OK
Oklahoma House Bill HB1030

Oklahoma 2023 Regular Session

Oklahoma House Bill HB1030 Compare Versions

OldNewDifferences
11
22
3-ENGR. H. B. NO. 1030 Page 1 1
4-2
5-3
6-4
7-5
8-6
9-7
10-8
11-9
12-10
13-11
14-12
15-13
16-14
17-15
18-16
19-17
20-18
21-19
22-20
23-21
24-22
25-23
26-24
27-
28-ENGROSSED HOUSE
29-BILL NO. 1030 By: West (Josh), Pae, Fugate,
30-Alonso-Sandoval, and Sims
31-of the House
32-
33- and
34-
35- Howard of the Senate
36-
37-
38-
39-
40-
41-
42-An Act relating to privacy of computer data;
43-enacting the Oklahoma Computer Data Privacy Act;
44-defining terms; providing for applicability of act
45-to certain businesses that collect consumers '
46-personal information; providing exemptions;
47-prescribing complian ce with other laws and legal
48-proceedings; requiri ng act to be liberally
49-construed to align its effects with other laws
50-relating to privacy and protection of personal
51-information; providing for controlling effect of
52-federal law; providing for construction in event of
53-conflict with state law; providing for controlling
54-effect of law which provides greatest privacy or
55-protection to consumers; providing for preemption
56-of local law; providing consumers right to request
57-disclosure of certain information; providin g
58-consumers right to request deletion of certain
59-information; providing consumers the right to
60-request and receive a disclosure of personal
61-information sold or disclosed; providing consumers
62-right to opt in and out of the sale of personal
63-information; making legislative findings; providing
64-contracts or other agreement s purporting to waive
65-or limit a right, remedy o r means of enforcement
66-contrary to public policy; requiring businesses
67-collecting consumer data information inform
68-consumer of certain information collected;
3+HB1030 HFLR Page 1
4+BOLD FACE denotes Committee Amendments. 1
5+2
6+3
7+4
8+5
9+6
10+7
11+8
12+9
13+10
14+11
15+12
16+13
17+14
18+15
19+16
20+17
21+18
22+19
23+20
24+21
25+22
26+23
27+24
28+
29+HOUSE OF REPRESENTATIVES - FLOOR VERSION
30+
31+STATE OF OKLAHOMA
32+
33+1st Session of the 59th Legislature (2023)
34+
35+HOUSE BILL 1030 By: West (Josh) and Pae
36+
37+
38+
39+
40+
41+AS INTRODUCED
42+
43+An Act relating to privacy of computer data; enacting
44+the Oklahoma Computer Data Privacy Act; defining
45+terms; providing for applicability of act to certain
46+businesses that collect consumers ' personal
47+information; providing exemptions; prescribing
48+compliance with other laws and legal proceedings;
49+requiring act to be liberally constru ed to align its
50+effects with other laws relating t o privacy and
51+protection of personal information; providing for
52+controlling effect of federal law; providing for
53+construction in event of conflict with state law;
54+providing for controlling effect of law which
55+provides greatest privacy or protection to consumers;
56+providing for preemption of l ocal law; providing
57+consumers right to request disclosure of certain
58+information; providin g consumers right to request
59+deletion of certain information; providing consumers
60+the right to request and receive a disclosure of
61+personal information sold or disclosed; providing
62+consumers right to opt in and out of the sale of
63+personal information; making legislative findings;
64+providing contracts or other agreement s purporting to
65+waive or limit a right, remedy or mean s of
66+enforcement contrary to public policy; requiring
67+businesses collecting consumer data information
68+inform consumer of certain information collected;
6969 prescribing required content of disclosures;
7070 requiring consumer consent; requiring business es to
7171 provide online privacy policy or a notice of
72-policies; requiring business es to designate and
73-make available methods for submitting verifiable
74-consumer request for certain information; requiring
75-
76-ENGR. H. B. NO. 1030 Page 2 1
77-2
78-3
79-4
80-5
81-6
82-7
83-8
84-9
85-10
86-11
87-12
88-13
89-14
90-15
91-16
92-17
93-18
94-19
95-20
96-21
97-22
98-23
99-24
100-
101-businesses receiving verifiable consumer requests
102-reasonably verify identity of requesting consumer;
103-requiring businesses disclose required information
104-within a certain period; requiring businesses using
105-de-identified information not re-identify or
106-attempt to re-identify certain consumers; requiring
107-permission; prohibiting discrimination against
108-consumers for exercise of rights; authorizing
109-businesses to offer financial incentives to
110-consumers for collection, sale or disclosure of
111-personal information; pro hibiting division of
112-single transactions; requiring employee training
113-with respect to consumer inquiries; requiring
114-disclosure of certain rights, requirements and
115-information; providing civil penalties; authorizing
116-Oklahoma Attorney General to take certain actions
117-based on violations; authorizing Attorney General
118-to recover reasonable expenses incurred in
119-obtaining injunctive relief or civil pena lties;
120-directing Attorney General to deposit collected
121-penalties in a dedicated account in the General
122-Revenue Fund; providing certain immunities;
123-providing protections to servi ce providers;
124-providing for codification; and prov iding an
125-effective date.
72+policies; requiring business es to designate and make
73+available methods for submitting verifiable consumer
74+request for certain information; requiring businesses
75+receiving verifiable consumer requests reasonably
76+
77+HB1030 HFLR Page 2
78+BOLD FACE denotes Committee Amendments. 1
79+2
80+3
81+4
82+5
83+6
84+7
85+8
86+9
87+10
88+11
89+12
90+13
91+14
92+15
93+16
94+17
95+18
96+19
97+20
98+21
99+22
100+23
101+24
102+
103+verify identity of requesting consumer; requiring
104+businesses disclose required information within a
105+certain period; requiring businesses using de-
106+identified information not re-identify or attempt to
107+re-identify certain consumers; requiring permission;
108+prohibiting discrimin ation against consumers for
109+exercise of rights; authorizing businesses to offer
110+financial incentives to consumers for collection,
111+sale or disclosure of personal information;
112+prohibiting division of single transactions;
113+requiring employee training with respect to consumer
114+inquiries; requiring disclosure of c ertain rights,
115+requirements and informa tion; providing civil
116+penalties; authorizing Oklahoma Attorney General to
117+take certain actions based on violations; authorizing
118+Attorney General to recover reasonable expenses
119+incurred in obtaining injunc tive relief or civil
120+penalties; directing Attorney General to deposit
121+collected penalties in a dedicated account in the
122+General Revenue Fund; providing certain immunities;
123+providing protections to service providers; providing
124+for codification; and prov iding an effective date.
125+
126126
127127
128128
129129
130130
131131 BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
132132 SECTION 1. NEW LAW A new section of law to be codified
133133 in the Oklahoma Statutes as Section 901.1 of Ti tle 17, unless there
134134 is created a duplication i n numbering, reads a s follows:
135135 This act shall be known and may be cited as the "Oklahoma
136136 Computer Data Privacy Act ".
137137 SECTION 2. NEW LAW A new sect ion of law to be codified
138138 in the Oklahoma Statutes as Section 901.2 of Title 17, unles s there
139139 is created a duplication in numbering, reads as follows:
140-
141-ENGR. H. B. NO. 1030 Page 3 1
142-2
143-3
144-4
145-5
146-6
147-7
148-8
149-9
150-10
151-11
152-12
153-13
154-14
155-15
156-16
157-17
158-18
159-19
160-20
161-21
162-22
163-23
164-24
165-
166140 As used in this act:
141+
142+HB1030 HFLR Page 3
143+BOLD FACE denotes Committee Amendments. 1
144+2
145+3
146+4
147+5
148+6
149+7
150+8
151+9
152+10
153+11
154+12
155+13
156+14
157+15
158+16
159+17
160+18
161+19
162+20
163+21
164+22
165+23
166+24
167+
167168 1. "Aggregate consumer information " means information that
168169 relates to a group or ca tegory of consumers from which individu al
169170 consumer identities have been removed and th at is not linked or
170171 reasonably linkable to a particular consumer or household, including
171172 through a device. The term does not include one or more individual
172173 consumer records that have been de -identified;
173174 2. "Biometric information" means an individual's physiological,
174175 biological or behavioral characteristics that can be used, alone or
175176 in combination with other characteristics or other identifying data,
176177 to establish the ind ividual's identity. The term includes:
177178 a. an image of an iris, retina, fingerprint, face, hand,
178179 palm or vein pattern or a voice recording f rom which
179180 an identifier template can be extracted such as a
180181 faceprint, minutiae template or voiceprint,
181182 b. keystroke patterns or rhythms,
182183 c. gait patterns or rhythms, and
183184 d. sleep, health or exercise data that contains
184185 identifying information;
185186 3. "Business" means a for-profit entity, including a sole
186187 proprietorship, partnership, limited liability company, cor poration,
187188 association or other legal entity that is organized or operated for
188189 the profit or financial benefit of the entity's shareholders or
189-
190-ENGR. H. B. NO. 1030 Page 4 1
191-2
192-3
193-4
194-5
195-6
196-7
197-8
198-9
199-10
200-11
201-12
202-13
203-14
204-15
205-16
206-17
207-18
208-19
209-20
210-21
211-22
212-23
213-24
214-
215190 other owners, but does not include Internet service providers so
216191 long as they are acting in their role as I nternet service providers;
192+
193+HB1030 HFLR Page 4
194+BOLD FACE denotes Committee Amendments. 1
195+2
196+3
197+4
198+5
199+6
200+7
201+8
202+9
203+10
204+11
205+12
206+13
207+14
208+15
209+16
210+17
211+18
212+19
213+20
214+21
215+22
216+23
217+24
218+
217219 4. "Business purpose" means the use of personal information
218220 for:
219221 a. the following operational purposes of a business or
220222 service provider, provided that the use of the
221223 information is reasonably necessary and proportionate
222224 to achieve the operation al purpose for which th e
223225 information was collected or processed or another
224226 operational purpose that is compatible with the
225227 context in which the information was collected:
226228 (1) auditing related to a current interaction with a
227229 consumer and any concurrent tran sactions,
228230 including counting ad impressions of unique
229231 visitors, verifying the positioning a nd quality
230232 of ad impressions, and auditing compli ance with a
231233 specification or other standards for ad
232234 impressions,
233235 (2) detecting a security incident, protecting again st
234236 malicious, deceptive, fraudulent or illegal
235237 activity, and prosecuting those responsible for
236238 any illegal activity described by this division,
237-
238-ENGR. H. B. NO. 1030 Page 5 1
239-2
240-3
241-4
242-5
243-6
244-7
245-8
246-9
247-10
248-11
249-12
250-13
251-14
252-15
253-16
254-17
255-18
256-19
257-20
258-21
259-22
260-23
261-24
262-
263239 (3) identifying and repairing or removing errors that
264240 impair the intended functionality of computer
265241 hardware or software,
242+
243+HB1030 HFLR Page 5
244+BOLD FACE denotes Committee Amendments. 1
245+2
246+3
247+4
248+5
249+6
250+7
251+8
252+9
253+10
254+11
255+12
256+13
257+14
258+15
259+16
260+17
261+18
262+19
263+20
264+21
265+22
266+23
267+24
268+
266269 (4) using personal information in the short term or
267270 for a transient use, provided that the
268271 information is not:
269272 (a) disclosed to a third party, and
270273 (b) used to build a profile about a consumer or
271274 alter an individual consumer 's experience
272275 outside of a current interaction with the
273276 consumer, including the contextual
274277 customization of an adv ertisement displayed
275278 as part of the same interact ion,
276279 (5) performing a service on behalf of the business or
277280 service provider, including:
278281 (a) maintaining or servicing an account,
279282 providing customer service, processing or
280283 fulfilling an order or transactio n,
281284 verifying customer information, processing a
282285 payment, providing financing, providing
283286 advertising or marketing services, or
284287 providing analytic services, or
285288 (b) performing a service simil ar to a service
286289 described by subdivision (a) of this
287-
288-ENGR. H. B. NO. 1030 Page 6 1
289-2
290-3
291-4
292-5
293-6
294-7
295-8
296-9
297-10
298-11
299-12
300-13
301-14
302-15
303-16
304-17
305-18
306-19
307-20
308-21
309-22
310-23
311-24
312-
313290 division on behalf of the business or
314291 service provider,
292+
293+HB1030 HFLR Page 6
294+BOLD FACE denotes Committee Amendments. 1
295+2
296+3
297+4
298+5
299+6
300+7
301+8
302+9
303+10
304+11
305+12
306+13
307+14
308+15
309+16
310+17
311+18
312+19
313+20
314+21
315+22
316+23
317+24
318+
315319 (6) undertaking internal research for technological
316320 development and demonstration,
317321 (7) undertaking an activity to:
318322 (a) verify or maintain the quali ty or safety of
319323 a service or device that is owned by,
320324 manufactured by, manufactured for or
321325 controlled by the business , or
322326 (b) improve, upgrade or enhance a service or
323327 device described by subdivision (a) of this
324328 division, or
325329 (8) retention of employment data, or
326330 b. another operational purpose for which notice is given
327331 under this act, but specifically excepting cross-
328332 context targeted advertising, unless the customer has
329333 opted in to the same ;
330334 5. "Collect" means to buy, rent, gather, obtain, receive or
331335 access the personal information of a consumer by any means,
332336 including by actively or passively receiving the information from
333337 the consumer or by observing the consumer's behavior;
334338 6. "Commercial purpose" means a purpose that is intended to
335339 result in a profit or o ther tangible benefit or the advancement of a
336340 person's commercial or economic interests, such as by inducing
337-
338-ENGR. H. B. NO. 1030 Page 7 1
339-2
340-3
341-4
342-5
343-6
344-7
345-8
346-9
347-10
348-11
349-12
350-13
351-14
352-15
353-16
354-17
355-18
356-19
357-20
358-21
359-22
360-23
361-24
362-
363341 another person to buy, rent, lease, subscribe to, provide or
364342 exchange products, goods, property, information or services or by
343+
344+HB1030 HFLR Page 7
345+BOLD FACE denotes Committee Amendments. 1
346+2
347+3
348+4
349+5
350+6
351+7
352+8
353+9
354+10
355+11
356+12
357+13
358+14
359+15
360+16
361+17
362+18
363+19
364+20
365+21
366+22
367+23
368+24
369+
365370 enabling or effectin g, directly or indirectly, a commercial
366371 transaction. The term does not include the purpose of engaging in
367372 speech recognized by state or federal courts as noncommercial
368373 speech, including political speech and journalism ;
369374 7. "Consumer" means an individual who is a resident of this
370375 state;
371376 8. "De-identified information " means information that cannot
372377 reasonably identify, re late to, describe, be associated with, or be
373378 linked to, directly or indirectly, a particular consumer ;
374379 9. "Device" means any physical obje ct capable of connecting to
375380 the Internet, directly or indirectly, o r to another device;
376381 10. "Genetic Information" mea ns any information, regardless of
377382 its format, that concern s a consumer's genetic characteristics.
