OK
Oklahoma House Bill HB2968

Oklahoma 2022 Regular Session

Oklahoma House Bill HB2968 Compare Versions

Only one version of the bill is available at this time.
OldNewDifferences
11
22
33 Req. No. 8440 Page 1 1
44 2
55 3
66 4
77 5
88 6
99 7
1010 8
1111 9
1212 10
1313 11
1414 12
1515 13
1616 14
1717 15
1818 16
1919 17
2020 18
2121 19
2222 20
2323 21
2424 22
2525 23
2626 24
2727
2828 STATE OF OKLAHOMA
2929
3030 2nd Session of the 58th Legislature (2022)
3131
3232 HOUSE BILL 2968 By: Walke
3333
3434
3535
3636
3737
3838 AS INTRODUCED
3939
4040 An Act relating to privacy of computer data; enacting
4141 the Oklahoma Computer Data Privacy Act of 2022;
4242 providing intent and construction; d efining terms;
4343 prescribing that the Attorney General is responsible
4444 for enforcement; providing disclosure requirements;
4545 providing limitations; providing consumers the right
4646 to opt out of data collection; providing consumers
4747 the right to deletion of their i nformation; providing
4848 exceptions to request for deletion of information;
4949 providing consumers with the right to request for an
5050 audit of their information; providing consumers with
5151 the right to have their personal information
5252 corrected; requiring business to not discriminate;
5353 providing guidelines for implementation; providing
5454 exemptions; preempting intermediate transactions from
5555 circumventing regulations; providing waivers are void
5656 and unenforceable; prohibiting bu sinesses from
5757 modifying or manipulating user interfaces to obscure,
5858 subvert or impair user autonomy, decision -making or
5959 choice; providing severability of provisions;
6060 providing for codification ; and providing an
6161 effective date.
6262
6363
6464
6565
6666 BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
6767 SECTION 1. NEW LAW A new section of law to be codified
6868 in the Oklahoma Statutes as Section 20m-1 of Title 74, unless there
6969 is created a duplication in numbering, reads as follows:
7070
7171 Req. No. 8440 Page 2 1
7272 2
7373 3
7474 4
7575 5
7676 6
7777 7
7878 8
7979 9
8080 10
8181 11
8282 12
8383 13
8484 14
8585 15
8686 16
8787 17
8888 18
8989 19
9090 20
9191 21
9292 22
9393 23
9494 24
9595
9696 This act shall be known and may be cited as the "Oklahoma
9797 Computer Data Privacy Act of 2022".
9898 SECTION 2. NEW LAW A new section of law to be codified
9999 in the Oklahoma Statutes as Section 20m-2 of Title 74, unless there
100100 is created a duplication in num bering, reads as follows:
101101 The Oklahoma Legislature acknowledges the people 's
102102 Constitutional right to privacy and further acknowledges that any
103103 collection of Oklahoma citizens ' data without their knowledge and
104104 consent is a violation of such right to privacy . This act is
105105 intended to complement other d ata privacy laws, both state and
106106 federal, and to the extent there is a conflict with a state law, the
107107 law conferring the greatest privacy shall control. Further, the
108108 Oklahoma Legislature has determined the provisions of this act are
109109 the least restrictive possible.
110110 SECTION 3. NEW LAW A new section of law to be codified
111111 in the Oklahoma Statutes as Section 20m-3 of Title 74, unless there
112112 is created a duplication in numbering, reads as follow s:
113113 As used in this act:
114114 1. "Aggregate consumer information" means information that
115115 relates to a group of consumers, from which individual consumer
116116 identities have been removed, that is not linked or reasonably
117117 linkable to any consumer or household, includ ing via a device.
