Oklahoma 2023 Regular Session

Oklahoma House Bill HB1030 Latest Draft

Bill / Engrossed Version Filed 03/09/2023

                             
 
ENGR. H. B. NO. 1030

ENGROSSED HOUSE BILL NO. 1030
By: West (Josh), Pae, Fugate, Alonso-Sandoval, and Sims of the House and Howard of the Senate

An Act relating to privacy of computer data; 
enacting the Oklahoma Computer Data Privacy Act; 
defining terms; providing for applicability of act 
to certain businesses that collect consumers'
personal information; providing exemptions;
prescribing compliance with other laws and legal
proceedings; requiring act to be liberally
construed to align its effects with other laws 
relating to privacy and protection of personal 
information; providing for controlling effect of 
federal law; providing for construction in event of 
conflict with state law; providing for controlling 
effect of law which provides greatest privacy or 
protection to consumers; providing for preemption 
of local law; providing consumers right to request 
disclosure of certain information; providing
consumers right to request deletion of certain 
information; providing consumers the right to 
request and receive a disclosure of personal 
information sold or disclosed; providing consumers 
right to opt in and out of the sale of personal 
information; making legislative findings; providing 
contracts or other agreements purporting to waive
or limit a right, remedy or means of enforcement
contrary to public policy; requiring businesses 
collecting consumer data information inform 
consumer of certain information collected; 
prescribing required content of disclosures; 
requiring consumer consent; requiring businesses to
provide online privacy policy or a notice of
policies; requiring businesses to designate and
make available methods for submitting verifiable 
consumer request for certain information; requiring
businesses receiving verifiable consumer requests 
reasonably verify identity of requesting consumer; 
requiring businesses disclose required information 
within a certain period; requiring businesses using 
de-identified information not re-identify or 
attempt to re-identify certain consumers; requiring 
permission; prohibiting discrimination against 
consumers for exercise of rights; authorizing 
businesses to offer financial incentives to 
consumers for collection, sale or disclosure of 
personal information; prohibiting division of
single transactions; requiring employee training 
with respect to consumer inquiries; requiring 
disclosure of certain rights, requirements and 
information; providing civil penalties; authorizing 
Oklahoma Attorney General to take certain actions 
based on violations; authorizing Attorney General 
to recover reasonable expenses incurred in 
obtaining injunctive relief or civil penalties;
directing Attorney General to deposit collected 
penalties in a dedicated account in the General 
Revenue Fund; providing certain immunities; 
providing protections to service providers;
providing for codification; and providing an
effective date. 
 
 
 
 
 
BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA: 
SECTION 1.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.1 of Title 17, unless there 
is created a duplication in numbering, reads as follows:
This act shall be known and may be cited as the "Oklahoma
Computer Data Privacy Act".
SECTION 2.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.2 of Title 17, unless there
is created a duplication in numbering, reads as follows:
As used in this act: 
1.  "Aggregate consumer information" means information that
relates to a group or category of consumers from which individual
consumer identities have been removed and that is not linked or
reasonably linkable to a particular consumer or household, including 
through a device.  The term does not include one or more individual 
consumer records that have been de-identified;
2.  "Biometric information" means an individual's physiological, 
biological or behavioral characteristics that can be used, alone or 
in combination with other characteristics or other identifying data, 
to establish the individual's identity.  The term includes:
a. an image of an iris, retina, fingerprint, face, hand,
palm or vein pattern or a voice recording from which
an identifier template can be extracted such as a 
faceprint, minutiae template or voiceprint, 
b. keystroke patterns or rhythms, 
c. gait patterns or rhythms, and 
d. sleep, health or exercise data that contains 
identifying information; 
3.  "Business" means a for-profit entity, including a sole 
proprietorship, partnership, limited liability company, corporation,
association or other legal entity that is organized or operated for 
the profit or financial benefit of the entity's shareholders or
other owners, but does not include Internet service providers so 
long as they are acting in their role as Internet service providers;
4.  "Business purpose" means the use of personal information 
for: 
a. the following operational purposes of a business or 
service provider, provided that the use of the 
information is reasonably necessary and proportionate 
to achieve the operational purpose for which the
information was collected or processed or another 
operational purpose that is compatible with the 
context in which the information was collected: 
(1) auditing related to a current interaction with a 
consumer and any concurrent transactions,
including counting ad impressions of unique
visitors, verifying the positioning and quality
of ad impressions, and auditing compliance with a
specification or other standards for ad 
impressions, 
(2) detecting a security incident, protecting against
malicious, deceptive, fraudulent or illegal 
activity, and prosecuting those responsible for 
any illegal activity described by this division,
(3) identifying and repairing or removing errors that 
impair the intended functionality of computer 
hardware or software, 
(4) using personal information in the short term or 
for a transient use, provided that the 
information is not: 
(a) disclosed to a third party, and 
(b) used to build a profile about a consumer or 
alter an individual consumer's experience
outside of a current interaction with the
consumer, including the contextual
customization of an advertisement displayed
as part of the same interaction,
(5) performing a service on behalf of the business or 
service provider, including: 
(a) maintaining or servicing an account, 
providing customer service, processing or 
fulfilling an order or transaction,
verifying customer information, processing a 
payment, providing financing, providing 
advertising or marketing services, or 
providing analytic services, or 
(b) performing a service similar to a service
described by subdivision (a) of this
division on behalf of the business or 
service provider, 
(6) undertaking internal research for technological 
development and demonstration, 
(7) undertaking an activity to: 
(a) verify or maintain the quality or safety of
a service or device that is owned by, 
manufactured by, manufactured for or 
controlled by the business, or
(b) improve, upgrade or enhance a service or 
device described by subdivision (a) of this 
division, or 
(8) retention of employment data, or 
b. another operational purpose for which notice is given 
under this act, but specifically excepting cross-
context targeted advertising, unless the customer has 
opted in to the same;
5.  "Collect" means to buy, rent, gather, obtain, receive or 
access the personal information of a consumer by any means, 
including by actively or passively receiving the information from 
the consumer or by observing the consumer's behavior; 
6.  "Commercial purpose" means a purpose that is intended to 
result in a profit or other tangible benefit or the advancement of a
person's commercial or economic interests, such as by inducing
another person to buy, rent, lease, subscribe to, provide or 
exchange products, goods, property, information or services or by 
enabling or effecting, directly or indirectly, a commercial
transaction.  The term does not include the purpose of engaging in 
speech recognized by state or federal courts as noncommercial 
speech, including political speech and journalism;
7.  "Consumer" means an individual who is a resident of this 
state; 
8.  "De-identified information" means information that cannot
reasonably identify, relate to, describe, be associated with, or be
linked to, directly or indirectly, a particular consumer;
9.  "Device" means any physical object capable of connecting to
the Internet, directly or indirectly, or to another device;
10.  "Genetic information" means any information, regardless of
its format, that concerns a consumer's genetic characteristics.
Genetic information includes, but is not limited to: 
a. raw sequence data that result from sequencing of a 
consumer's complete extracted or a portion of the 
extracted DNA, 
b. genotypic and phenotypic information that results from 
analyzing the raw sequence data, and
c. self-reported health information that consumer submits
to a company regarding the consumer's health
conditions and that is used for scientific research or
product development and analyzed in connection with 
the consumer's raw sequence data;
11.  "Identifier" means data elements or other information that
alone or in conjunction with other information can be used to
identify a particular consumer, household or device that is linked
to a particular consumer or household; 
12. "Internet service provider" means a person who provides a 
mass-market retail service by wire or radio that provides the 
capability to transmit data and to receive data from all or
substantially all Internet endpoints, including any capabilities 
that are incidental to and enable the operations of the service, 
excluding dial-up Internet access service; 
13.  "Person" means an individual, sole proprietorship, firm,
partnership, joint venture, syndicate, business trust, company, 
corporation, limited liability company, association, committee and 
any other organization or group of persons acting in concert;
14.  "Personal information" means information that identifies,
relates to, describes, can be associated with or can reasonably be
linked to, directly or indirectly, a particular consumer or
household.  The term includes the following categories of
information if the information identifies, relates to, describes,
can be associated with or can reasonably be linked to, directly or 
indirectly, a particular consumer or household:
a. an identifier, including a real name, alias, mailing 
address, account name, date of birth, driver license 
number, unique identifier, Social Security number,
passport number, signature, telephone number or other 
government-issued identification number, or other 
similar identifier, 
b. an online identifier, including an electronic mail
address or Internet Protocol address, or other similar
identifier, 
c. a physical characteristic or description, including a 
characteristic of a protected classification under
state or federal law,
d. commercial information, including:
(1) a record of personal property,
(2) a good or service purchased, obtained or
considered, 
(3) an insurance policy number, or 
(4) other purchasing or consuming histories or 
tendencies, 
