OK
Oklahoma House Bill HB1762

Oklahoma 2025 Regular Session

Oklahoma House Bill HB1762 Compare Versions

Only one version of the bill is available at this time.
OldNewDifferences
11
22
33 Req. No. 10700 Page 1 1
44 2
55 3
66 4
77 5
88 6
99 7
1010 8
1111 9
1212 10
1313 11
1414 12
1515 13
1616 14
1717 15
1818 16
1919 17
2020 18
2121 19
2222 20
2323 21
2424 22
2525 23
2626 24
2727
2828 STATE OF OKLAHOMA
2929
3030 1st Session of the 60th Legislature (2025)
3131
3232 HOUSE BILL 1762 By: Kerbs
3333
3434
3535
3636
3737
3838 AS INTRODUCED
3939
4040 An Act relating to children; providing definitions;
4141 directing covered entities to complete and review
4242 impact assessments; requiring covere d entities to
4343 provide impact assessments to Attorney General;
4444 requiring certain default privacy settings; directing
4545 covered entities to publicly provide certain
4646 information in clear language suited to age of
4747 children accessing product; requiring entity pro vide
4848 certain tools; providing information required for
4949 data protection impact assessment; requiring covered
5050 entity act in best interest of children; clarifying
5151 data protection impact assessments are confidential
5252 and not subject to public disclosure; clarif ying
5353 certain information disclosed does not waive
5454 privilege or protection; permitting assessments that
5555 complies with other law; permitting single data
5656 protection impact assessment for similar processing
5757 operations; requiring first impact assessment by
5858 certain date; prohibiting covered entities from
5959 processing personal data of a chil d in way that is
6060 inconsistent with best interest of child; prohibiting
6161 covered entities from profiling a child unless listed
6262 exception applies; prohibiting covered entities from
6363 processing personal data of child that is not
6464 necessary to provide online product; prohibiting
6565 processing certain personal data for purposes other
6666 than reason collected; prohibiting the processing of
6767 certain geolocation information of children;
6868 prohibiting covered entities from using dark patterns
6969 for certain purpose; requiring cove red entity signal
7070 a child when being monitored or tracked; providing
7171 penalties for a covered entity that violates this
7272 act; permitting only Attorney General to initiate
7373 enforcement actions; directing Attorney General
7474 provide notice to covered entities in substantial
7575
7676 Req. No. 10700 Page 2 1
7777 2
7878 3
7979 4
8080 5
8181 6
8282 7
8383 8
8484 9
8585 10
8686 11
8787 12
8888 13
8989 14
9090 15
9191 16
9292 17
9393 18
9494 19
9595 20
9696 21
9797 22
9898 23
9999 24
100100
101101 compliance; directing covered entities notify
102102 Attorney General when certain violations are cured;
103103 clarifying Act does not serve as basis for private
104104 right of action; providing list of entities this act
105105 does not apply to; clarifying Act does not impose
106106 certain liability; clarifying Act does not prevent or
107107 preclude a child from deliberately searching for
108108 content; clarifying Act does not require covered
109109 entity to restrict access to online products based
110110 solely on age; clarifying Act applies to certain
111111 covered entities; clarifying that Act does not apply
112112 to online products, services, or features not
113113 accessible by public after certain date; providing
114114 for codification; and pro viding an effective date.
