Req. No. 5039 Page 1
STATE OF OKLAHOMA
1st Session of the 59th Legislature (2023)
HOUSE BILL 1030 By: West (Josh)
AS INTRODUCED

An Act relating to privacy of computer data; enacting the Oklahoma Computer Data Privacy Act; defining terms; providing for applicability of act to certain businesses that collect consumers' personal information; providing exemptions; prescribing compliance with other laws and legal proceedings; requiring act to be liberally construed to align its effects with other laws relating to privacy and protection of personal information; providing for controlling effect of federal law; providing for construction in event of conflict with state law; providing for controlling effect of law which provides greatest privacy or protection to consumers; providing for preemption of local law; providing consumers right to request disclosure of certain information; providing consumers right to request deletion of certain information; providing consumers the right to request and receive a disclosure of personal information sold or disclosed; providing consumers right to opt in and out of the sale of personal information; making legislative findings; providing contracts or other agreements purporting to waive or limit a right, remedy or means of enforcement contrary to public policy; requiring businesses collecting consumer data information inform consumer of certain information collected; prescribing required content of disclosures; requiring consumer consent; requiring businesses to provide online privacy policy or a notice of policies; requiring businesses to designate and make available methods for submitting verifiable consumer request for certain information; requiring businesses receiving verifiable consumer requests reasonably verify identity of requesting consumer; requiring businesses disclose required information within a certain period; requiring businesses using de-identified information not re-identify or attempt to re-identify certain consumers; requiring permission; prohibiting discrimination against consumers for exercise of rights; authorizing businesses to offer financial incentives to consumers for collection, sale or disclosure of personal information; prohibiting division of single transactions; requiring employee training with respect to consumer inquiries; requiring disclosure of certain rights, requirements and information; providing civil penalties; authorizing Oklahoma Attorney General to take certain actions based on violations; authorizing Attorney General to recover reasonable expenses incurred in obtaining injunctive relief or civil penalties; directing Attorney General to deposit collected penalties in a dedicated account in the General Revenue Fund; providing certain immunities; providing protections to service providers; providing for codification; and providing an effective date.

BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:

SECTION 1. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.1 of Title 17, unless there is created a duplication in numbering, reads as follows:

This act shall be known and may be cited as the "Oklahoma Computer Data Privacy Act".

SECTION 2. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.2 of Title 17, unless there is created a duplication in numbering, reads as follows:

As used in this act:

1. "Aggregate consumer information" means information that relates to a group or category of consumers from which individual consumer identities have been removed and that is not linked or reasonably linkable to a particular consumer or household, including through a device. The term does not include one or more individual consumer records that have been de-identified;
2. "Biometric information" means an individual's physiological, biological or behavioral characteristics that can be used, alone or in combination with other characteristics or other identifying data, to establish the individual's identity. The term includes:
a. an image of an iris, retina, fingerprint, face, hand, palm or vein pattern or a voice recording from which an identifier template can be extracted such as a faceprint, minutiae template or voiceprint,
b. keystroke patterns or rhythms,
c. gait patterns or rhythms, and
d. sleep, health or exercise data that contains identifying information;
3. "Business" means a for-profit entity, including a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of the entity's shareholders or other owners, but does not include Internet service providers so long as they are acting in their role as Internet service providers;
4. "Business purpose" means the use of personal information for:
a.
the following operational purposes of a business or service provider, provided that the use of the information is reasonably necessary and proportionate to achieve the operational purpose for which the information was collected or processed or another operational purpose that is compatible with the context in which the information was collected:
(1) auditing related to a current interaction with a consumer and any concurrent transactions, including counting ad impressions of unique visitors, verifying the positioning and quality of ad impressions, and auditing compliance with a specification or other standards for ad impressions,
(2) detecting a security incident, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for any illegal activity described by this division,
(3) identifying and repairing or removing errors that impair the intended functionality of computer hardware or software,
(4) using personal information in the short term or for a transient use, provided that the information is not:
(a) disclosed to a third party, and
(b) used to build a profile about a consumer or alter an individual consumer's experience outside of a current interaction with the consumer, including the contextual customization of an advertisement displayed as part of the same interaction,
(5) performing a service on behalf of the business or service provider, including:
(a) maintaining or servicing an account, providing customer service, processing or fulfilling an order or transaction, verifying customer information, processing a payment, providing financing, providing advertising or marketing services, or providing analytic services, or
(b) performing a service similar to a service described by subdivision (a) of this division on behalf of the business or service provider,
(6) undertaking internal research for technological development and demonstration,
(7) undertaking an activity to:
(a) verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for or controlled by the business, or
(b) improve, upgrade or enhance a service or device described by subdivision (a) of this division, or
(8) retention of employment data, or
b. another operational purpose for which notice is given under this act, but specifically excepting cross-context targeted advertising, unless the customer has opted in to the same;
5. "Collect" means to buy, rent, gather, obtain, receive or access the personal information of a consumer by any means, including by actively or passively receiving the information from the consumer or by observing the consumer's behavior;
6. "Commercial purpose" means a purpose that is intended to result in a profit or other tangible benefit or the advancement of a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, subscribe to, provide or exchange products, goods, property, information or services or by enabling or effecting, directly or indirectly, a commercial transaction. The term does not include the purpose of engaging in speech recognized by state or federal courts as noncommercial speech, including political speech and journalism;
7. "Consumer" means an individual who is a resident of this state;
8. "De-identified information" means information that cannot reasonably identify, relate to, describe, be associated with, or be linked to, directly or indirectly, a particular consumer;
9. "Device" means any physical object capable of connecting to the Internet, directly or indirectly, or to another device;
10. "Genetic Information" means any information, regardless of its format, that concerns a consumer's genetic characteristics. Genetic information includes, but is not limited to:
a.
raw sequence data that result from sequencing of a consumer's complete extracted or a portion of the extracted DNA,
b. genotypic and phenotypic information that results from analyzing the raw sequence data, and
c. self-reported health information that consumer submits to a company regarding the consumer's health conditions and that is used for scientific research or product development and analyzed in connection with the consumer's raw sequence data;
11. "Identifier" means data elements or other information that alone or in conjunction with other information can be used to identify a particular consumer, household or device that is linked to a particular consumer or household;
12. "Internet service provider" means a person who provides a mass-market retail service by wire or radio that provides the capability to transmit data and to receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operations of the service, excluding dial-up Internet access service;
13. "Person" means an individual, sole proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee and any other organization or group of persons acting in concert;
14. "Personal information" means information that identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household. The term includes the following categories of information if the information identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household:
a. an identifier, including a real name, alias, mailing address, account name, date of birth, driver license number, unique identifier, Social Security number, passport number, signature, telephone number or other government-issued identification number, or other similar identifier,
b. an online identifier, including an electronic mail address or Internet Protocol address, or other similar identifier,
c. a physical characteristic or description, including a characteristic of a protected classification under state or federal law,
d. commercial information, including:
(1) a record of personal property,
(2) a good or service purchased, obtained or considered,
(3) an insurance policy number, or
(4) other purchasing or consuming histories or tendencies,
e. biometric information and genetic information,
f. Internet or other electronic network activity information, including:
(1) browsing or search history, and
(2) other information regarding a consumer's interaction with an Internet website, application or advertisement,
g. geolocation data,
h. audio, electronic, visual, thermal, olfactory or other similar information,
i. professional or employment-related information,
j. education information that is not publicly available that includes personally identifiable information under the federal Family Educational Rights and Privacy Act of 1974,
k. financial information, including a financial institution account number, credit or debit card number, or password or access code associated with a credit or debit card or bank account,
l. medical information,
m. health insurance information, or
n. inferences drawn from any of the information listed under this paragraph to create a profile about a consumer that reflects the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities or aptitudes;
15. "Processing information" means performing any operation or set of operations on personal data or on sets of personal data, whether or not by automated means;
16. "Pseudonymize" or "pseudonymization" means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer;
17. "Publicly available information" means information that is lawfully made available to the public from federal, state or local government records or information received from widely distributed media or by the consumer in the public domain. The term does not include:
a. biometric information or genetic information of a consumer collected by a business without the consumer's knowledge or consent, or
b. de-identified or aggregate consumer information;
18. "Service provider" means a for-profit entity as described by paragraph 3 of this section that processes information on behalf of a business and to which the business discloses, for a business purpose, a consumer's personal information under a written contract, provided that the contract prohibits the entity receiving the information from retaining, using or disclosing the information for any purpose other than:
a. providing the services specified in the contract with the business, or
b. for a purpose permitted by this act, including for a commercial purpose other than providing those specified services;
19. "Third party" means a person who is not:
a. a business to which this act applies that collects personal information from consumers, or
b.
a person to whom the business discloses, for a business purpose, a consumer's personal information under a written contract, provided that the contract:
(1) prohibits the person receiving the information from:
(a) selling the information,
(b) retaining, using or disclosing the information for any purpose other than providing the services specified in the contract, including for a commercial purpose other than providing those services, and
(c) retaining, using or disclosing the information outside of the direct business relationship between the person and the business, and
(2) includes a certification made by the person receiving the personal information that the person understands and will comply with the prohibitions under division (1) of this subparagraph;
20. "Unique identifier" means a persistent identifier that can be used over time and across different services to recognize a consumer, a custodial parent or guardian, or any minor children over which the parent or guardian has custody, or a device that is linked to those individuals. The term includes:
a. a device identifier,
b. an Internet Protocol address,
c. a cookie, beacon, pixel tag, mobile ad identifier or similar technology,
d. a customer number, unique pseudonym or user alias,
e. a telephone number, and
f. another form of a persistent or probabilistic identifier that can be used to identify a particular consumer or device;
21. "Verifiable consumer request" means a request:
a. that is made by a consumer, a consumer on behalf of the consumer's minor child, or a natural person or person who is authorized by a consumer to act on the consumer's behalf, and
b. that a business can reasonably verify, in accordance with Section 19 of this act, was submitted by the consumer about whom the business has collected personal information; and
22. "Consent" means an act that clearly and conspicuously communicates the individual's authorization of an act or practice that is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting or impairing decision-making or choice to obtain consent.

