1433	+	5
	1434	+	6
	1435	+	7
	1436	+	8
	1437	+	9
	1438	+	10
	1439	+	11
	1440	+	12
	1441	+	13
	1442	+	14
	1443	+	15
	1444	+	16
	1445	+	17
	1446	+	18
	1447	+	19
	1448	+	20
	1449	+	21
	1450	+	22
	1451	+	23
	1452	+	24
	1453	+
1581	1454		3. Perform under a contract between the business and the
1582	1455		consumer;
1583	1456		4. Detect a security incident; protect against malicious,
1584	1457		deceptive, fraudulent or illegal activity; or prosecute those
1585	1458		responsible for any illegal activity described by this paragraph;
1586		-
1587		-	ENGR. H. B. NO. 1602 Page 32 1
1588		-	2
1589		-	3
1590		-	4
1591		-	5
1592		-	6
1593		-	7
1594		-	8
1595		-	9
1596		-	10
1597		-	11
1598		-	12
1599		-	13
1600		-	14
1601		-	15
1602		-	16
1603		-	17
1604		-	18
1605		-	19
1606		-	20
1607		-	21
1608		-	22
1609		-	23
1610		-	24
1611		-
1612	1459		5. Identify and repair or remove errors from computer hardware
1613	1460		or software that impair its intended functionality;
1614	1461		6. Exercise free speech or e nsure the right of another consumer
1615	1462		to exercise the right of free speech or another right afforded by
1616	1463		law;
1617	1464		7. Comply with a court order or subpoena or other lawful
1618	1465		process; or
1619	1466		8. Engage in public or peer -reviewed scientific, historical or
1620	1467		statistical research that is in the public interest and that adheres
1621	1468		to all other applicable ethics and privacy laws , provided that:
1622	1469		a. the business's deletion of the information is likely
1623	1470		to render impossible or seriously impair the
1624	1471		achievement of that research, and
1625	1472		b. the consumer has previously provided to the business
1626	1473		informed consent to retain the information for such
1627	1474		use.
1628	1475		D. Where a business, service provider or third party has made a
1629	1476		consumer's personal information public, sai d business, service
1630	1477		provider or third party shall:
	1478	+
	1479	+	HB1602 HFLR Page 29
	1480	+	BOLD FACE denotes Committee Amendments. 1
	1481	+	2
	1482	+	3
	1483	+	4
	1484	+	5
	1485	+	6
	1486	+	7
	1487	+	8
	1488	+	9
	1489	+	10
	1490	+	11
	1491	+	12
	1492	+	13
	1493	+	14
	1494	+	15
	1495	+	16
	1496	+	17
	1497	+	18
	1498	+	19
	1499	+	20
	1500	+	21
	1501	+	22
	1502	+	23
	1503	+	24
	1504	+
1631	1505		1. Take all reasonable steps, including technical measures, to
1632	1506		erase the personal information that the business, service provider
1633		-	or third party made public , taking into account available technology
	1507	+	or third party made public taking into account available technology
1634	1508		and the cost of implementation; and
1635		-
1636		-	ENGR. H. B. NO. 1602 Page 33 1
1637		-	2
1638		-	3
1639		-	4
1640		-	5
1641		-	6
1642		-	7
1643		-	8
1644		-	9
1645		-	10
1646		-	11
1647		-	12
1648		-	13
1649		-	14
1650		-	15
1651		-	16
1652		-	17
1653		-	18
1654		-	19
1655		-	20
1656		-	21
1657		-	22
1658		-	23
1659		-	24
1660		-
1661		-	2. Advise any other business, service provider or third party
1662		-	with whom a contract regarding the consumer exists that the consumer
1663		-	has requested the era sure of any links to, copies of or replication
1664		-	of that personal information.
1665		-	SECTION 12. NEW LAW A n ew section of law to be codified
1666		-	in the Oklahoma Statutes as Section 901.12 of Title 17, unless there
	1509	+	2. Also advise any other business, service provider or third
	1510	+	party with whom a contract regarding the consumer exists that the
	1511	+	consumer has requested the era sure of any links to, copies of or
	1512	+	replication of that personal information.
	1513	+	SECTION 13. NEW LAW A new section of law to be codified
	1514	+	in the Oklahoma Statutes as Section 901.13 of Title 17, unless there
1667	1515		is created a duplication in numbering, reads as follows:
1668	1516		A. A consumer is entitled to request that a business that
1669	1517		sells, or discloses f or a business purpose, the consumer 's personal
1670	1518		information disclose to the consumer:
1671	1519		1. The categories of personal information the business
1672	1520		collected about the consumer;
1673	1521		2. The categories of personal information about the consumer
1674	1522		the business sold, or d isclosed for a business purpose; and
1675	1523		3. The categories of third parties to whom the personal
1676	1524		information was sold or disclosed.
1677	1525		B. To receive the disclosure of information under subsection A
1678	1526		of this section, a consumer must submit to the business a verif iable
1679	1527		consumer request using a method designated by the business under
1680		-	Section 18 of this act .
	1528	+	Section 19 of this act.
	1529	+
	1530	+	HB1602 HFLR Page 30
	1531	+	BOLD FACE denotes Committee Amendments. 1
	1532	+	2
	1533	+	3
	1534	+	4
	1535	+	5
	1536	+	6
	1537	+	7
	1538	+	8
	1539	+	9
	1540	+	10
	1541	+	11
	1542	+	12
	1543	+	13
	1544	+	14
	1545	+	15
	1546	+	16
	1547	+	17
	1548	+	18
	1549	+	19
	1550	+	20
	1551	+	21
	1552	+	22
	1553	+	23
	1554	+	24
	1555	+
1681	1556		C. On receipt of a verifiable consumer request under this
1682	1557		section, a business shall disclose to the consumer in the time and
1683		-	manner provided by Section 20 of this act :
1684		-
1685		-	ENGR. H. B. NO. 1602 Page 34 1
1686		-	2
1687		-	3
1688		-	4
1689		-	5
1690		-	6
1691		-	7
1692		-	8
1693		-	9
1694		-	10
1695		-	11
1696		-	12
1697		-	13
1698		-	14
1699		-	15
1700		-	16
1701		-	17
1702		-	18
1703		-	19
1704		-	20
1705		-	21
1706		-	22
1707		-	23
1708		-	24
1709		-
	1558	+	manner provided by Section 21 of this act:
1710	1559		1. Each enumerated category of personal information under
1711	1560		paragraph 13 of Section 2 of this act that the business collected
1712	1561		about the consumer during the twelve (12) months preceding the date
1713	1562		of the request;
1714	1563		2. The categories of third parties to whom the business sold
1715	1564		the consumer's personal information during the twelve (12) months
1716		-	preceding the date of the request by reference to each enumerated
	1565	+	preceding the date of the request, by reference to each enumerated
1717	1566		category of information under paragraph 13 of Section 2 of this act
1718	1567		sold to each third party; and
1719	1568		3. The categories of third parties to whom the business
1720	1569		disclosed for a business purpose the consumer 's personal information
1721		-	during the twelve (12) months preceding the date of the request by
	1570	+	during the twelve (12) months preceding the date of the request, by
1722	1571		reference to each enumerated category of information under paragraph
1723	1572		13 of Section 2 of this act disclosed to each third party.