118118 Aggregate consumer informat ion does not mean one or more individual
119119 consumer records that have been de -identified;
120120
121121 Req. No. 8440 Page 3 1
122122 2
123123 3
124124 4
125125 5
126126 6
127127 7
128128 8
129129 9
130130 10
131131 11
132132 12
133133 13
134134 14
135135 15
136136 16
137137 17
138138 18
139139 19
140140 20
141141 21
142142 22
143143 23
144144 24
145145
146146 2. "Biometric information " means an individual's physiological,
147147 biological or behavioral characteristics or an electronic
148148 representation of such, including an individu al's deoxyribonucleic
149149 acid (DNA), that can be used, singly or in combination with each
150150 other or with other identifying data, to establish an individual's
151151 identity. Biometric information includes, but is not lim ited to,
152152 imagery of the iris, retina, fingerp rint, face, hand, palm, vein
153153 patterns, and voice recordings from which an identifier template,
154154 such as a faceprint, a minutiae template, or a voiceprint, can be
155155 extracted, and keystroke patterns or rhythms, gait patterns or
156156 rhythms, and sleep, health, or e xercise data that contain
157157 identifying information;
158158 3. "Business" means:
159159 a. a sole proprietorship, partnership, limited liability
160160 company, corporation, association, or other legal
161161 entity that collects consumers ' personal information,
162162 or on the behalf of wh ich such information is
163163 collected and that alone, or jointly with others,
164164 determines the purposes and means of the processing of
165165 consumers' personal information, that does business in
166166 the State of Oklahoma, and that satisfies one or more
167167 of the following thresholds:
168168
169169 Req. No. 8440 Page 4 1
170170 2
171171 3
172172 4
173173 5
174174 6
175175 7
176176 8
177177 9
178178 10
179179 11
180180 12
181181 13
182182 14
183183 15
184184 16
185185 17
186186 18
187187 19
188188 20
189189 21
190190 22
191191 23
192192 24
193193
194194 (1) has annual gross revenues in excess of Ten
195195 Million Dollars ($10,000,000.00) in the preceding
196196 calendar year,
197197 (2) alone or in combination, annually buys, receives,
198198 shares, or discloses for commercia l purposes,
199199 alone or in combination, the pers onal information
200200 of twenty-five thousand or more consumers,
201201 households or devices, or
202202 (3) derives fifty percent (50%) or more of its annual
203203 revenues from sharing consumers ' personal
204204 information,
205205 b. any entity that controls or is controlled by a
206206 business, as defined in subparagraph a of this
207207 paragraph, and that shares common branding with the
208208 business and with whom the business shares consumers '
209209 personal information. "Control" or "controlled" means
210210 ownership of, or the power to vote, more than fifty
211211 percent (50%) of the outstanding shares of any class
212212 of voting security of a business; control in any
213213 manner over the election of a majority of the
214214 directors, or of individuals exercising similar
215215 functions; or the power to exercise a controlling
216216 influence over the management of a company. "Common
217217 branding" means a shared name, service mark, or
218218
219219 Req. No. 8440 Page 5 1
220220 2
221221 3
222222 4
223223 5
224224 6
225225 7
226226 8
227227 9
228228 10
229229 11
230230 12
231231 13
232232 14
233233 15
234234 16
235235 17
236236 18
237237 19
238238 20
239239 21
240240 22
241241 23
242242 24
243243
244244 trademark, such that the average consumer would
245245 understand that two or m ore entities are commonly
246246 owned,
247247 c. a joint venture or partnership composed of businesses
248248 in which each business has at least a forty -percent-
249249 interest. For purposes of this act, the joint venture
250250 or partnership and each business that comprises the
251251 joint venture or partnership shall separately be
252252 considered a single business, except that personal
253253 information in the possession of each business and
254254 disclosed to the joint venture or partnership shall
255255 not be shared with th e other businesses;
256256 4. "Collects", "collected", or "collection" means buying,
257257 renting, gathering, obtaining, receiving, or accessing any pe rsonal
258258 information pertaining to a consumer by any means. This includes
259259 receiving information from the consumer, either actively or
260260 passively, or by observing the consumer 's behavior;
261261 5. "Commercial purposes" means to advance a person 's commercial
262262 or economic interests, such as by inducing another person to buy,
263263 rent, lease, join, subscribe to, provide, or exchange products,
264264 goods, property, information or services, or enabling or effecting,
265265 directly or indirectly, a commercial transaction. Commercial
266266 purposes do not include engaging in speech that state or federal
267267
268268 Req. No. 8440 Page 6 1
269269 2
270270 3
271271 4
272272 5
273273 6
274274 7
275275 8
276276 9
277277 10
278278 11
279279 12
280280 13
281281 14
282282 15
283283 16
284284 17
285285 18
286286 19
287287 20
288288 21
289289 22
290290 23
291291 24
292292
293293 courts have recognized as noncommercial speech, including political
294294 speech and journalism.
295295 6. "Consumer" means a natural person who is an Oklahoma
296296 resident. It does not include an employee or contractor of a
297297 business acting in his or her role as an employee or contractor ;
298298 7. "De-identified" means information that cannot reasonably
299299 identify, relate to, describe, reasonably be associated with, or
300300 reasonably be linked, directly or indirectly, to a particular
301301 consumer, provided that the business:
302302 a. takes reasonable measures to ensure that the data
303303 could not be reidentified,
304304 b. publicly commits to maintain and use the data in a de -
305305 identified fashion and not to attempt to reidentify
306306 the data, and
307307 c. contractually prohibits downstream r ecipients from
308308 attempting to reidentify the data;
309309 8. "Designated methods for submitting requests " means a mailing
310310 address, email address, Internet web page, Internet web portal,
311311 telephone number, or other applicable c ontact information, whereby
312312 consumers may submit a request under this act;
313313 9. "Device" means any physical object that is capable of
314314 connecting to the Internet, directly or i ndirectly, or to another
315315 device;
316316
317317 Req. No. 8440 Page 7 1
318318 2
319319 3
320320 4
321321 5
322322 6
323323 7
324324 8
325325 9
326326 10
327327 11
328328 12
329329 13
330330 14
331331 15
332332 16
333333 17
334334 18
335335 19
336336 20
337337 21
338338 22
339339 23
340340 24
341341
342342 10. "Intentionally interacts " means when the consumer intends
343343 to interact with a person via one or more deliberate interactions,
344344 such as visiting the person 's website or purchasing a good or
345345 service from the person. Hovering over, muting, pausing, or closing
346346 a given piece of content, or using a communi cations service to
347347 interact with a third -party website, does not constitute a
348348 consumer's intent to interact with a person ;
349349 11. "Operational purpose" means the use of personal information
350350 when reasonably necessa ry and proportionate to achieve one of the
351351 following purposes, if such usage is limited to the first -party