e. biometric information and genetic information, 
f. Internet or other electronic network activity 
information, including: 
(1) browsing or search history, and
(2) other information regarding a consumer's 
interaction with an Internet website, application
or advertisement, 
g. geolocation data, 
h. audio, electronic, visual, thermal, olfactory or other
similar information,
i. professional or employment-related information,
j. education information that is not publicly available 
that includes personally identifiable information 
under the federal Family Educational Rights and 
Privacy Act of 1974, 
k. financial information, including a financial 
institution account number, credit or debit card 
number, or password or access code associated with a 
credit or debit card or bank account, 
l. medical information, 
m. health insurance information, or 
n. inferences drawn from any of the information listed 
under this paragraph to create a profile about a 
consumer that reflects the consumer's preferences, 
characteristics, psychological trends, 
predispositions, behavior, attitudes, intelligence, 
abilities or aptitudes;
15.  "Processing information" means performing any operation or
set of operations on personal data or on sets of personal data,
whether or not by automated means;
16.  "Pseudonymize" or "pseudonymization" means the processing 
of personal information in a manner that renders the personal 
information no longer attributable to a specific consumer without
the use of additional information, provided that the additional 
information is kept separately and is subject to technical and 
organizational measures to ensure that the personal information is 
not attributed to an identified or identifiable consumer;
17. "Publicly available information" means information that is 
lawfully made available to the public from federal, state or local 
government records or information received from widely distributed 
media or by the consumer in the public domain.  The term does not 
include: 
a. biometric information or genetic information of a 
consumer collected by a business without the
consumer's knowledge or consent, or 
b. de-identified or aggregate consumer information; 
18.  "Service provider" means a for-profit entity as described 
by paragraph 3 of this section that processes information on behalf 
of a business and to which the business discloses, for a business
purpose, a consumer's personal information under a written contract, 
provided that the contract prohibits the entity receiving the
information from retaining, using or disclosing the information for 
any purpose other than: 
a. providing the services specified in the contract with
the business, or
b. for a purpose permitted by this act, including for a
commercial purpose other than providing those 
specified services; 
19.  "Third party" means a person who is not: 
a. a business to which this act applies that collects 
personal information from consumers, or 
b. a person to whom the business discloses, for a
business purpose, a consumer's personal information
under a written contract, provided that the contract:
(1) prohibits the person receiving the information
from: 
(a) selling the information, 
(b) retaining, using or disclosing the 
information for any purpose other than 
providing the services specified in the 
contract, including for a commercial purpose 
other than providing those services, and
(c) retaining, using or disclosing the 
information outside of the direct business
relationship between the person and the 
business, and 
(2) includes a certification made by the person 
receiving the personal information that the 
person understands and will comply with the
prohibitions under division (1) of this 
subparagraph; 
20.  "Unique identifier" means a persistent identifier that can 
be used over time and across different services to recognize a
consumer, a custodial parent or guardian, or any minor children over
which the parent or guardian has custody, or a device that is linked 
to those individuals.  The term includes: 
a. a device identifier, 
b. an Internet Protocol address, 
c. a cookie, beacon, pixel tag, mobile ad identifier or
similar technology, 
d. a customer number, unique pseudonym or user alias, 
e. a telephone number, and 
f. another form of a persistent or probabilistic 
identifier that can be used to identify a particular 
consumer or device; 
21.  "Verifiable consumer request" means a request:
a. that is made by a consumer, a consumer on behalf of 
the consumer's minor child, or a natural person or
person who is authorized by a consumer to act on the 
consumer's behalf, and 
b. that a business can reasonably verify, in accordance 
with Section 19 of this act, was submitted by the
consumer about whom the business has collected 
personal information; and 
22.  "Consent" means an act that clearly and conspicuously 
communicates the individual's authorization of an act or practice
that is made in the absence of any mechanism in the user interface
that has the purpose or substantial effect of obscuring, subverting
or impairing decision-making or choice to obtain consent.
SECTION 3.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.3 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A.  This act applies only to: 
1.  A business that: 
a. does business in this state, 
b. collects consumers' personal information or has that 
information collected on the business's behalf, 
c. alone or in conjunction with others, determines the
purpose for and means of processing consumers' 
personal information, and 
d. satisfies one or more of the following thresholds:
(1) has annual gross revenue in an amount that 
exceeds Fifteen Million Dollars ($15,000,000.00), 
(2) alone or in combination with others, annually
buys, sells or receives or shares for commercial
purposes the personal information of fifty
thousand or more consumers, households or
devices, or 
(3) derives twenty-five percent (25%) or more of the 
business's annual revenue from selling consumers'
personal information; and 
2.  An entity that controls or is controlled by a business
described by paragraph 1 of this subsection and that shares the same 
or substantially similar brand name and/or common database for 
consumers' personal information.  For purposes of this paragraph, 
"control" means the: 
a. ownership of, or power to vote, more than fifty
percent (50%) of the outstanding shares of any class
of voting security of a business,
b. control in any manner over the election of a majority
of the directors or of individuals exercising similar 
functions, or 
c. power to exercise a controlling influence over the 
management of a company.
B.  For purposes of this act, a business sells a consumer's 
personal information to another business or a third party if the 
business sells, rents, discloses, disseminates, makes available, 
transfers or otherwise communicates, orally, in writing, or by 
electronic or other means, the information to the other business or
third party for monetary or other valuable consideration.
C.  For purposes of this act, a business does not sell a 
consumer's personal information if: 
1.  The consumer directs the business to intentionally disclose
the information or uses the business to intentionally interact with 
a third party, provided that the third party does not sell the 
information, unless that disclosure is consistent with this act; or 
2.  The business: 
a. uses or shares an identifier of the consumer to alert
a third party that the consumer has opted out of the 
sale of the information, 
b. uses or shares with a service provider a consumer's 
personal information that is necessary to perform a 
business purpose if: 
(1) the business provided notice that the information
is being used or shared in the business's terms
and conditions consistent with Sections 13 and 17 
of this act, and
(2) the service provider does not further collect, 
sell or use the information except as necessary 
to perform the business purpose, or 
c. transfers to a third party a consumer's personal
information as an asset that is part of a merger, 
acquisition, bankruptcy or other transaction in which 
the third party assumes control of all or part of the 
business, provided that information is used or shared