1724	1573		D. A business shall provide the information described by
1725	1574		paragraphs 2 and 3 of subsection C of this section in two separate
1726	1575		lists.
1727	1576		E. A business that did not sell, or disclose for a business
1728	1577		purpose, the consumer 's personal information during the twelve (12)
1729	1578		months preceding the date of receiving the consumer 's verifiable
	1579	+
	1580	+	HB1602 HFLR Page 31
	1581	+	BOLD FACE denotes Committee Amendments. 1
	1582	+	2
	1583	+	3
	1584	+	4
	1585	+	5
	1586	+	6
	1587	+	7
	1588	+	8
	1589	+	9
	1590	+	10
	1591	+	11
	1592	+	12
	1593	+	13
	1594	+	14
	1595	+	15
	1596	+	16
	1597	+	17
	1598	+	18
	1599	+	19
	1600	+	20
	1601	+	21
	1602	+	22
	1603	+	23
	1604	+	24
	1605	+
1730	1606		consumer request under this section shall disclose that fact to the
1731	1607		consumer.
1732		-
1733		-	ENGR. H. B. NO. 1602 Page 35 1
1734		-	2
1735		-	3
1736		-	4
1737		-	5
1738		-	6
1739		-	7
1740		-	8
1741		-	9
1742		-	10
1743		-	11
1744		-	12
1745		-	13
1746		-	14
1747		-	15
1748		-	16
1749		-	17
1750		-	18
1751		-	19
1752		-	20
1753		-	21
1754		-	22
1755		-	23
1756		-	24
1757		-
1758		-	SECTION 13. NEW LAW A new section of law to be codified
1759		-	in the Oklahoma Statutes as Section 901.1 3 of Title 17, unless there
	1608	+	SECTION 14. NEW LAW A new section of law to be codified
	1609	+	in the Oklahoma Statutes as Section 901.14 of Title 17, unless there
1760	1610		is created a duplication in numbering, reads as follows:
1761	1611		A. A consumer is entitled at any time to opt out of the sale of
1762	1612		the consumer's personal information by a business to third parties
1763	1613		by directing the business not to sell the information. A consumer
1764	1614		may authorize another person solely to opt out of the sale of the
1765		-	consumer's personal information on the consumer 's behalf. A
1766		-	business shall comply with a direction not t o sell that is received
1767		-	under this subsection.
1768		-	B. To exercise the right to opt out specified in subsection A
1769		-	of this section, a consumer shall submit to the business a
1770		-	verifiable consumer request using a method designated by the
1771		-	business under Section 18 of this act.
1772		-	C. A business that sells consumers ' personal information to a
1773		-	third party shall provide on the business 's Internet website:
	1615	+	consumer's personal information on the consumer 's behalf. Except as
	1616	+	provided by subsection C of this section, a business shall comply
	1617	+	with a direction not to sell that is received under this subsection.
	1618	+	B. A business that sells to a third party consumers ' personal
	1619	+	information shall provide on the business 's Internet website's home
	1620	+	page:
1774	1621		1. Notice to consumers that:
1775	1622		a. the information may be sold,
1776		-	b. identifies the categories of persons to whom the
1777		-	information will or could be sold, and
1778		-	c. consumers have the right to opt in to the sale; and
1779		-	2. A clear and conspicuous link that enables a consumer, or
1780		-	person authorized by the consumer, to opt in to the sale of the
1781		-	consumer's personal information.
1782		-
1783		-	ENGR. H. B. NO. 1602 Page 36 1
1784		-	2
1785		-	3
1786		-	4
1787		-	5
1788		-	6
1789		-	7
1790		-	8
1791		-	9
1792		-	10
1793		-	11
1794		-	12
1795		-	13
1796		-	14
1797		-	15
1798		-	16
1799		-	17
1800		-	18
1801		-	19
1802		-	20
1803		-	21
1804		-	22
1805		-	23
1806		-	24
1807		-
1808		-	D. A business may not sell to a third party the personal
	1623	+	b. identifies the persons to whom the information will or
	1624	+	could be sold,
	1625	+	c. the pro rata value of the consumer 's personal
	1626	+	information that is being sold, and
	1627	+	d. consumers have the right to opt in to the sale; and
	1628	+
	1629	+	HB1602 HFLR Page 32
	1630	+	BOLD FACE denotes Committee Amendments. 1
	1631	+	2
	1632	+	3
	1633	+	4
	1634	+	5
	1635	+	6
	1636	+	7
	1637	+	8
	1638	+	9
	1639	+	10
	1640	+	11
	1641	+	12
	1642	+	13
	1643	+	14
	1644	+	15
	1645	+	16
	1646	+	17
	1647	+	18
	1648	+	19
	1649	+	20
	1650	+	21
	1651	+	22
	1652	+	23
	1653	+	24
	1654	+
	1655	+	2. A clear and conspicuous link that enables a consumer, person
	1656	+	authorized by the consumer, to opt in to the sale of the consumer 's
	1657	+	personal information.
	1658	+	C. A business may not sell to a third party the personal
1809	1659		information of a consumer who does not opt in to the sale of that
1810	1660		information after the effective date of this act or after a consumer
1811	1661		submits a verifiable request to opt out of any future sale .
1812		-	E. A business may use any personal information collected from
	1662	+	D. A business may use any personal information collected from
1813	1663		the consumer in connect ion with the consumer 's opting out under this
1814	1664		section solely to comply with this section.