352352 relationship and customer experience:
353353 a. debugging to identify and repair errors that impair
354354 existing intended functionality,
355355 b. undertaking internal research for technological
356356 development, analytics, and product improvement, based
357357 on information collected by the business,
358358 c. undertaking activities to verify or maintain the
359359 quality or safety of a service or device that is
360360 owned, manufactured, manufactu red for, or controlled
361361 by the business, or to improve, upgrade, or enhance
362362 the service or device that is owned, manufactured,
363363 manufactured for, or controlled by the business,
364364 d. customization of content based on information
365365 collected by the business, or
366366
367367 Req. No. 8440 Page 8 1
368368 2
369369 3
370370 4
371371 5
372372 6
373373 7
374374 8
375375 9
376376 10
377377 11
378378 12
379379 13
380380 14
381381 15
382382 16
383383 17
384384 18
385385 19
386386 20
387387 21
388388 22
389389 23
390390 24
391391
392392 e. customization of advertising or marketing ba sed on
393393 information collected by the business;
394394 12. "Person" means an individual, proprietorship, firm,
395395 partnership, joint venture, syndicate, business trust, company,
396396 corporation, limited liability company, asso ciation, committee, and
397397 any other organizatio n or group of persons acting in concert ;
398398 13. "Personal information " means information that identifies or
399399 could reasonably be linked, directly or indirectly, with a
400400 particular consumer, household, or consumer de vice. Personal
401401 information does not include publicly available information. For
402402 the purposes of this paragraph, publicly available means information
403403 that is lawfully mad e available from federal, state or local
404404 government records. Personal information do es not include consumer
405405 information that is d e-identified or aggregate consumer information;
406406 14. "Processing" means any operation or set of operations that
407407 are performed on personal information or on sets of personal
408408 information, whether or not by automat ed means;
409409 15. "Service" or "services" means work, labor, and services,
410410 including services furnished in connection with the production, sale
411411 or repair of goods;
412412 16. "Service provider" means a person who processes personal
413413 information on behalf of a busine ss and to which the business
414414 discloses a consumer's personal information pursuant to a written or
415415 electronic contract, provided that:
416416
417417 Req. No. 8440 Page 9 1
418418 2
419419 3
420420 4
421421 5
422422 6
423423 7
424424 8
425425 9
426426 10
427427 11
428428 12
429429 13
430430 14
431431 15
432432 16
433433 17
434434 18
435435 19
436436 20
437437 21
438438 22
439439 23
440440 24
441441
442442 a. the contract prohibits the person from retaining,
443443 using, or disclosing the personal information for any
444444 purpose other than for the specific purpose of
445445 performing the services specified in the contract for
446446 the business, including a prohibition on retaining,
447447 using, or disclosing the personal information for a
448448 commercial purpose other than providing the services
449449 specified in the contract with the business, and
450450 b. the service provider does not combine the personal
451451 information which the service provider receives from ,
452452 or on behalf of, the business with personal
453453 information which the service provider receives from ,
454454 or on behalf of, another person or persons, or
455455 collects from its own interaction with consumers;
456456 17. "Share" means renting, releasing, disclosing,
457457 disseminating, making available, transferring, or otherwise
458458 communicating orally, in writing, or by electronic or other me ans, a
459459 consumer's personal information by the business to a third party for
460460 monetary or other valuable consideration, or otherwise for a
461461 commercial purpose. For purposes of this act, a business does not
462462 share personal information when:
463463 a. a consumer uses or directs the business to
464464 intentionally disclose personal information or uses
465465 the business to intentionally interact with one or
466466
467467 Req. No. 8440 Page 10 1
468468 2
469469 3
470470 4
471471 5
472472 6
473473 7
474474 8
475475 9
476476 10
477477 11
478478 12
479479 13
480480 14
481481 15
482482 16
483483 17
484484 18
485485 19
486486 20
487487 21
488488 22
489489 23
490490 24
491491
492492 more third parties, provided the third party or
493493 parties do not also share the personal information,
494494 unless that disclosure wou ld be consistent with the
495495 provisions of this act,
496496 b. the business discloses the personal information of a
497497 consumer with a service provider and the business has
498498 provided notice that the information is being used or
499499 disclosed in its terms and conditions cons istent with
500500 Section 5 of this act, and
501501 c. when a business transfers to a third party the
502502 personal information of a consumer as an asset that is
503503 part of a merger, acquisition, bankruptcy, or other
504504 transaction in which the third party assumes control
505505 of all or part of the business; provided that
506506 information is used or disclosed consistently with
507507 this act. A third party may not materially alter how
508508 it uses or discloses the personal information of a
509509 consumer in a manner that is materially inconsistent
510510 with the promises made at the time of collection ;
511511 18. "Third party" means a person who is not any of the
512512 following:
513513 a. the business with whom the consumer intentionally
514514 interacts and that collects personal information from
515515
516516 Req. No. 8440 Page 11 1
517517 2
518518 3
519519 4
520520 5
521521 6
522522 7
523523 8
524524 9
525525 10
526526 11
527527 12
528528 13
529529 14
530530 15
531531 16
532532 17
533533 18
534534 19
535535 20
536536 21
537537 22
538538 23
539539 24
540540
541541 the consumer as part of the consumer 's current
542542 interaction with the business under th is act, or
543543 b. a service provider to whom the business discloses a
544544 consumer's personal information pursuant to a written
545545 contract, which includes a certification made by the
546546 person receiving the personal informat ion that the
547547 person understands the restricti ons created under this
548548 act and will comply with them; and
549549 19. "Verifiable consumer request " means a request that is made
550550 by a consumer, by a consumer on behalf of the consumer 's minor
551551 child, or by a natural per son or a person registered with the
552552 Secretary of State, authorized by the consumer to act on the
553553 consumer's behalf, and that the business can reasonably verify. A
554554 business is not obligated to provide any personal information to a
555555 consumer pursuant to Section 8 of this act, to delete personal
556556 information pursuant to Section 6 of this act, or to correct
557557 inaccurate personal information pursuant to Section 9 of this act,
558558 if the business cannot verify that the consumer making the request
559559 is the consumer about w hom the business has collected personal
560560 information or is a person authorized by the consumer to act on such
561561 consumer's behalf.