consistent with this act. 
D.  For purposes of paragraph 1 of subsection C of this section, 
an intentional interaction occurs if the consumer does one or more 
deliberate acts with the intent to interact with a third party.  
Placing a cursor over, muting, pausing or closing online content 
does not constitute a consumer's intent to interact with a third
party.  Instead, said deliberate act must be consent to such 
interaction as defined herein. 
SECTION 4.     NEW LAW    A new section of law to be codified 
in the Oklahoma Statutes as Section 901.4 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A.  This act does not apply to: 
1.  Publicly available information;
2.  Medical information governed by state privacy health laws or
protected health information that is collected by a covered entity
or business associate governed by the privacy, security and data
breach notification rules issued by the United States Department of
Health and Human Services, Parts 160 and 164 of Title 45 of the Code
of Federal Regulations, established pursuant to the federal Health
Insurance Portability and Accountability Act of 1996 (Public Law
104-191) and the federal Health Information Technology for Economic 
and Clinical Health Act, Title XIII of the federal American Recovery 
and Reinvestment Act of 2009 (Public Law 111-5); 
3.  A provider of health care, or a health plan, governed by 
state privacy health laws or a covered entity governed by the
privacy, security and data breach notification rules issued by the 
United States Department of Health and Human Services, Parts 160 and 
164 of Title 45 of the Code of Federal Regulations, established
pursuant to the federal Health Insurance Portability and
Accountability Act of 1996 (Public Law 104-191), to the extent the
provider or covered entity maintains, uses and discloses patient
information in the same manner as medical information or protected
health information as described in paragraph 2 of this subsection; 
4.  A business associate of a covered entity governed by the 
privacy, security and data breach notification rules issued by the 
United States Department of Health and Human Services, Parts 160 and
164 of Title 45 of the Code of Federal Regulations, established 
pursuant to the federal Health Insurance Portability and 
Accountability Act of 1996 (Public Law 104-191) and the federal
Health Information Technology for Economic and Clinical Health Act,
Title XIII of the federal American Recovery and Reinvestment Act of
2009 (Public Law 111-5), to the extent that the business associate 
maintains, uses and discloses patient information in the same manner 
as medical information or protected health information as described 
in paragraph 2 of this subsection; 
5.  Information that meets both of the following conditions: 
a. is de-identified in accordance with the requirements
for de-identification set forth in Section 164.514 of 
Part 164 of Title 45 of the Code of Federal 
Regulations, and 
b. is derived from patient information that was
originally collected, created, transmitted or
maintained by an entity regulated by the Health
Insurance Portability and Accountability Act of 1996
or the Federal Policy for the Protection of Human
Subjects, also known as the Common Rule.
Information that meets the requirements of subparagraph a or b
of this paragraph but is subsequently re-identified shall no longer
be eligible for the exemption in this paragraph and shall be subject
to applicable federal and state data privacy and security laws,
including, but not limited to, the Health Insurance Portability and 
Accountability Act of 1996 and state medical privacy laws; 
6. Information that is collected, used or disclosed in 
research, as defined in Section 164.501 of Title 45 of the Code of
Federal Regulations, including, but not limited to, a clinical 
trial, and that is conducted in accordance with applicable ethics,
confidentiality, privacy and security rules of Part 164 of Title 45 
of the Code of Federal Regulations, the Federal Policy for the 
Protection of Human Subjects, also known as the Common Rule, good 
clinical practice guidelines issued by the International Council for
Harmonization, or human subject protection requirements of the
United States Food and Drug Administration;
7.  The sale of personal information to or by a consumer 
reporting agency if the information is to be: 
a. reported in or used to generate a consumer report, as 
defined by Section 1681a(d) of the Fair Credit
Reporting Act (15 U.S.C., Section 1681 et seq.), and 
b. used solely for a purpose authorized under that act; 
8.  Personal information collected, processed, sold or disclosed
in accordance with: 
a. the federal Gramm-Leach-Bliley Act of 1999 (Public Law 
106-102) and its implementing regulations, or
b. the federal Driver's Privacy Protection Act of 1994 
(18 U.S.C., Section 2721 et seq.); 
9.  De-identified or aggregate consumer information; or 
10.  A consumer's personal information collected or sold by a 
business, if every aspect of the collection or sale occurred wholly 
outside of this state.
Provided further, nothing in this act shall be deemed to apply 
in any manner to a financial institution or an affiliate of a 
financial institution that is subject to the federal Gramm-Leach-
Bliley Act of 1999 and the rules promulgated thereunder.
B.  For the purposes of this section, a business or other person 
shall not re-identify, or attempt to re-identify, information that 
has met the requirements of paragraphs 2 through 6 of subsection A 
of this section, except for one or more of the following purposes:
1.  Treatment, payment or health care operations conducted by a 
covered entity or business associate acting on behalf of, and at the 
written direction of, the covered entity.  For purposes of this 
paragraph, "treatment", "payment", "health care operations" and 
"covered entity" have the same meaning as defined in Section 164.501 
of Title 45 of the Code of Federal Regulations, and "business 
associate" has the same meaning as defined in Section 160.103 of 
Title 45 of the Code of Federal Regulations;
2.  Public health activities or purposes as described in Section 
164.512 of Title 45 of the Code of Federal Regulations; 
3.  Research, as defined in Section 164.501 of Title 45 of the
Code of Federal Regulations, that is conducted in accordance with
Part 46 of Title 45 of the Code of Federal Regulations and the 
Federal Policy for the Protection of Human Subjects, also known as 
the Common Rule;
4.  Pursuant to a contract where the lawful holder of the de-
identified information expressly engages a person or entity to
attempt to re-identify the de-identified information in order to
conduct testing, analysis, or validation of de-identification, or
related statistical techniques, if the contract bans any other use
or disclosure of the re-identified information and requires the
return or destruction of the information that was re-identified upon
completion of the contract; and 
5.  If otherwise required by law. 
C.  In accordance with paragraphs 2 through 6 of subsection A of 
this section, information re-identified pursuant to this section 
shall be subject to applicable federal and state data privacy and
security laws, including, but not limited to, the Health Insurance
Portability and Accountability Act of 1996 and state health privacy
laws. 
D.  Beginning January 1, 2024, any contract for the sale or 
license of de-identified information that has met the requirements
of paragraphs 2 through 6 of subsection A of this section, where one
of the parties is a person residing or doing business in the state,
shall include the following, or substantially similar, provisions: 
1.  A statement that the de-identified information being sold or 
licensed includes de-identified patient information; 
2.  A statement that re-identification, and attempted re-
identification, of the de-identified information by the purchaser or
licensee of the information is prohibited pursuant to this section;
and
3.  A requirement that, unless otherwise required by law, the
purchaser or licensee of the de-identified information may not 
further disclose the de-identified information to any third party 
unless the third party is contractually bound by the same or