378383 Genetic information includes, but is not limited to:
379384 a. raw sequence data that result from sequencing of a
380385 consumer's complete extracted or a portion of the
381386 extracted DNA,
382387 b. genotypic and phenotypic information that results from
383388 analyzing the raw sequenc e data, and
384389 c. self-reported health information that consu mer submits
385390 to a company regarding the consumer's hea lth
386391 conditions and that is used for scientific r esearch or
387-
388-ENGR. H. B. NO. 1030 Page 8 1
389-2
390-3
391-4
392-5
393-6
394-7
395-8
396-9
397-10
398-11
399-12
400-13
401-14
402-15
403-16
404-17
405-18
406-19
407-20
408-21
409-22
410-23
411-24
412-
413392 product development and analyzed in connection with
414393 the consumer's raw sequence data ;
394+
395+HB1030 HFLR Page 8
396+BOLD FACE denotes Committee Amendments. 1
397+2
398+3
399+4
400+5
401+6
402+7
403+8
404+9
405+10
406+11
407+12
408+13
409+14
410+15
411+16
412+17
413+18
414+19
415+20
416+21
417+22
418+23
419+24
420+
415421 11. "Identifier" means data elements or other information that
416422 alone or in conjunction with other information can be used to
417423 identify a particular consumer, h ousehold or device that is linked
418424 to a particular consumer or household;
419425 12. "Internet service provider" means a person who provides a
420426 mass-market retail service by wire or radio that provides the
421427 capability to transmit d ata and to receive data from all o r
422428 substantially all Internet endpoints, including any capabilities
423429 that are incidental to and enable the operations of the service,
424430 excluding dial-up Internet access service;
425431 13. "Person" means an individual, sole proprie torship, firm,
426432 partnership, joint venture, syndicate, business trust, company,
427433 corporation, limited liability company, association, committee and
428434 any other organization or gro up of persons acting in concert;
429435 14. "Personal information " means information th at identifies,
430436 relates to, describes, can be associated with or can reasonably be
431437 linked to, directly or indir ectly, a particular consumer or
432438 household. The term includes the following cat egories of
433439 information if the information identifies, relates to, d escribes,
434440 can be associated with or can reasonably be linked to, directly or
435441 indirectly, a particular consumer or household:
436-
437-ENGR. H. B. NO. 1030 Page 9 1
438-2
439-3
440-4
441-5
442-6
443-7
444-8
445-9
446-10
447-11
448-12
449-13
450-14
451-15
452-16
453-17
454-18
455-19
456-20
457-21
458-22
459-23
460-24
461-
462442 a. an identifier, including a real name, alias, mailing
463443 address, account name, date of birth, driver license
464444 number, unique identif ier, Social Security number,
445+
446+HB1030 HFLR Page 9
447+BOLD FACE denotes Committee Amendments. 1
448+2
449+3
450+4
451+5
452+6
453+7
454+8
455+9
456+10
457+11
458+12
459+13
460+14
461+15
462+16
463+17
464+18
465+19
466+20
467+21
468+22
469+23
470+24
471+
465472 passport number, signature, telephone number or other
466473 government-issued identification number, or other
467474 similar identifier,
468475 b. an online identifier, including a n electronic mail
469476 address or Internet Protocol address, or other si milar
470477 identifier,
471478 c. a physical characteristic or description, including a
472479 characteristic of a protected class ification under
473480 state or federal law,
474481 d. commercial information, including:
475482 (1) a record of personal property,
476483 (2) a good or service purchased, ob tained or
477484 considered,
478485 (3) an insurance policy number, or
479486 (4) other purchasing or consuming histories or
480487 tendencies,
481488 e. biometric information and genetic information,
482489 f. Internet or other el ectronic network activity
483490 information, including:
484491 (1) browsing or search history, and
485-
486-ENGR. H. B. NO. 1030 Page 10 1
487-2
488-3
489-4
490-5
491-6
492-7
493-8
494-9
495-10
496-11
497-12
498-13
499-14
500-15
501-16
502-17
503-18
504-19
505-20
506-21
507-22
508-23
509-24
510-
511492 (2) other information regarding a consumer's
512493 interaction with an Internet websi te, application
513494 or advertisement,
514495 g. geolocation data,
496+
497+HB1030 HFLR Page 10
498+BOLD FACE denotes Committee Amendments. 1
499+2
500+3
501+4
502+5
503+6
504+7
505+8
506+9
507+10
508+11
509+12
510+13
511+14
512+15
513+16
514+17
515+18
516+19
517+20
518+21
519+22
520+23
521+24
522+
515523 h. audio, electronic, visua l, thermal, olfactory or other
516524 similar information,
517525 i. professional or emplo yment-related information,
518526 j. education information that is not publicly available
519527 that includes personally identifiable information
520528 under the federal Family Educational Rights and
521529 Privacy Act of 1974,
522530 k. financial information, including a financial
523531 institution account number, credit or debit card
524532 number, or password or access code associated with a
525533 credit or debit card or bank account,
526534 l. medical information,
527535 m. health insurance information, or
528536 n. inferences drawn from any of the information listed
529537 under this paragraph to create a profile about a
530538 consumer that reflects the consumer's preferences,
531539 characteristics, psychological trends,
532540 predispositions, behavior, attitudes, intelligence,
533541 abilities or aptitudes;
534-
535-ENGR. H. B. NO. 1030 Page 11 1
536-2
537-3
538-4
539-5
540-6
541-7
542-8
543-9
544-10
545-11
546-12
547-13
548-14
549-15
550-16
551-17
552-18
553-19
554-20
555-21
556-22
557-23
558-24
559-
560542 15. "Processing information " means performing any oper ation or
561543 set of operations on personal da ta or on sets of personal data,
562544 whether or not by automated mean s;
563545 16. "Pseudonymize" or "pseudonymization" means the processing
564546 of personal information in a manner that renders the personal
547+
548+HB1030 HFLR Page 11
549+BOLD FACE denotes Committee Amendments. 1
550+2
551+3
552+4
553+5
554+6
555+7
556+8
557+9
558+10
559+11
560+12
561+13
562+14
563+15
564+16
565+17
566+18
567+19
568+20
569+21
570+22
571+23
572+24
573+
565574 information no longer a ttributable to a specific consumer withou t
566575 the use of additional information, provided that the additional
567576 information is kept separately and is subject to technical and
568577 organizational measures t o ensure that the personal information is
569578 not attributed to an identified or identifiable consumer ;
570579 17. "Publicly available information" means information that is
571580 lawfully made available to the public from federal, state or local
572581 government records or information received from widely distributed
573582 media or by the consumer in the public domain. The term does not
574583 include:
575584 a. biometric information or genetic information of a
576585 consumer collected by a business wit hout the
577586 consumer's knowledge or consent, or
578587 b. de-identified or aggregate consumer information;
579588 18. "Service provider" means a for-profit entity as described
580589 by paragraph 3 of this section that processes information on behalf
581590 of a business and to which t he business discloses, for a business
582591 purpose, a consumer's personal information under a written contract,
583592 provided that the contract prohibits the entity receiving the
584-
585-ENGR. H. B. NO. 1030 Page 12 1
586-2
587-3
588-4
589-5
590-6
591-7
592-8
593-9
594-10
595-11
596-12
597-13
598-14
599-15
600-16
601-17
602-18
603-19
604-20
605-21
606-22
607-23
608-24
609-
610593 information from retaining, using or disclosing the information for
611594 any purpose other than:
612595 a. providing the services specified in the co ntract with
613596 the business, or
597+
598+HB1030 HFLR Page 12
599+BOLD FACE denotes Committee Amendments. 1
600+2
601+3
602+4
603+5
604+6
605+7
606+8
607+9
608+10
609+11
610+12
611+13
612+14
613+15
614+16
615+17
616+18
617+19
618+20
619+21
620+22
621+23
622+24
623+
614624 b. for a purpose permitted by th is act, including for a
615625 commercial purpose other than providing those
616626 specified services;
617627 19. "Third party" means a person who is not:
618628 a. a business to which this act applies that collects
619629 personal information from consumers, or
620630 b. a person to whom the bu siness discloses, for a
621631 business purpose, a consumer's personal information
622632 under a written contract, provided that the contract:
623633 (1) prohibits the person receiving the information
624634 from:
625635 (a) selling the information,
626636 (b) retaining, using or disclosing the
627637 information for any purpose other than
628638 providing the services specified in the
629639 contract, including for a commercial purpose
630640 other than providing t hose services, and
631641 (c) retaining, using or disclosing the
632642 information outside of the direct business
633-
634-ENGR. H. B. NO. 1030 Page 13 1
635-2
636-3
637-4
638-5
639-6
640-7
641-8
642-9
643-10
644-11
645-12
646-13
647-14
648-15
649-16
650-17
651-18
652-19
653-20
654-21
655-22
656-23
657-24
658-
659643 relationship between the person and the
660644 business, and
661645 (2) includes a certification made by the person
662646 receiving the personal information that the
663647 person understands and will comply with the
648+
649+HB1030 HFLR Page 13
650+BOLD FACE denotes Committee Amendments. 1
651+2
652+3
653+4
654+5
655+6
656+7
657+8
658+9
659+10
660+11
661+12
662+13
663+14
664+15
665+16
666+17
667+18
668+19
669+20
670+21
671+22
672+23
673+24
674+
664675 prohibitions under division (1) of this
665676 subparagraph;
666677 20. "Unique identifier" means a persistent identifier that can
667678 be used over time and across different services to re cognize a
668679 consumer, a custodial parent or guardian , or any minor children over
669680 which the parent or g uardian has custody, or a device that is linked
670681 to those individuals. The term includes:
671682 a. a device identifier,
672683 b. an Internet Protocol address,
673684 c. a cookie, beacon, pixel tag, mobile ad id entifier or
674685 similar technology,
675686 d. a customer number, unique pseu donym or user alias,
676687 e. a telephone number, and
677688 f. another form of a persistent or probabilistic
678689 identifier that can be used to identify a particular
679690 consumer or device;
680691 21. "Verifiable consumer request " means a request:
681692 a. that is made by a consumer, a c onsumer on behalf of
682693 the consumer's minor child, or a natural person or
683-
684-ENGR. H. B. NO. 1030 Page 14 1
685-2
686-3
687-4
688-5
689-6
690-7
691-8
692-9
693-10
694-11
695-12
696-13
697-14
698-15
699-16
700-17
701-18
702-19
703-20
704-21
705-22
706-23
707-24
708-
709694 person who is authorized by a consumer to act on the
710695 consumer's behalf, and
711696 b. that a business can reasonably verify, in accordance
712697 with Section 19 of this act, was submitted by the
698+
699+HB1030 HFLR Page 14
700+BOLD FACE denotes Committee Amendments. 1
701+2
702+3
703+4
704+5
705+6
706+7
707+8
708+9
709+10
710+11
711+12
712+13
713+14
714+15
715+16
716+17
717+18
718+19
719+20
720+21
721+22
722+23
723+24
724+
713725 consumer about whom the business has collected
714726 personal information; and
715727 22. "Consent" means an act that clearly and conspicuously
716728 communicates the individua l's authorization of an act or pra ctice
717729 that is made in the absence of any mechanism in the user int erface
718730 that has the purpose or substantial effect of obscurin g, subverting
719731 or impairing decision-making or choice to obtain consent.