1815		-	F. A third party to whom a business has sold the personal
	1665	+	E. A third party to whom a business has sold the personal
1816	1666		information of a consumer may not sell the information unless the
1817	1667		consumer receives explicit notice of the potential sale and is
1818	1668		provided the opportunity to, and in fact does, exercise the right to
1819	1669		opt in to the sale as provided by this section.
1820		-	G. A business may not require a consumer to create an account
	1670	+	F. A business may not require a consumer to create an account
1821	1671		with the business to opt in to the sale of the consume r's personal
1822	1672		information.
1823		-	H. A business or service provider shall implement ~~and~~ maintain
	1673	+	G. A business or service provider shall implement a nd maintain
1824	1674		reasonable security procedures and practices, including
1825	1675		administrative, physical and technical safeguards appropriate to the
1826	1676		nature of the information and the purpose s for which the personal
1827	1677		information will be used, to protect consumers' personal information
1828	1678		from unauthorized use, disclosure, access, destruction or
	1679	+
	1680	+	HB1602 HFLR Page 33
	1681	+	BOLD FACE denotes Committee Amendments. 1
	1682	+	2
	1683	+	3
	1684	+	4
	1685	+	5
	1686	+	6
	1687	+	7
	1688	+	8
	1689	+	9
	1690	+	10
	1691	+	11
	1692	+	12
	1693	+	13
	1694	+	14
	1695	+	15
	1696	+	16
	1697	+	17
	1698	+	18
	1699	+	19
	1700	+	20
	1701	+	21
	1702	+	22
	1703	+	23
	1704	+	24
	1705	+
1829	1706		modification, irrespective of whether a customer has opted in or out
1830	1707		of a sale of data.
1831		-
1832		-	ENGR. H. B. NO. 1602 Page 37 1
1833		-	2
1834		-	3
1835		-	4
1836		-	5
1837		-	6
1838		-	7
1839		-	8
1840		-	9
1841		-	10
1842		-	11
1843		-	12
1844		-	13
1845		-	14
1846		-	15
1847		-	16
1848		-	17
1849		-	18
1850		-	19
1851		-	20
1852		-	21
1853		-	22
1854		-	23
1855		-	24
1856		-
1857		-	SECTION 14. NEW LAW A new section of law to be codified
1858		-	in the Oklahoma Statutes as Section 901.1 4 of Title 17, unless there
	1708	+	SECTION 15. NEW LAW A new section of law to be codified
	1709	+	in the Oklahoma Statutes as Section 901.15 of Title 17, unless there
1859	1710		is created a duplication in numbering, reads as follows:
1860	1711		A. The Legislature of the State of Oklahoma finds that
1861	1712		individuals within Oklahoma have a r ight to prohibit retention, use
1862	1713		or disclosure of their own personal data.
1863	1714		B. The Legislature of the State of Oklahoma further finds that
1864	1715		individuals within Oklahoma have previously been exploited for
1865	1716		monetary gain and manipulation by private ventures in utilization of
1866	1717		private data.
1867	1718		C. The Legislature of the State of Oklahoma further finds that
1868	1719		the protection of individuals within Oklahoma and their data is a
1869	1720		core governmental function in orde r to protect the health, safety
1870	1721		and welfare of individuals within Oklahoma.
1871	1722		D. The Legislature of the State of Oklahoma further finds that
1872	1723		the terms and conditions set forth in this a ct are the least
1873	1724		restrictive alternative necessary to protect individuals within
1874	1725		Oklahoma and their rights and that the use of a strictly "opt-out"
1875	1726		method for data privacy is ineffectual and poses an immed iate risk
1876	1727		to the health, safety and welfare of individuals within Oklahoma.
1877		-	SECTION 15. NEW LAW A new section of law to be codified
1878		-	in the Oklahoma Statutes as Section 901.1 5 of Title 17, unless there
1879		-	is created a duplication in numbering, reads as follows:
1880		-
1881		-	ENGR. H. B. NO. 1602 Page 38 1
1882		-	2
1883		-	3
1884		-	4
1885		-	5
1886		-	6
1887		-	7
1888		-	8
1889		-	9
1890		-	10
1891		-	11
1892		-	12
1893		-	13
1894		-	14
1895		-	15
1896		-	16
1897		-	17
1898		-	18
1899		-	19
1900		-	20
1901		-	21
1902		-	22
1903		-	23
1904		-	24
1905		-
	1728	+
	1729	+	HB1602 HFLR Page 34
	1730	+	BOLD FACE denotes Committee Amendments. 1
	1731	+	2
	1732	+	3
	1733	+	4
	1734	+	5
	1735	+	6
	1736	+	7
	1737	+	8
	1738	+	9
	1739	+	10
	1740	+	11
	1741	+	12
	1742	+	13
	1743	+	14
	1744	+	15
	1745	+	16
	1746	+	17
	1747	+	18
	1748	+	19
	1749	+	20
	1750	+	21
	1751	+	22
	1752	+	23
	1753	+	24
	1754	+
	1755	+	SECTION 16. NEW LAW A new section of law to be codified
	1756	+	in the Oklahoma Statutes as Section 901.16 of Title 17, unless there
	1757	+	is created a duplication in numbering, reads as follows:
1906	1758		A. A provision of a contract or other agreement that purports
1907	1759		to waive or limit a right, remedy or m eans of enforcement under this
1908	1760		act is contrary to public policy and is void.
1909	1761		B. This section does not prevent a consumer from:
1910	1762		1. Declining to request information from a business;
1911	1763		2. Declining to opt in to a business's sale of the consumer 's
1912	1764		personal information; or
1913	1765		3. Authorizing a busi ness to sell the consumer 's personal
1914	1766		information after previously opting out.
1915		-	SECTION 16. NEW LAW A new section of law to be codified
1916		-	in the Oklahoma Statutes as Section 901.16 of Title 17, unless there
	1767	+	SECTION 17. NEW LAW A new section of law to be codified
	1768	+	in the Oklahoma Statutes as Section 901.17 of Title 17, unless there
1917	1769		is created a duplication in nu mbering, reads as follows:
1918	1770		A. After the effective date of this act, a business shall not
1919		-	collect a consumer's personal information directly from the consumer
1920		-	prior to notifying the consumer of each category of personal
1921		-	information to be collected and for what purposes information will
1922		-	be used, as well as obtaining the consumer's consent, which may be
1923		-	provided electronically by the consumer, to collect a consumer 's
1924		-	personal information.