SECTION 3. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.3 of Title 17, unless there is created a duplication in numbering, reads as follows:

A. This act applies only to:
1. A business that:
a. does business in this state,
b. collects consumers' personal information or has that information collected on the business's behalf,
c. alone or in conjunction with others, determines the purpose for and means of processing consumers' personal information, and
d. satisfies one or more of the following thresholds:
(1) has annual gross revenue in an amount that exceeds Fifteen Million Dollars ($15,000,000.00),
(2) alone or in combination with others, annually buys, sells or receives or shares for commercial purposes the personal information of fifty thousand or more consumers, households or devices, or
(3) derives twenty-five percent (25%) or more of the business's annual revenue from selling consumers' personal information; and
2. An entity that controls or is controlled by a business described by paragraph 1 of this subsection and that shares the same or substantially similar brand name and/or common database for consumers' personal information. For purposes of this paragraph, "control" means the:
a. ownership of, or power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a business,
b. control in any manner over the election of a majority of the directors or of individuals exercising similar functions, or
c. power to exercise a controlling influence over the management of a company.
B.
For purposes of this act, a business sells a consumer's personal information to another business or a third party if the business sells, rents, discloses, disseminates, makes available, transfers or otherwise communicates, orally, in writing, or by electronic or other means, the information to the other business or third party for monetary or other valuable consideration.
C. For purposes of this act, a business does not sell a consumer's personal information if:
1. The consumer directs the business to intentionally disclose the information or uses the business to intentionally interact with a third party, provided that the third party does not sell the information, unless that disclosure is consistent with this act; or
2. The business:
a. uses or shares an identifier of the consumer to alert a third party that the consumer has opted out of the sale of the information,
b. uses or shares with a service provider a consumer's personal information that is necessary to perform a business purpose if:
(1) the business provided notice that the information is being used or shared in the business's terms and conditions consistent with Sections 13 and 17 of this act, and
(2) the service provider does not further collect, sell or use the information except as necessary to perform the business purpose, or
c. transfers to a third party a consumer's personal information as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistent with this act.
D. For purposes of paragraph 1 of subsection C of this section, an intentional interaction occurs if the consumer does one or more deliberate acts with the intent to interact with a third party. Placing a cursor over, muting, pausing or closing online content does not constitute a consumer's intent to interact with a third party.
Instead, said deliberate act must be consent to such interaction as defined herein.

SECTION 4. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.4 of Title 17, unless there is created a duplication in numbering, reads as follows:

A. This act does not apply to:
1. Publicly available information;
2. Medical information governed by state privacy health laws or protected health information that is collected by a covered entity or business associate governed by the privacy, security and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5);
3. A provider of health care, or a health plan, governed by state privacy health laws or a covered entity governed by the privacy, security and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains, uses and discloses patient information in the same manner as medical information or protected health information as described in paragraph 2 of this subsection;
4.
A business associate of a covered entity governed by the privacy, security and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses and discloses patient information in the same manner as medical information or protected health information as described in paragraph 2 of this subsection;
5. Information that meets both of the following conditions:
a. is de-identified in accordance with the requirements for de-identification set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal Regulations, and
b. is derived from patient information that was originally collected, created, transmitted or maintained by an entity regulated by the Health Insurance Portability and Accountability Act of 1996 or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
Information that meets the requirements of subparagraph a or b of this paragraph but is subsequently re-identified shall no longer be eligible for the exemption in this paragraph and shall be subject to applicable federal and state data privacy and security laws, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 and state medical privacy laws;
6.
Information that is collected, used or disclosed in research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy and security rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonization, or human subject protection requirements of the United States Food and Drug Administration;
7. The sale of personal information to or by a consumer reporting agency if the information is to be:
a. reported in or used to generate a consumer report, as defined by Section 1681a(d) of the Fair Credit Reporting Act (15 U.S.C., Section 1681 et seq.), and
b. used solely for a purpose authorized under that act;
8. Personal information collected, processed, sold or disclosed in accordance with:
a. the federal Gramm-Leach-Bliley Act of 1999 (Public Law 106-102) and its implementing regulations, or
b. the federal Driver's Privacy Protection Act of 1994 (18 U.S.C., Section 2721 et seq.);
9. De-identified or aggregate consumer information; or
10. A consumer's personal information collected or sold by a business, if every aspect of the collection or sale occurred wholly outside of this state.
Provided further, nothing in this act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.
B. For the purposes of this section, a business or other person shall not re-identify, or attempt to re-identify, information that has met the requirements of paragraphs 2 through 6 of subsection A of this section, except for one or more of the following purposes:
1.
Treatment, payment or health care operations conducted by a covered entity or business associate acting on behalf of, and at the written direction of, the covered entity. For purposes of this paragraph, "treatment", "payment", "health care operations" and "covered entity" have the same meaning as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, and "business associate" has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations;
2. Public health activities or purposes as described in Section 164.512 of Title 45 of the Code of Federal Regulations;
3. Research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, that is conducted in accordance with Part 46 of Title 45 of the Code of Federal Regulations and the Federal Policy for the Protection of Human Subjects, also known as the Common Rule;
4. Pursuant to a contract where the lawful holder of the de-identified information expressly engages a person or entity to attempt to re-identify the de-identified information in order to conduct testing, analysis, or validation of de-identification, or related statistical techniques, if the contract bans any other use or disclosure of the re-identified information and requires the return or destruction of the information that was re-identified upon completion of the contract; and
5. If otherwise required by law.
C. In accordance with paragraphs 2 through 6 of subsection A of this section, information re-identified pursuant to this section shall be subject to applicable federal and state data privacy and security laws, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 and state health privacy laws.
D.
Beginning January 1, 2024, any contract for the sale or license of de-identified information that has met the requirements of paragraphs 2 through 6 of subsection A of this section, where one of the parties is a person residing or doing business in the state, shall include the following, or substantially similar, provisions:
1. A statement that the de-identified information being sold or licensed includes de-identified patient information;
2. A statement that re-identification, and attempted re-identification, of the de-identified information by the purchaser or licensee of the information is prohibited pursuant to this section; and
3. A requirement that, unless otherwise required by law, the purchaser or licensee of the de-identified information may not further disclose the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
E. For purposes of this section, "re-identify" means the process of reversal of de-identification techniques, including, but not limited to, the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage.
F. For purposes of paragraph 10 of subsection A of this section, the collection or sale of a consumer's personal information occurs wholly outside of this state if:
1. The business collects that information while the consumer is outside of this state;
2. No part of the sale of the information occurs in this state; and
3. The business does not sell any personal information of the consumer collected while the consumer is in this state.
G.
For purposes of subsection F of this section, the collection or sale of a consumer's personal information does not occur wholly outside of this state if a business stores a consumer's personal information, including on a device, when the consumer is in this state and subsequently collects or sells that stored information when the consumer and the information are outside of this state.
H. For purposes of this section, all of the following shall apply:
1. "Business associate" has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations;
2. "Covered entity" has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations;
3. "Identifiable private information" has the same meaning as defined in Section 46.102 of Title 45 of the Code of Federal Regulations;
4. "Individually identifiable health information" has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations;
5. "Medical information" means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment;
6. "Patient information" means identifiable private information, protected health information, individually identifiable health information, or medical information;
7. "Protected health information" has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations; and
8. "Provider of health care" means a person or entity that is a covered entity.

SECTION 5.
NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.5 of Title 17, unless there is created a duplication in numbering, reads as follows:

A right or obligation under this act does not apply to the extent that the exercise of the right or performance of the obligation infringes on a noncommercial activity of:
1. A publisher, editor, reporter or other person connected with or employed by a newspaper, magazine or other publication of general circulation, including a periodical, newsletter, pamphlet or report;
2. A radio or television station that holds a license issued by the Federal Communications Commission;
3. A nonprofit that provides programing to radio or television networks; or
4. An entity that provides an information service, including a press association or wire service.