720732 SECTION 3. NEW LAW A new section of law to be cod ified
721733 in the Oklahoma Statutes as Section 901.3 of Title 17, unless there
722734 is created a duplication in numbering , reads as follows:
723735 A. This act applies only to:
724736 1. A business that:
725737 a. does business in this state,
726738 b. collects consumers' personal information or has that
727739 information collected on the busines s's behalf,
728740 c. alone or in conjunction with others, determine s the
729741 purpose for and means of processing consumers'
730742 personal information, and
731743 d. satisfies one or more of the following thresholds:
732-
733-ENGR. H. B. NO. 1030 Page 15 1
734-2
735-3
736-4
737-5
738-6
739-7
740-8
741-9
742-10
743-11
744-12
745-13
746-14
747-15
748-16
749-17
750-18
751-19
752-20
753-21
754-22
755-23
756-24
757-
758744 (1) has annual gross revenue in an amount that
759745 exceeds Fifteen Million Dollars ($15,000,000.00),
760746 (2) alone or in combinatio n with others, annually
761747 buys, sells or receives or shares for commercial
762748 purposes the personal information of fifty
749+
750+HB1030 HFLR Page 15
751+BOLD FACE denotes Committee Amendments. 1
752+2
753+3
754+4
755+5
756+6
757+7
758+8
759+9
760+10
761+11
762+12
763+13
764+14
765+15
766+16
767+17
768+18
769+19
770+20
771+21
772+22
773+23
774+24
775+
763776 thousand or more consumers, h ouseholds or
764777 devices, or
765778 (3) derives twenty-five percent (25%) or more of the
766779 business's annual revenue from se lling consumers'
767780 personal information; and
768781 2. An entity that controls or is controlled by a bu siness
769782 described by paragraph 1 of this subsection and that shares the same
770783 or substantially similar brand name and/or common database for
771784 consumers' personal information. For purposes of this paragraph,
772785 "control" means the:
773786 a. ownership of, or power to v ote, more than fifty
774787 percent (50%) of the outstand ing shares of any class
775788 of voting security of a bu siness,
776789 b. control in any manner over the election of a major ity
777790 of the directors or of individuals exercising similar
778791 functions, or
779792 c. power to exercise a controlling influence over the
780793 management of a company.
781-
782-ENGR. H. B. NO. 1030 Page 16 1
783-2
784-3
785-4
786-5
787-6
788-7
789-8
790-9
791-10
792-11
793-12
794-13
795-14
796-15
797-16
798-17
799-18
800-19
801-20
802-21
803-22
804-23
805-24
806-
807794 B. For purposes of this ac t, a business sells a consumer's
808795 personal information to another business or a third party if the
809796 business sells, rents, discloses, disseminates, makes available,
810797 transfers or otherwise communicates, orally, in writing, or by
811798 electronic or other means, the information to t he other business or
812799 third party for monetary or other valuab le consideration.
800+
801+HB1030 HFLR Page 16
802+BOLD FACE denotes Committee Amendments. 1
803+2
804+3
805+4
806+5
807+6
808+7
809+8
810+9
811+10
812+11
813+12
814+13
815+14
816+15
817+16
818+17
819+18
820+19
821+20
822+21
823+22
824+23
825+24
826+
813827 C. For purposes of this act, a business does not sell a
814828 consumer's personal information if:
815829 1. The consumer directs the busin ess to intentionally disclose
816830 the information or u ses the business to intentionally interact with
817831 a third party, provided that the third party does not sell the
818832 information, unless that disclosure is consistent with this act; or
819833 2. The business:
820834 a. uses or shares an identifier of the consumer to alert
821835 a third party that the consumer has opted out of the
822836 sale of the information,
823837 b. uses or shares with a service provider a consumer's
824838 personal information that is necessary to perform a
825839 business purpose if:
826840 (1) the business provided notice that the informatio n
827841 is being used or shared in the business 's terms
828842 and conditions consistent with Sections 13 and 17
829843 of this act, and
830-
831-ENGR. H. B. NO. 1030 Page 17 1
832-2
833-3
834-4
835-5
836-6
837-7
838-8
839-9
840-10
841-11
842-12
843-13
844-14
845-15
846-16
847-17
848-18
849-19
850-20
851-21
852-22
853-23
854-24
855-
856844 (2) the service provider does not further collect,
857845 sell or use the information except as necessary
858846 to perform the business purpose, or
859847 c. transfers to a third party a consumer 's personal
860848 information as an asset that is part of a merger,
861849 acquisition, bankruptcy or other transaction in which
862850 the third party assumes control of all or part of the
851+
852+HB1030 HFLR Page 17
853+BOLD FACE denotes Committee Amendments. 1
854+2
855+3
856+4
857+5
858+6
859+7
860+8
861+9
862+10
863+11
864+12
865+13
866+14
867+15
868+16
869+17
870+18
871+19
872+20
873+21
874+22
875+23
876+24
877+
863878 business, provided that information is used or sh ared
864879 consistent with this act.
865880 D. For purposes of paragraph 1 of subsection C of this section,
866881 an intentional interaction occurs if the consumer does one or more
867882 deliberate acts with the intent to interact with a third party.
868883 Placing a cursor over, muting , pausing or closing online content
869884 does not constitute a con sumer's intent to interact with a third
870885 party. Instead, said deliberate act must be consent to such
871886 interaction as defined herein.
872887 SECTION 4. NEW LAW A new section of law to be codified
873888 in the Oklahoma Statutes as Section 901.4 of Title 17, unless there
874889 is created a duplication in numbering, reads as follows:
875890 A. This act does not apply to:
876891 1. Publicly available informatio n;
877892 2. Medical information governed by state priva cy health laws or
878893 protected health information that is collec ted by a covered entity
879894 or business associate governed by the privacy, security and data
880-
881-ENGR. H. B. NO. 1030 Page 18 1
882-2
883-3
884-4
885-5
886-6
887-7
888-8
889-9
890-10
891-11
892-12
893-13
894-14
895-15
896-16
897-17
898-18
899-19
900-20
901-21
902-22
903-23
904-24
905-
906895 breach notification rules issued by the United States De partment of
907896 Health and Human Services, Parts 160 a nd 164 of Title 45 of the Code
908897 of Federal Regulations, establ ished pursuant to the federal Health
909898 Insurance Portability and Accountability Act of 1996 (Publ ic Law
910899 104-191) and the federal Health Information Technology for Economic
911900 and Clinical Health Act, Title XIII of the federal American Recovery
912901 and Reinvestment Act of 2009 (Public Law 111-5);
902+
903+HB1030 HFLR Page 18
904+BOLD FACE denotes Committee Amendments. 1
905+2
906+3
907+4
908+5
909+6
910+7
911+8
912+9
913+10
914+11
915+12
916+13
917+14
918+15
919+16
920+17
921+18
922+19
923+20
924+21
925+22
926+23
927+24
928+
913929 3. A provider of health care, or a health plan, governed by
914930 state privacy health laws or a covered entity go verned by the
915931 privacy, security and data breach notification rules issued by the
916932 United States Department of Health and Human Services, Parts 160 and
917933 164 of Title 45 of the Code of Federal Regulations, establis hed
918934 pursuant to the federal Health Insurance Porta bility and
919935 Accountability Act of 1996 (Public Law 104-191), to the extent the
920936 provider or covered entity mainta ins, uses and discloses patient
921937 information in the same manner as medical information or protec ted
922938 health information as described in paragraph 2 of this subsection;
923939 4. A business associate of a covered entity governed by the
924940 privacy, security and data breach notification rules issued by the
925941 United States Department of Health and Human Services, Pa rts 160 and
926942 164 of Title 45 of the Code of Federal Regulations, established
927943 pursuant to the federal Health Insurance Portability and
928944 Accountability Act of 1996 ( Public Law 104-191) and the federal
929945 Health Information Technology for Economic and Clinical Hea lth Act,
930-
931-ENGR. H. B. NO. 1030 Page 19 1
932-2
933-3
934-4
935-5
936-6
937-7
938-8
939-9
940-10
941-11
942-12
943-13
944-14
945-15
946-16
947-17
948-18
949-19
950-20
951-21
952-22
953-23
954-24
955-
956946 Title XIII of the federal American Recove ry and Reinvestment Act of
957947 2009 (Public Law 111 -5), to the extent that the business associate
958948 maintains, uses and discloses patient information in the same manner
959949 as medical information or protected health information as described
960950 in paragraph 2 of this subsection;
961951 5. Information that meets both of the f ollowing conditions:
952+
953+HB1030 HFLR Page 19
954+BOLD FACE denotes Committee Amendments. 1
955+2
956+3
957+4
958+5
959+6
960+7
961+8
962+9
963+10
964+11
965+12
966+13
967+14
968+15
969+16
970+17
971+18
972+19
973+20
974+21
975+22
976+23
977+24
978+
962979 a. is de-identified in accordance with t he requirements
963980 for de-identification set forth in Section 164.514 of
964981 Part 164 of Title 45 of the Code of Federal
965982 Regulations, and
966983 b. is derived from patient information that was
967984 originally collected, created, transmitted or
968985 maintained by an entity regulat ed by the Health
969986 Insurance Portability and Accountability Act of 1996
970987 or the Federal Policy fo r the Protection of Human
971988 Subjects, also known as t he Common Rule.
972989 Information that meets the requirements of subparagraph a or b
973990 of this paragraph but is subsequ ently re-identified shall no longer
974991 be eligible for the exemption in this paragraph and shall be subject
975992 to applicable federal and state data pri vacy and security laws,
976993 including, but not limited to, the Health Insurance Portability and
977994 Accountability Act of 1996 and state medical privacy laws;
978995 6. Information that is collected, used or disclosed in
979996 research, as defined in Section 164.501 of Title 45 of the Code of
980-
981-ENGR. H. B. NO. 1030 Page 20 1
982-2
983-3
984-4
985-5
986-6
987-7
988-8
989-9
990-10
991-11
992-12
993-13
994-14
995-15
996-16
997-17
998-18
999-19
1000-20
1001-21
1002-22
1003-23
1004-24
1005-
1006997 Federal Regulations, including, but not limited to, a clinical
1007998 trial, and that is conducted i n accordance with applicable ethics,
1008999 confidentiality, privacy and security rules of Part 164 of Title 45
10091000 of the Code of Federal Regulations, the Federal Policy for the
10101001 Protection of Human Subject s, also known as the Common Rule, good
10111002 clinical practice guid elines issued by the International Council for
1003+
1004+HB1030 HFLR Page 20
1005+BOLD FACE denotes Committee Amendments. 1
1006+2
1007+3
1008+4
1009+5
1010+6
1011+7
1012+8
1013+9
1014+10
1015+11
1016+12
1017+13
1018+14
1019+15
1020+16
1021+17
1022+18
1023+19
1024+20
1025+21
1026+22
1027+23
1028+24
1029+
10121030 Harmonization, or human subject protection requ irements of the
10131031 United States Food and Drug Adminis tration;
10141032 7. The sale of personal information t o or by a consumer
10151033 reporting agency if the information is to be:
10161034 a. reported in or used to generate a consumer report, as
10171035 defined by Section 1681a(d) of the F air Credit
10181036 Reporting Act (15 U.S.C., Section 1681 et seq.), and
10191037 b. used solely for a purpose authoriz ed under that act;
10201038 8. Personal information collected, proces sed, sold or disclosed
10211039 in accordance with:
10221040 a. the federal Gramm-Leach-Bliley Act of 1999 (Public Law
10231041 106-102) and its implementing regulations, o r
10241042 b. the federal Driver's Privacy Protection Act o f 1994
10251043 (18 U.S.C., Section 2721 et seq.);
10261044 9. De-identified or aggregate consumer information; or
10271045 10. A consumer's personal information collected or sold by a
10281046 business, if every aspect of the collection or sale occurred wholly
10291047 outside of this state.
1030-
1031-ENGR. H. B. NO. 1030 Page 21 1
1032-2
1033-3
1034-4
1035-5
1036-6
1037-7
1038-8
1039-9
1040-10
1041-11
1042-12
1043-13
1044-14
1045-15
1046-16
1047-17
1048-18
1049-19
1050-20
1051-21
1052-22
1053-23
1054-24
1055-
10561048 Provided further, nothing in this act shall be deemed to apply
10571049 in any manner to a financial institution or an affiliate of a
10581050 financial institution that is subje ct to the federal Gramm-Leach-
10591051 Bliley Act of 1999 an d the rules promulgated thereunder.
10601052 B. For the purposes of this section, a business or other person
10611053 shall not re-identify, or attempt to re-identify, information that
1054+
1055+HB1030 HFLR Page 21
1056+BOLD FACE denotes Committee Amendments. 1
1057+2
1058+3
1059+4
1060+5
1061+6
1062+7
1063+8
1064+9
1065+10
1066+11
1067+12
1068+13
1069+14
1070+15
1071+16
1072+17
1073+18
1074+19
1075+20
1076+21
1077+22
1078+23
1079+24
1080+
10621081 has met the requirements of paragraphs 2 through 6 of subsection A
10631082 of this section, except for one or more of the following purposes:
10641083 1. Treatment, payment or health care operations conducted by a
10651084 covered entity or business associate acting on behalf of, and at the
10661085 written direction of, the covered entity. For purposes of this
10671086 paragraph, "treatment", "payment", "health care operations " and
10681087 "covered entity" have the same meaning as defined in Section 164.501
10691088 of Title 45 of the Code of Federal Regulations, and "business
10701089 associate" has the same meaning as defined in Section 160.103 of
10711090 Title 45 of the Code of Federal Regulations;
10721091 2. Public health activities or purposes as described in Section
10731092 164.512 of Title 45 of the Code of Federal Regulations;
10741093 3. Research, as defined in Section 164.501 of T itle 45 of the
10751094 Code of Federal Regulations, that is conducted in accordance with
10761095 Part 46 of Title 45 of the Code of Federal Regulations and the
10771096 Federal Policy for the Protection of Human Subjects, also known as
10781097 the Common Rule;
1079-
1080-ENGR. H. B. NO. 1030 Page 22 1
1081-2
1082-3
1083-4
1084-5
1085-6
1086-7
1087-8
1088-9
1089-10
1090-11
1091-12
1092-13
1093-14
1094-15
1095-16
1096-17
1097-18
1098-19
1099-20
1100-21
1101-22
1102-23
1103-24
1104-
11051098 4. Pursuant to a contract w here the lawful holder of the de-
11061099 identified information expressly engages a person or entity to
11071100 attempt to re-identify the de-identified information in order to
11081101 conduct testing, analysis, or validation of de-identification, or
11091102 related statistical technique s, if the contract bans any other use
11101103 or disclosure of the re-identified information and requires the
1104+
1105+HB1030 HFLR Page 22
1106+BOLD FACE denotes Committee Amendments. 1
1107+2
1108+3
1109+4
1110+5
1111+6
1112+7
1113+8
1114+9
1115+10
1116+11
1117+12
1118+13
1119+14
1120+15
1121+16
1122+17
1123+18
1124+19
1125+20
1126+21
1127+22
1128+23
1129+24
1130+
11111131 return or destruction of the information that was re -identified upon
11121132 completion of the contract; and
11131133 5. If otherwise required by law.
11141134 C. In accordance with paragraphs 2 through 6 of subsection A of
11151135 this section, information re-identified pursuant to this section
11161136 shall be subject to applicable federal and state da ta privacy and
11171137 security laws, including, but not limited to, the Health Insurance
11181138 Portability and Accountability Act of 1996 and state health pri vacy
11191139 laws.
11201140 D. Beginning January 1, 202 4, any contract for the sale or
11211141 license of de-identified information tha t has met the requirements
11221142 of paragraphs 2 through 6 of subsection A of this section, where one
11231143 of the parties is a person residing or doing busi ness in the state,
11241144 shall include the following, or substantially similar, provisions:
11251145 1. A statement that the de-identified information being sold or
11261146 licensed includes de-identified patient information;
11271147 2. A statement that re-identification, and attempte d re-
11281148 identification, of the de -identified information by the purchaser or
1129-
1130-ENGR. H. B. NO. 1030 Page 23 1
1131-2
1132-3
1133-4
1134-5
1135-6
1136-7
1137-8
1138-9
1139-10
1140-11
1141-12
1142-13
1143-14
1144-15
1145-16
1146-17
1147-18
1148-19
1149-20
1150-21
1151-22
1152-23
1153-24
1154-
11551149 licensee of the information is proh ibited pursuant to this section;
11561150 and
11571151 3. A requirement that, unless otherwise required by law, t he
11581152 purchaser or licensee of the de-identified information may not
11591153 further disclose the de -identified information to any third party
1154+
1155+HB1030 HFLR Page 23
1156+BOLD FACE denotes Committee Amendments. 1
1157+2
1158+3
1159+4
1160+5
1161+6
1162+7
1163+8
1164+9
1165+10
1166+11
1167+12
1168+13
1169+14
1170+15
1171+16
1172+17
1173+18
1174+19
1175+20
1176+21
1177+22
1178+23
1179+24
1180+
11601181 unless the third party is cont ractually bound by the same or
11611182 stricter restrictions and conditions.
11621183 E. For purposes of this section, "re-identify" means the
11631184 process of reversal of de-identification techniques, including, but
11641185 not limited to, the addition of specific pieces of informatio n or
11651186 data elements that can, individually or in combination, be used to
11661187 uniquely identify an individual or usage.
11671188 F. For purposes of paragraph 1 0 of subsection A of this
11681189 section, the collection or sale of a consumer's personal information
11691190 occurs wholly outside of this state if:
11701191 1. The business collects that information while the consumer is
11711192 outside of this state;
11721193 2. No part of the sale of the in formation occurs in this state;
11731194 and
11741195 3. The business does not sell any personal information of the
11751196 consumer collected while the consumer is in this state.
11761197 G. For purposes of subsection F of this section, the collection
11771198 or sale of a consumer 's personal information does not occur wholly
11781199 outside of this state if a business stores a consumer 's personal
1179-
1180-ENGR. H. B. NO. 1030 Page 24 1
1181-2
1182-3
1183-4
1184-5
1185-6
1186-7
1187-8
1188-9
1189-10
1190-11
1191-12
1192-13
1193-14
1194-15
1195-16
1196-17
1197-18
1198-19
1199-20
1200-21
1201-22
1202-23
1203-24
1204-
12051200 information, including on a device, when the consumer is in this
12061201 state and subsequently collects or sells tha t stored information
12071202 when the consumer and the info rmation are outside of this state.
12081203 H. For purposes of this section, all of the following shall
12091204 apply:
1205+
1206+HB1030 HFLR Page 24
1207+BOLD FACE denotes Committee Amendments. 1
1208+2
1209+3
1210+4
1211+5
1212+6
1213+7
1214+8
1215+9
1216+10
1217+11
1218+12
1219+13
1220+14
1221+15
1222+16
1223+17
1224+18
1225+19
1226+20
1227+21
1228+22
1229+23
1230+24
1231+
12101232 1. "Business associate" has the same meaning as defined in
12111233 Section 160.103 of Title 45 of the Code of Federal Regulations;
12121234 2. "Covered entity" has the same meaning as defined in Section
12131235 160.103 of Title 45 of the Code of Federal Regulations;
12141236 3. "Identifiable private information" has the same meaning as
12151237 defined in Section 46.102 of Title 45 of the Code of Federal
12161238 Regulations;
12171239 4. "Individually identifiable health information " has the same
12181240 meaning as defined in Section 160.103 of Title 45 of the Code of
12191241 Federal Regulations;
12201242 5. "Medical information" means any individually identifiable
12211243 information, in elect ronic or physical form, in possession of or
12221244 derived from a provider of health care, health care servi ce plan,
12231245 pharmaceutical company, or contractor regarding a pa tient's medical
12241246 history, mental or physical condition, or treatment;
12251247 6. "Patient information" means identifiable private
12261248 information, protected health information, individually identifiable
12271249 health information, or medical information;
1228-
1229-ENGR. H. B. NO. 1030 Page 25 1
1230-2
1231-3
1232-4
1233-5
1234-6
1235-7
1236-8
1237-9
1238-10
1239-11
1240-12
1241-13
1242-14
1243-15
1244-16
1245-17
1246-18
1247-19
1248-20
1249-21
1250-22
1251-23
1252-24
1253-
12541250 7. "Protected health information" has the same meaning as
12551251 defined in Section 160.103 of Title 45 of the Code of Federal
12561252 Regulations; and
12571253 8. "Provider of health care " means a person or entity that is a
12581254 covered entity.
1255+
1256+HB1030 HFLR Page 25
1257+BOLD FACE denotes Committee Amendments. 1
1258+2
1259+3
1260+4
1261+5
1262+6
1263+7
1264+8
1265+9
1266+10
1267+11
1268+12
1269+13
1270+14
1271+15
1272+16
1273+17
1274+18
1275+19
1276+20
1277+21
1278+22
1279+23
1280+24
1281+
12591282 SECTION 5. NEW LAW A new section o f law to be codified
12601283 in the Oklahoma Statutes as Section 901.5 of Title 17, unless there
12611284 is created a duplication in numbering, reads as follows:
12621285 A right or obligation under this a ct does not apply to the
12631286 extent that the exercise of the right or performanc e of the
12641287 obligation infringes on a noncommercial activity of:
12651288 1. A publisher, editor, reporter or other person connected with
12661289 or employed by a newspaper, magazine or other publication of general
12671290 circulation, including a periodical , newsletter, pamphlet or report;
12681291 2. A radio or television station that holds a license issued by
12691292 the Federal Communicat ions Commission;
12701293 3. A nonprofit that provides programing to radio or television
12711294 networks; or
12721295 4. An entity that provides an information service, including a
12731296 press association or wire service.