	1771	+	collect a consumer's personal information prior to notifying the
	1772	+	consumer of each category of personal information to be collected
	1773	+	and the purposes for which the cate gory of information will be used
	1774	+	and obtains the consumer 's consent, which may be provided
	1775	+	electronically, to collect a consumer 's personal information.
1925	1776		B. A business may not collect an additional category of
1926		-	personal information directly from the consumer or use personal
1927		-	information collected for an additional purpose unless the business
1928		-	provides notice to the consumer of the additional category or
1929		-	purpose in accordance with s ubsection A of this section.
1930		-
1931		-	ENGR. H. B. NO. 1602 Page 39 1
1932		-	2
1933		-	3
1934		-	4
1935		-	5
1936		-	6
1937		-	7
1938		-	8
1939		-	9
1940		-	10
1941		-	11
1942		-	12
1943		-	13
1944		-	14
1945		-	15
1946		-	16
1947		-	17
1948		-	18
1949		-	19
1950		-	20
1951		-	21
1952		-	22
1953		-	23
1954		-	24
1955		-
	1777	+	personal information or use personal informati on collected for an
	1778	+	additional purpose unless the business provides notice to the
	1779	+
	1780	+	HB1602 HFLR Page 35
	1781	+	BOLD FACE denotes Committee Amendments. 1
	1782	+	2
	1783	+	3
	1784	+	4
	1785	+	5
	1786	+	6
	1787	+	7
	1788	+	8
	1789	+	9
	1790	+	10
	1791	+	11
	1792	+	12
	1793	+	13
	1794	+	14
	1795	+	15
	1796	+	16
	1797	+	17
	1798	+	18
	1799	+	19
	1800	+	20
	1801	+	21
	1802	+	22
	1803	+	23
	1804	+	24
	1805	+
	1806	+	consumer of the additional category or purpose in accordance with
	1807	+	subsection A of this section.
1956	1808		C. If a third party that assumes control of all or part of a
1957	1809		business as described by subparagraph c of paragraph 2 of subsection
1958		-	C of Section 3 of this act materially alters the practices of the
	1810	+	D of Section 3 of this act materially alters the practices of the
1959	1811		business in how personal information is used or shared, and the
1960	1812		practices are materially inconsistent with a notice provided to a
1961	1813		consumer under subsection A or B of this section, the third party
1962	1814		must notify the consumer of the third party 's new or changed
1963	1815		practices in a conspicuous manner that allows the consumer to easily
1964	1816		exercise a right provided under this act before the third party use s
1965	1817		or shares the personal information.
1966	1818		D. Subsection C of this section does not authorize a business
1967	1819		to make a material, retroactive change or other change to a
1968	1820		business's privacy policy in a manner that would be a deceptive
1969	1821		trade practice actionable under Oklahoma law.
1970		-	SECTION 17. NEW LAW A new section of law to be codified
1971		-	in the Oklahoma Statutes as Section 901.17 of Title 17, unless there
	1822	+	SECTION 18. NEW LAW A new section of law to be codified
	1823	+	in the Oklahoma Statutes as Section 901.18 of Title 17, unless there
1972	1824		is created a duplication in numbering, reads as follows:
1973	1825		A. A business that collects, sells or for a business purpose
1974	1826		discloses a consumer 's personal information shall disclose the
1975	1827		following information in the business 's online privacy policy or
1976	1828		other notice of the business 's policies:
1977		-	1. A description of a consumer 's rights under Sections 10 , 11,
1978		-	12, 13 and 16 of this act and designated methods for submitting a
1979		-	verifiable consumer request under this act;
1980		-
1981		-	ENGR. H. B. NO. 1602 Page 40 1
1982		-	2
1983		-	3
1984		-	4
1985		-	5
1986		-	6
1987		-	7
1988		-	8
1989		-	9
1990		-	10
1991		-	11
1992		-	12
1993		-	13
1994		-	14
1995		-	15
1996		-	16
1997		-	17
1998		-	18
1999		-	19
2000		-	20
2001		-	21
2002		-	22
2003		-	23
2004		-	24
2005		-
	1829	+
	1830	+	HB1602 HFLR Page 36
	1831	+	BOLD FACE denotes Committee Amendments. 1
	1832	+	2
	1833	+	3
	1834	+	4
	1835	+	5
	1836	+	6
	1837	+	7
	1838	+	8
	1839	+	9
	1840	+	10
	1841	+	11
	1842	+	12
	1843	+	13
	1844	+	14
	1845	+	15
	1846	+	16
	1847	+	17
	1848	+	18
	1849	+	19
	1850	+	20
	1851	+	21
	1852	+	22
	1853	+	23
	1854	+	24
	1855	+
	1856	+	1. A description of a consumer 's rights under Sections 11, 1 3
	1857	+	and 23 of this act and designated methods for submitting a
	1858	+	verifiable consumer request for information under this act;
2006	1859		2. For a business that collects personal information about
2007	1860		consumers, a description of the consumer 's right to request the
2008	1861		deletion of the consumer's personal information;
2009	1862		3. Separate lists containing the categories of consumers '
2010	1863		personal information described by paragraph 13 of Section 2 of this
2011	1864		act that, during the twelve (12) months preceding the date the
2012		-	business updated the ~~information~~ as required by subsection C of this
	1865	+	business updated the informa tion as required by subsection B of this
2013	1866		section, the business:
2014	1867		a. collected,
2015	1868		b. sold, if applicable, or
2016	1869		c. disclosed for a business purpose, if applicable ;
2017	1870		4. The categories of sources from which the information under
2018	1871		paragraph 3 of this subsection is collected;
2019	1872		5. The business or commercial purposes for collecting personal
2020	1873		information;
2021	1874		6. If the business does not sell consumers ' personal
2022	1875		information or disclose the information for a business or commercial
2023	1876		purpose, a statement of that fact;
2024	1877		7. The categories of third parties to whom the business sells
2025	1878		or discloses personal information;
	1879	+
	1880	+	HB1602 HFLR Page 37
	1881	+	BOLD FACE denotes Committee Amendments. 1
	1882	+	2
	1883	+	3
	1884	+	4
	1885	+	5
	1886	+	6
	1887	+	7
	1888	+	8
	1889	+	9
	1890	+	10
	1891	+	11
	1892	+	12
	1893	+	13
	1894	+	14
	1895	+	15
	1896	+	16
	1897	+	17
	1898	+	18
	1899	+	19
	1900	+	20
	1901	+	21
	1902	+	22
	1903	+	23
	1904	+	24
	1905	+
2026	1906		8. If the business sells consumers ' personal information, the
2027		-	Internet link required by subsection C of Section 13 of this act ;
	1907	+	Internet link required by subsection B of Section 14 of this act ;
2028	1908		and
2029		-
2030		-	ENGR. H. B. NO. 1602 Page 41 1
2031		-	2
2032		-	3
2033		-	4
2034		-	5
2035		-	6
2036		-	7
2037		-	8
2038		-	9
2039		-	10
2040		-	11
2041		-	12
2042		-	13
2043		-	14
2044		-	15
2045		-	16
2046		-	17
2047		-	18
2048		-	19
2049		-	20
2050		-	21
2051		-	22
2052		-	23
2053		-	24
2054		-
2055	1909		9. If applicable, the financial ince ntives offered to consumers
2056		-	under Section 23 of this act .