stricter restrictions and conditions. 
E.  For purposes of this section, "re-identify" means the 
process of reversal of de-identification techniques, including, but
not limited to, the addition of specific pieces of information or
data elements that can, individually or in combination, be used to
uniquely identify an individual or usage.
F.  For purposes of paragraph 10 of subsection A of this
section, the collection or sale of a consumer's personal information 
occurs wholly outside of this state if: 
1.  The business collects that information while the consumer is 
outside of this state; 
2.  No part of the sale of the information occurs in this state;
and 
3.  The business does not sell any personal information of the 
consumer collected while the consumer is in this state. 
G.  For purposes of subsection F of this section, the collection 
or sale of a consumer's personal information does not occur wholly
outside of this state if a business stores a consumer's personal
information, including on a device, when the consumer is in this 
state and subsequently collects or sells that stored information
when the consumer and the information are outside of this state.
H.  For purposes of this section, all of the following shall 
apply: 
1.  "Business associate" has the same meaning as defined in 
Section 160.103 of Title 45 of the Code of Federal Regulations; 
2.  "Covered entity" has the same meaning as defined in Section
160.103 of Title 45 of the Code of Federal Regulations; 
3.  "Identifiable private information" has the same meaning as 
defined in Section 46.102 of Title 45 of the Code of Federal 
Regulations; 
4.  "Individually identifiable health information" has the same
meaning as defined in Section 160.103 of Title 45 of the Code of 
Federal Regulations; 
5.  "Medical information" means any individually identifiable 
information, in electronic or physical form, in possession of or
derived from a provider of health care, health care service plan,
pharmaceutical company, or contractor regarding a patient's medical
history, mental or physical condition, or treatment; 
6.  "Patient information" means identifiable private 
information, protected health information, individually identifiable 
health information, or medical information;
7.  "Protected health information" has the same meaning as 
defined in Section 160.103 of Title 45 of the Code of Federal 
Regulations; and 
8.  "Provider of health care" means a person or entity that is a
covered entity. 
SECTION 5.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.5 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A right or obligation under this act does not apply to the 
extent that the exercise of the right or performance of the
obligation infringes on a noncommercial activity of: 
1.  A publisher, editor, reporter or other person connected with 
or employed by a newspaper, magazine or other publication of general 
circulation, including a periodical, newsletter, pamphlet or report;
2.  A radio or television station that holds a license issued by 
the Federal Communications Commission;
3.  A nonprofit that provides programing to radio or television 
networks; or 
4.  An entity that provides an information service, including a 
press association or wire service. 
SECTION 6.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.6 of Title 17, unless there
is created a duplication in numbering, reads as follows: 
This act does not:
1.  Restrict a business's ability to: 
a. comply with: 
(1) applicable federal, state or local laws, or 
(2) a civil, criminal or regulatory inquiry, 
investigation, subpoena or summons by a federal, 
state or local authority, 
b. cooperate with a law enforcement agency concerning
conduct or activity that the business, a service
provider of the business or a third party reasonably 
and in good faith believes may violate other 
applicable federal, state or local laws, 
c. pursue or defend against a legal claim, 
d. detect a security incident; protect against malicious, 
deceptive, fraudulent or illegal activity; or 
prosecute those responsible for any illegal activity 
described by this paragraph, or 
e. assist another party with any of the foregoing; or 
2.  Require a business to violate an evidentiary privilege under
federal or state law or prevent a business from disclosing to a
person covered by an evidentiary privilege the personal information
of a consumer as part of a privileged communication. 
SECTION 7.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.7 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A.  This act shall be liberally construed to effect its purposes 
and to harmonize, to the extent possible, with other laws of this 
state relating to the privacy or protection of personal information.
B.  To the extent of a conflict between a provision of this act 
and a provision of federal law, including a regulation or an 
interpretation of federal law, federal law controls and conflicting
requirements or other provisions of this act do not apply.  Further,
should the federal government pass comprehensive data privacy
regulations that conflict with the provisions herein, federal law
shall prevail. 
C.  To the extent of a conflict between a provision of this act
and another statute of this state with respect to the privacy or
protection of consumers' personal information, the provision of law
that affords the greatest privacy or protection to consumers
prevails. 
SECTION 8.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.8 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
This act preempts and supersedes any ordinance, order or rule 
adopted by a political subdivision of this state relating to the 
collection or sale by a business of a consumer's personal
information.
SECTION 9.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.9 of Title 17, unless there
is created a duplication in numbering, reads as follows:
Except as used in Section 4 of this act, for purposes of this
act, "research" means scientific, systematic study and observation,
including basic research or applied research that is in the public
interest and that adheres to all other applicable ethics and privacy
laws or studies conducted in the public interest in the area of
public health.  Research with personal information that may have
been collected from a consumer in the course of the consumer's
interactions with a business's service or device for other purposes
must: 
1.  Be compatible with the business purpose for which the 
personal information was collected; 
2.  Be subsequently pseudonymized and de-identified, or
de-identified and in the aggregate, such that the information cannot
reasonably identify, relate to, describe, be capable of being
associated with, or be linked, directly or indirectly, to a 
particular consumer; 
3.  Be made subject to technical safeguards that prohibit
re-identification of the consumer to whom the information may pertain;
4.  Be subject to business processes that specifically prohibit
re-identification of the information;
5.  Be made subject to business processes to prevent inadvertent 
release of de-identified information; 
6.  Be protected from any re-identification attempts;
7.  Be used solely for research purposes that are compatible 
with the context in which the personal information was collected; 
8.  Not be used for any commercial purpose; and
9.  Be subjected by the business conducting the research to
additional security controls that limit access to the research data
to only those individuals in a business as are necessary to carry 
out the research purpose. 
SECTION 10.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.10 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A.  A consumer is entitled to request that a business that 
collects the consumer's personal information disclose to the
consumer the categories and specific items of personal information
the business has collected.
B.  To receive the disclosure of information under subsection A
of this section, a consumer must submit to the business a verifiable
consumer request using a method designated by the business under
Section 18 of this act. 
C.  On receipt of a verifiable consumer request under this
section, a business shall disclose to the consumer in the time and