12741297 SECTION 6. NEW LAW A new section of law to be c odified
12751298 in the Oklahoma Statute s as Section 901.6 of Title 17, unl ess there
12761299 is created a duplication in numbering, reads as follows:
12771300 This act does not:
1278-
1279-ENGR. H. B. NO. 1030 Page 26 1
1280-2
1281-3
1282-4
1283-5
1284-6
1285-7
1286-8
1287-9
1288-10
1289-11
1290-12
1291-13
1292-14
1293-15
1294-16
1295-17
1296-18
1297-19
1298-20
1299-21
1300-22
1301-23
1302-24
1303-
13041301 1. Restrict a business's ability to:
13051302 a. comply with:
13061303 (1) applicable federal, state or local laws, or
1304+
1305+HB1030 HFLR Page 26
1306+BOLD FACE denotes Committee Amendments. 1
1307+2
1308+3
1309+4
1310+5
1311+6
1312+7
1313+8
1314+9
1315+10
1316+11
1317+12
1318+13
1319+14
1320+15
1321+16
1322+17
1323+18
1324+19
1325+20
1326+21
1327+22
1328+23
1329+24
1330+
13071331 (2) a civil, criminal or regulatory inquiry,
13081332 investigation, subpoena or summons by a federal,
13091333 state or local authority,
13101334 b. cooperate with a law enforceme nt agency concerning
13111335 conduct or activity th at the business, a service
13121336 provider of the business or a third party reasonably
13131337 and in good faith believes may violate other
13141338 applicable federal, state or local laws,
13151339 c. pursue or defend against a legal claim,
13161340 d. detect a security incident; protect against malicious,
13171341 deceptive, fraudulent or illegal activity; or
13181342 prosecute those responsible for any illegal activity
13191343 described by this paragraph, or
13201344 e. assist another party with any of the foregoing; or
13211345 2. Require a business to violate an evidentiary privilege u nder
13221346 federal or state law or prevent a business from disclosin g to a
13231347 person covered by an evi dentiary privilege the personal inf ormation
13241348 of a consumer as part of a privileged communication.
13251349 SECTION 7. NEW LAW A new section of law to be codified
13261350 in the Oklahoma Statutes as Section 901.7 of Titl e 17, unless there
13271351 is created a duplication in numbering, reads as follows:
1328-
1329-ENGR. H. B. NO. 1030 Page 27 1
1330-2
1331-3
1332-4
1333-5
1334-6
1335-7
1336-8
1337-9
1338-10
1339-11
1340-12
1341-13
1342-14
1343-15
1344-16
1345-17
1346-18
1347-19
1348-20
1349-21
1350-22
1351-23
1352-24
1353-
13541352 A. This act shall be liberally construed to effect its purposes
13551353 and to harmonize, to the extent possible, with other laws of this
13561354 state relating to the privacy or protection of pe rsonal information.
1355+
1356+HB1030 HFLR Page 27
1357+BOLD FACE denotes Committee Amendments. 1
1358+2
1359+3
1360+4
1361+5
1362+6
1363+7
1364+8
1365+9
1366+10
1367+11
1368+12
1369+13
1370+14
1371+15
1372+16
1373+17
1374+18
1375+19
1376+20
1377+21
1378+22
1379+23
1380+24
1381+
13571382 B. To the extent of a conflict between a provision of this act
13581383 and a provision of federal law, including a regulation or an
13591384 interpretation of federal law, federal law contro ls and conflicting
13601385 requirements or other provisions of this a ct do not apply. Further,
13611386 should the federal government pass compr ehensive data privacy
13621387 regulations that conflict with the provisions herein, federal l aw
13631388 shall prevail.
13641389 C. To the extent of a co nflict between a provision of this act
13651390 and another statute of this state with respect to the privacy or
13661391 protection of consumers ' personal information, the provision of law
13671392 that affords the greatest privacy or prot ection to consumers
13681393 prevails.
13691394 SECTION 8. NEW LAW A new section of law to be codif ied
13701395 in the Oklahoma Statutes as Section 901.8 of Title 17, unless there
13711396 is created a duplication in numbering, reads as follows:
13721397 This act preempts and supersedes any ordinance, order or rule
13731398 adopted by a political subdivision of this state relating to the
13741399 collection or sale by a busines s of a consumer's personal
13751400 information.
1376-
1377-ENGR. H. B. NO. 1030 Page 28 1
1378-2
1379-3
1380-4
1381-5
1382-6
1383-7
1384-8
1385-9
1386-10
1387-11
1388-12
1389-13
1390-14
1391-15
1392-16
1393-17
1394-18
1395-19
1396-20
1397-21
1398-22
1399-23
1400-24
1401-
14021401 SECTION 9. NEW LAW A new section of law to be codified
14031402 in the Oklahoma Statutes as Section 901. 9 of Title 17, unless there
14041403 is created a duplication in numbering, reads as follows:
14051404 Except as used in Section 4 of this act, for pu rposes of this
14061405 act, "research" means scientific, systematic study and observation,
1406+
1407+HB1030 HFLR Page 28
1408+BOLD FACE denotes Committee Amendments. 1
1409+2
1410+3
1411+4
1412+5
1413+6
1414+7
1415+8
1416+9
1417+10
1418+11
1419+12
1420+13
1421+14
1422+15
1423+16
1424+17
1425+18
1426+19
1427+20
1428+21
1429+22
1430+23
1431+24
1432+
14071433 including basic research or applied research that is in the public
14081434 interest and that adheres to all other a pplicable ethics and privacy
14091435 laws or studies conducted in the publ ic interest in the area of
14101436 public health. Research with personal information that ma y have
14111437 been collected from a consumer in th e course of the consumer's
14121438 interactions with a business 's service or device for other purpose s
14131439 must:
14141440 1. Be compatible with the business purpose for which the
14151441 personal information was collected;
14161442 2. Be subsequently pseudonymized and de-identified, or de-
14171443 identified and in the aggregate, such that the information canno t
14181444 reasonably identify, relate t o, describe, be capable of being
14191445 associated with, or be linked, directly or indirectly, to a
14201446 particular consumer;
14211447 3. Be made subject to technical safeguards that prohibit re-
14221448 identification of the consumer to whom the informa tion may pertain;
14231449 4. Be subject to business processes that specif ically prohibit
14241450 re-identification of the information;
1425-
1426-ENGR. H. B. NO. 1030 Page 29 1
1427-2
1428-3
1429-4
1430-5
1431-6
1432-7
1433-8
1434-9
1435-10
1436-11
1437-12
1438-13
1439-14
1440-15
1441-16
1442-17
1443-18
1444-19
1445-20
1446-21
1447-22
1448-23
1449-24
1450-
14511451 5. Be made subject to business processes to prevent inadvertent
14521452 release of de-identified information;
14531453 6. Be protected from any re -identification attempts;
14541454 7. Be used solely for research purposes that are compatible
14551455 with the context in which the personal information was collected;
14561456 8. Not be used for any commercial purpose; an d
1457+
1458+HB1030 HFLR Page 29
1459+BOLD FACE denotes Committee Amendments. 1
1460+2
1461+3
1462+4
1463+5
1464+6
1465+7
1466+8
1467+9
1468+10
1469+11
1470+12
1471+13
1472+14
1473+15
1474+16
1475+17
1476+18
1477+19
1478+20
1479+21
1480+22
1481+23
1482+24
1483+
14571484 9. Be subjected by the business conducting the research to
14581485 additional security controls th at limit access to the research dat a
14591486 to only those individuals in a business as are necessary to carry
14601487 out the research purpose.
14611488 SECTION 10. NEW LAW A new section of law to be codified
14621489 in the Oklahoma Statutes as Section 901.10 of Title 17, unless there
14631490 is created a duplication in numbering, reads as follows:
14641491 A. A consumer is entitled to request that a business that
14651492 collects the consumer 's personal information disclose to the
14661493 consumer the categories and specific items of personal inf ormation
14671494 the business has collected .
14681495 B. To receive the disclosure of information under subsection A
14691496 of this section, a consumer must submit to the business a veri fiable
14701497 consumer request using a method designated by the busin ess under
14711498 Section 18 of this act.
14721499 C. On receipt of a verifiable c onsumer request under this
14731500 section, a business shall disclose to the consumer in the time and
14741501 manner provided by Section 20 of this act:
1475-
1476-ENGR. H. B. NO. 1030 Page 30 1
1477-2
1478-3
1479-4
1480-5
1481-6
1482-7
1483-8
1484-9
1485-10
1486-11
1487-12
1488-13
1489-14
1490-15
1491-16
1492-17
1493-18
1494-19
1495-20
1496-21
1497-22
1498-23
1499-24
1500-
15011502 1. Each enumerated category and item within each cat egory of
15021503 personal information u nder paragraph 14 of Section 2 of this act
15031504 that the business collected about the consumer during the twelve
15041505 (12) months preceding the date of the request;
15051506 2. Each category of sources from which the information was
15061507 collected;
1508+
1509+HB1030 HFLR Page 30
1510+BOLD FACE denotes Committee Amendments. 1
1511+2
1512+3
1513+4
1514+5
1515+6
1516+7
1517+8
1518+9
1519+10
1520+11
1521+12
1522+13
1523+14
1524+15
1525+16
1526+17
1527+18
1528+19
1529+20
1530+21
1531+22
1532+23
1533+24
1534+
15071535 3. The business or commercial purpose for collecting or selling
15081536 the personal information; and
15091537 4. Each category of third parties with whom the busine ss shares
15101538 the personal information.
15111539 D. This section does not require a business to:
15121540 1. Retain a consume r's personal information that w as collected
15131541 for a one-time transaction if the information is not sold or
15141542 retained in the ordinary course of business; o r
15151543 2. Re-identify or otherwise link any dat a that, in the ordinary
15161544 course of business, is not maintained in a manner that would be
15171545 considered personal information.
15181546 SECTION 11. NEW LAW A new section of law to be codified
15191547 in the Oklahoma Statutes as Section 901.11 of Title 17, unless there
15201548 is created a duplication in numbering, reads as f ollows:
15211549 A. A consumer is entit led to request that a business that
15221550 collects the consumer's personal information delete any personal
15231551 information the business has collected from the consumer by
1524-
1525-ENGR. H. B. NO. 1030 Page 31 1
1526-2
1527-3
1528-4
1529-5
1530-6
1531-7
1532-8
1533-9
1534-10
1535-11
1536-12
1537-13
1538-14
1539-15
1540-16
1541-17
1542-18
1543-19
1544-20
1545-21
1546-22
1547-23
1548-24
1549-
15501552 submitting a verifiable consumer request using a method designat ed
15511553 by the business under Sectio n 18 of this act.
15521554 B. Except as provided by subsection C of this section, on
15531555 receipt of a verifiable cons umer request under this section, a
15541556 business shall delete f rom the business's records any personal
15551557 information collected from the consumer and direct a service
15561558 provider of the business to delete the information from the
1559+
1560+HB1030 HFLR Page 31
1561+BOLD FACE denotes Committee Amendments. 1
1562+2
1563+3
1564+4
1565+5
1566+6
1567+7
1568+8
1569+9
1570+10
1571+11
1572+12
1573+13
1574+14
1575+15
1576+16
1577+17
1578+18
1579+19
1580+20
1581+21
1582+22
1583+23
1584+24
1585+
15571586 provider's records in the time provided for in Secti on 20 of this
15581587 act.