	1910	+	under Section 24 of this act.
2057	1911		B. If a business described by subsection A of this section does
2058	1912		not have an online privacy policy or other notice of the business 's
2059	1913		policies, the business shall make the information required under
2060	1914		subsection A of this section available to consumers on the
2061	1915		business's Internet website or another website the business
2062	1916		maintains that is dedicated to consumers in this state.
2063	1917		C. A business must update the information required by
2064	1918		subsection A of this section at least once each year.
2065		-	SECTION 18. NEW LAW A new section of law to be codified
2066		-	in the Oklahoma ~~Statute s~~ as Section 901.18 of Title 17, unless there
	1919	+	SECTION 19. NEW LAW A new section of law to be codified
	1920	+	in the Oklahoma Statutes as Section 901.1 9 of Title 17, unless there
2067	1921		is created a duplication in numbering, reads as follows:
2068	1922		A. A business shall de signate and make available to consumers,
2069	1923		in a form that is reasonably accessible, at least two methods for
2070	1924		submitting a verifiable consumer request for information required to
2071	1925		be disclosed or deleted under this a ct. The methods must include,
2072	1926		at a minimum:
2073	1927		1. A toll-free telephone number that a consumer may call to
2074	1928		submit the request; and
	1929	+
	1930	+	HB1602 HFLR Page 38
	1931	+	BOLD FACE denotes Committee Amendments. 1
	1932	+	2
	1933	+	3
	1934	+	4
	1935	+	5
	1936	+	6
	1937	+	7
	1938	+	8
	1939	+	9
	1940	+	10
	1941	+	11
	1942	+	12
	1943	+	13
	1944	+	14
	1945	+	15
	1946	+	16
	1947	+	17
	1948	+	18
	1949	+	19
	1950	+	20
	1951	+	21
	1952	+	22
	1953	+	23
	1954	+	24
	1955	+
2075	1956		2. The business's Internet website at which the consumer may
2076		-	submit the request.
	1957	+	submit the request, if the business maintains an Internet website.
2077	1958		B. The methods designated under subsection A of this section
2078	1959		may also include:
2079		-
2080		-	ENGR. H. B. NO. 1602 Page 42 1
2081		-	2
2082		-	3
2083		-	4
2084		-	5
2085		-	6
2086		-	7
2087		-	8
2088		-	9
2089		-	10
2090		-	11
2091		-	12
2092		-	13
2093		-	14
2094		-	15
2095		-	16
2096		-	17
2097		-	18
2098		-	19
2099		-	20
2100		-	21
2101		-	22
2102		-	23
2103		-	24
2104		-
2105	1960		1. A mailing address;
2106		-	2. An electronic mail address; or
2107		-	3. Another Internet webpage or portal .
	1961	+	2. An electronic mail address;
	1962	+	3. Another Internet web page or portal;
	1963	+	4. Another contact information; or
	1964	+	5. Any consumer-friendly method approved by the Oklahoma
	1965	+	Corporation Commission unde r Section 9 of this act.
2108	1966		C. A business may not require a consumer to create an account
2109	1967		with the business to submit a verifiable consumer request.
2110		-	SECTION 19. NEW LAW A new section of law to be codified
2111		-	in the Oklahoma Statutes as ~~Section~~ 901. 19 of Title 17, unless there
2112		-	is created a duplication ~~i n~~ numbering, reads as follows:
2113		-	A. A business that receives a ~~verifiable~~ consumer request under
2114		-	~~Section 10, 11, 12~~ or 13 of this act shall promptly take steps to
2115		-	~~reasonably verify~~ that:
	1968	+	SECTION 20. NEW LAW A new section of law to be codified
	1969	+	in the Oklahoma Statutes as Se ction 901.20 of Title 17, unless there
	1970	+	is created a duplication in numbering, reads as follows:
	1971	+	A. A business that receives a consumer request under Section 11
	1972	+	or 13 of this act shall promptly take steps to reasonably verify, in
	1973	+	accordance with rules adop ted under Section 9 of this act, that:
2116	1974		1. The consumer who is the subject of the request is a consumer
2117	1975		about whom the business has collected, sold, or for a business
2118	1976		purpose disclosed personal information; and
2119	1977		2. The request is made by:
2120	1978		a. the consumer,
2121	1979		b. a consumer on behalf of the consumer 's minor child, or
	1980	+
	1981	+	HB1602 HFLR Page 39
	1982	+	BOLD FACE denotes Committee Amendments. 1
	1983	+	2
	1984	+	3
	1985	+	4
	1986	+	5
	1987	+	6
	1988	+	7
	1989	+	8
	1990	+	9
	1991	+	10
	1992	+	11
	1993	+	12
	1994	+	13
	1995	+	14
	1996	+	15
	1997	+	16
	1998	+	17
	1999	+	18
	2000	+	19
	2001	+	20
	2002	+	21
	2003	+	22
	2004	+	23
	2005	+	24
	2006	+
2122	2007		c. a person authorized to act on the consumer 's behalf.
2123	2008		B. A business may use any personal information collected from
2124	2009		the consumer in connection with the business 's verification of a
2125	2010		request under this section solely to verify the request.