562562 SECTION 4. NEW LAW A new section of law to be codified
563563 in the Oklahoma Statutes as Section 20m-4 of Title 74, unless there
564564 is created a duplication i n numbering, reads as follows:
565565
566566 Req. No. 8440 Page 12 1
567567 2
568568 3
569569 4
570570 5
571571 6
572572 7
573573 8
574574 9
575575 10
576576 11
577577 12
578578 13
579579 14
580580 15
581581 16
582582 17
583583 18
584584 19
585585 20
586586 21
587587 22
588588 23
589589 24
590590
591591 The Attorney General shall be responsible for enforcing this
592592 act. Any person, business, or service provider that violates this
593593 act may be liable for a civil penalty of up to Seven Thousand Five
594594 Hundred Dollars ($7,500.00) for each intentional violation and up to
595595 Two Thousand Five Hundred D ollars ($2,500.00) for each unintentional
596596 violation. The court may consider punitive damages in addition to
597597 the statutorily provided damages if requested by the Attorney
598598 General. Additionally, the Attorney General may seek injunctive
599599 relief to prevent repe titive violations of this act. The Attorney
600600 General shall be entitled to recover all reasonable fees and costs,
601601 including any expert witne ss fees, if a prevailing party. Any funds
602602 recovered under this statute shall be retained in a dedicated
603603 revolving account for the Attorney General.
604604 SECTION 5. NEW LAW A new section of law to be codified
605605 in the Oklahoma Statutes as Sect ion 20m-5 of Title 74, unless there
606606 is created a duplication in numbering, reads as follows:
607607 A business covered by this act shall disclose the following
608608 information to consumers in a clear and conspicuous manner in its
609609 privacy policies, which shall be writ ten in plain language and shall
610610 be available prior to any data collection, and shall be updated if
611611 any terms or conditions change:
612612 1. The manner and method by which a consumer may exercise his
613613 or her rights pursuant to Sections 6, 7, 8, and 9 of this act;
614614 2. The personal infor mation collected from consumers;
615615
616616 Req. No. 8440 Page 13 1
617617 2
618618 3
619619 4
620620 5
621621 6
622622 7
623623 8
624624 9
625625 10
626626 11
627627 12
628628 13
629629 14
630630 15
631631 16
632632 17
633633 18
634634 19
635635 20
636636 21
637637 22
638638 23
639639 24
640640
641641 3. The reasons the business collects, discloses, or retains
642642 personal information;
643643 4. Whether the business discloses personal information and, if
644644 so, what information is disclosed and to whom ;
645645 5. Whether the business shares personal informatio n with
646646 service providers and, if so, the categories of service providers ;
647647 and
648648 6. The length of time that the business retains personal
649649 information.
650650 SECTION 6. NEW LAW A new section of la w to be codified
651651 in the Oklahoma Statutes as Section 20m-6 of Title 74, unless there
652652 is created a duplication in numbering, reads as follows:
653653 A. A business covered by this act shall only collect and/or
654654 share information with third parties that is reasonab ly necessary to
655655 provide a good or service to a consumer who has requested the same
656656 or is reasonably necessary for security purposes or fraud detection.
657657 The monetization of personal information shall never be considered
658658 reasonably necessary for any purpose .
659659 B. A business covered by this a ct shall limit its use and
660660 retention of a consumer 's personal information to that which is
661661 reasonably necessary to provide a service or conduct an activity
662662 that a consumer has requested or for a related operational purpose .