15591588 C. A business or servic e provider of the business is not
15601589 required to comply with a ve rifiable consumer request recei ved under
15611590 this section if the busin ess or service provider needs to retain the
15621591 consumer's personal information to:
15631592 1. Complete the transaction for which the infor mation was
15641593 collected;
15651594 2. Provide a good or service requested by the consumer in the
15661595 context of the ongoing business relationshi p between the business
15671596 and consumer;
15681597 3. Perform under a contract between the busines s and the
15691598 consumer;
15701599 4. Detect a security incident; protect against malicious,
15711600 deceptive, fraudulent or illegal activity; or prosecute those
15721601 responsible for any illegal ac tivity described by this paragraph;
1573-
1574-ENGR. H. B. NO. 1030 Page 32 1
1575-2
1576-3
1577-4
1578-5
1579-6
1580-7
1581-8
1582-9
1583-10
1584-11
1585-12
1586-13
1587-14
1588-15
1589-16
1590-17
1591-18
1592-19
1593-20
1594-21
1595-22
1596-23
1597-24
1598-
15991602 5. Identify and repair or remove errors from com puter hardware
16001603 or software that impair its intended functionality;
16011604 6. Exercise free speech or ensure the right of another consumer
16021605 to exercise the right of free speech or another right afforded by
16031606 law;
16041607 7. Comply with a court order or subpoena or other la wful
16051608 process; or
1609+
1610+HB1030 HFLR Page 32
1611+BOLD FACE denotes Committee Amendments. 1
1612+2
1613+3
1614+4
1615+5
1616+6
1617+7
1618+8
1619+9
1620+10
1621+11
1622+12
1623+13
1624+14
1625+15
1626+16
1627+17
1628+18
1629+19
1630+20
1631+21
1632+22
1633+23
1634+24
1635+
16061636 8. Engage in public or pe er-reviewed scientific, historical or
16071637 statistical research tha t is in the public interest and that adheres
16081638 to all other applicab le ethics and privacy laws, provided that:
16091639 a. the business's deletion of the informat ion is likely
16101640 to render impossible or serio usly impair the
16111641 achievement of that research, and
16121642 b. the consumer has previously provided to the business
16131643 informed consent to re tain the information for such
16141644 use.
16151645 D. Where a business, service provider or third party has made a
16161646 consumer's personal information public, said business, service
16171647 provider or third party shall:
16181648 1. Take all reasonable ste ps, including technical measures, t o
16191649 erase the personal information that the business, service provider
16201650 or third party made public, taking into account available t echnology
16211651 and the cost of implementation; and
1622-
1623-ENGR. H. B. NO. 1030 Page 33 1
1624-2
1625-3
1626-4
1627-5
1628-6
1629-7
1630-8
1631-9
1632-10
1633-11
1634-12
1635-13
1636-14
1637-15
1638-16
1639-17
1640-18
1641-19
1642-20
1643-21
1644-22
1645-23
1646-24
1647-
16481652 2. Advise any other business, service provider or third party
16491653 with whom a contract regarding the consumer exists that the consumer
16501654 has requested the era sure of any links to, copies of or replication
16511655 of that personal information.
16521656 SECTION 12. NEW LAW A new section of law to be cod ified
16531657 in the Oklahoma Statutes as Section 901.12 of Title 17, unless there
16541658 is created a duplication in numbering, reads as follows:
1659+
1660+HB1030 HFLR Page 33
1661+BOLD FACE denotes Committee Amendments. 1
1662+2
1663+3
1664+4
1665+5
1666+6
1667+7
1668+8
1669+9
1670+10
1671+11
1672+12
1673+13
1674+14
1675+15
1676+16
1677+17
1678+18
1679+19
1680+20
1681+21
1682+22
1683+23
1684+24
1685+
16551686 A. A consumer is entitled to r equest that a business that
16561687 sells, or discloses for a business purpose, the consumer's personal
16571688 information disclose to the cons umer:
16581689 1. The categories of personal information the business
16591690 collected about the con sumer;
16601691 2. The categories of personal infor mation about the consumer
16611692 the business sold, or disclosed for a business purpose; and
16621693 3. The categories of third parties to who m the personal
16631694 information was sold or disclosed.
16641695 B. To receive the disclosure of in formation under subsection A
16651696 of this section, a consumer must submit to the business a verifiable
16661697 consumer request using a method design ated by the business under
16671698 Section 18 of this act.
16681699 C. On receipt of a verifiable consumer request under this
16691700 section, a business shall disclose to the consumer in the time and
16701701 manner provided by Section 20 of this act :
1671-
1672-ENGR. H. B. NO. 1030 Page 34 1
1673-2
1674-3
1675-4
1676-5
1677-6
1678-7
1679-8
1680-9
1681-10
1682-11
1683-12
1684-13
1685-14
1686-15
1687-16
1688-17
1689-18
1690-19
1691-20
1692-21
1693-22
1694-23
1695-24
1696-
16971702 1. Each enumerated category of pers onal information under
16981703 paragraph 14 of Section 2 of this act that the business collected
16991704 about the consumer during the twelve (12) months preceding the date
17001705 of the request;
17011706 2. The categories of third parties to whom the busi ness sold
17021707 the consumer's personal information during the twelve (12) months
17031708 preceding the date of the request by reference to each enumerated
1709+
1710+HB1030 HFLR Page 34
1711+BOLD FACE denotes Committee Amendments. 1
1712+2
1713+3
1714+4
1715+5
1716+6
1717+7
1718+8
1719+9
1720+10
1721+11
1722+12
1723+13
1724+14
1725+15
1726+16
1727+17
1728+18
1729+19
1730+20
1731+21
1732+22
1733+23
1734+24
1735+
17041736 category of information under paragraph 14 of Section 2 of this act
17051737 sold to each third party; and
17061738 3. The categories of third parties to whom the business
17071739 disclosed for a business purpose the consumer's personal information
17081740 during the twelve (12) months preceding the date of the request by
17091741 reference to each enumerated category of information under paragraph
17101742 14 of Section 2 of this act disclosed to each third party.
17111743 D. A business shall provide the information described by
17121744 paragraphs 2 and 3 of subsection C of this s ection in two separate
17131745 lists.
17141746 E. A business that did not sell, or disclose for a business
17151747 purpose, the consumer's personal information during the twelve (12)
17161748 months preceding the date of receiving the consumer's verifiable
17171749 consumer request under this sect ion shall disclose that fact to the
17181750 consumer.
1719-
1720-ENGR. H. B. NO. 1030 Page 35 1
1721-2
1722-3
1723-4
1724-5
1725-6
1726-7
1727-8
1728-9
1729-10
1730-11
1731-12
1732-13
1733-14
1734-15
1735-16
1736-17
1737-18
1738-19
1739-20
1740-21
1741-22
1742-23
1743-24
1744-
17451751 SECTION 13. NEW LAW A new section of law to be codified
17461752 in the Oklahoma Statutes as Section 901.1 3 of Title 17, unless there
17471753 is created a duplication in numbering, reads as follows:
17481754 A. A consumer is entitled at any time to opt ou t of the sale of
17491755 the consumer's personal information by a busi ness to third parties
17501756 by directing the business not to sell the in formation. A consumer
17511757 may authorize another person solely to opt out of the sale of the
17521758 consumer's personal information on the consumer's behalf. A
1759+
1760+HB1030 HFLR Page 35
1761+BOLD FACE denotes Committee Amendments. 1
1762+2
1763+3
1764+4
1765+5
1766+6
1767+7
1768+8
1769+9
1770+10
1771+11
1772+12
1773+13
1774+14
1775+15
1776+16
1777+17
1778+18
1779+19
1780+20
1781+21
1782+22
1783+23
1784+24
1785+
17531786 business shall comply with a direction n ot to sell that is received
17541787 under this subsection.
17551788 B. To exercise the right to opt out specified in subsection A
17561789 of this section, a consumer shall sub mit to the business a
17571790 verifiable consumer r equest using a method designated by the
17581791 business under Section 18 of this act.
17591792 C. A business that sells consumers' personal information to a
17601793 third party shall provide on the business's Internet website:
17611794 1. Notice to consumers that:
17621795 a. the information may be sold,
17631796 b. identifies the categories of persons to whom the
17641797 information will or could be so ld, and
17651798 c. consumers have the right to opt in to the sale via
17661799 consent; and
1767-
1768-ENGR. H. B. NO. 1030 Page 36 1
1769-2
1770-3
1771-4
1772-5
1773-6
1774-7
1775-8
1776-9
1777-10
1778-11
1779-12
1780-13
1781-14
1782-15
1783-16
1784-17
1785-18
1786-19
1787-20
1788-21
1789-22
1790-23
1791-24
1792-
17931800 2. A clear and conspicuous link that enables a consumer, or
17941801 person authorized by the co nsumer, to consent to the sale of the
17951802 consumer's personal information.
17961803 D. A business may not sell to a third party the personal
17971804 information of a consumer who does not consent to the sale of that
17981805 information after the effective date of this act or after a consumer
17991806 submits a verifiable request to opt out of any future sale .
18001807 E. A business may use any person al information collected from
18011808 the consumer in connection with the consumer's opting out under this
18021809 section solely to comply with this section.
1810+
1811+HB1030 HFLR Page 36
1812+BOLD FACE denotes Committee Amendments. 1
1813+2
1814+3
1815+4
1816+5
1817+6
1818+7
1819+8
1820+9
1821+10
1822+11
1823+12
1824+13
1825+14
1826+15
1827+16
1828+17
1829+18
1830+19
1831+20
1832+21
1833+22
1834+23
1835+24
1836+
18031837 F. A third party to whom a business has sold the personal
18041838 information of a consumer ma y not sell the information unless the
18051839 consumer receives explicit n otice of the potential sale and is
18061840 provided the opportunity to, and in fact does, consent to the sale
18071841 as provided by this section.
18081842 G. A business may not require a consu mer to create an account
18091843 with the business to opt in to the sale of the consumer's personal
18101844 information.
18111845 H. A business or service provider shall implement an d maintain
18121846 reasonable security procedures a nd practices, including
18131847 administrative, physical and te chnical safeguards appropriate to the
18141848 nature of the information and the purposes for which the personal
18151849 information will be used, to protect consumers ' personal information
18161850 from unauthorized use, discl osure, access, destruction or
1817-
1818-ENGR. H. B. NO. 1030 Page 37 1
1819-2
1820-3
1821-4
1822-5
1823-6
1824-7
1825-8
1826-9
1827-10
1828-11
1829-12
1830-13
1831-14
1832-15
1833-16
1834-17
1835-18
1836-19
1837-20
1838-21
1839-22
1840-23
1841-24
1842-
18431851 modification, irrespectiv e of whether a customer has consented to
18441852 opt in or out of a sale of data.
18451853 SECTION 14. NEW LAW A new section of law to be codified
18461854 in the Oklahoma Statutes as Section 901.1 4 of Title 17, unless there
18471855 is created a duplication in numbering, reads as follows:
18481856 A. The Legislature of the State of Oklahoma finds tha t
18491857 individuals within Oklahoma have a right to prohibit retention, use
18501858 or disclosure of their own personal data.
18511859 B. The Legislature of the State of Oklahoma further finds that
18521860 individuals within Oklahoma have previously b een exploited for
1861+
1862+HB1030 HFLR Page 37
1863+BOLD FACE denotes Committee Amendments. 1
1864+2
1865+3
1866+4
1867+5
1868+6
1869+7
1870+8
1871+9
1872+10
1873+11
1874+12
1875+13
1876+14
1877+15
1878+16
1879+17
1880+18
1881+19
1882+20
1883+21
1884+22
1885+23
1886+24
1887+
18531888 monetary gain and manipulation by private ventures in utilization of
18541889 private data.
18551890 C. The Legislature of the State of Oklahoma further finds that
18561891 the protection of individuals within Oklahoma and their data is a
18571892 core governmental functio n in order to protect the health, s afety
18581893 and welfare of individuals within Oklahoma.
18591894 D. The Legislature of the Stat e of Oklahoma further finds that
18601895 the terms and conditions set forth in this act are the least
18611896 restrictive alternative necessary to protect i ndividuals within
18621897 Oklahoma and their rights and that the use of a strictly "opt-out"
18631898 method for data privacy is inef fectual and poses an immediate risk
18641899 to the health, safety and welfare of individuals within Oklahoma.
1865-
1866-ENGR. H. B. NO. 1030 Page 38 1
1867-2
1868-3
1869-4
1870-5
1871-6
1872-7
1873-8
1874-9
1875-10
1876-11
1877-12
1878-13
1879-14
1880-15
1881-16
1882-17
1883-18
1884-19
1885-20
1886-21
1887-22
1888-23
1889-24
1890-
18911900 SECTION 15. NEW LAW A new section of law to be cod ified
18921901 in the Oklahoma Statutes as Section 901.15 of Title 17, unless there
18931902 is created a duplication in numbering, reads as f ollows:
18941903 A. A provision of a contract or other agreement that purp orts
18951904 to waive or limit a right, remedy or means of enforcement und er this
18961905 act is contrary to public policy and is void.
