Oklahoma 2022 Regular Session

Oklahoma House Bill HB2968 Latest Draft

Bill / Introduced Version Filed 09/09/2021

                             
 
Req. No. 8440
STATE OF OKLAHOMA 
 
2nd Session of the 58th Legislature (2022) 
 
HOUSE BILL 2968 	By: Walke 
 
 
 
 
 
AS INTRODUCED 
 
An Act relating to privacy of computer data; enacting 
the Oklahoma Computer Data Privacy Act of 2022; 
providing intent and construction; defining terms;
prescribing that the Attorney General is responsible 
for enforcement; providing disclosure requirements; 
providing limitations; providing consumers the right 
to opt out of data collection; providing consumers 
the right to deletion of their information; providing
exceptions to request for deletion of information; 
providing consumers with the right to request for an 
audit of their information; providing consumers with 
the right to have their personal information 
corrected; requiring business to not discriminate; 
providing guidelines for implementation; providing 
exemptions; preempting intermediate transactions from 
circumventing regulations; providing waivers are void 
and unenforceable; prohibiting businesses from
modifying or manipulating user interfaces to obscure,
subvert or impair user autonomy, decision-making or
choice; providing severability of provisions;
providing for codification; and providing an
effective date. 
 
 
 
 
BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA: 
SECTION 1.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-1 of Title 74, unless there 
is created a duplication in numbering, reads as follows:
This act shall be known and may be cited as the "Oklahoma 
Computer Data Privacy Act of 2022". 
SECTION 2.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-2 of Title 74, unless there 
is created a duplication in numbering, reads as follows:
The Oklahoma Legislature acknowledges the people's
Constitutional right to privacy and further acknowledges that any
collection of Oklahoma citizens' data without their knowledge and
consent is a violation of such right to privacy.  This act is
intended to complement other data privacy laws, both state and
federal, and to the extent there is a conflict with a state law, the 
law conferring the greatest privacy shall control.  Further, the 
Oklahoma Legislature has determined the provisions of this act are 
the least restrictive possible. 
SECTION 3.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-3 of Title 74, unless there 
is created a duplication in numbering, reads as follows:
As used in this act: 
1.  "Aggregate consumer information" means information that 
relates to a group of consumers, from which individual consumer 
identities have been removed, that is not linked or reasonably 
linkable to any consumer or household, including via a device.
Aggregate consumer information does not mean one or more individual
consumer records that have been de-identified;
2.  "Biometric information" means an individual's physiological,
biological or behavioral characteristics or an electronic
representation of such, including an individual's deoxyribonucleic
acid (DNA), that can be used, singly or in combination with each
other or with other identifying data, to establish an individual's
identity.  Biometric information includes, but is not limited to,
imagery of the iris, retina, fingerprint, face, hand, palm, vein
patterns, and voice recordings from which an identifier template,
such as a faceprint, a minutiae template, or a voiceprint, can be
extracted, and keystroke patterns or rhythms, gait patterns or
rhythms, and sleep, health, or exercise data that contain
identifying information; 
3.  "Business" means: 
a. a sole proprietorship, partnership, limited liability 
company, corporation, association, or other legal 
entity that collects consumers' personal information,
or on the behalf of which such information is
collected and that alone, or jointly with others, 
determines the purposes and means of the processing of 
consumers' personal information, that does business in 
the State of Oklahoma, and that satisfies one or more 
of the following thresholds:
(1) has annual gross revenues in excess of Ten 
Million Dollars ($10,000,000.00) in the preceding 
calendar year, 
(2) alone or in combination, annually buys, receives, 
shares, or discloses for commercial purposes,
alone or in combination, the personal information
of twenty-five thousand or more consumers, 
households or devices, or 
(3) derives fifty percent (50%) or more of its annual 
revenues from sharing consumers' personal
information, 
b. any entity that controls or is controlled by a 
business, as defined in subparagraph a of this 
paragraph, and that shares common branding with the 
business and with whom the business shares consumers'
personal information. "Control" or "controlled" means 
ownership of, or the power to vote, more than fifty 
percent (50%) of the outstanding shares of any class 
of voting security of a business; control in any 
manner over the election of a majority of the 
directors, or of individuals exercising similar 
functions; or the power to exercise a controlling 
influence over the management of a company.  "Common 
branding" means a shared name, service mark, or
trademark, such that the average consumer would 
understand that two or more entities are commonly
owned, 
c. a joint venture or partnership composed of businesses 
in which each business has at least a forty-percent-interest.
For purposes of this act, the joint venture
or partnership and each business that comprises the 