115115
116116
117117
118118
119119 BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
120120 SECTION 1. NEW LAW A new section of law to be codified
121121 in the Oklahoma Statutes as Section 8001 of Title 10, unless there
122122 is created a duplication in numbering, reads as follows:
123123 As used in this act:
124124 1. "Affiliate" means a legal entity that controls, is
125125 controlled by or is under common control with another legal entity;
126126 2. "Age-appropriate" means a recognition of the distinct needs
127127 and diversities of children in the following age ranges:
128128 a. up to five (5) years of age,
129129 b. six (6) to nine (9) years of age,
130130 c. ten (10) to twelve (12) years of age,
131131 d. thirteen (13) to fifteen (15) years of age, and
132132 e. sixteen (16) to seventeen (17) years of age;
133133
134134 Req. No. 10700 Page 3 1
135135 2
136136 3
137137 4
138138 5
139139 6
140140 7
141141 8
142142 9
143143 10
144144 11
145145 12
146146 13
147147 14
148148 15
149149 16
150150 17
151151 18
152152 19
153153 20
154154 21
155155 22
156156 23
157157 24
158158
159159 3. "Best interest of children " means the use, by a covered
160160 entity, of the personal data of a child or the design of an online
161161 product, service or feature in a way that:
162162 a. will not benefit the covered entity to the detriment
163163 of the child, and
164164 b. will not result in:
165165 (1) reasonably foreseeable and material physical or
166166 financial harm to the child,
167167 (2) reasonably foreseeable and severe psychological
168168 or emotional harm to the child,
169169 (3) a highly offensive intrusion on the reasonable
170170 privacy expectations of the c hild, or
171171 (4) discrimination against the child based upon race,
172172 color, religion, national origin, disability, sex
173173 or sexual orientation;
174174 4. "Child" means a consumer who is under eighteen (18) years of
175175 age;
176176 5. "Collect" means buying, renting, gathering, ob taining,
177177 receiving or accessing personal data pertaining to a consumer by any
178178 means, including receiving personal data from the consumer, either
179179 actively or passively, or by observing the consumer 's behavior;
180180 6. "Common branding" means a shared name, serv ice mark or
181181 trademark that the average consumer would understand that two or
182182 more entities commonly own;
183183
184184 Req. No. 10700 Page 4 1
185185 2
186186 3
187187 4
188188 5
189189 6
190190 7
191191 8
192192 9
193193 10
194194 11
195195 12
196196 13
197197 14
198198 15
199199 16
200200 17
201201 18
202202 19
203203 20
204204 21
205205 22
206206 23
207207 24
208208
209209 7. "Consumer" means a natural person who resides in Oklahoma,
210210 however identified, including by a unique identifier;
211211 8. "Control" or "controlled" means:
212212 a. ownership of or the power to vote more than fifty
213213 percent (50%) of the outstanding shares of any class
214214 of voting security of a covered entity,
215215 b. control in any manner over the election of a majority
216216 of the directors or of individuals exercising simi lar
217217 functions of a covered entity, or
218218 c. the power to exercise a controlling influence over the
219219 management of a covered entity;
220220 9. "Covered entity" means a sole proprietorship, partnership,
221221 limited liability company, corporation, association, affiliate , or
222222 other legal entity that is organized or operated for the profit or
223223 financial benefit of the entity 's shareholders or other owners and
224224 that offers online products, services or features to individuals in
225225 Oklahoma and processes children 's personal data;
226226 10. "Dark pattern" means a user interface designed or
227227 manipulated with the purpose of subverting or impairing user
228228 autonomy, decision making, or choice;
229229 11. "Data protection impact assessment " means a systematic
230230 survey to assess compliance with the duty to act in the best
231231 interest of children;
232232
233233 Req. No. 10700 Page 5 1
234234 2
235235 3
236236 4
237237 5
238238 6
239239 7
240240 8
241241 9
242242 10
243243 11
244244 12
245245 13
246246 14
247247 15
248248 16
249249 17
250250 18
251251 19
252252 20
253253 21
254254 22
255255 23
256256 24
257257
258258 12. "Default" means a preselected optio n adopted by a covered
259259 entity for an online product, service, or feature;
260260 13. "De-identified" means information that cannot reasonably be
261261 used to infer information about, or oth erwise be linked to, an
262262 identified or identifiable individual, if a covered entity that
263263 possesses that information:
264264 a. takes reasonable measures to ensure that such
265265 information cannot be associated with an individual,
266266 b. publicly commits to process such in formation only in a
267267 de-identified fashion and not attempt to re -identify
268268 such information, and
269269 c. contractually obligates any recipients of such
270270 information to satisfy the criteria set forth in this
271271 subsection;
272272 14. "Derived data" means data that is create d by the derivation
273273 of information, data, assumptions, correlations, inferences,
274274 predictions or conclusions from facts, evidence, or another source
275275 of information or data about a child or a child 's device;
276276 15. "Personal data" means any information, includ ing derived
277277 data, that is linked or reasonably linkable, alone or in combinati on
278278 with other information, to an identified or identifiable individual.