2126	2011		C. A business that is unable to verify a consumer request under
2127	2012		this section is not required to comply with the request.
2128		-
2129		-	ENGR. H. B. NO. 1602 Page 43 1
2130		-	2
2131		-	3
2132		-	4
2133		-	5
2134		-	6
2135		-	7
2136		-	8
2137		-	9
2138		-	10
2139		-	11
2140		-	12
2141		-	13
2142		-	14
2143		-	15
2144		-	16
2145		-	17
2146		-	18
2147		-	19
2148		-	20
2149		-	21
2150		-	22
2151		-	23
2152		-	24
2153		-
2154		-	SECTION 20. NEW LAW A new section of law to be codified
2155		-	in the Oklahoma Statutes as Section 901.2 0 of Title 17, unless there
	2013	+	SECTION 21. NEW LAW A new section of law to be codified
	2014	+	in the Oklahoma Statutes as Section 901.21 of Title 17, unless there
2156	2015		is created a duplication in numbering, reads as follows:
2157	2016		A. Not later than forty-five (45) days after the date a
2158		-	business receives a verifiable ~~consume r~~ request under Section ~~10,~~
2159		-	~~11, 12 or~~ 13 of this act , the business shall disclose free of charge
2160		-	~~to the~~ consumer the information required to be disclosed ~~un der~~ those
2161		-	sections ~~or take the requested actions, as applicable~~ .
	2017	+	business receives a verifiable consumer request under Section 11 or
	2018	+	13 of this act, the business shall disclose free of charge to the
	2019	+	consumer the information required to be disclosed under those
	2020	+	sections.
2162	2021		B. A business may extend the time in which to comply with
2163	2022		subsection A of this section once by an additional forty-five (45)
2164	2023		days if reasonably necessary or by an additional ninety (90) days
2165	2024		after taking into account the number and complexity of verifiable
2166	2025		consumer requests received by the business. A business that extends
2167	2026		the time in which to comply with subsection A of this section shall
2168	2027		notify the consumer of the extension and reason for the delay within
2169	2028		the period prescribed by that subsection.
2170	2029		C. The disclosure required by subsection A of this section
2171	2030		must:
	2031	+
	2032	+	HB1602 HFLR Page 40
	2033	+	BOLD FACE denotes Committee Amendments. 1
	2034	+	2
	2035	+	3
	2036	+	4
	2037	+	5
	2038	+	6
	2039	+	7
	2040	+	8
	2041	+	9
	2042	+	10
	2043	+	11
	2044	+	12
	2045	+	13
	2046	+	14
	2047	+	15
	2048	+	16
	2049	+	17
	2050	+	18
	2051	+	19
	2052	+	20
	2053	+	21
	2054	+	22
	2055	+	23
	2056	+	24
	2057	+
2172	2058		1. Cover personal information collected, sold or disclosed for
2173	2059		a business purpose, as applicable, during the twelve (12) months
2174	2060		preceding the date the business receives the request; and
2175	2061		2. Be made in writing and delivered to the consumer:
2176		-
2177		-	ENGR. H. B. NO. 1602 Page 44 1
2178		-	2
2179		-	3
2180		-	4
2181		-	5
2182		-	6
2183		-	7
2184		-	8
2185		-	9
2186		-	10
2187		-	11
2188		-	12
2189		-	13
2190		-	14
2191		-	15
2192		-	16
2193		-	17
2194		-	18
2195		-	19
2196		-	20
2197		-	21
2198		-	22
2199		-	23
2200		-	24
2201		-
2202	2062		a. by mail or electronically, at the consumer 's option,
2203	2063		if the consumer does not have an a ccount with the
2204	2064		business, or
2205	2065		b. through the consumer 's account with the business.
2206	2066		D. An electronic disclosure under subsection C of this section
2207	2067		must be in a readily accessible format that allows the consumer to
2208	2068		electronically transmit the information to another person or entity.
2209	2069		E. A business is not required to make the disclosure required
2210	2070		by subsection A of this section to the same consumer more than once
2211	2071		in a twelve-month period.
2212	2072		F. Notwithstanding subsection A of this section, if a
2213	2073		consumer's verifiable consumer request is manifestly baseless or
2214	2074		excessive, in particular because of repetitiveness, a business may
2215	2075		charge a reasonable fee after taking into account the administrative
2216	2076		costs of compliance or refusal to comply with the request. The
2217	2077		business has the burden of demonstrating that a request is
2218	2078		manifestly baseless or excessive.
2219	2079		G. A business that does not comply with a consumer 's verifiable
2220	2080		consumer request under subsection A of this section shall notify the
2221	2081		consumer, within the time the business is required to respond to a
	2082	+
	2083	+	HB1602 HFLR Page 41
	2084	+	BOLD FACE denotes Committee Amendments. 1
	2085	+	2
	2086	+	3
	2087	+	4
	2088	+	5
	2089	+	6
	2090	+	7
	2091	+	8
	2092	+	9
	2093	+	10
	2094	+	11
	2095	+	12
	2096	+	13
	2097	+	14
	2098	+	15
	2099	+	16
	2100	+	17
	2101	+	18
	2102	+	19
	2103	+	20
	2104	+	21
	2105	+	22
	2106	+	23
	2107	+	24
	2108	+
2222	2109		request under this section, of the reasons for the refusal and the
2223	2110		rights the consumer may have to appeal that decision.
2224		-
2225		-	ENGR. H. B. NO. 1602 Page 45 1
2226		-	2
2227		-	3
2228		-	4
2229		-	5
2230		-	6
2231		-	7
2232		-	8
2233		-	9
2234		-	10
2235		-	11
2236		-	12
2237		-	13
2238		-	14
2239		-	15
2240		-	16
2241		-	17
2242		-	18
2243		-	19
2244		-	20
2245		-	21
2246		-	22
2247		-	23
2248		-	24
2249		-
2250		-	SECTION 21. NEW LAW A new section of law to be codified
2251		-	in the Oklahoma Statutes as Section 901.2 1 of Title 17, unless there
	2111	+	SECTION 22. NEW LAW A new section of law to be codified
	2112	+	in the Oklahoma Statutes as Section 901.22 of Title 17, unless there
2252	2113		is created a duplication in numbering, reads as follows:
2253	2114		A. A business that uses de -identified information may not re -
2254	2115		identify or attempt to re -identify a consumer who is the subject of
2255	2116		de-identified information w ithout obtaining the consumer 's consent
2256	2117		or authorization.