joint venture or partnership shall separately be 
considered a single business, except that personal 
information in the possession of each business and 
disclosed to the joint venture or partnership shall 
not be shared with the other businesses;
4.  "Collects", "collected", or "collection" means buying,
renting, gathering, obtaining, receiving, or accessing any personal
information pertaining to a consumer by any means.  This includes
receiving information from the consumer, either actively or
passively, or by observing the consumer's behavior;
5.  "Commercial purposes" means to advance a person's commercial
or economic interests, such as by inducing another person to buy, 
rent, lease, join, subscribe to, provide, or exchange products, 
goods, property, information or services, or enabling or effecting, 
directly or indirectly, a commercial transaction. Commercial 
purposes do not include engaging in speech that state or federal
courts have recognized as noncommercial speech, including political 
speech and journalism. 
6.  "Consumer" means a natural person who is an Oklahoma 
resident.  It does not include an employee or contractor of a 
business acting in his or her role as an employee or contractor;
7.  "De-identified" means information that cannot reasonably 
identify, relate to, describe, reasonably be associated with, or 
reasonably be linked, directly or indirectly, to a particular 
consumer, provided that the business: 
a. takes reasonable measures to ensure that the data 
could not be reidentified, 
b. publicly commits to maintain and use the data in a de-identified
fashion and not to attempt to reidentify
the data, and
c. contractually prohibits downstream recipients from
attempting to reidentify the data; 
8.  "Designated methods for submitting requests" means a mailing
address, email address, Internet web page, Internet web portal,
telephone number, or other applicable contact information, whereby
consumers may submit a request under this act; 
9.  "Device" means any physical object that is capable of 
connecting to the Internet, directly or indirectly, or to another
device;
10.  "Intentionally interacts" means when the consumer intends
to interact with a person via one or more deliberate interactions,
such as visiting the person's website or purchasing a good or
service from the person. Hovering over, muting, pausing, or closing
a given piece of content, or using a communications service to
interact with a third-party website, does not constitute a
consumer's intent to interact with a person;
11.  "Operational purpose" means the use of personal information
when reasonably necessary and proportionate to achieve one of the
following purposes, if such usage is limited to the first-party
relationship and customer experience: 
a. debugging to identify and repair errors that impair 
existing intended functionality, 
b. undertaking internal research for technological 
development, analytics, and product improvement, based 
on information collected by the business, 
c. undertaking activities to verify or maintain the 
quality or safety of a service or device that is 
owned, manufactured, manufactured for, or controlled
by the business, or to improve, upgrade, or enhance 
the service or device that is owned, manufactured, 
manufactured for, or controlled by the business, 
d. customization of content based on information 
collected by the business, or
e. customization of advertising or marketing based on
information collected by the business; 
12.  "Person" means an individual, proprietorship, firm, 
partnership, joint venture, syndicate, business trust, company, 
corporation, limited liability company, association, committee, and
any other organization or group of persons acting in concert;
13.  "Personal information" means information that identifies or
could reasonably be linked, directly or indirectly, with a
particular consumer, household, or consumer device.  Personal
information does not include publicly available information.  For
the purposes of this paragraph, publicly available means information
that is lawfully made available from federal, state or local
government records.  Personal information does not include consumer
information that is de-identified or aggregate consumer information;
14.  "Processing" means any operation or set of operations that
are performed on personal information or on sets of personal
information, whether or not by automated means;
15.  "Service" or "services" means work, labor, and services, 
including services furnished in connection with the production, sale 
or repair of goods; 
16.  "Service provider" means a person who processes personal 
information on behalf of a business and to which the business
discloses a consumer's personal information pursuant to a written or 
electronic contract, provided that:
a. the contract prohibits the person from retaining, 
using, or disclosing the personal information for any 
purpose other than for the specific purpose of 
performing the services specified in the contract for 
the business, including a prohibition on retaining, 
using, or disclosing the personal information for a 
commercial purpose other than providing the services 
specified in the contract with the business, and 
b. the service provider does not combine the personal 
information which the service provider receives from,
or on behalf of, the business with personal
information which the service provider receives from,
or on behalf of, another person or persons, or 
collects from its own interaction with consumers; 