279279 Personal data does not include de -identified information or publicly
280280 available information;
281281
282282 Req. No. 10700 Page 6 1
283283 2
284284 3
285285 4
286286 5
287287 6
288288 7
289289 8
290290 9
291291 10
292292 11
293293 12
294294 13
295295 14
296296 15
297297 16
298298 17
299299 18
300300 19
301301 20
302302 21
303303 22
304304 23
305305 24
306306
307307 16. "Precise geolocation" means any data that is derived from a
308308 device and that is used or intended to be used to locate a consumer
309309 within a geographic area that is equal to or less than the area of a
310310 circle with a radius of one thousand eight hundred (1,800) feet;
311311 17. "Process" or "processing" means conduct or an operation
312312 performed, whether b y manual or automated means, on personal data or
313313 on sets of personal data, such as the collection, use, storage,
314314 disclosure, analysis, deletion, modification or other handling of
315315 personal data;
316316 18. "Profiling" means automated processing of personal data
317317 that uses personal data to evaluate certain aspects relating to a
318318 natural person, including analyzing or predicting aspects concerning
319319 a natural person's performance at work, econ omic situation, health,
320320 personal preferences, interests, reliability, behavior , location or
321321 movements. Profiling does not include the processing of data that
322322 does not result in an assessment or judgment about a natural person;
323323 19. "Reasonably likely to b e accessed" means an online product,
324324 service or feature is accessed or is reasonably likely to be
325325 accessed by children based on any of the following indicators:
326326 a. the online product, service or feature is directed to
327327 children as defined by the federal Chi ldren's Online
328328 Privacy Protection Act of 1998,
329329 b. the online product, service or feature is determined,
330330 based on competent and reliable evidence regarding
331331
332332 Req. No. 10700 Page 7 1
333333 2
334334 3
335335 4
336336 5
337337 6
338338 7
339339 8
340340 9
341341 10
342342 11
343343 12
344344 13
345345 14
346346 15
347347 16
348348 17
349349 18
350350 19
351351 20
352352 21
353353 22
354354 23
355355 24
356356
357357 audience composition, to be routinely accessed by a
358358 significant number of children,
359359 c. the online product, service or feature has
360360 advertisements marketed to children,
361361 d. the online product, service or feature is
362362 substantially similar or the same as an online
363363 product, service or feature subject to subparagraph b
364364 of this paragraph,
365365 e. a significant amount o f the audience of the online
366366 product, service or feature is determined, based on
367367 internal company research, to be children, or
368368 f. the covered entity knew or should have known that a
369369 user is a child;
370370 20. "Sell" means selling, renting, releasing, disclosing ,
371371 disseminating, making available, transferring or otherwise
372372 communicating orally, in writing or by electronic or other means, a
373373 consumer's personal data by a covered entity to a third party for
374374 monetary or other valuable consideration. Sell does not include:
375375 a. the disclosure of personal data to a third party who
376376 processes the personal data on behalf of the covered
377377 entity,
378378 b. the disclosure of personal data to a third party with
379379 whom the consumer has a direct relationship for
380380
381381 Req. No. 10700 Page 8 1
382382 2
383383 3
384384 4
385385 5
386386 6
387387 7
388388 8
389389 9
390390 10
391391 11
392392 12
393393 13
394394 14
395395 15
396396 16
397397 17
398398 18
399399 19
400400 20
401401 21
402402 22
403403 23
404404 24
405405
406406 purposes of providing an onli ne product, service or
407407 feature requested by the consumer,
408408 c. the disclosure or transfer of personal data to an
409409 affiliate of the covered entity,
410410 d. the disclosure of data that the consumer intentionally
411411 made available to the general public via a channel of
412412 mass media and did not restrict to a specific
413413 audience, or
414414 e. the disclosure or transfer of personal data to a third
415415 party as an asset that is part of the completed or
416416 proposed merger, acquisition, bankruptcy or other
417417 transaction in which the third party a ssumes control
418418 of all or part of the covered entity 's assets;
419419 21. "Sensitive personal data " means personal data that
420420 includes:
421421 a. data revealing racial or ethnic origin, religious
422422 beliefs, mental or physical health condition or
423423 diagnosis, sex life, sexual orientation or citizenship
424424 or immigration status,
425425 b. the processing of geneti c or biometric data for the
426426 purpose of uniquely identifying an individual, or
427427 c. precise geolocation data;
428428 22. "Share" means sharing, renting, releasing, disclosing,
429429 disseminating, making available, transferring or otherwise
430430
431431 Req. No. 10700 Page 9 1
432432 2
433433 3
434434 4
435435 5
436436 6
437437 7
438438 8
439439 9
440440 10
441441 11
442442 12
443443 13
444444 14
445445 15
446446 16
447447 17
448448 18
449449 19
450450 20
451451 21
452452 22
453453 23
454454 24
455455
456456 communicating orally, in writing or by electronic or other means, a
457457 consumer's personal data by a covered entity to a third party for
458458 cross-context behavioral advertising, whether or not for monetary or
459459 other valuable consideration, including transactions between a
460460 covered entity and a third party for cross -context behavioral
461461 advertising for the benefit of a covered entity in which no money is
462462 exchanged; and
463463 23. "Third party" means a person other than the con sumer of the
464464 covered entity.