663663 C. A business covered by this a ct shall apprise any consumer
664664 whose data is collected that th e consumer has the right to opt out
665665
666666 Req. No. 8440 Page 14 1
667667 2
668668 3
669669 4
670670 5
671671 6
672672 7
673673 8
674674 9
675675 10
676676 11
677677 12
678678 13
679679 14
680680 15
681681 16
682682 17
683683 18
684684 19
685685 20
686686 21
687687 22
688688 23
689689 24
690690
691691 of personalized advertising and the business shall have the duty to
692692 comply with the request promptly and free of charge. Such
693693 notification shall be made in a clear and c onspicuous manner on the
694694 business's homepage.
695695 SECTION 7. NEW LAW A new section of law to be codified
696696 in the Oklahoma Statutes as Section 20m-7 of Title 74, unless there
697697 is created a duplication in numbering, reads as follows:
698698 A. Consumers have the right to request that a business delete
699699 any personal information retained by the business about the
700700 consumer, and a business covered by this act shall inform consumers
701701 of such right in accordanc e with Section 5 of this act.
702702 B. Upon receipt of a verifiable consumer request to delete a
703703 consumer's personal information, a business shall delete the
704704 personal information from its records and advise any service
705705 providers holding the consumer 's personal information to delete the
706706 consumer's personal information as well.
707707 C. If the consumer's personal information is necessary :
708708 1. To complete the transaction tha t was requested by the
709709 consumer;
710710 2. To fulfill contractual obligations between the consumer and
711711 the business;
712712 3. To detect or act upon secur ity threats, including malicious
713713 or illegal activities, to prosecute individuals respo nsible for
714714 security threats;
715715
716716 Req. No. 8440 Page 15 1
717717 2
718718 3
719719 4
720720 5
721721 6
722722 7
723723 8
724724 9
725725 10
726726 11
727727 12
728728 13
729729 14
730730 15
731731 16
732732 17
733733 18
734734 19
735735 20
736736 21
737737 22
738738 23
739739 24
740740
741741 4. To ensure quality control functions ;
742742 5. To exercise constitutionally protected speech;
743743 6. To engage in public- or peer-reviewed research that adheres
744744 to all applicable ethics and privacy laws; or
745745 7. To comply with legal obligations,
746746 then the business shall have the right to reject such consumer 's
747747 request and shall advise the consumer of the re ason why such request
748748 was rejected.
749749 SECTION 8. NEW LAW A new section of law to be codified
750750 in the Oklahoma Statutes as Section 20m-8 of Title 74, unless there
751751 is created a duplication in numbering, reads as follows:
752752 After receiving a verifiable consumer request from a consumer
753753 requesting to know what information is retained by a business about
754754 the consumer, the business shall disclose the specific personal
755755 information retained by the business about the consumer. Such
756756 disclosure shall be in an electronic, portable , machine-readable,
757757 and readily useable format to the consumer. Additionally, to the
758758 extent the business has disclosed personal information of a consumer
759759 to a third party or service provider, said business shall disclose,
760760 in the same manner and method as previously des cribed, the names and
761761 contact information of such third parties or service providers.
762762 SECTION 9. NEW LAW A new section of law to be codified
763763 in the Oklahoma Statutes as Section 20m-9 of Title 74, unless there
764764 is created a duplicatio n in numbering, reads as follows:
765765
766766 Req. No. 8440 Page 16 1
767767 2
768768 3
769769 4
770770 5
771771 6
772772 7
773773 8
774774 9
775775 10
776776 11
777777 12
778778 13
779779 14
780780 15
781781 16
782782 17
783783 18
784784 19
785785 20
786786 21
787787 22
788788 23
789789 24
790790
791791 A business shall advise a consumer, in accordance with Section
792792 11 of this act that the consumer has the right to request correction
793793 of inaccurate personal information, and a con sumer shall have the
794794 right to require a busin ess to correct such inaccurate information.
795795 Upon receipt of a verifiable consumer request, a business shall take
796796 all reasonable steps to correct the inaccurate information, in
797797 accordance with Section 11 of this act.
798798 SECTION 10. NEW LAW A new section of law to be codified
799799 in the Oklahoma Statutes as Section 20m-10 of Title 74, unless there
800800 is created a duplication in numbering, reads as follows:
801801 No business shall deny goods or services to a consumer by virtue
802802 of the consumer's exercise of any rights in this act. Further, no
803803 business shall charge a different price or provide a different
804804 quality of service or good by virtue of the consumer 's exercise of
805805 any rights under this act. Provided, a business may offer
806806 discounted or free goods or services to a consumer if the consumer
807807 voluntarily participates in a program that rewards consumers for
808808 repeated transactions with the business and if the business does not
809809 share the consumer's data with third parties.
810810 SECTION 11. NEW LAW A new section of law to be codified
811811 in the Oklahoma Statutes as Section 20m-11 of Title 74, unless there
812812 is created a duplication in numbering, reads as follows:
813813 A. A business covered by this act shall provide at least two
814814 points of contact that are easily accessible and readily
815815
816816 Req. No. 8440 Page 17 1
817817 2
818818 3
819819 4
820820 5
821821 6
822822 7
823823 8
824824 9
825825 10
826826 11
827827 12
828828 13
829829 14
830830 15
831831 16
832832 17
833833 18
834834 19
835835 20
836836 21
837837 22
838838 23
839839 24
840840
841841 identifiable by which a consumer may make the requests permitted
842842 under this act, at least one of which must be the business 's
843843 website, unless a business covered by this act does not have a
844844 website, in which case the busine ss must provide a telephone number
845845 as one of the two methods by which a co nsumer may contact the
846846 business.