2257	2118		B. A business that uses de -identified information shall
2258	2119		implement:
2259	2120		1. Technical safeguards and business processes to prohibit re -
2260	2121		identification of the consumer to whom the information may pertain;
2261	2122		and
2262	2123		2. Business processes to prevent inadvertent release of de -
2263	2124		identified information.
2264	2125		C. This act may not be construed to require a business to re -
2265	2126		identify or otherwise link information that is not maintained in a
2266	2127		manner that would be considered person al information.
2267		-	SECTION 22. NEW LAW A new section of law to be codified
2268		-	in the Oklahoma Statutes as Section 901.~~2 2~~ of Title 17, unless there
	2128	+	SECTION 23. NEW LAW A new section of law to be codified
	2129	+	in the Oklahoma Statutes as Section 901.23 of Title 17, unless there
2269	2130		is created a duplication in numbering, reads as follows:
2270	2131		A. A business may not discriminate against a consumer because
2271	2132		the consumer exercised a right under this a ct, including by:
	2133	+
	2134	+	HB1602 HFLR Page 42
	2135	+	BOLD FACE denotes Committee Amendments. 1
	2136	+	2
	2137	+	3
	2138	+	4
	2139	+	5
	2140	+	6
	2141	+	7
	2142	+	8
	2143	+	9
	2144	+	10
	2145	+	11
	2146	+	12
	2147	+	13
	2148	+	14
	2149	+	15
	2150	+	16
	2151	+	17
	2152	+	18
	2153	+	19
	2154	+	20
	2155	+	21
	2156	+	22
	2157	+	23
	2158	+	24
	2159	+
2272	2160		1. Denying a good or service to the consumer;
2273		-
2274		-	ENGR. H. B. NO. 1602 Page 46 1
2275		-	2
2276		-	3
2277		-	4
2278		-	5
2279		-	6
2280		-	7
2281		-	8
2282		-	9
2283		-	10
2284		-	11
2285		-	12
2286		-	13
2287		-	14
2288		-	15
2289		-	16
2290		-	17
2291		-	18
2292		-	19
2293		-	20
2294		-	21
2295		-	22
2296		-	23
2297		-	24
2298		-
2299	2161		2. Charging the consumer a different price or rate for a good
2300	2162		or service, including denying the use of a discount or ot her benefit
2301	2163		or imposing a penalty;
2302	2164		3. Providing a different level or quality of a good or service
2303	2165		to the consumer; or
2304	2166		4. Suggesting that the consumer will be charged a different
2305	2167		price or rate for, or provided a different level or quality of, a
2306	2168		good or service.
2307	2169		B. This section does not prohibit a business from offering or
2308	2170		charging a consumer a different price or rate for a good or service,
2309	2171		or offering or providing to the consumer a different level or
2310	2172		quality of a good or service, if the difference is reas onably
2311	2173		related to the value provided to the consumer by the consumer 's
2312	2174		data.
2313		-	SECTION 23. NEW LAW A new section of law to be codified
2314		-	in the Oklahoma Statutes as Section 901.~~2 3~~ of Title 17, unless there
	2175	+	SECTION 24. NEW LAW A new section of law to be codified
	2176	+	in the Oklahoma Statutes as Section 901.24 of Title 17, unless there
2315	2177		is created a duplication in num bering, reads as follows:
2316	2178		A. Subject to subsection B of this section, a business may
2317	2179		offer a financial incentive to a consumer, including a payment as
2318	2180		compensation, for the collection, sale or disclosure of the
2319	2181		consumer's personal information.
2320	2182		B. A business may enroll a customer in a financial incentive
2321	2183		program only if the business provides to the consumer a clear
2322	2184
2323		-	ENGR. H. B. NO. 1602 Page 47 1
	2185	+	HB1602 HFLR Page 43
	2186	+	BOLD FACE denotes Committee Amendments. 1
2324	2187		2
2325	2188		3
2326	2189		4
2327	2190		5
2328	2191		6
2329	2192		7
2330	2193		8
2331	2194		9
2332	2195		10
2333	2196		11
2334	2197		12
2335	2198		13
2336	2199		14
2337	2200		15
2338	2201		16
2339	2202		17
2340	2203		18
2341	2204		19
2342	2205		20
2343	2206		21
2344	2207		22
2345	2208		23
2346	2209		24
2347	2210
2348	2211		description of the material terms of the program and obtains the
2349	2212		consumer's prior opt-in consent, which:
2350	2213		1. Contains a clear description of th ose material terms; and
2351	2214		2. May be revoked by the consumer at any time.
2352	2215		C. A business may not use financial incentive practices that
2353	2216		are unjust, unreasonable, coercive or usurious in nature.
2354		-	SECTION 24. NEW LAW A new section of law to be codified
2355		-	in the Oklahoma Statutes as Section 901.~~2 4~~ of Title 17, unless there
	2217	+	SECTION 25. NEW LAW A new section of law to be codified
	2218	+	in the Oklahoma Statutes as Section 901.25 of Title 17, unless there
2356	2219		is created a duplication in numbering, reads as follows:
2357	2220		A. A business may not divide a single transaction into more
2358	2221		than one transaction with the intent to avoid the requirements of
2359	2222		this act.
2360	2223		B. For purposes of this a ct, two or more substantially similar
2361	2224		or related transactions are considered a single transaction if the
2362	2225		transactions:
2363	2226		1. Are entered into contemporaneously; and
2364	2227		2. Have at least one common party.
2365	2228		C. A court shall disregard any intermediate transactions
2366	2229		conducted by a business with the intent to avoid the requirements of
2367	2230		this act, including the disclosure of information by a business to a
2368	2231		third party to avoid complying with the requirements under this act
2369	2232		applicable to a sale of the information.