manner provided by Section 20 of this act:
1.  Each enumerated category and item within each category of
personal information under paragraph 14 of Section 2 of this act
that the business collected about the consumer during the twelve 
(12) months preceding the date of the request; 
2.  Each category of sources from which the information was 
collected; 
3.  The business or commercial purpose for collecting or selling 
the personal information; and 
4.  Each category of third parties with whom the business shares
the personal information. 
D.  This section does not require a business to: 
1.  Retain a consumer's personal information that was collected
for a one-time transaction if the information is not sold or
retained in the ordinary course of business; or
2.  Re-identify or otherwise link any data that, in the ordinary
course of business, is not maintained in a manner that would be 
considered personal information. 
SECTION 11.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.11 of Title 17, unless there 
is created a duplication in numbering, reads as follows:
A.  A consumer is entitled to request that a business that
collects the consumer's personal information delete any personal
information the business has collected from the consumer by
submitting a verifiable consumer request using a method designated
by the business under Section 18 of this act.
B.  Except as provided by subsection C of this section, on 
receipt of a verifiable consumer request under this section, a
business shall delete from the business's records any personal
information collected from the consumer and direct a service
provider of the business to delete the information from the
provider's records in the time provided for in Section 20 of this
act. 
C.  A business or service provider of the business is not
required to comply with a verifiable consumer request received under
this section if the business or service provider needs to retain the
consumer's personal information to: 
1.  Complete the transaction for which the information was
collected;
2.  Provide a good or service requested by the consumer in the
context of the ongoing business relationship between the business
and consumer;
3.  Perform under a contract between the business and the
consumer; 
4.  Detect a security incident; protect against malicious, 
deceptive, fraudulent or illegal activity; or prosecute those 
responsible for any illegal activity described by this paragraph;
5.  Identify and repair or remove errors from computer hardware
or software that impair its intended functionality; 
6.  Exercise free speech or ensure the right of another consumer 
to exercise the right of free speech or another right afforded by 
law; 
7.  Comply with a court order or subpoena or other lawful
process; or 
8.  Engage in public or peer-reviewed scientific, historical or
statistical research that is in the public interest and that adheres
to all other applicable ethics and privacy laws, provided that:
a. the business's deletion of the information is likely
to render impossible or seriously impair the
achievement of that research, and
b. the consumer has previously provided to the business
informed consent to retain the information for such
use. 
D.  Where a business, service provider or third party has made a 
consumer's personal information public, said business, service 
provider or third party shall: 
1.  Take all reasonable steps, including technical measures, to
erase the personal information that the business, service provider
or third party made public, taking into account available technology
and the cost of implementation; and
2.  Advise any other business, service provider or third party 
with whom a contract regarding the consumer exists that the consumer 
has requested the erasure of any links to, copies of or replication
of that personal information. 
SECTION 12.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.12 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A.  A consumer is entitled to request that a business that
sells, or discloses for a business purpose, the consumer's personal
information disclose to the consumer:
1.  The categories of personal information the business
collected about the consumer;
2.  The categories of personal information about the consumer
the business sold, or disclosed for a business purpose; and
3.  The categories of third parties to whom the personal
information was sold or disclosed. 
B.  To receive the disclosure of information under subsection A
of this section, a consumer must submit to the business a verifiable
consumer request using a method designated by the business under
Section 18 of this act.
C.  On receipt of a verifiable consumer request under this
section, a business shall disclose to the consumer in the time and
manner provided by Section 20 of this act:
1.  Each enumerated category of personal information under
paragraph 14 of Section 2 of this act that the business collected 
about the consumer during the twelve (12) months preceding the date 
of the request; 
2.  The categories of third parties to whom the business sold
the consumer's personal information during the twelve (12) months 
preceding the date of the request by reference to each enumerated 
category of information under paragraph 14 of Section 2 of this act 
sold to each third party; and 
3.  The categories of third parties to whom the business 
disclosed for a business purpose the consumer's personal information 
during the twelve (12) months preceding the date of the request by 
reference to each enumerated category of information under paragraph 
14 of Section 2 of this act disclosed to each third party. 
D.  A business shall provide the information described by 
paragraphs 2 and 3 of subsection C of this section in two separate
lists. 
E.  A business that did not sell, or disclose for a business 
purpose, the consumer's personal information during the twelve (12) 
months preceding the date of receiving the consumer's verifiable 
consumer request under this section shall disclose that fact to the
consumer.
SECTION 13.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.13 of Title 17, unless there
is created a duplication in numbering, reads as follows: 
A.  A consumer is entitled at any time to opt out of the sale of
the consumer's personal information by a business to third parties
by directing the business not to sell the information.  A consumer
may authorize another person solely to opt out of the sale of the
consumer's personal information on the consumer's behalf.  A
business shall comply with a direction not to sell that is received
under this subsection. 
B.  To exercise the right to opt out specified in subsection A 
of this section, a consumer shall submit to the business a
verifiable consumer request using a method designated by the
business under Section 18 of this act. 
C.  A business that sells consumers' personal information to a 
third party shall provide on the business's Internet website: 
1.  Notice to consumers that: 
a. the information may be sold, 
b. identifies the categories of persons to whom the 
information will or could be sold, and
c. consumers have the right to opt in to the sale via
consent; and
2.  A clear and conspicuous link that enables a consumer, or 
person authorized by the consumer, to consent to the sale of the
consumer's personal information. 
D.  A business may not sell to a third party the personal 
information of a consumer who does not consent to the sale of that 
information after the effective date of this act or after a consumer 
submits a verifiable request to opt out of any future sale.
E.  A business may use any personal information collected from
the consumer in connection with the consumer's opting out under this 
section solely to comply with this section. 
F.  A third party to whom a business has sold the personal 
information of a consumer may not sell the information unless the
consumer receives explicit notice of the potential sale and is 
provided the opportunity to, and in fact does, consent to the sale 
as provided by this section. 
G.  A business may not require a consumer to create an account
with the business to opt in to the sale of the consumer's personal 
information. 
H.  A business or service provider shall implement and maintain