17.  "Share" means renting, releasing, disclosing, 
disseminating, making available, transferring, or otherwise 
communicating orally, in writing, or by electronic or other means, a
consumer's personal information by the business to a third party for 
monetary or other valuable consideration, or otherwise for a 
commercial purpose. For purposes of this act, a business does not 
share personal information when: 
a. a consumer uses or directs the business to 
intentionally disclose personal information or uses 
the business to intentionally interact with one or
more third parties, provided the third party or 
parties do not also share the personal information, 
unless that disclosure would be consistent with the
provisions of this act, 
b. the business discloses the personal information of a 
consumer with a service provider and the business has 
provided notice that the information is being used or 
disclosed in its terms and conditions consistent with
Section 5 of this act, and 
c. when a business transfers to a third party the 
personal information of a consumer as an asset that is 
part of a merger, acquisition, bankruptcy, or other 
transaction in which the third party assumes control 
of all or part of the business; provided that 
information is used or disclosed consistently with 
this act.  A third party may not materially alter how 
it uses or discloses the personal information of a 
consumer in a manner that is materially inconsistent 
with the promises made at the time of collection;
18.  "Third party" means a person who is not any of the 
following: 
a. the business with whom the consumer intentionally 
interacts and that collects personal information from
the consumer as part of the consumer's current
interaction with the business under this act, or
b. a service provider to whom the business discloses a
consumer's personal information pursuant to a written
contract, which includes a certification made by the
person receiving the personal information that the
person understands the restrictions created under this
act and will comply with them; and
19.  "Verifiable consumer request" means a request that is made
by a consumer, by a consumer on behalf of the consumer's minor
child, or by a natural person or a person registered with the
Secretary of State, authorized by the consumer to act on the 
consumer's behalf, and that the business can reasonably verify.  A 
business is not obligated to provide any personal information to a 
consumer pursuant to Section 8 of this act, to delete personal 
information pursuant to Section 6 of this act, or to correct 
inaccurate personal information pursuant to Section 9 of this act, 
if the business cannot verify that the consumer making the request 
is the consumer about whom the business has collected personal
information or is a person authorized by the consumer to act on such 
consumer's behalf. 
SECTION 4.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-4 of Title 74, unless there 
is created a duplication in numbering, reads as follows:
The Attorney General shall be responsible for enforcing this 
act.  Any person, business, or service provider that violates this 
act may be liable for a civil penalty of up to Seven Thousand Five 
Hundred Dollars ($7,500.00) for each intentional violation and up to 
Two Thousand Five Hundred Dollars ($2,500.00) for each unintentional
violation.  The court may consider punitive damages in addition to 
the statutorily provided damages if requested by the Attorney 
General.  Additionally, the Attorney General may seek injunctive 
relief to prevent repetitive violations of this act.  The Attorney
General shall be entitled to recover all reasonable fees and costs,
including any expert witness fees, if a prevailing party.  Any funds
recovered under this statute shall be retained in a dedicated 
revolving account for the Attorney General. 
SECTION 5.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-5 of Title 74, unless there
is created a duplication in numbering, reads as follows: 
A business covered by this act shall disclose the following 
information to consumers in a clear and conspicuous manner in its 
privacy policies, which shall be written in plain language and shall
be available prior to any data collection, and shall be updated if 
any terms or conditions change: 
1.  The manner and method by which a consumer may exercise his 
or her rights pursuant to Sections 6, 7, 8, and 9 of this act; 
2.  The personal information collected from consumers;
3.  The reasons the business collects, discloses, or retains 
personal information; 
4.  Whether the business discloses personal information and, if 
so, what information is disclosed and to whom;
5.  Whether the business shares personal information with
service providers and, if so, the categories of service providers;
and 
6.  The length of time that the business retains personal 
information. 
SECTION 6.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 20m-6 of Title 74, unless there 
is created a duplication in numbering, reads as follows: 
A.  A business covered by this act shall only collect and/or 
share information with third parties that is reasonably necessary to
provide a good or service to a consumer who has requested the same 
or is reasonably necessary for security purposes or fraud detection. 
The monetization of personal information shall never be considered 
reasonably necessary for any purpose.
B.  A business covered by this act shall limit its use and