SECTION 6. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.6 of Title 17, unless there is created a duplication in numbering, reads as follows:

This act does not:
1. Restrict a business's ability to:
a. comply with:
(1) applicable federal, state or local laws, or
(2) a civil, criminal or regulatory inquiry, investigation, subpoena or summons by a federal, state or local authority,
b. cooperate with a law enforcement agency concerning conduct or activity that the business, a service provider of the business or a third party reasonably and in good faith believes may violate other applicable federal, state or local laws,
c. pursue or defend against a legal claim,
d. detect a security incident; protect against malicious, deceptive, fraudulent or illegal activity; or prosecute those responsible for any illegal activity described by this paragraph, or
e. assist another party with any of the foregoing; or
2.
Require a business to violate an evidentiary privilege under federal or state law or prevent a business from disclosing to a person covered by an evidentiary privilege the personal information of a consumer as part of a privileged communication.

SECTION 7. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.7 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. This act shall be liberally construed to effect its purposes and to harmonize, to the extent possible, with other laws of this state relating to the privacy or protection of personal information.
B. To the extent of a conflict between a provision of this act and a provision of federal law, including a regulation or an interpretation of federal law, federal law controls and conflicting requirements or other provisions of this act do not apply. Further, should the federal government pass comprehensive data privacy regulations that conflict with the provisions herein, federal law shall prevail.
C. To the extent of a conflict between a provision of this act and another statute of this state with respect to the privacy or protection of consumers' personal information, the provision of law that affords the greatest privacy or protection to consumers prevails.

SECTION 8. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.8 of Title 17, unless there is created a duplication in numbering, reads as follows:
This act preempts and supersedes any ordinance, order or rule adopted by a political subdivision of this state relating to the collection or sale by a business of a consumer's personal information.

SECTION 9. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.9 of Title 17, unless there is created a duplication in numbering, reads as follows:
Except as used in Section 4 of this act, for purposes of this act, "research" means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer's interactions with a business's service or device for other purposes must:
1. Be compatible with the business purpose for which the personal information was collected;
2. Be subsequently pseudonymized and de-identified, or de-identified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer;
3. Be made subject to technical safeguards that prohibit re-identification of the consumer to whom the information may pertain;
4. Be subject to business processes that specifically prohibit re-identification of the information;
5. Be made subject to business processes to prevent inadvertent release of de-identified information;
6. Be protected from any re-identification attempts;
7. Be used solely for research purposes that are compatible with the context in which the personal information was collected;
8. Not be used for any commercial purpose; and
9. Be subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.

SECTION 10. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.10 of Title 17, unless there is created a duplication in numbering, reads as follows:
A.
A consumer is entitled to request that a business that collects the consumer's personal information disclose to the consumer the categories and specific items of personal information the business has collected.
B. To receive the disclosure of information under subsection A of this section, a consumer must submit to the business a verifiable consumer request using a method designated by the business under Section 18 of this act.
C. On receipt of a verifiable consumer request under this section, a business shall disclose to the consumer in the time and manner provided by Section 20 of this act:
1. Each enumerated category and item within each category of personal information under paragraph 14 of Section 2 of this act that the business collected about the consumer during the twelve (12) months preceding the date of the request;
2. Each category of sources from which the information was collected;
3. The business or commercial purpose for collecting or selling the personal information; and
4. Each category of third parties with whom the business shares the personal information.
D. This section does not require a business to:
1. Retain a consumer's personal information that was collected for a one-time transaction if the information is not sold or retained in the ordinary course of business; or
2. Re-identify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

SECTION 11. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.11 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A consumer is entitled to request that a business that collects the consumer's personal information delete any personal information the business has collected from the consumer by submitting a verifiable consumer request using a method designated by the business under Section 18 of this act.
B.
Except as provided by subsection C of this section, on receipt of a verifiable consumer request under this section, a business shall delete from the business's records any personal information collected from the consumer and direct a service provider of the business to delete the information from the provider's records in the time provided for in Section 20 of this act.
C. A business or service provider of the business is not required to comply with a verifiable consumer request received under this section if the business or service provider needs to retain the consumer's personal information to:
1. Complete the transaction for which the information was collected;
2. Provide a good or service requested by the consumer in the context of the ongoing business relationship between the business and consumer;
3. Perform under a contract between the business and the consumer;
4. Detect a security incident; protect against malicious, deceptive, fraudulent or illegal activity; or prosecute those responsible for any illegal activity described by this paragraph;
5. Identify and repair or remove errors from computer hardware or software that impair its intended functionality;
6. Exercise free speech or ensure the right of another consumer to exercise the right of free speech or another right afforded by law;
7. Comply with a court order or subpoena or other lawful process; or
8. Engage in public or peer-reviewed scientific, historical or statistical research that is in the public interest and that adheres to all other applicable ethics and privacy laws, provided that:
a. the business's deletion of the information is likely to render impossible or seriously impair the achievement of that research, and
b. the consumer has previously provided to the business informed consent to retain the information for such use.
D.
Where a business, service provider or third party has made a consumer's personal information public, said business, service provider or third party shall:
1. Take all reasonable steps, including technical measures, to erase the personal information that the business, service provider or third party made public, taking into account available technology and the cost of implementation; and
2. Advise any other business, service provider or third party with whom a contract regarding the consumer exists that the consumer has requested the erasure of any links to, copies of or replication of that personal information.