reasonable security procedures and practices, including
administrative, physical and technical safeguards appropriate to the
nature of the information and the purposes for which the personal
information will be used, to protect consumers' personal information
from unauthorized use, disclosure, access, destruction or
modification, irrespective of whether a customer has consented to
opt in or out of a sale of data. 
SECTION 14.    NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.14 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A.  The Legislature of the State of Oklahoma finds that
individuals within Oklahoma have a right to prohibit retention, use 
or disclosure of their own personal data. 
B.  The Legislature of the State of Oklahoma further finds that 
individuals within Oklahoma have previously been exploited for
monetary gain and manipulation by private ventures in utilization of 
private data. 
C.  The Legislature of the State of Oklahoma further finds that 
the protection of individuals within Oklahoma and their data is a 
core governmental function in order to protect the health, safety
and welfare of individuals within Oklahoma.
D.  The Legislature of the State of Oklahoma further finds that
the terms and conditions set forth in this act are the least
restrictive alternative necessary to protect individuals within
Oklahoma and their rights and that the use of a strictly "opt-out"
method for data privacy is ineffectual and poses an immediate risk
to the health, safety and welfare of individuals within Oklahoma.
SECTION 15.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.15 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A.  A provision of a contract or other agreement that purports
to waive or limit a right, remedy or means of enforcement under this
act is contrary to public policy and is void.
B.  This section does not prevent a consumer from:
1.  Declining to request information from a business; 
2.  Declining to consent to a business's sale of the consumer's
personal information; or 
3.  Authorizing a business to sell the consumer's personal 
information after previously opting out.
SECTION 16.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.16 of Title 17, unless there
is created a duplication in numbering, reads as follows: 
A.  After the effective date of this act, a business shall not 
collect a consumer's personal information directly from the consumer 
prior to notifying the consumer of each category of personal 
information to be collected and for what purposes information will
be used, as well as obtaining the consumer's consent to opt in to 
collection, which may be provided electronically by the consumer, to 
collect a consumer's personal information. 
B.  A business may not collect an additional category of 
personal information directly from the consumer or use personal
information collected for an additional purpose unless the business
provides notice to the consumer of the additional category or
purpose in accordance with subsection A of this section.
C.  If a third party that assumes control of all or part of a 
business as described by subparagraph c of paragraph 2 of subsection 
C of Section 3 of this act materially alters the practices of the 
business in how personal information is used or shared, and the
practices are materially inconsistent with a notice provided to a
consumer under subsection A or B of this section, the third party
must notify the consumer of the third party's new or changed
practices in a conspicuous manner that allows the consumer to easily
exercise a right provided under this act before the third-party
collector uses or shares the personal information.
D.  Subsection C of this section does not authorize a business
to make a material, retroactive change or other change to a
business's privacy policy in a manner that would be a deceptive 
trade practice actionable under Oklahoma law. 
SECTION 17.    NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.17 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A.  A business that collects, sells or for a business purpose 
discloses a consumer's personal information shall disclose the 
following information in the business's online privacy policy or
other notice of the business's policies:
1.  A description of a consumer's rights under Sections 10, 11,
12, 13 and 16 of this act and designated methods for submitting a 
verifiable consumer request under this act; 
2.  For a business that collects personal information about
consumers, a description of the consumer's right to request the
deletion of the consumer's personal information;
3.  Separate lists containing the categories of consumers'
personal information described by paragraph 14 of Section 2 of this
act that, during the twelve (12) months preceding the date the 
business updated the information as required by subsection C of this 
section, the business: 
a. collected, 
b. sold, if applicable, or 
c. disclosed for a business purpose, if applicable;
4.  The categories of sources from which the information under 
paragraph 3 of this subsection is collected; 
5.  The business or commercial purposes for collecting personal 
information; 
6.  If the business does not sell consumers' personal
information or disclose the information for a business or commercial 
purpose, a statement of that fact; 
7.  The categories of third parties to whom the business sells
or discloses personal information;
8.  If the business sells consumers' personal information, the
Internet link required by subsection C of Section 13 of this act; 
and 
9.  If applicable, the financial incentives offered to consumers 
under Section 23 of this act. 
B.  If a business described by subsection A of this section does 
not have an online privacy policy or other notice of the business's
policies, the business shall make the information required under
subsection A of this section available to consumers on the
business's Internet website or another website the business
maintains that is dedicated to consumers in this state.
C.  A business must update the information required by
subsection A of this section at least once each year.
SECTION 18.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.18 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A.  A business shall designate and make available to consumers,
in a form that is reasonably accessible, at least two methods for
submitting a verifiable consumer request for information required to
be disclosed or deleted under this act.  The methods must include,
at a minimum: 
1.  A toll-free telephone number that a consumer may call to 
submit the request; and
2.  The business's Internet website at which the consumer may
submit the request. 
B.  The methods designated under subsection A of this section 
may also include: 
1.  A mailing address; 
2.  An electronic mail address; or 
3.  Another Internet webpage or portal.
C.  A business may not require a consumer to create an account
with the business to submit a verifiable consumer request.
SECTION 19.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.19 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A.  A business that receives a verifiable consumer request under 
Section 10, 11, 12 or 13 of this act shall promptly take steps to 
reasonably verify that: 
1.  The consumer who is the subject of the request is a consumer 
about whom the business has collected, sold, or for a business
purpose disclosed personal information; and 
2.  The request is made by: 
a. the consumer, 
b. a consumer on behalf of the consumer's minor child, or 
c. a person authorized to act on the consumer's behalf.
B.  A business may use any personal information collected from
the consumer in connection with the business's verification of a
request under this section solely to verify the request.
C.  A business that is unable to verify a consumer request under
this section is not required to comply with the request.
SECTION 20.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.20 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A.  Not later than forty-five (45) days after the date a 
business receives a verifiable consumer request under Section 10,
11, 12 or 13 of this act, the business shall disclose free of charge
