Oklahoma 2025 Regular Session

Oklahoma House Bill HB1388 Introduced / Bill

Filed 01/15/2025

                     
 
Req. No. 10418
  
STATE OF OKLAHOMA 
 
1st Session of the 60th Legislature (2025) 
 
HOUSE BILL 1388 	By: Hasenbeck 
 
 
 
 
 
AS INTRODUCED 
 
An Act relating to children; providing definitions; 
directing covered entities to complete and review 
impact assessments; requiring covered entities to
provide impact assessments to Attorney General; 
requiring certain default privacy settings; directing 
covered entities to publicly provide certain 
information in clear language suited to age of 
children accessing product; requiring entity provide 
certain tools; providing information required for 
data protection impact assessment; requiring covered 
entity act in best interest of children; clarifying 
data protection impact assessments are confidential 
and not subject to public disclosure; clarifying
certain information disclosed does not waive 
privilege or protection; permitting assessments that 
complies with other law; permitting single data 
protection impact assessment for similar processing 
operations; requiring first impact assessment by 
certain date; prohibiting covered entities from 
processing personal data of a child in way that is 
inconsistent with best interest of child; prohibiting 
covered entities from profiling a child unless listed 
exception applies; prohibiting covered entities from
processing personal data of child that is not 
necessary to provide online product; prohibiting 
processing certain personal data for purposes other 
than reason collected; prohibiting the processing of 
certain geolocation information of children; 
prohibiting covered entities from using dark patterns 
for certain purpose; requiring covered entity signal 
a child when being monitored or tracked; providing 
penalties for a covered entity that violates this 
act; permitting only Attorney General to initiate 
enforcement actions; directing Attorney General 
provide notice to covered entities in substantial
compliance; directing covered entities notify 
Attorney General when certain violations are cured; 
clarifying act does not serve as basis for private 
right of action; providing list of entities this act 
does not apply to; clarifying act does not impose 
certain liability; clarifying act does not prevent or 
preclude a child from deliberately searching for 
content; clarifying act does not require covered 
entity to restrict access to online products based 
solely on age; clarifying act applies to certain 
covered entities; clarifying that act does not apply 
to online products, services, or features not 
accessible by public after certain date; providing 
for codification; and providing an effective date. 
 
 
 