465465 SECTION 2. NEW LAW A new section of law to be codified
466466 in the Oklahoma Statutes as Section 8002 of Title 10, unless there
467467 is created a duplication in numbering, reads as follows:
468468 A. A covered entity sha ll:
469469 1. Complete a data protection impact assessment for any online
470470 product, service or feature that is reasonably likely to be accessed
471471 and maintain documentation of the data protection impact assessment
472472 as long as the online product, service or feature i s reasonably
473473 likely to be accessed;
474474 2. Review all data protection impact assessments as necessary
475475 to account for material changes to data processing pertaining to the
476476 online product, service or feature;
477477 3. Within five (5) business days of a written reque st by the
478478 Attorney General, provide to the Attorney General a list of all data
479479 protection impact assessments the covered entity has completed;
480480
481481 Req. No. 10700 Page 10 1
482482 2
483483 3
484484 4
485485 5
486486 6
487487 7
488488 8
489489 9
490490 10
491491 11
492492 12
493493 13
494494 14
495495 15
496496 16
497497 17
498498 18
499499 19
500500 20
501501 21
502502 22
503503 23
504504 24
505505
506506 4. Within seven (7) business days of a written request by the
507507 Attorney General, provide a data protection impact assessment to the
508508 Attorney General pursuant to such a request; provided that the
509509 Attorney General may, in the Attorney General's discretion, extend
510510 the time allowed for a covered entity to produce a data protection
511511 impact assessment;
512512 5. Configure all default privacy settings provided to children
513513 by the online product, service or f eature to settings that offer a
514514 high level of privacy, unless the covered entity can demonstrate a
515515 compelling reason that a different setting is in the best interest
516516 of children;
517517 6. Publicly provide privacy information, terms of service,
518518 policies and community standards in a prominent, precise manner and
519519 use clear language suited to the age of children reasonably likely
520520 to access that online product, service or feature; and
521521 7. Publicly provide prominent, accessible and responsive tools
522522 to help a child or, if applicable, the child 's parent or guardian,
523523 exercise the child's privacy rights and report concerns.
524524 B. The data protection impact assessment required by this
525525 section shall identify the purpose of an online product, service or
526526 feature and how the online product, service or feature uses
527527 children's personal data and determine whether the online product,
528528 service or feature is designed and offered in an age -appropriate
529529 manner consistent with the best interest of children who are
530530
531531 Req. No. 10700 Page 11 1
532532 2
533533 3
534534 4
535535 5
536536 6
537537 7
538538 8
539539 9
540540 10
541541 11
542542 12
543543 13
544544 14
545545 15
546546 16
547547 17
548548 18
549549 19
550550 20
551551 21
552552 22
553553 23
554554 24
555555
556556 accessing or reasonably lik ely to access the online product, service
557557 or feature by examining at least the following:
558558 1. Whether the design of the online product, service or feature
559559 could lead to children experiencing or being targeted by harmful, or
560560 potentially harmful, contacts on the online product, service or
561561 feature that would be inconsistent with the best interest of
562562 children reasonably likely to access the online product, service or
563563 feature;
564564 2. Whether the design of the online product, service or feature
565565 could permit children to witness, participate in or be subject to
566566 conduct on the online product, service or feature that would be
567567 inconsistent with the best interest of children reasonably likely to
568568 access the online product, service or feature;
569569 3. Whether the design of the online product, service or feature
570570 is reasonably expected to allow children to be party to or exploited
571571 by a contract on the online product, service or feature;
572572 4. Whether algorithms used by the online product, service or
573573 feature would be inconsistent with the best interest of children
574574 reasonably likely to access the online product, service or feature;
575575 5. Whether targeted advertising systems used by the online
576576 product, service or feature would be inconsistent with the best
577577 interest of children reasonably likely to access the online product,
578578 service or feature;
579579
580580 Req. No. 10700 Page 12 1
581581 2
582582 3
583583 4
584584 5
585585 6
586586 7
587587 8
588588 9
589589 10
590590 11
591591 12
592592 13
593593 14
594594 15
595595 16
596596 17
597597 18
598598 19
599599 20
600600 21
601601 22
602602 23
603603 24
604604
605605 6. Whether the online product, service or feature uses system
606606 design features to increase, sustain or extend the use of t he online
607607 product, service or feature by children, including the automatic
608608 playing of media, rewards for time spent and notifications, that
609609 would be inconsistent with the best interest of children reasonably
610610 likely to access the online product, service or feature; and
611611 7. Whether, how and for what purpose the online product,
612612 service or feature collects or processes sensitive personal data of
613613 children and whether those practices would be inconsistent with the
614614 best interest of children reasonably likely to ac cess the online
615615 product, service or feature.