SECTION 12. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.12 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A consumer is entitled to request that a business that sells, or discloses for a business purpose, the consumer's personal information disclose to the consumer:
1. The categories of personal information the business collected about the consumer;
2. The categories of personal information about the consumer the business sold, or disclosed for a business purpose; and
3. The categories of third parties to whom the personal information was sold or disclosed.
B. To receive the disclosure of information under subsection A of this section, a consumer must submit to the business a verifiable consumer request using a method designated by the business under Section 18 of this act.
C. On receipt of a verifiable consumer request under this section, a business shall disclose to the consumer in the time and manner provided by Section 20 of this act:
1. Each enumerated category of personal information under paragraph 14 of Section 2 of this act that the business collected about the consumer during the twelve (12) months preceding the date of the request;
2.
The categories of third parties to whom the business sold the consumer's personal information during the twelve (12) months preceding the date of the request by reference to each enumerated category of information under paragraph 14 of Section 2 of this act sold to each third party; and
3. The categories of third parties to whom the business disclosed for a business purpose the consumer's personal information during the twelve (12) months preceding the date of the request by reference to each enumerated category of information under paragraph 14 of Section 2 of this act disclosed to each third party.
D. A business shall provide the information described by paragraphs 2 and 3 of subsection C of this section in two separate lists.
E. A business that did not sell, or disclose for a business purpose, the consumer's personal information during the twelve (12) months preceding the date of receiving the consumer's verifiable consumer request under this section shall disclose that fact to the consumer.

SECTION 13. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.13 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A consumer is entitled at any time to opt out of the sale of the consumer's personal information by a business to third parties by directing the business not to sell the information. A consumer may authorize another person solely to opt out of the sale of the consumer's personal information on the consumer's behalf. A business shall comply with a direction not to sell that is received under this subsection.
B. To exercise the right to opt out specified in subsection A of this section, a consumer shall submit to the business a verifiable consumer request using a method designated by the business under Section 18 of this act.
C.
A business that sells consumers' personal information to a third party shall provide on the business's Internet website:
1. Notice to consumers that:
a. the information may be sold,
b. identifies the categories of persons to whom the information will or could be sold, and
c. consumers have the right to opt in to the sale via consent; and
2. A clear and conspicuous link that enables a consumer, or person authorized by the consumer, to consent to the sale of the consumer's personal information.
D. A business may not sell to a third party the personal information of a consumer who does not consent to the sale of that information after the effective date of this act or after a consumer submits a verifiable request to opt out of any future sale.
E. A business may use any personal information collected from the consumer in connection with the consumer's opting out under this section solely to comply with this section.
F. A third party to whom a business has sold the personal information of a consumer may not sell the information unless the consumer receives explicit notice of the potential sale and is provided the opportunity to, and in fact does, consent to the sale as provided by this section.
G. A business may not require a consumer to create an account with the business to opt in to the sale of the consumer's personal information.
H. A business or service provider shall implement and maintain reasonable security procedures and practices, including administrative, physical and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used, to protect consumers' personal information from unauthorized use, disclosure, access, destruction or modification, irrespective of whether a customer has consented to opt in or out of a sale of data.

SECTION 14.
NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.14 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. The Legislature of the State of Oklahoma finds that individuals within Oklahoma have a right to prohibit retention, use or disclosure of their own personal data.
B. The Legislature of the State of Oklahoma further finds that individuals within Oklahoma have previously been exploited for monetary gain and manipulation by private ventures in utilization of private data.
C. The Legislature of the State of Oklahoma further finds that the protection of individuals within Oklahoma and their data is a core governmental function in order to protect the health, safety and welfare of individuals within Oklahoma.
D. The Legislature of the State of Oklahoma further finds that the terms and conditions set forth in this act are the least restrictive alternative necessary to protect individuals within Oklahoma and their rights and that the use of a strictly "opt-out" method for data privacy is ineffectual and poses an immediate risk to the health, safety and welfare of individuals within Oklahoma.

SECTION 15. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.15 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A provision of a contract or other agreement that purports to waive or limit a right, remedy or means of enforcement under this act is contrary to public policy and is void.
B. This section does not prevent a consumer from:
1. Declining to request information from a business;
2. Declining to consent to a business's sale of the consumer's personal information; or
3. Authorizing a business to sell the consumer's personal information after previously opting out.