retention of a consumer's personal information to that which is
reasonably necessary to provide a service or conduct an activity
that a consumer has requested or for a related operational purpose.
C.  A business covered by this act shall apprise any consumer
whose data is collected that the consumer has the right to opt out
of personalized advertising and the business shall have the duty to 
comply with the request promptly and free of charge. Such 
notification shall be made in a clear and conspicuous manner on the
business's homepage. 
SECTION 7.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-7 of Title 74, unless there 
is created a duplication in numbering, reads as follows: 
A.  Consumers have the right to request that a business delete 
any personal information retained by the business about the 
consumer, and a business covered by this act shall inform consumers 
of such right in accordance with Section 5 of this act.
B.  Upon receipt of a verifiable consumer request to delete a 
consumer's personal information, a business shall delete the 
personal information from its records and advise any service 
providers holding the consumer's personal information to delete the
consumer's personal information as well.
C.  If the consumer's personal information is necessary:
1.  To complete the transaction that was requested by the
consumer;
2.  To fulfill contractual obligations between the consumer and
the business;
3.  To detect or act upon security threats, including malicious
or illegal activities, to prosecute individuals responsible for
security threats;
4.  To ensure quality control functions;
5.  To exercise constitutionally protected speech; 
6.  To engage in public- or peer-reviewed research that adheres 
to all applicable ethics and privacy laws; or 
7.  To comply with legal obligations, 
then the business shall have the right to reject such consumer's
request and shall advise the consumer of the reason why such request
was rejected. 
SECTION 8.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-8 of Title 74, unless there 
is created a duplication in numbering, reads as follows: 
After receiving a verifiable consumer request from a consumer 
requesting to know what information is retained by a business about 
the consumer, the business shall disclose the specific personal 
information retained by the business about the consumer. Such 
disclosure shall be in an electronic, portable, machine-readable,
and readily useable format to the consumer.  Additionally, to the 
extent the business has disclosed personal information of a consumer 
to a third party or service provider, said business shall disclose, 
in the same manner and method as previously described, the names and
contact information of such third parties or service providers. 
SECTION 9.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-9 of Title 74, unless there 
is created a duplication in numbering, reads as follows:
A business shall advise a consumer, in accordance with Section 
11 of this act that the consumer has the right to request correction 
of inaccurate personal information, and a consumer shall have the
right to require a business to correct such inaccurate information.
Upon receipt of a verifiable consumer request, a business shall take 
all reasonable steps to correct the inaccurate information, in 
accordance with Section 11 of this act. 
SECTION 10.     NEW LAW    A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-10 of Title 74, unless there 
is created a duplication in numbering, reads as follows: 
No business shall deny goods or services to a consumer by virtue 
of the consumer's exercise of any rights in this act.  Further, no 
business shall charge a different price or provide a different 
quality of service or good by virtue of the consumer's exercise of
any rights under this act.  Provided, a business may offer 
discounted or free goods or services to a consumer if the consumer 
voluntarily participates in a program that rewards consumers for 
repeated transactions with the business and if the business does not 
share the consumer's data with third parties. 
SECTION 11.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-11 of Title 74, unless there 
is created a duplication in numbering, reads as follows: 
A.  A business covered by this act shall provide at least two 
points of contact that are easily accessible and readily
identifiable by which a consumer may make the requests permitted 
under this act, at least one of which must be the business's
website, unless a business covered by this act does not have a
website, in which case the business must provide a telephone number
as one of the two methods by which a consumer may contact the
business. 
B.  Any disclosure and/or delivery of information from a 
business to a consumer under this act must be provided free of 
charge and within forty-five (45) days of receipt of a verifiable 
consumer request.  If it is not reasonably possible to provide the 
information within forty-five (45) days, the business may extend the 
deadline by forty-five (45) days by providing notice to the consumer 
of such election and the basis for the same.
C.  If personal information is collected by a business to verify 
the consumer's identity, then that personal information is limited 
in usage solely to the verification process and shall thereafter be 
permanently deleted. 
D.  A business is not obligated to provide the information
identified in Section 8 of this act more than twice during any
twelve-month period for each consumer.