847847 B. Any disclosure and/or delivery of information from a
848848 business to a consumer under this act must be provided free of
849849 charge and within forty-five (45) days of receipt of a verifiable
850850 consumer request. If it is not reasonably possible to provide the
851851 information within forty-five (45) days, the business may extend the
852852 deadline by forty-five (45) days by providing notice to the consumer
853853 of such election and the basis for the same .
854854 C. If personal information is collected by a business to verify
855855 the consumer's identity, then that personal information is limited
856856 in usage solely to the verification process and shall thereafter be
857857 permanently deleted.
858858 D. A business is not obligated to provide the inf ormation
859859 identified in Section 8 of this act more than twice during any
860860 twelve-month period for each consumer .
861861 E. A business or service provider shall implement and maintain
862862 reasonable security procedures and practices, including
863863 administrative, physical, and technical safeguards, appropriate to
864864 the nature of the information and the purposes for which the
865865
866866 Req. No. 8440 Page 18 1
867867 2
868868 3
869869 4
870870 5
871871 6
872872 7
873873 8
874874 9
875875 10
876876 11
877877 12
878878 13
879879 14
880880 15
881881 16
882882 17
883883 18
884884 19
885885 20
886886 21
887887 22
888888 23
889889 24
890890
891891 personal information will be used, to protect consumers ' personal
892892 information from unauthorized use, disclo sure, access, destruction,
893893 or modification.
894894 SECTION 12. NEW LAW A new section of law to be codified
895895 in the Oklahoma Statutes as Section 20m-12 of Title 74, unless there
896896 is created a duplication in numbering, reads as follows:
897897 A. The obligations imposed on businesses by this act shall not
898898 restrict a business's or service provider 's ability to:
899899 1. Comply with federal, state, or local laws ;
900900 2. Comply with a civil, criminal, or regulato ry inquiry,
901901 investigation, subpoena, or summons b y federal, state, or local
902902 authorities;
903903 3. Cooperate with law enforcement agencies concerning conduct
904904 or activity that the business, service provider, or third party
905905 reasonably and in good faith believes ma y violate federal, state, or
906906 local law;
907907 4. Exercise or defend legal claims ;
908908 5. Collect, use, retain, share, or disclose consumer
909909 information that is de -identified or in the aggregate de rived from
910910 personal information; and
911911 6. Collect or share a consumer 's personal information if every
912912 aspect of that commercial conduct takes place wholly outside of the
913913 State of Oklahoma. For purposes of this act, commercial conduct
914914 takes place wholly outside of the State of Oklahoma if a business
915915
916916 Req. No. 8440 Page 19 1
917917 2
918918 3
919919 4
920920 5
921921 6
922922 7
923923 8
924924 9
925925 10
926926 11
927927 12
928928 13
929929 14
930930 15
931931 16
932932 17
933933 18
934934 19
935935 20
936936 21
937937 22
938938 23
939939 24
940940
941941 collected that informatio n while the consumer was present outside of
942942 the State of Oklahoma, no part of the sharing of the consumer 's
943943 personal information occurred in the State of Oklahoma, and no
944944 personal information was collected while the consumer was present in
945945 the State of Oklahoma is shared. This paragraph shall not permit a
946946 business from storing, including on a device, personal information
947947 about a consumer when the consumer is present in the S tate of
948948 Oklahoma and then later collecting that personal information when
949949 the consumer and stored personal information is located outside of
950950 the State of Oklahoma.
951951 B. Nothing in this act shall require a business to violate an
952952 evidentiary privilege under Oklahoma law or federal law , or prevent
953953 a business from providing the personal info rmation of a consumer who
954954 is covered by an evident iary privilege under Oklahoma law as part of
955955 a privileged communication.