 
BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
SECTION 1.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 8001 of Title 10, unless there 
is created a duplication in numbering, reads as follows: 
As used in this act: 
1.  "Affiliate" means a legal entity that controls, is 
controlled by or is under common control with another legal entity; 
2.  "Age-appropriate" means a recognition of the distinct needs 
and diversities of children in the following age ranges: 
a. up to five (5) years of age, 
b. six (6) to nine (9) years of age,
c. ten (10) to twelve (12) years of age, 
d. thirteen (13) to fifteen (15) years of age, and 
e. sixteen (16) to seventeen (17) years of age;
3.  "Best interest of children" means the use, by a covered
entity, of the personal data of a child or the design of an online 
product, service or feature in a way that: 
a. will not benefit the covered entity to the detriment 
of the child, and 
b. will not result in: 
(1) reasonably foreseeable and material physical or 
financial harm to the child, 
(2) reasonably foreseeable and severe psychological 
or emotional harm to the child, 
(3) a highly offensive intrusion on the reasonable 
privacy expectations of the child, or
(4) discrimination against the child based upon race, 
color, religion, national origin, disability, sex 
or sexual orientation; 
4.  "Child" means a consumer who is under eighteen (18) years of 
age; 
5.  "Collect" means buying, renting, gathering, obtaining, 
receiving, or accessing personal data pertaining to a consumer by 
any means, including receiving personal data from the consumer, 
either actively or passively, or by observing the consumer's
behavior;
6.  "Common branding" means a shared name, service mark or 
trademark that the average consumer would understand that two or 
more entities commonly own; 
7.  "Consumer" means a natural person who resides in Oklahoma, 
however identified, including by a unique identifier; 
8.  "Control" or "controlled" means: 
a. ownership of or the power to vote more than fifty 
percent (50%) of the outstanding shares of any class 
of voting security of a covered entity, 
b. control in any manner over the election of a majority 
of the directors or of individuals exercising similar 
functions of a covered entity, or 
c. the power to exercise a controlling influence over the 
management of a covered entity; 
9.  "Covered entity" means a sole proprietorship, partnership, 
limited liability company, corporation, association, affiliate, or
other legal entity that is organized or operated for the profit or
financial benefit of the entity's shareholders or other owners and
that offers online products, services or features to individuals in
Oklahoma and processes children's personal data;
10.  "Dark pattern" means a user interface designed or 
manipulated with the purpose of subverting or impairing user 
autonomy, decision making, or choice;
11.  "Data protection impact assessment" means a systematic
survey to assess compliance with the duty to act in the best 
interest of children; 
12.  "Default" means a preselected option adopted by a covered
entity for an online product, service, or feature; 
13.  "De-identified" means information that cannot reasonably 
be used to infer information about, or otherwise be linked to, an 
identified or identifiable individual, if a covered entity that 
possesses that information: 
a. takes reasonable measures to ensure that such 
information cannot be associated with an individual, 
b. publicly commits to process such information only in a
de-identified fashion and not attempt to reidentify 
such information, and 
c. contractually obligates any recipients of such 
information to satisfy the criteria set forth in this 
subsection; 
14.  "Derived data" means data that is created by the
derivation of information, data, assumptions, correlations,
inferences, predictions, or conclusions from facts, evidence, or
another source of information or data about a child or a child's
device;
15.  "Personal data" means any information, including derived
data, that is linked or reasonably linkable, alone or in combination
with other information, to an identified or identifiable individual. 
Personal data does not include de-identified information or publicly
available information; 
16.  "Precise geolocation" means any data that is derived from 
a device and that is used or intended to be used to locate a 
consumer within a geographic area that is equal to or less than the 
area of a circle with a radius of one thousand eight hundred (1,800) 
feet; 
17.  "Process" or "processing" means conduct or an operation 
performed, whether by manual or automated means, on personal data or 
on sets of personal data, such as the collection, use, storage, 
disclosure, analysis, deletion, modification, or other handling of
personal data; 
18.  "Profiling" means automated processing of personal data 
that uses personal data to evaluate certain aspects relating to a 
natural person, including analyzing or predicting aspects concerning 
a natural person's performance at work, economic situation, health, 
personal preferences, interests, reliability, behavior, location, or
movements.  Profiling does not include the processing of data that 
does not result in an assessment or judgment about a natural person; 
19.  "Reasonably likely to be accessed" means an online 
product, service or feature is accessed or is reasonably likely to 
be accessed by children based on any of the following indicators:
a. the online product, service or feature is directed to 
children as defined by the federal Children's Online
Privacy Protection Act of 1998,
b. the online product, service or feature is determined,
based on competent and reliable evidence regarding 
audience composition, to be routinely accessed by a 
significant number of children, 
c. the online product, service or feature has 
advertisements marketed to children, 
d. the online product, service or feature is 
substantially similar or the same as an online 
product, service or feature subject to subparagraph b 
of this paragraph, 
e. a significant amount of the audience of the online 
product, service or feature is determined, based on 
internal company research, to be children, or 
f. the covered entity knew or should have known that a 
user is a child; 
20.  "Sell" means selling, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise
communicating orally, in writing or by electronic or other means, a
consumer's personal data by a covered entity to a third party for
monetary or other valuable consideration.  Sell does not include:
a. the disclosure of personal data to a third party who 
processes the personal data on behalf of the covered 
entity, 
b. the disclosure of personal data to a third party with 
whom the consumer has a direct relationship for 
purposes of providing an online product, service or 
feature requested by the consumer, 
c. the disclosure or transfer of personal data to an 
affiliate of the covered entity, 
d. the disclosure of data that the consumer intentionally 
made available to the general public via a channel of
mass media and did not restrict to a specific 
audience, or 
e. the disclosure or transfer of personal data to a third 
party as an asset that is part of the completed or 
proposed merger, acquisition, bankruptcy, or other
transaction in which the third party assumes control
of all or part of the covered entity's assets;
21.  "Sensitive personal data" means personal data that
includes: 
a. data revealing racial or ethnic origin, religious 
beliefs, mental or physical health condition or 
diagnosis, sex life, sexual orientation or citizenship 
or immigration status,
b. the processing of genetic or biometric data for the 
purpose of uniquely identifying an individual, or 
c. precise geolocation data; 
22.  "Share" means sharing, renting, releasing, disclosing, 
disseminating, making available, transferring, or otherwise
communicating orally, in writing or by electronic or other means, a 
consumer's personal data by a covered entity to a third party for 
cross-context behavioral advertising, whether or not for monetary or 
other valuable consideration, including transactions between a 
covered entity and a third party for cross-context behavioral
advertising for the benefit of a covered entity in which no money is 
exchanged; and 
23.  "Third party" means a person other than the consumer of the
covered entity. 
SECTION 2.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 8002 of Title 10, unless there 
is created a duplication in numbering, reads as follows: 
A.  A covered entity shall: 
1.  Complete a data protection impact assessment for any online 
product, service or feature that is reasonably likely to be accessed 
and maintain documentation of the data protection impact assessment 
as long as the online product, service or feature is reasonably 
likely to be accessed;
2.  Review all data protection impact assessments as necessary 
to account for material changes to data processing pertaining to the 
online product, service or feature; 
3.  Within five (5) business days of a written request by the
Attorney General, provide to the Attorney General a list of all data 
protection impact assessments the covered entity has completed; 
4.  Within seven (7) business days of a written request by the 
Attorney General, provide a data protection impact assessment to the
Attorney General pursuant to such a request; provided that the 
Attorney General may, at the Attorney General's discretion, extend 
the time allowed for a covered entity to produce a data protection 
impact assessment; 
5.  Configure all default privacy settings provided to children 
by the online product, service or feature to settings that offer a
high level of privacy, unless the covered entity can demonstrate a 
compelling reason that a different setting is in the best interest 
of children; 
6.  Publicly provide privacy information, terms of service, 
policies, and community standards in a prominent, precise manner and 
use clear language suited to the age of children reasonably likely 
to access that online product, service or feature; and 
7.  Publicly provide prominent, accessible and responsive tools 
to help a child or, if applicable, the child's parent or guardian,
exercise the child's privacy rights and report concerns.
B.  The data protection impact assessment required by this 
section shall identify the purpose of an online product, service or 
feature and how the online product, service or feature uses 
children's personal data and determine whether the online product, 
service or feature is designed and offered in an age-appropriate
manner consistent with the best interest of children who are 
accessing or reasonably likely to access the online product, service 
or feature by examining at least the following: 
1.  Whether the design of the online product, service or feature 
could lead to children experiencing or being targeted by harmful, or 