18971906 B. This section does not p revent a consumer from:
18981907 1. Declining to request information from a business;
18991908 2. Declining to consent to a business's sale of the consumer 's
19001909 personal information; or
19011910 3. Authorizing a business to sell the consumer's personal
19021911 information after previously o pting out.
1912+
1913+HB1030 HFLR Page 38
1914+BOLD FACE denotes Committee Amendments. 1
1915+2
1916+3
1917+4
1918+5
1919+6
1920+7
1921+8
1922+9
1923+10
1924+11
1925+12
1926+13
1927+14
1928+15
1929+16
1930+17
1931+18
1932+19
1933+20
1934+21
1935+22
1936+23
1937+24
1938+
19031939 SECTION 16. NEW LAW A new section of law to be codified
19041940 in the Oklahoma Stat utes as Section 901.16 of Title 17, unless there
19051941 is created a duplication in numbering, reads as follows:
19061942 A. After the effective date of this act, a business shall not
19071943 collect a consumer's personal information directly from the consumer
19081944 prior to notifying the consumer of each category of personal
19091945 information to be colle cted and for what purposes information will
19101946 be used, as well as obtaining the consumer's consent to opt in to
19111947 collection, which may be provided electronically by the consumer, to
19121948 collect a consumer's personal information.
19131949 B. A business may not collect an additional category of
19141950 personal information directly from the consumer or use personal
1915-
1916-ENGR. H. B. NO. 1030 Page 39 1
1917-2
1918-3
1919-4
1920-5
1921-6
1922-7
1923-8
1924-9
1925-10
1926-11
1927-12
1928-13
1929-14
1930-15
1931-16
1932-17
1933-18
1934-19
1935-20
1936-21
1937-22
1938-23
1939-24
1940-
19411951 information collected for an additio nal purpose unless the business
19421952 provides notice to the consumer of the additional category or
19431953 purpose in accordance with s ubsection A of this section.
19441954 C. If a third party that assumes control of all or part of a
19451955 business as described by subparagraph c of paragraph 2 of subsection
19461956 C of Section 3 of this act materially alters the practices of the
19471957 business in how personal infor mation is used or shared, and the
19481958 practices are materially inconsistent with a notice provi ded to a
19491959 consumer under subsection A or B of this section, the third party
19501960 must notify the consumer of the third party 's new or changed
19511961 practices in a conspicuous manner that allows the consumer to easily
1962+
1963+HB1030 HFLR Page 39
1964+BOLD FACE denotes Committee Amendments. 1
1965+2
1966+3
1967+4
1968+5
1969+6
1970+7
1971+8
1972+9
1973+10
1974+11
1975+12
1976+13
1977+14
1978+15
1979+16
1980+17
1981+18
1982+19
1983+20
1984+21
1985+22
1986+23
1987+24
1988+
19521989 exercise a right provided under this act before the third-party
19531990 collector uses or shares the p ersonal information.
19541991 D. Subsection C of this section does not authorize a business
19551992 to make a material, retroactive change or other change to a
19561993 business's privacy policy in a manner that would be a deceptive
19571994 trade practice actionable under Oklahoma law.
19581995 SECTION 17. NEW LAW A new section of law to be codified
19591996 in the Oklahoma Statutes as Section 901.17 of Title 17, unless there
19601997 is created a duplication in numbering, reads as follows:
19611998 A. A business that collects, sells or for a business purpose
19621999 discloses a consumer's personal information shall disclose the
19632000 following information in the business's online privacy polic y or
19642001 other notice of the business's policies:
1965-
1966-ENGR. H. B. NO. 1030 Page 40 1
1967-2
1968-3
1969-4
1970-5
1971-6
1972-7
1973-8
1974-9
1975-10
1976-11
1977-12
1978-13
1979-14
1980-15
1981-16
1982-17
1983-18
1984-19
1985-20
1986-21
1987-22
1988-23
1989-24
1990-
19912002 1. A description of a consumer 's rights under Sections 10, 11,
19922003 12, 13 and 16 of this act and designated methods for submitting a
19932004 verifiable consumer request under this act;
19942005 2. For a business that collects per sonal information ab out
19952006 consumers, a description of the consumer's right to request the
19962007 deletion of the consumer's personal information;
19972008 3. Separate lists containing the categories of consumers '
19982009 personal information describe d by paragraph 14 of Section 2 of this
19992010 act that, during the twelve (12) months preceding the date the
20002011 business updated the information as required by subsection C of this
20012012 section, the business:
2013+
2014+HB1030 HFLR Page 40
2015+BOLD FACE denotes Committee Amendments. 1
2016+2
2017+3
2018+4
2019+5
2020+6
2021+7
2022+8
2023+9
2024+10
2025+11
2026+12
2027+13
2028+14
2029+15
2030+16
2031+17
2032+18
2033+19
2034+20
2035+21
2036+22
2037+23
2038+24
2039+
20022040 a. collected,
20032041 b. sold, if applicable, or
20042042 c. disclosed for a business purpose, if applicable ;
20052043 4. The categories o f sources from which the information under
20062044 paragraph 3 of this subsection is collected;
20072045 5. The business or commercial purposes for collecting personal
20082046 information;
20092047 6. If the business does not sell consum ers' personal
20102048 information or disclose the informati on for a business or commercial
20112049 purpose, a statement of that fact;
20122050 7. The categories of third parties t o whom the business sells
20132051 or discloses personal information;
2014-
2015-ENGR. H. B. NO. 1030 Page 41 1
2016-2
2017-3
2018-4
2019-5
2020-6
2021-7
2022-8
2023-9
2024-10
2025-11
2026-12
2027-13
2028-14
2029-15
2030-16
2031-17
2032-18
2033-19
2034-20
2035-21
2036-22
2037-23
2038-24
2039-
20402052 8. If the business sells consumers ' personal information, the
20412053 Internet link required by subsection C of Section 13 of this act;
20422054 and
20432055 9. If applicable, the financial incentives offered to consumers
20442056 under Section 23 of this act.
20452057 B. If a business described by subsection A of this section does
20462058 not have an online privacy policy or other notice of t he business's
20472059 policies, the business shall make the informati on required under
20482060 subsection A of this section available to consumers on the
20492061 business's Internet website or another website the business
20502062 maintains that is dedicated to consume rs in this state.
2063+
2064+HB1030 HFLR Page 41
2065+BOLD FACE denotes Committee Amendments. 1
2066+2
2067+3
2068+4
2069+5
2070+6
2071+7
2072+8
2073+9
2074+10
2075+11
2076+12
2077+13
2078+14
2079+15
2080+16
2081+17
2082+18
2083+19
2084+20
2085+21
2086+22
2087+23
2088+24
2089+
20512090 C. A business must update the information required by
20522091 subsection A of this section at least once each yea r.
20532092 SECTION 18. NEW LAW A new section of law to be codified
20542093 in the Oklahoma Statutes as Section 901.18 of Title 17, unless there
20552094 is created a duplication in numbering, reads as follows:
20562095 A. A business shall designate and make availabl e to consumers,
20572096 in a form that is reasonably accessible, at least two methods for
20582097 submitting a verifiable consumer request for infor mation required to
20592098 be disclosed or deleted under this act. The methods must incl ude,
20602099 at a minimum:
20612100 1. A toll-free telephone number that a consumer may call to
20622101 submit the request; and
2063-
2064-ENGR. H. B. NO. 1030 Page 42 1
2065-2
2066-3
2067-4
2068-5
2069-6
2070-7
2071-8
2072-9
2073-10
2074-11
2075-12
2076-13
2077-14
2078-15
2079-16
2080-17
2081-18
2082-19
2083-20
2084-21
2085-22
2086-23
2087-24
2088-
20892102 2. The business's Internet website at w hich the consumer may
20902103 submit the request.
20912104 B. The methods designated under subsection A of this section
20922105 may also include:
20932106 1. A mailing address;
20942107 2. An electronic mail address; or
20952108 3. Another Internet webpage or portal .
20962109 C. A business may not require a con sumer to create an account
20972110 with the business to submit a verifiable consumer request.
20982111 SECTION 19. NEW LAW A new section of law to be codified
20992112 in the Oklahoma Statutes as Section 901.19 of Title 17, unless there
21002113 is created a duplicati on in numbering, reads as follo ws:
2114+
2115+HB1030 HFLR Page 42
2116+BOLD FACE denotes Committee Amendments. 1
2117+2
2118+3
2119+4
2120+5
2121+6
2122+7
2123+8
2124+9
2125+10
2126+11
2127+12
2128+13
2129+14
2130+15
2131+16
2132+17
2133+18
2134+19
2135+20
2136+21
2137+22
2138+23
2139+24
2140+
21012141 A. A business that receives a verifiable consumer request under
21022142 Section 10, 11, 12 or 13 of this act shall promptly take steps to
21032143 reasonably verify that:
21042144 1. The consumer who is the subject of the request is a consumer
21052145 about whom the business has coll ected, sold, or for a business
21062146 purpose disclosed personal information; and
21072147 2. The request is made by:
21082148 a. the consumer,
21092149 b. a consumer on behalf of the consumer's minor child, or
21102150 c. a person authorized to act on the consumer 's behalf.
2111-
2112-ENGR. H. B. NO. 1030 Page 43 1
2113-2
2114-3
2115-4
2116-5
2117-6
2118-7
2119-8
2120-9
2121-10
2122-11
2123-12
2124-13
2125-14
2126-15
2127-16
2128-17
2129-18
2130-19
2131-20
2132-21
2133-22
2134-23
2135-24
2136-
21372151 B. A business may use any personal information collected from
21382152 the consumer in connection with the busi ness's verification of a
21392153 request under this section solely to verify the request.
21402154 C. A business that is unable to verify a consumer request und er
21412155 this section is not required to comply with the request.
21422156 SECTION 20. NEW LAW A new sec tion of law to be codified
21432157 in the Oklahoma Statutes as Section 901.20 of Title 17, unless there
21442158 is created a duplication in numbering, reads as follows:
21452159 A. Not later than forty-five (45) days after the date a
21462160 business receives a verifiable consume r request under Section 10,
21472161 11, 12 or 13 of this ac t, the business shall disclose free of charge
21482162 to the consumer the information required to be disclose d under those
21492163 sections or take the requested action s, as applicable.
2164+
2165+HB1030 HFLR Page 43
2166+BOLD FACE denotes Committee Amendments. 1
2167+2
2168+3
2169+4
2170+5
2171+6
2172+7
2173+8
2174+9
2175+10
2176+11
2177+12
2178+13
2179+14
2180+15
2181+16
2182+17
2183+18
2184+19
2185+20
2186+21
2187+22
2188+23
2189+24
2190+
21502191 B. A business may extend the time in which to comply with
21512192 subsection A of this section once by an additional forty-five (45)
21522193 days if reasonably necessary or by an additional ninety (90) days
21532194 after taking into account the number and compl exity of verifiable
21542195 consumer requests received by the busines s. A business that extends
21552196 the time in which to comply with subsection A of this section shall
21562197 notify the consumer of the extension and reason for the delay within
21572198 the period prescribed by that subsection.
21582199 C. The disclosure required by subsection A of this section
21592200 must:
2160-
2161-ENGR. H. B. NO. 1030 Page 44 1
2162-2
2163-3
2164-4
2165-5
2166-6
2167-7
2168-8
2169-9
2170-10
2171-11
2172-12
2173-13
2174-14
2175-15
2176-16
2177-17
2178-18
2179-19
2180-20
2181-21
2182-22
2183-23
2184-24
2185-
21862201 1. Cover personal information collected, sold or disclosed for
21872202 a business purpose, as applicable, during the twelve (12) months
21882203 preceding the date the busine ss receives the requ est; and
21892204 2. Be made in writing and delivered to the consumer :
21902205 a. by mail or electronically, at the cons umer's option,
21912206 if the consumer does not have an account with the
21922207 business, or
21932208 b. through the consumer 's account with the business.