956956 C. 1. This act shall not apply to any of the following:
957957 a. protected health information that is collected by a
958958 covered entity or bu siness associate governed by the
959959 privacy, security, and breach notification rules
960960 issued by the United States Department of Health and
961961 Human Services, Parts 160 and 164 of Title 45 of the
962962 Code of Federal Regulations, established pursuant to
963963 the Health Insurance Portability and Accountability
964964 Act of 1996 (Public Law 104-191) and the Health
965965
966966 Req. No. 8440 Page 20 1
967967 2
968968 3
969969 4
970970 5
971971 6
972972 7
973973 8
974974 9
975975 10
976976 11
977977 12
978978 13
979979 14
980980 15
981981 16
982982 17
983983 18
984984 19
985985 20
986986 21
987987 22
988988 23
989989 24
990990
991991 Information Technology for Economic and Clinical
992992 Health Act (Public Law 111 -5),
993993 b. a covered entity governed by the privacy, security,
994994 and breach notification rules issued by the United
995995 States Department of Health and Hum an Services, Parts
996996 160 and 164 of Title 45 of the Code of Federal
997997 Regulations, established pursuant to the Health
998998 Insurance Portability and Accountability Act of 1996
999999 (Public Law 104-191), to the extent the provider or
10001000 covered entity maintains patient info rmation in the
10011001 same manner as medical information or protected health
10021002 information as described in subparagraph a of this
10031003 paragraph, and
10041004 c. personal information collected as part of a clinical
10051005 trial subject to the Federal Policy for the Protection
10061006 of Human Subjects, also known as the Common Rule,
10071007 pursuant to good clinical practice guidelines issued
10081008 by the International Council for Harmonisation of
10091009 Technical Requirements for Human Use or pursuant to
10101010 human subject protection requirements of the United
10111011 States Food and Drug Administration.
10121012 2. For purposes of this subsection, the definition of "medical
10131013 information" means any individually identifiable information, in
10141014 electronic or physical form, in possession of or derived from a
10151015
10161016 Req. No. 8440 Page 21 1
10171017 2
10181018 3
10191019 4
10201020 5
10211021 6
10221022 7
10231023 8
10241024 9
10251025 10
10261026 11
10271027 12
10281028 13
10291029 14
10301030 15
10311031 16
10321032 17
10331033 18
10341034 19
10351035 20
10361036 21
10371037 22
10381038 23
10391039 24
10401040
10411041 provider of health care, health ca re service plan, pharmaceutical
10421042 company, or contractor regarding a patient's medical history, mental
10431043 or physical condition, or treatment. "Individually identifiable"
10441044 means that the medical information inclu des or contains any element
10451045 of personal identifyi ng information sufficient to allow
10461046 identification of the individual, such as the patient's name,
10471047 address, electronic mail address, telephone number, or Social
10481048 Security number, or other information that, alon e or in combination
10491049 with other publicly available information, reveals the individual's
10501050 identity. Furthermore, the definitions of "business associate",
10511051 "covered entity", and "protected health information " in Section
10521052 160.103 of Title 45 of the Code of Fede ral Regulations shall apply.
10531053 D. This act shall not apply to activity involving the
10541054 collection, maintenance, disclosure, sale, communication, or use of
10551055 any personal information bearing on a consumer 's credit worthiness,
10561056 credit standing, credit capacity, ch aracter, general reputation,
10571057 personal characteris tics, or mode of living by a consumer reporting
10581058 agency, as defined by subdivision (f) of Section 1681a of Title 15
10591059 of the United States Code, by a furnisher of information, as set
10601060 forth in Section 1681s -2 of Title 15 of the United States Code, who
10611061 provides information for use in a consumer report, as defined in
10621062 subdivision (d) of Section 1681a of Title 15 of the United States
10631063 Code, and by a user of a consumer report as set forth in Section
10641064 1681b of Title 15 of the United States Code. This subsection shall
10651065
10661066 Req. No. 8440 Page 22 1
10671067 2
10681068 3
10691069 4
10701070 5
10711071 6
10721072 7
10731073 8
10741074 9
10751075 10
10761076 11
10771077 12
10781078 13
10791079 14
10801080 15
10811081 16
10821082 17
10831083 18
10841084 19
10851085 20
10861086 21
10871087 22
10881088 23
10891089 24
10901090
10911091 only apply to the extent that such activity involving the
10921092 collection, maintenance, disclosure, sale, communication, or use of
10931093 such information by that agency, furnisher, or user is subject to
10941094 regulation under the Fair Credit Reporting Act, Section 1681 et seq.
10951095 of Title 15 of the United States Code and the information is not
10961096 collected, maintained, disclosed, sold, communicated, or used except
10971097 as authorized by the Fair Credit Reporting Act.
10981098 E. This act shall not apply to personal information collected,
10991099 processed, sold, or disclosed pursuant to the federal Gramm -Leach-
11001100 Bliley Act (Public Law 106 -102), and implementing regulations.
11011101 F. This act shall not apply to personal information collected,
11021102 processed, sold, or disclosed pursuant to the Driver 's Privacy
11031103 Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.) ;
11041104 G. Notwithstanding a business 's obligations to respond to and
11051105 honor consumer rights requ ests pursuant to this title:
11061106 1. If a business does not take action o n the request of a
11071107 consumer, the business shall i nform the consumer, without delay and
11081108 at the latest within the time period permitted by this act, of the
11091109 reasons for not taking action and any rights the consumer may have
11101110 to appeal the decision to the busin ess;
11111111 2. If requests from a consumer are manifest ly unfounded or
11121112 excessive, in particular because of his or her repetitive character,
11131113 a business may either charge a reasonable fee, taking into account
11141114 the administrative costs of providing the information o r
11151115
11161116 Req. No. 8440 Page 23 1
11171117 2
11181118 3
11191119 4
11201120 5
11211121 6
11221122 7
11231123 8
11241124 9
11251125 10
11261126 11
11271127 12
11281128 13
11291129 14
11301130 15
11311131 16
11321132 17
11331133 18
11341134 19
11351135 20
11361136 21
11371137 22
11381138 23
11391139 24
11401140
11411141 communication or taking the action requested, o r refuse to act on
11421142 the request and notify the consumer of the reason for refusing the
11431143 request. The business shall bear the burden of demonstrating that
11441144 any verifiable consumer request is manifestly unfounde d or
11451145 excessive.