to the consumer the information required to be disclosed under those
sections or take the requested actions, as applicable. 
B.  A business may extend the time in which to comply with 
subsection A of this section once by an additional forty-five (45) 
days if reasonably necessary or by an additional ninety (90) days 
after taking into account the number and complexity of verifiable
consumer requests received by the business.  A business that extends
the time in which to comply with subsection A of this section shall 
notify the consumer of the extension and reason for the delay within 
the period prescribed by that subsection. 
C.  The disclosure required by subsection A of this section 
must:
1.  Cover personal information collected, sold or disclosed for 
a business purpose, as applicable, during the twelve (12) months 
preceding the date the business receives the request; and
2.  Be made in writing and delivered to the consumer:
a. by mail or electronically, at the consumer's option,
if the consumer does not have an account with the
business, or
b. through the consumer's account with the business.
D.  An electronic disclosure under subsection C of this section
must be in a readily accessible format that allows the consumer to
electronically transmit the information to another person or entity.
E.  A business is not required to make the disclosure required
by subsection A of this section to the same consumer more than once 
in a twelve-month period. 
F.  Notwithstanding subsection A of this section, if a 
consumer's verifiable consumer request is manifestly baseless or 
excessive, in particular because of repetitiveness, a business may
charge a reasonable fee after taking into account the administrative
costs of compliance or refusal to comply with the request.  The
business has the burden of demonstrating that a request is
manifestly baseless or excessive.
G.  A business that does not comply with a consumer's verifiable 
consumer request under subsection A of this section shall notify the 
consumer, within the time the business is required to respond to a
request under this section, of the reasons for the refusal and the
rights the consumer may have to appeal that decision.
SECTION 21.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.21 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A.  A business that uses de-identified information may not
re-identify or attempt to re-identify a consumer who is the subject of
de-identified information without obtaining the consumer's consent
or authorization.
B.  A business that uses de-identified information shall
implement: 
1.  Technical safeguards and business processes to prohibit re-
identification of the consumer to whom the information may pertain; 
and 
2.  Business processes to prevent inadvertent release of
de-identified information.
C.  This act may not be construed to require a business to
re-identify or otherwise link information that is not maintained in a
manner that would be considered personal information.
SECTION 22.     NEW LAW     A new section of law to be codified
in the Oklahoma Statutes as Section 901.22 of Title 17, unless there
is created a duplication in numbering, reads as follows:
A.  A business may not discriminate against a consumer because 
the consumer exercised a right under this act, including by:
1.  Denying a good or service to the consumer; 
2.  Charging the consumer a different price or rate for a good 
or service, including denying the use of a discount or other benefit 
or imposing a penalty; 
3.  Providing a different level or quality of a good or service 
to the consumer; or 
4.  Suggesting that the consumer will be charged a different 
price or rate for, or provided a different level or quality of, a 
good or service. 
B.  This section does not prohibit a business from offering or 
charging a consumer a different price or rate for a good or service, 
or offering or providing to the consumer a different level or 
quality of a good or service, if the difference is reasonably 
related to the value provided to the consumer by the consumer's 
data. 
SECTION 23.    NEW LAW    A new section of law to be codified 
in the Oklahoma Statutes as Section 901.23 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A.  Subject to subsection B of this section, a business may 
offer a financial incentive to a consumer, including a payment as 
compensation, for the collection, sale or disclosure of the 
consumer's personal information. 
B.  A business may enroll a customer in a financial incentive 
program only if the business provides to the consumer a clear
description of the material terms of the program and obtains the 
consumer's prior opt-in consent, which: 
1.  Contains a clear description of those material terms; and 
2.  May be revoked by the consumer at any time. 
C.  A business may not use financial incentive practices that 
are unjust, unreasonable, coercive or usurious in nature. 
SECTION 24.     NEW LAW    A new section of law to be codified 
in the Oklahoma Statutes as Section 901.24 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A.  A business may not divide a single transaction into more 
than one transaction with the intent to avoid the requirements of 
this act. 
B.  For purposes of this act, two or more substantially similar 
or related transactions are considered a single transaction if the 
transactions: 
1.  Are entered into contemporaneously; and 
2.  Have at least one common party. 
C.  A court shall disregard any intermediate transactions 
conducted by a business with the intent to avoid the requirements of 
this act, including the disclosure of information by a business to a 
third party to avoid complying with the requirements under this act 
applicable to a sale of the information.
SECTION 25.     NEW LAW    A new section of law to be codified 
in the Oklahoma Statutes as Section 901.25 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A business shall ensure that each person responsible for 
handling consumer inquiries about the business's privacy practices 
or compliance with this act is informed of the requirements of this 
act and of how to direct a consumer in exercising any of the rights 
to which a consumer is entitled under this act. 
SECTION 26.     NEW LAW    A new section of law to be codified 
in the Oklahoma Statutes as Section 901.26 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A.  A person who violates this act is liable to this state for 
injunctive relief and/or a civil penalty in an amount not to exceed: 
1.  Two Thousand Five Hundred Dollars ($2,500.00) for each 
violation; or 
2.  Seven Thousand Five Hundred Dollars ($7,500.00) for each 
violation, if the violation is intentional. 
B.  The Oklahoma Attorney General is entitled to recover 
reasonable expenses, including reasonable attorney fees, court costs 
and investigatory costs, incurred in obtaining injunctive relief or 
civil penalties, or both, under this section.  Amounts collected 
under this section shall be deposited in a dedicated account in the 
General Revenue Fund and shall be appropriated only for the purposes 
of the administration and enforcement of this act.
SECTION 27.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.27 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A business that discloses to a third party, or discloses for a 
business purpose to a service provider, a consumer's personal 
information in compliance with this act may not be held liable for a 
violation of this act by the third party or service provider if the 
business does not have actual knowledge or a reasonable belief that 
the third party or service provider intends to violate this act. 
SECTION 28.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 901.28 of Title 17, unless there 
is created a duplication in numbering, reads as follows: 
A business's service provider may not be held liable for a 
violation of this act by the business. 
SECTION 29.  This act shall become effective one (1) year after 
enactment.

Passed the House of Representatives the 8th day of March, 2023. 
 
 
 
  
 	Presiding Officer of the House 
 	of Representatives 
 
 
Passed the Senate the ____ day of __________, 2023. 
 
 
 
  
 	Presiding Officer of the Senate