21942209 D. An electronic dis closure under subsection C of this section
21952210 must be in a readily accessible format that allows the consum er to
21962211 electronically transmit the information to another person or entity.
21972212 E. A business is not requ ired to make the disclosure required
21982213 by subsection A of this section to the same consumer more than once
21992214 in a twelve-month period.
2215+
2216+HB1030 HFLR Page 44
2217+BOLD FACE denotes Committee Amendments. 1
2218+2
2219+3
2220+4
2221+5
2222+6
2223+7
2224+8
2225+9
2226+10
2227+11
2228+12
2229+13
2230+14
2231+15
2232+16
2233+17
2234+18
2235+19
2236+20
2237+21
2238+22
2239+23
2240+24
2241+
22002242 F. Notwithstanding subsection A of this section, if a
22012243 consumer's verifiable consumer request is manifestly baseless or
22022244 excessive, in particular because of repetitiveness, a bu siness may
22032245 charge a reasonable fee after taking into account the administrative
22042246 costs of compliance or r efusal to comply with the request. The
22052247 business has the burden of demonstrating that a request is
22062248 manifestly baseless or excessive.
22072249 G. A business that does not comply with a consumer's verifiable
22082250 consumer request under subsection A of this section shall notify the
22092251 consumer, within the time the business is required to respond to a
2210-
2211-ENGR. H. B. NO. 1030 Page 45 1
2212-2
2213-3
2214-4
2215-5
2216-6
2217-7
2218-8
2219-9
2220-10
2221-11
2222-12
2223-13
2224-14
2225-15
2226-16
2227-17
2228-18
2229-19
2230-20
2231-21
2232-22
2233-23
2234-24
2235-
22362252 request under this sect ion, of the reasons for the ref usal and the
22372253 rights the consumer may have to appeal that decision.
22382254 SECTION 21. NEW LAW A new section of law to be codified
22392255 in the Oklahoma Statutes as Section 901.2 1 of Title 17, unless there
22402256 is created a duplication in numbering, re ads as follows:
22412257 A. A business that uses de-identified information may not re -
22422258 identify or attempt to re-identify a consumer who is the subject of
22432259 de-identified information without obtaining the consumer 's consent
22442260 or authorization.
22452261 B. A business that uses de-identified information shall
22462262 implement:
22472263 1. Technical safeguards and business processes to prohibit re-
22482264 identification of the consumer to whom the information may pertain;
22492265 and
2266+
2267+HB1030 HFLR Page 45
2268+BOLD FACE denotes Committee Amendments. 1
2269+2
2270+3
2271+4
2272+5
2273+6
2274+7
2275+8
2276+9
2277+10
2278+11
2279+12
2280+13
2281+14
2282+15
2283+16
2284+17
2285+18
2286+19
2287+20
2288+21
2289+22
2290+23
2291+24
2292+
22502293 2. Business processes to prevent inadvertent r elease of de-
22512294 identified information.
22522295 C. This act may not be construed to require a business to re-
22532296 identify or otherwise link information that is not maint ained in a
22542297 manner that would be considered personal information.
22552298 SECTION 22. NEW LAW A new section of law to be codified
22562299 in the Oklahoma Statutes as Section 901.22 of Title 17, unless there
22572300 is created a duplication in numbering, read s as follows:
22582301 A. A business may not discriminate against a consumer because
22592302 the consumer exercised a right under this act, including by:
2260-
2261-ENGR. H. B. NO. 1030 Page 46 1
2262-2
2263-3
2264-4
2265-5
2266-6
2267-7
2268-8
2269-9
2270-10
2271-11
2272-12
2273-13
2274-14
2275-15
2276-16
2277-17
2278-18
2279-19
2280-20
2281-21
2282-22
2283-23
2284-24
2285-
22862303 1. Denying a good or service to the consumer;
22872304 2. Charging the consumer a different price or rate for a good
22882305 or service, including denying the use of a discount or other benefit
22892306 or imposing a penalty;
22902307 3. Providing a different level or quality of a good or service
22912308 to the consumer; or
22922309 4. Suggesting that the consumer will be char ged a different
22932310 price or rate for, or provi ded a different level or quality of, a
22942311 good or service.
22952312 B. This section does not prohibit a business from offering or
22962313 charging a consumer a different p rice or rate for a good or service,
22972314 or offering or providing to the consumer a different level or
22982315 quality of a good or service, if the difference is reasonably
2316+
2317+HB1030 HFLR Page 46
2318+BOLD FACE denotes Committee Amendments. 1
2319+2
2320+3
2321+4
2322+5
2323+6
2324+7
2325+8
2326+9
2327+10
2328+11
2329+12
2330+13
2331+14
2332+15
2333+16
2334+17
2335+18
2336+19
2337+20
2338+21
2339+22
2340+23
2341+24
2342+
22992343 related to the value provided to the consumer by the consumer's
23002344 data.
23012345 SECTION 23. NEW LAW A new section of law to be codified
23022346 in the Oklahoma Statutes as Section 901.2 3 of Title 17, unless there
23032347 is created a duplication in numbering, reads as follows:
23042348 A. Subject to subsection B of this section, a business may
23052349 offer a financial incentive to a consumer, including a payment as
23062350 compensation, for the collection, sale or disclosure of the
23072351 consumer's personal information.
23082352 B. A business may enroll a customer in a financial incentive
23092353 program only if the business pro vides to the consume r a clear
2310-
2311-ENGR. H. B. NO. 1030 Page 47 1
2312-2
2313-3
2314-4
2315-5
2316-6
2317-7
2318-8
2319-9
2320-10
2321-11
2322-12
2323-13
2324-14
2325-15
2326-16
2327-17
2328-18
2329-19
2330-20
2331-21
2332-22
2333-23
2334-24
2335-
23362354 description of the material terms of the program an d obtains the
23372355 consumer's prior opt-in consent, which:
23382356 1. Contains a clear description of those material terms; and
23392357 2. May be revoked by the co nsumer at any time.
23402358 C. A business may not use fina ncial incentive practices that
23412359 are unjust, unreasonable, coer cive or usurious in nature.
23422360 SECTION 24. NEW LAW A new section of law to be codified
23432361 in the Oklahoma Statutes as Section 9 01.24 of Title 17, unless there
23442362 is created a duplication in numbering, reads as follows:
23452363 A. A business may not divide a single transaction into more
23462364 than one transaction with the intent to avoid the requirements of
23472365 this act.
2366+
2367+HB1030 HFLR Page 47
2368+BOLD FACE denotes Committee Amendments. 1
2369+2
2370+3
2371+4
2372+5
2373+6
2374+7
2375+8
2376+9
2377+10
2378+11
2379+12
2380+13
2381+14
2382+15
2383+16
2384+17
2385+18
2386+19
2387+20
2388+21
2389+22
2390+23
2391+24
2392+
23482393 B. For purposes of this a ct, two or more substantially simil ar
23492394 or related transactions are considered a single transaction if the
23502395 transactions:
23512396 1. Are entered into contemporaneously; and
23522397 2. Have at least one common party.
23532398 C. A court shall disregard any intermediate transactions
23542399 conducted by a business with the i ntent to avoid the requirements of
23552400 this act, including the disclosure of informat ion by a business to a
23562401 third party to avoid complying with the requirements under this act
23572402 applicable to a sale of the information.
2358-
2359-ENGR. H. B. NO. 1030 Page 48 1
2360-2
2361-3
2362-4
2363-5
2364-6
2365-7
2366-8
2367-9
2368-10
2369-11
2370-12
2371-13
2372-14
2373-15
2374-16
2375-17
2376-18
2377-19
2378-20
2379-21
2380-22
2381-23
2382-24
2383-
23842403 SECTION 25. NEW LAW A new section of law to be codified
23852404 in the Oklahoma Statutes as Section 901.2 5 of Title 17, unless there
23862405 is created a duplication in numbering, reads as follows:
23872406 A business shall ensure that each person responsible for
23882407 handling consumer inquiries about the business's privacy practices
23892408 or compliance with this act is informed of the requirements of this
23902409 act and of how to direct a consumer in exercising any of the rights
23912410 to which a consumer is entitled under this a ct.
23922411 SECTION 26. NEW LAW A new section of law to be codified
23932412 in the Oklahoma Statutes as Section 901.2 6 of Title 17, unless there
23942413 is created a duplication in numbering, reads as follows:
23952414 A. A person who violates this a ct is liable to this state for
23962415 injunctive relief and/or a civil penalty in an amo unt not to exceed:
2416+
2417+HB1030 HFLR Page 48
2418+BOLD FACE denotes Committee Amendments. 1
2419+2
2420+3
2421+4
2422+5
2423+6
2424+7
2425+8
2426+9
2427+10
2428+11
2429+12
2430+13
2431+14
2432+15
2433+16
2434+17
2435+18
2436+19
2437+20
2438+21
2439+22
2440+23
2441+24
2442+
23972443 1. Two Thousand Five Hundred Dollars ($2, 500.00) for each
23982444 violation; or
23992445 2. Seven Thousand Five Hundred Dollars ($7,500.00) for each
24002446 violation, if the violation is intentional.
24012447 B. The Oklahoma Attorney General is entitled to recover
24022448 reasonable expenses, including reasonable attorney fees, court costs
24032449 and investigatory costs, incurred in obtaining injunctive relief or
24042450 civil penalties, or both, under this section. Amounts collected
24052451 under this section shall be deposite d in a dedicated acc ount in the
24062452 General Revenue Fund and shall be appropriated only for the purposes
24072453 of the administration and enforcement of this act.
2408-
2409-ENGR. H. B. NO. 1030 Page 49 1
2410-2
2411-3
2412-4
2413-5
2414-6
2415-7
2416-8
2417-9
2418-10
2419-11
2420-12
2421-13
2422-14
2423-15
2424-16
2425-17
2426-18
2427-19
2428-20
2429-21
2430-22
2431-23
2432-24
2433-
24342454 SECTION 27. NEW LAW A new section of law to be cod ified
24352455 in the Oklahoma Statutes as Section 901.27 of Title 17, unless there
24362456 is created a duplication in numbering , reads as follows:
24372457 A business that disclos es to a third party, or discloses for a
24382458 business purpose to a service provider, a consumer 's personal
24392459 information in compliance with this act may not be held liable for a
24402460 violation of this act by the third party o r service provider if the
24412461 business does not have actual knowledge or a reasonable belief that
24422462 the third party or service provider intends to vio late this act.
24432463 SECTION 28. NEW LAW A new section of law to be codified
24442464 in the Oklahoma Statutes as Section 901.28 of Title 17, unless there
24452465 is created a duplication in numbering, reads as follows:
2466+
2467+HB1030 HFLR Page 49
2468+BOLD FACE denotes Committee Amendments. 1
2469+2
2470+3
2471+4
2472+5
2473+6
2474+7
2475+8
2476+9
2477+10
2478+11
2479+12
2480+13
2481+14
2482+15
2483+16
2484+17
2485+18
2486+19
2487+20
2488+21
2489+22
2490+23
2491+24
2492+
24462493 A business's service provider may no t be held liable for a
24472494 violation of this act by the business.
2448-SECTION 29. This act shall become effective one (1) year after
2449-enactment.
2450-
2451-ENGR. H. B. NO. 1030 Page 50 1
2452-2
2453-3
2454-4
2455-5
2456-6
2457-7
2458-8
2459-9
2460-10
2461-11
2462-12
2463-13
2464-14
2465-15
2466-16
2467-17
2468-18
2469-19
2470-20
2471-21
2472-22
2473-23
2474-24
2475-
2476-Passed the House of Representatives the 8th day of March, 2023.
2477-
2478-
2479-
2480-
2481- Presiding Officer of the House
2482- of Representatives
2483-
2484-
2485-Passed the Senate the ____ day of __________, 2023.
2486-
2487-
2488-
2489-
2490- Presiding Officer of the Senate
2491-
2495+SECTION 29. This act shall become effective January 1, 2024.
2496+
2497+COMMITTEE REPORT BY: COMMITTEE ON GOVERNMENT MODERNIZATION AND
2498+TECHNOLOGY, dated 02/21/2023 - DO PASS, As Coauthored.