SECTION 16.
NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.16 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. After the effective date of this act, a business shall not collect a consumer's personal information directly from the consumer prior to notifying the consumer of each category of personal information to be collected and for what purposes information will be used, as well as obtaining the consumer's consent to opt in to collection, which may be provided electronically by the consumer, to collect a consumer's personal information.
B. A business may not collect an additional category of personal information directly from the consumer or use personal information collected for an additional purpose unless the business provides notice to the consumer of the additional category or purpose in accordance with subsection A of this section.
C. If a third party that assumes control of all or part of a business as described by subparagraph c of paragraph 2 of subsection C of Section 3 of this act materially alters the practices of the business in how personal information is used or shared, and the practices are materially inconsistent with a notice provided to a consumer under subsection A or B of this section, the third party must notify the consumer of the third party's new or changed practices in a conspicuous manner that allows the consumer to easily exercise a right provided under this act before the third-party collector uses or shares the personal information.
D. Subsection C of this section does not authorize a business to make a material, retroactive change or other change to a business's privacy policy in a manner that would be a deceptive trade practice actionable under Oklahoma law.

SECTION 17. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.17 of Title 17, unless there is created a duplication in numbering, reads as follows:
A.
A business that collects, sells or for a business purpose discloses a consumer's personal information shall disclose the following information in the business's online privacy policy or other notice of the business's policies:
1. A description of a consumer's rights under Sections 10, 11, 12, 13 and 16 of this act and designated methods for submitting a verifiable consumer request under this act;
2. For a business that collects personal information about consumers, a description of the consumer's right to request the deletion of the consumer's personal information;
3. Separate lists containing the categories of consumers' personal information described by paragraph 14 of Section 2 of this act that, during the twelve (12) months preceding the date the business updated the information as required by subsection C of this section, the business:
a. collected,
b. sold, if applicable, or
c. disclosed for a business purpose, if applicable;
4. The categories of sources from which the information under paragraph 3 of this subsection is collected;
5. The business or commercial purposes for collecting personal information;
6. If the business does not sell consumers' personal information or disclose the information for a business or commercial purpose, a statement of that fact;
7. The categories of third parties to whom the business sells or discloses personal information;
8. If the business sells consumers' personal information, the Internet link required by subsection C of Section 13 of this act; and
9. If applicable, the financial incentives offered to consumers under Section 23 of this act.
B.
If a business described by subsection A of this section does not have an online privacy policy or other notice of the business's policies, the business shall make the information required under subsection A of this section available to consumers on the business's Internet website or another website the business maintains that is dedicated to consumers in this state.
C. A business must update the information required by subsection A of this section at least once each year.

SECTION 18. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.18 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A business shall designate and make available to consumers, in a form that is reasonably accessible, at least two methods for submitting a verifiable consumer request for information required to be disclosed or deleted under this act. The methods must include, at a minimum:
1. A toll-free telephone number that a consumer may call to submit the request; and
2. The business's Internet website at which the consumer may submit the request.
B. The methods designated under subsection A of this section may also include:
1. A mailing address;
2. An electronic mail address; or
3. Another Internet webpage or portal.
C. A business may not require a consumer to create an account with the business to submit a verifiable consumer request.

SECTION 19. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.19 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A business that receives a verifiable consumer request under Section 10, 11, 12 or 13 of this act shall promptly take steps to reasonably verify that:
1. The consumer who is the subject of the request is a consumer about whom the business has collected, sold, or for a business purpose disclosed personal information; and
2. The request is made by:
a.
the consumer,
b. a consumer on behalf of the consumer's minor child, or
c. a person authorized to act on the consumer's behalf.
B. A business may use any personal information collected from the consumer in connection with the business's verification of a request under this section solely to verify the request.
C. A business that is unable to verify a consumer request under this section is not required to comply with the request.