E.  A business or service provider shall implement and maintain 
reasonable security procedures and practices, including 
administrative, physical, and technical safeguards, appropriate to 
the nature of the information and the purposes for which the
personal information will be used, to protect consumers' personal
information from unauthorized use, disclosure, access, destruction,
or modification. 
SECTION 12.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-12 of Title 74, unless there 
is created a duplication in numbering, reads as follows: 
A.  The obligations imposed on businesses by this act shall not 
restrict a business's or service provider's ability to:
1.  Comply with federal, state, or local laws;
2.  Comply with a civil, criminal, or regulatory inquiry,
investigation, subpoena, or summons by federal, state, or local
authorities;
3.  Cooperate with law enforcement agencies concerning conduct
or activity that the business, service provider, or third party
reasonably and in good faith believes may violate federal, state, or
local law;
4.  Exercise or defend legal claims;
5.  Collect, use, retain, share, or disclose consumer
information that is de-identified or in the aggregate derived from
personal information; and
6.  Collect or share a consumer's personal information if every
aspect of that commercial conduct takes place wholly outside of the 
State of Oklahoma.  For purposes of this act, commercial conduct 
takes place wholly outside of the State of Oklahoma if a business
collected that information while the consumer was present outside of
the State of Oklahoma, no part of the sharing of the consumer's
personal information occurred in the State of Oklahoma, and no 
personal information was collected while the consumer was present in 
the State of Oklahoma is shared.  This paragraph shall not permit a 
business from storing, including on a device, personal information 
about a consumer when the consumer is present in the State of
Oklahoma and then later collecting that personal information when 
the consumer and stored personal information is located outside of 
the State of Oklahoma. 
B.  Nothing in this act shall require a business to violate an 
evidentiary privilege under Oklahoma law or federal law, or prevent
a business from providing the personal information of a consumer who
is covered by an evidentiary privilege under Oklahoma law as part of
a privileged communication. 
C.  1.  This act shall not apply to any of the following: 
a. protected health information that is collected by a 
covered entity or business associate governed by the
privacy, security, and breach notification rules 
issued by the United States Department of Health and 
Human Services, Parts 160 and 164 of Title 45 of the 
Code of Federal Regulations, established pursuant to 
the Health Insurance Portability and Accountability 
Act of 1996 (Public Law 104-191) and the Health
Information Technology for Economic and Clinical 
Health Act (Public Law 111-5),
b. a covered entity governed by the privacy, security, 
and breach notification rules issued by the United 
States Department of Health and Human Services, Parts
160 and 164 of Title 45 of the Code of Federal 
Regulations, established pursuant to the Health 
Insurance Portability and Accountability Act of 1996 
(Public Law 104-191), to the extent the provider or 
covered entity maintains patient information in the
same manner as medical information or protected health 
information as described in subparagraph a of this 
paragraph, and 
c. personal information collected as part of a clinical 
trial subject to the Federal Policy for the Protection 
of Human Subjects, also known as the Common Rule, 
pursuant to good clinical practice guidelines issued 
by the International Council for Harmonisation of 
Technical Requirements for Human Use or pursuant to 
human subject protection requirements of the United 
States Food and Drug Administration. 
2.  For purposes of this subsection, the definition of "medical 
information" means any individually identifiable information, in 
electronic or physical form, in possession of or derived from a
provider of health care, health care service plan, pharmaceutical
company, or contractor regarding a patient's medical history, mental
or physical condition, or treatment.  "Individually identifiable"
means that the medical information includes or contains any element
of personal identifying information sufficient to allow
identification of the individual, such as the patient's name,
address, electronic mail address, telephone number, or Social
Security number, or other information that, alone or in combination
with other publicly available information, reveals the individual's
identity.  Furthermore, the definitions of "business associate",
"covered entity", and "protected health information" in Section
160.103 of Title 45 of the Code of Federal Regulations shall apply.
D.  This act shall not apply to activity involving the 
collection, maintenance, disclosure, sale, communication, or use of 
any personal information bearing on a consumer's credit worthiness,
credit standing, credit capacity, character, general reputation,
personal characteristics, or mode of living by a consumer reporting
agency, as defined by subdivision (f) of Section 1681a of Title 15
of the United States Code, by a furnisher of information, as set
forth in Section 1681s-2 of Title 15 of the United States Code, who
provides information for use in a consumer report, as defined in 
subdivision (d) of Section 1681a of Title 15 of the United States 