11461146 H. A business that discloses per sonal information to a service
11471147 provider in compliance with this act shall select as service
11481148 providers entities that are capable of adhering to the restrictions
11491149 set forth in this act, and enforce compliance i n adhering to these
11501150 restrictions, through effecti ve enforceable contractual obligations
11511151 and regular evaluation of compliance. A service provider shall not
11521152 be liable under this title for the obligations of a business for
11531153 which it provides services as set forth in this act; provided that
11541154 the service provider shall be liable for its own violations of this
11551155 act.
11561156 I. This act shall not be constru ed to require a business to:
11571157 1. Comply with a verifiable consumer request to access, delete,
11581158 or correct personal info rmation pursuant to Sections 7, 8, or 9 of
11591159 this act if all of the following are true:
11601160 a. (1) the business is not reasonably capable of linking
11611161 or associating the request with the personal
11621162 information, or
11631163
11641164 Req. No. 8440 Page 24 1
11651165 2
11661166 3
11671167 4
11681168 5
11691169 6
11701170 7
11711171 8
11721172 9
11731173 10
11741174 11
11751175 12
11761176 13
11771177 14
11781178 15
11791179 16
11801180 17
11811181 18
11821182 19
11831183 20
11841184 21
11851185 22
11861186 23
11871187 24
11881188
11891189 (2) it would be unreasonably burdensome for the
11901190 business to link or associate the request wit h
11911191 the personal information ,
11921192 b. the business does not use the information to recognize
11931193 or respond to the specific consumer who is the subject
11941194 of the personal information or link or associate the
11951195 personal information with other personal information
11961196 about the same specific consumer, and
11971197 c. the business does not share the personal information
11981198 to any third party, or otherwise voluntarily disclose
11991199 the personal information to any third party other than
12001200 a service provider except as otherwise permitted in
12011201 this subsection.
12021202 2. Maintain information in identifiable, linkable or associable
12031203 form, or to collect, obtain, retain, or access any data or
12041204 technology, in order to be capable of linking or associating a
12051205 verifiable consumer request with personal information.
12061206 J. Nothing herein shall apply to the publication of newsworthy
12071207 information to the public, or to the collection or editing of
12081208 information for that purpose.
12091209 SECTION 13. NEW LAW A new section of law to be codified
12101210 in the Oklahoma Statutes as Secti on 20m-13 of Title 74, unless there
12111211 is created a duplication in numbering, reads as follows:
12121212
12131213 Req. No. 8440 Page 25 1
12141214 2
12151215 3
12161216 4
12171217 5
12181218 6
12191219 7
12201220 8
12211221 9
12221222 10
12231223 11
12241224 12
12251225 13
12261226 14
12271227 15
12281228 16
12291229 17
12301230 18
12311231 19
12321232 20
12331233 21
12341234 22
12351235 23
12361236 24
12371237
12381238 If a series of steps or transactions were component parts of a
12391239 single transaction intended from the beginning to b e taken with the
12401240 intention of avoiding the reach of this title, a court shall
12411241 disregard the intermediate steps or transactions for purposes of
12421242 effectuating the purposes of this title.
12431243 SECTION 14. NEW LAW A new section of law to be co dified
12441244 in the Oklahoma Statutes as Section 20m-14 of Title 74, unless there
12451245 is created a duplication in numbering, reads as follows:
12461246 Any provision of a contract or agreement of any kind, including
12471247 an arbitration agreement, that purports to waive or limit i n any way
12481248 rights under this title, including, but not limited to, any right to
12491249 a remedy or means of enforcement, shall be deemed contrary to public
12501250 policy and shall be void and unenforceable.
12511251 SECTION 15. NEW LAW A new section of law to be codified
12521252 in the Oklahoma Statutes as Sectio n 20m-15 of Title 74, unless there
12531253 is created a duplication in numbering, reads as follows:
12541254 It shall be unlawful for any company to design, modify, or
12551255 manipulate a user interface with the purpose or substant ial effect
12561256 of obscuring, subverting, or impairing user autonomy, decision -
12571257 making, or choice, as further defined by regulation.
12581258 SECTION 16. The provisions of this act are severable and if any
12591259 part or provision shall be held void the decision of the court so
12601260 holding shall not affect or impa ir any of the remaining parts or
12611261 provisions of this act.
12621262
12631263 Req. No. 8440 Page 26 1
12641264 2
12651265 3
12661266 4
12671267 5
12681268 6
12691269 7
12701270 8
12711271 9
12721272 10
12731273 11
12741274 12
12751275 13
12761276 14
12771277 15
12781278 16
12791279 17
12801280 18
12811281 19
12821282 20
12831283 21
12841284 22
12851285 23
12861286 24
12871287
12881288 SECTION 17. This act shall become effective November 1, 202 3.
12891289
12901290 58-2-8440 JL 09/09/21