SECTION 20. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.20 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. Not later than forty-five (45) days after the date a business receives a verifiable consumer request under Section 10, 11, 12 or 13 of this act, the business shall disclose free of charge to the consumer the information required to be disclosed under those sections or take the requested actions, as applicable.
B. A business may extend the time in which to comply with subsection A of this section once by an additional forty-five (45) days if reasonably necessary or by an additional ninety (90) days after taking into account the number and complexity of verifiable consumer requests received by the business. A business that extends the time in which to comply with subsection A of this section shall notify the consumer of the extension and reason for the delay within the period prescribed by that subsection.
C. The disclosure required by subsection A of this section must:
1. Cover personal information collected, sold or disclosed for a business purpose, as applicable, during the twelve (12) months preceding the date the business receives the request; and
2. Be made in writing and delivered to the consumer:
a. by mail or electronically, at the consumer's option, if the consumer does not have an account with the business, or
b. through the consumer's account with the business.
D.
An electronic disclosure under subsection C of this section must be in a readily accessible format that allows the consumer to electronically transmit the information to another person or entity.
E. A business is not required to make the disclosure required by subsection A of this section to the same consumer more than once in a twelve-month period.
F. Notwithstanding subsection A of this section, if a consumer's verifiable consumer request is manifestly baseless or excessive, in particular because of repetitiveness, a business may charge a reasonable fee after taking into account the administrative costs of compliance or refusal to comply with the request. The business has the burden of demonstrating that a request is manifestly baseless or excessive.
G. A business that does not comply with a consumer's verifiable consumer request under subsection A of this section shall notify the consumer, within the time the business is required to respond to a request under this section, of the reasons for the refusal and the rights the consumer may have to appeal that decision.

SECTION 21. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.21 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A business that uses de-identified information may not re-identify or attempt to re-identify a consumer who is the subject of de-identified information without obtaining the consumer's consent or authorization.
B. A business that uses de-identified information shall implement:
1. Technical safeguards and business processes to prohibit re-identification of the consumer to whom the information may pertain; and
2. Business processes to prevent inadvertent release of de-identified information.
C.
This act may not be construed to require a business to re-identify or otherwise link information that is not maintained in a manner that would be considered personal information.

SECTION 22. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.22 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A business may not discriminate against a consumer because the consumer exercised a right under this act, including by:
1. Denying a good or service to the consumer;
2. Charging the consumer a different price or rate for a good or service, including denying the use of a discount or other benefit or imposing a penalty;
3. Providing a different level or quality of a good or service to the consumer; or
4. Suggesting that the consumer will be charged a different price or rate for, or provided a different level or quality of, a good or service.
B. This section does not prohibit a business from offering or charging a consumer a different price or rate for a good or service, or offering or providing to the consumer a different level or quality of a good or service, if the difference is reasonably related to the value provided to the consumer by the consumer's data.

SECTION 23. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.23 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. Subject to subsection B of this section, a business may offer a financial incentive to a consumer, including a payment as compensation, for the collection, sale or disclosure of the consumer's personal information.
B. A business may enroll a customer in a financial incentive program only if the business provides to the consumer a clear description of the material terms of the program and obtains the consumer's prior opt-in consent, which:
1. Contains a clear description of those material terms; and
2.
May be revoked by the consumer at any time.
C. A business may not use financial incentive practices that are unjust, unreasonable, coercive or usurious in nature.

SECTION 24. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.24 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A business may not divide a single transaction into more than one transaction with the intent to avoid the requirements of this act.
B. For purposes of this act, two or more substantially similar or related transactions are considered a single transaction if the transactions:
1. Are entered into contemporaneously; and
2. Have at least one common party.
C. A court shall disregard any intermediate transactions conducted by a business with the intent to avoid the requirements of this act, including the disclosure of information by a business to a third party to avoid complying with the requirements under this act applicable to a sale of the information.

SECTION 25. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.25 of Title 17, unless there is created a duplication in numbering, reads as follows:
A business shall ensure that each person responsible for handling consumer inquiries about the business's privacy practices or compliance with this act is informed of the requirements of this act and of how to direct a consumer in exercising any of the rights to which a consumer is entitled under this act.

SECTION 26. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.26 of Title 17, unless there is created a duplication in numbering, reads as follows:
A. A person who violates this act is liable to this state for injunctive relief and/or a civil penalty in an amount not to exceed:
1. Two Thousand Five Hundred Dollars ($2,500.00) for each violation; or
2.
Seven Thousand Five Hundred Dollars ($7,500.00) for each violation, if the violation is intentional.
B. The Oklahoma Attorney General is entitled to recover reasonable expenses, including reasonable attorney fees, court costs and investigatory costs, incurred in obtaining injunctive relief or civil penalties, or both, under this section. Amounts collected under this section shall be deposited in a dedicated account in the General Revenue Fund and shall be appropriated only for the purposes of the administration and enforcement of this act.

SECTION 27. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.27 of Title 17, unless there is created a duplication in numbering, reads as follows:
A business that discloses to a third party, or discloses for a business purpose to a service provider, a consumer's personal information in compliance with this act may not be held liable for a violation of this act by the third party or service provider if the business does not have actual knowledge or a reasonable belief that the third party or service provider intends to violate this act.

SECTION 28. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.28 of Title 17, unless there is created a duplication in numbering, reads as follows:
A business's service provider may not be held liable for a violation of this act by the business.

SECTION 29. This act shall become effective January 1, 2024.

59-1-5039 MJ 11/01/22