potentially harmful, contacts on the online product, service or 
feature that would be inconsistent with the best interest of 
children reasonably likely to access the online product, service or 
feature; 
2.  Whether the design of the online product, service or feature 
could permit children to witness, participate in or be subject to 
conduct on the online product, service or feature that would be 
inconsistent with the best interest of children reasonably likely to 
access the online product, service or feature; 
3.  Whether the design of the online product, service or feature 
is reasonably expected to allow children to be party to or exploited 
by a contract on the online product, service or feature;
4.  Whether algorithms used by the online product, service or
feature would be inconsistent with the best interest of children
reasonably likely to access the online product, service or feature; 
5.  Whether targeted advertising systems used by the online 
product, service or feature would be inconsistent with the best 
interest of children reasonably likely to access the online product, 
service or feature; 
6.  Whether the online product, service or feature uses system 
design features to increase, sustain or extend the use of the online
product, service or feature by children, including the automatic
playing of media, rewards for time spent and notifications, that
would be inconsistent with the best interest of children reasonably
likely to access the online product, service or feature; and
7.  Whether, how and for what purpose the online product, 
service or feature collects or processes sensitive personal data of 
children and whether those practices would be inconsistent with the 
best interest of children reasonably likely to access the online
product, service or feature. 
C.  When a covered entity identifies an online product, service 
or feature reasonably likely to be accessed by children that may be 
inconsistent with the best interest of children, the covered entity 
shall include in a data protection impact assessment a detailed plan 
describing the steps the covered entity has taken and will take to
ensure that the online product, service or feature will be 
consistent with the best interest of children. 
D.  A data protection impact assessment is protected as 
confidential and shall be exempt from public disclosure, including 
pursuant to the Oklahoma Open Records Act. 
E.  To the extent any information contained in a data protection 
impact assessment disclosed to the Attorney General includes 
information subject to attorney-client privilege or work product
protection, disclosure pursuant to subsection A of this section 
shall not constitute a waiver of that privilege or protection. 
F.  A data protection impact assessment conducted by a covered
entity for the purpose of compliance with any other law complies
with this section if the data protection impact assessment meets the 
requirements of this act. 
G.  A single data protection impact assessment may contain 
multiple similar processing operations that present similar risks 
only if each relevant online product, service or feature is 
addressed. 
H.  A covered entity shall complete a data protection impact 
assessment on or before January 1, 2026, for any online product,
service or feature that is reasonably likely to be accessed by
children after December 31, 2025.
SECTION 3.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 8003 of Title 10, unless there 
is created a duplication in numbering, reads as follows:
A covered entity that provides an online product, service or 
feature that is reasonably likely to be accessed shall not: 
A.  Process the personal data of a child in a way that the 
covered entity knows, or has reason to know, is inconsistent with
the best interest of children reasonably likely to access the online
product, service or feature. 
B.  Profile a child by default unless: 
1.  The covered entity can demonstrate that the covered entity 
has appropriate safeguards in place to ensure that profiling is
consistent with the best interest of children reasonably likely to 
access the online product, service or feature; and 
2.  Profiling is necessary to provide the online product, 
service or feature requested, and only with respect to the aspects
of the online product, service or feature with which the child is
actively and knowingly engaged; or 
3.  The covered entity can demonstrate a compelling reason that 
profiling is in the best interest of children. 
C.  Process any personal data that is not necessary to provide 
an online product, service or feature with which a child is actively 
and knowingly engaged.
D.  If the end user is a child, process personal data for any 
reason other than a reason for which that personal data was 
collected. 
E.  Process any precise geolocation information of children by 
default unless the collection of that precise geolocation 
information is strictly necessary for the covered entity to provide 
the online product, service or feature requested and then only for
the limited time that the collection of precise geolocation 
information is necessary to provide the online product, service or 
feature. 
F.  Process any precise geolocation information of a child 
without providing an obvious sign to the child for the duration of 
that collection that precise geolocation information is being 
collected. 
G.  Use dark patterns to cause children to provide personal data 
beyond what is reasonably expected to provide that online product, 