2370	2233
2371		-	ENGR. H. B. NO. 1602 Page 48 1
2372		-	2
2373		-	3
2374		-	4
2375		-	5
2376		-	6
2377		-	7
2378		-	8
2379		-	9
2380		-	10
2381		-	11
2382		-	12
2383		-	13
2384		-	14
2385		-	15
2386		-	16
2387		-	17
2388		-	18
2389		-	19
2390		-	20
2391		-	21
2392		-	22
2393		-	23
2394		-	24
2395		-
2396		-	SECTION 25. NEW LAW A new section of law to be codified
2397		-	in the Oklahoma Statutes as Section 901.2 5 of Title 17, unless there
	2234	+	HB1602 HFLR Page 44
	2235	+	BOLD FACE denotes Committee Amendments. 1
	2236	+	2
	2237	+	3
	2238	+	4
	2239	+	5
	2240	+	6
	2241	+	7
	2242	+	8
	2243	+	9
	2244	+	10
	2245	+	11
	2246	+	12
	2247	+	13
	2248	+	14
	2249	+	15
	2250	+	16
	2251	+	17
	2252	+	18
	2253	+	19
	2254	+	20
	2255	+	21
	2256	+	22
	2257	+	23
	2258	+	24
	2259	+
	2260	+	SECTION 26. NEW LAW A new section of law to be codified
	2261	+	in the Oklahoma Statutes as Section 901.26 of Title 17, unless there
2398	2262		is created a duplication in numbering, reads as follows:
2399	2263		A business shall ensure that each person responsible for
2400	2264		handling consumer inquiries about the business 's privacy practices
2401	2265		or compliance with this act is informed of the requirements of this
2402	2266		act and of how to direct a consumer in exercising any of the rights
2403	2267		to which a consumer is entitled under this a ct.
2404		-	SECTION 26. NEW LAW A new section of law to be codified
2405		-	in the Oklahoma Statutes as Section 901.~~2 6~~ of Title 17, unless there
	2268	+	SECTION 27. NEW LAW A new section of law to be codified
	2269	+	in the Oklahoma Statutes as Section 901.27 of Title 17, unless there
2406	2270		is created a duplication in numbering, reads as follows:
2407	2271		A. A person who violates this a ct is liable to this state for
2408	2272		injunctive relief and/or a civil penalty in an amount not to exceed:
2409	2273		1. Two Thousand Five Hundred Dollars ($2,500.00) for each
2410	2274		violation; or
2411	2275		2. Seven Thousand Five Hundred Dollars ($7,500.00) for each
2412	2276		violation, if the violation is intentional.
2413		-	B. The Oklahoma ~~Attorney General~~ is entitled to recover
	2277	+	B. The Oklahoma Corporation Commission is entitled to recover
2414	2278		reasonable expenses, including reasonable attorney fees, court costs
2415	2279		and investigatory costs, incurred in obtaining injunctive relief or
2416	2280		civil penalties, or both, under this section. Amounts collected
2417	2281		under this section shall be deposited in a dedicated account in the
2418		-	General Revenue Fund and ~~shall~~ be appropriated only for the purposes
	2282	+	General Revenue Fund and may be appropriated only for the purposes
2419	2283		of the administration and enforcement of this a ct.
2420	2284
2421		-	ENGR. H. B. NO. 1602 Page 49 1
2422		-	2
2423		-	3
2424		-	4
2425		-	5
2426		-	6
2427		-	7
2428		-	8
2429		-	9
2430		-	10
2431		-	11
2432		-	12
2433		-	13
2434		-	14
2435		-	15
2436		-	16
2437		-	17
2438		-	18
2439		-	19
2440		-	20
2441		-	21
2442		-	22
2443		-	23
2444		-	24
2445		-
2446		-	SECTION 27. NEW LAW A new section of law to be codifie d
2447		-	in the Oklahoma Statutes as Section 901.2 7 of Title 17, unless there
	2285	+	HB1602 HFLR Page 45
	2286	+	BOLD FACE denotes Committee Amendments. 1
	2287	+	2
	2288	+	3
	2289	+	4
	2290	+	5
	2291	+	6
	2292	+	7
	2293	+	8
	2294	+	9
	2295	+	10
	2296	+	11
	2297	+	12
	2298	+	13
	2299	+	14
	2300	+	15
	2301	+	16
	2302	+	17
	2303	+	18
	2304	+	19
	2305	+	20
	2306	+	21
	2307	+	22
	2308	+	23
	2309	+	24
	2310	+
	2311	+	C. Additionally, consumers shall have a private right of action
	2312	+	against a person who violates this act. In addition to any actual
	2313	+	damages that may have been sustained, consumers shall also be
	2314	+	entitled to injunctive relief and /or statutory damages in an amount
	2315	+	not to exceed Two Thousand Five Hundred Dollars ($2,500 .00) for each
	2316	+	violation, or Seven Thousand Five Hundred Dollars ($7,500.00) for
	2317	+	each violation, if the violation was intentional.
	2318	+	SECTION 28. NEW LAW A new section of law to be codified
	2319	+	in the Oklahoma Statutes as Section 901.28 of Title 17, unless there
2448	2320		is created a duplication in numbering, reads as follows:
2449	2321		A business that discloses to a third party, or discloses for a
2450	2322		business purpose to a service provider, a consumer 's personal
2451	2323		information in compliance with this a ct may not be held liable for a
2452	2324		violation of this act by the third party or service provider if the
2453	2325		business does not have actual knowledge or a reasonable belief that
2454	2326		the third party or service provider intends to violate th is act.
2455		-	SECTION 28. NEW LAW A new section of law to be codified
2456		-	in the Oklahoma Statutes as Section 901.~~2 8~~ of Title 17, unless there
	2327	+	SECTION 29. NEW LAW A new section of law to be codified
	2328	+	in the Oklahoma Statutes as Section 901.29 of Title 17, unless there
2457	2329		is created a duplication in numbering, reads as follows:
2458	2330		A business's service provider may not be he ld liable for a
2459	2331		violation of this act by the business.
2460		-	SECTION 29. This act shall become effective January 1, 2023.
2461		-	Passed the House of Representatives the 4th day of March, 2021.
2462		-
2463		-
2464		-
2465		-
2466		-	Presiding Officer of the House
2467		-	of Representatives
2468		-
2469		-
2470		-	Passed the Senate the ___ day of __________, 2021.
2471		-
2472		-
2473		-
2474		-
2475		-	Presiding Officer of the Senate
2476		-
2477		-
	2332	+	SECTION 30. This act shall become effective November 1, 2021.
	2333	+
	2334	+	COMMITTEE REPORT BY: COMMITTEE ON TECHNOLOGY, dated 02/10/2021 - DO
	2335	+	PASS, As Coauthored.