Code, and by a user of a consumer report as set forth in Section 
1681b of Title 15 of the United States Code. This subsection shall
only apply to the extent that such activity involving the 
collection, maintenance, disclosure, sale, communication, or use of 
such information by that agency, furnisher, or user is subject to 
regulation under the Fair Credit Reporting Act, Section 1681 et seq. 
of Title 15 of the United States Code and the information is not 
collected, maintained, disclosed, sold, communicated, or used except 
as authorized by the Fair Credit Reporting Act. 
E.  This act shall not apply to personal information collected, 
processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley 
Act (Public Law 106-102), and implementing regulations. 
F.  This act shall not apply to personal information collected, 
processed, sold, or disclosed pursuant to the Driver's Privacy 
Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.); 
G.  Notwithstanding a business's obligations to respond to and 
honor consumer rights requests pursuant to this title: 
1.  If a business does not take action on the request of a 
consumer, the business shall inform the consumer, without delay and 
at the latest within the time period permitted by this act, of the 
reasons for not taking action and any rights the consumer may have 
to appeal the decision to the business; 
2.  If requests from a consumer are manifestly unfounded or 
excessive, in particular because of his or her repetitive character, 
a business may either charge a reasonable fee, taking into account 
the administrative costs of providing the information or 
communication or taking the action requested, or refuse to act on 
the request and notify the consumer of the reason for refusing the 
request.  The business shall bear the burden of demonstrating that 
any verifiable consumer request is manifestly unfounded or 
excessive. 
H.  A business that discloses personal information to a service 
provider in compliance with this act shall select as service 
providers entities that are capable of adhering to the restrictions 
set forth in this act, and enforce compliance in adhering to these 
restrictions, through effective enforceable contractual obligations 
and regular evaluation of compliance.  A service provider shall not 
be liable under this title for the obligations of a business for 
which it provides services as set forth in this act; provided that 
the service provider shall be liable for its own violations of this 
act. 
I.  This act shall not be construed to require a business to: 
1.  Comply with a verifiable consumer request to access, delete, 
or correct personal information pursuant to Sections 7, 8, or 9 of 
this act if all of the following are true: 
a. (1)  the business is not reasonably capable of linking 
or associating the request with the personal 
information, or 
(2)  it would be unreasonably burdensome for the 
business to link or associate the request with 
the personal information, 
b. the business does not use the information to recognize 
or respond to the specific consumer who is the subject 
of the personal information or link or associate the 
personal information with other personal information 
about the same specific consumer, and 
c. the business does not share the personal information 
to any third party, or otherwise voluntarily disclose 
the personal information to any third party other than 
a service provider except as otherwise permitted in 
this subsection. 
2.  Maintain information in identifiable, linkable or associable 
form, or to collect, obtain, retain, or access any data or 
technology, in order to be capable of linking or associating a 
verifiable consumer request with personal information. 
J.  Nothing herein shall apply to the publication of newsworthy 
information to the public, or to the collection or editing of 
information for that purpose. 
SECTION 13.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-13 of Title 74, unless there 
is created a duplication in numbering, reads as follows: 
If a series of steps or transactions were component parts of a 
single transaction intended from the beginning to be taken with the 
intention of avoiding the reach of this title, a court shall 
disregard the intermediate steps or transactions for purposes of 
effectuating the purposes of this title. 
SECTION 14.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-14 of Title 74, unless there 
is created a duplication in numbering, reads as follows: 
Any provision of a contract or agreement of any kind, including 
an arbitration agreement, that purports to waive or limit in any way 
rights under this title, including, but not limited to, any right to 
a remedy or means of enforcement, shall be deemed contrary to public 
policy and shall be void and unenforceable. 
SECTION 15.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 20m-15 of Title 74, unless there 
is created a duplication in numbering, reads as follows: 
It shall be unlawful for any company to design, modify, or 
manipulate a user interface with the purpose or substantial effect 
of obscuring, subverting, or impairing user autonomy, 
decision-making, or choice, as further defined by regulation. 
SECTION 16.  The provisions of this act are severable and if any 
part or provision shall be held void the decision of the court so 
holding shall not affect or impair any of the remaining parts or 
provisions of this act. 
SECTION 17.  This act shall become effective November 1, 2023. 
 
58-2-8440 JL 09/09/21