service or feature, to forego privacy protections or to take any 
action that the covered entity knows, or has reason to know, is not 
in the best interest of children reasonably likely to access the 
online product, service or feature. 
H.  Process any personal data that is not reasonably necessary
to provide an online product, service or feature with which a child
is actively and knowingly engaged to reasonably estimate age.
I.  Allow a child's parent, guardian or any other consumer to 
monitor the child's online activity or track the child's location
without providing an obvious signal to the child when the child is 
being monitored or tracked. 
SECTION 4.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 8004 of Title 10, unless there 
is created a duplication in numbering, reads as follows: 
A.  A covered entity that violates this act shall be:
1.  Subject to injunctive relief to cease or correct the
violation;
2.  Liable for a civil penalty of not more than Two Thousand
Five Hundred Dollars ($2,500.00) per affected child for each
negligent violation; and 
3.  Liable for a civil penalty of not more than Seven Thousand 
Five Hundred Dollars ($7,500.00) per affected child for each 
intentional violation. 
B.  Enforcement actions pursuant to subsection A of this section 
shall only be initiated by the Attorney General. 
C.  If a covered entity is in substantial compliance with the 
requirements of Sections 3 through 5 of this act, the Attorney 
General shall provide written notice to the covered entity, before 
initiating an action pursuant to subsection A of this section, 
identifying the specific provisions of that act that the Attorney 
General alleges have been or are being violated.
D.  If a covered entity in compliance with subsection H of 
Section 4 of this act cures the alleged violations identified in a 
notice pursuant to subsection C of this section and provides the 
Attorney General a written statement that the alleged violations 
have been cured and sufficient measures have been taken to prevent 
future violations, the covered entity shall not be liable for a 
civil penalty for any violation cured pursuant to this subsection. 
E.  Nothing in this act shall be interpreted to serve as the 
basis for a private right of action under this act or any other law. 
SECTION 5.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 8005 of Title 10, unless there 
is created a duplication in numbering, reads as follows: 
This act shall not apply to: 
A.  Protected health information that is collected by a covered
entity associate governed by the privacy, security and breach 
notification rules issued by the United States Department of Health 
and Human Services, Parts 160 and 164 of Title 45 of the Code of 
Federal Regulations, established pursuant to the federal Health
Insurance Portability and Accountability Act of 1996. 
B.  A covered entity governed by the privacy, security and 
breach notification rules issued by the United States Department of 
Health and Human Services, Parts 160 and 164 of Title 45 of the Code 
of Federal Regulations, established pursuant to the federal Health 
Insurance Portability and Accountability Act of 1996, to the extent
the provider or covered entity maintains patient information in the
same manner as medical information or protected health information
as described in subsection A of this section. 
C.  Information collected as part of a clinical trial subject to 
the federal policy for the protection of human subjects, also known 
as the common rule, pursuant to good clinical practice guidelines 
issued by the international council for harmonization of technical 
requirements for pharmaceuticals for human use or pursuant to human 
subject protection requirements of the United States Food and Drug 
Administration. 
D.  A telecommunications service as defined in 47 U.S.C.,
Section 153. 
E.  The delivery or use of a physical product. 
SECTION 6.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 8006 of Title 10, unless there 
is created a duplication in numbering, reads as follows: 
Nothing in this act shall be interpreted or construed to: 
A.  Impose liability in a manner that is inconsistent with 47 
U.S.C., Section 230. 
B.  Prevent or preclude a child from deliberately or 
independently searching for, or specifically requesting, content. 
C.  Require a covered entity to restrict access to online 
products, services, or features based solely on age.
SECTION 7.     NEW LAW     A new section of law to be codified 
in the Oklahoma Statutes as Section 8007 of Title 10, unless there 
is created a duplication in numbering, reads as follows: 
A.  This act shall apply to covered entities in Oklahoma or 
persons that provide online products, services, or features that are
targeted to residents of this state and that during the preceding 
calendar year: 
1.  Controlled or processed the personal data of not fewer than 
one hundred thousand (100,000) consumers, excluding personal data 
controlled or processed solely for the purpose of completing a
payment transaction; or 
2.  Controlled or processed the personal data of not fewer than 
twenty-five thousand (25,000) consumers and derived more than 
twenty-five percent (25%) of the covered entity's gross revenue from
the sale of personal data.
B.  This act does not apply to an online product, service, or
feature that is not accessible by the public after December 31, 
2025. 
SECTION 8.  This act shall become effective November 1, 2025. 
 
60-1-10418 MJ 01/09/25