616616 C. When a covered entity identif ies an online product, service
617617 or feature reasonably likely to be accessed by children that may be
618618 inconsistent with the best interest of children, the covered entity
619619 shall include in a data protection impact assessment a detailed plan
620620 describing the steps the covered entity has taken and will take to
621621 ensure that the online product, service or feature will be
622622 consistent with the best interest of children.
623623 D. A data protection imp act assessment is protected as
624624 confidential and shall be exempt from public di sclosure, including
625625 pursuant to the Oklahoma Open Records Act.
626626 E. To the extent any information contained in a data protection
627627 impact assessment disclosed to the Attorney General includes
628628 information subject to attorney -client privilege or work product
629629
630630 Req. No. 10700 Page 13 1
631631 2
632632 3
633633 4
634634 5
635635 6
636636 7
637637 8
638638 9
639639 10
640640 11
641641 12
642642 13
643643 14
644644 15
645645 16
646646 17
647647 18
648648 19
649649 20
650650 21
651651 22
652652 23
653653 24
654654
655655 protection, disclosure pursuant to subsection A of this section
656656 shall not constitute a waiver of that privilege or protection.
657657 F. A data protection impact assessment conducted by a covered
658658 entity for the purpose of compliance with any other law complies
659659 with this section if the data protection impact assessment meets the
660660 requirements of this act.
661661 G. A single data protection impact assessment may contain
662662 multiple similar processing operations that present similar risks
663663 only if each relevant online product, service or feature is
664664 addressed.
665665 H. A covered entity shall complete a data protection impact
666666 assessment on or before January 1, 2026 , for any online product,
667667 service or feature t hat is reasonably likely to be accessed by
668668 children after December 31, 2025.
669669 SECTION 3. NEW LAW A new section of law to be codified
670670 in the Oklahoma Statutes as Section 8003 of Title 10, unless there
671671 is created a duplication in numbe ring, reads as follows:
672672 A covered entity that provides an online product, service or
673673 feature that is reasonably likely to be accessed shall not:
674674 A. Process the personal data of a child in a way that the
675675 covered entity knows, or has reason to know, is inco nsistent with
676676 the best interest of children reasonably likely to access the on line
677677 product, service or feature.
678678 B. Profile a child by default unless:
679679
680680 Req. No. 10700 Page 14 1
681681 2
682682 3
683683 4
684684 5
685685 6
686686 7
687687 8
688688 9
689689 10
690690 11
691691 12
692692 13
693693 14
694694 15
695695 16
696696 17
697697 18
698698 19
699699 20
700700 21
701701 22
702702 23
703703 24
704704
705705 1. The covered entity can demonstrate that the covered entity
706706 has appropriate safeguards in place to ens ure that profiling is
707707 consistent with the best interest of children reasonably likely to
708708 access the online product, service or feature; and
709709 2. Profiling is necessary to provide the online product,
710710 service or feature requested, and only with respect to the aspects
711711 of the online product, service or feature with which the child is
712712 actively and knowingly engaged; or
713713 3. The covered entity can demonstrate a compelling reason that
714714 profiling is in the best interest of children.
715715 C. Process any personal data that is not necessary to provide
716716 an online product, service or feature with which a child is actively
717717 and knowingly engaged.
718718 D. If the end user is a child, process personal data for any
719719 reason other than a reason for which that personal data was
720720 collected.
721721 E. Process any precise geolocation information of children by
722722 default unless the collection of that precise geolocation
723723 information is strictly necessary for the covered entity to provide
724724 the online product, service or feature requested and then only for
725725 the limited time that the collection of precise geolocation
726726 information is necessary to provide the online product, service or
727727 feature.
728728
729729 Req. No. 10700 Page 15 1
730730 2
731731 3
732732 4
733733 5
734734 6
735735 7
736736 8
737737 9
738738 10
739739 11
740740 12
741741 13
742742 14
743743 15
744744 16
745745 17
746746 18
747747 19
748748 20
749749 21
750750 22
751751 23
752752 24
753753
754754 F. Process any precise geolocation information of a child
755755 without providing an obvious sign to the child for the duration of
756756 that collection that precise geolocation information is being
757757 collected.
758758 G. Use dark patterns to cause children to provide personal data
759759 beyond what is reasonably expected to provide that online product,
760760 service or feature, to forego privacy protection s or to take any
761761 action that the covered entity knows, or has reason to know, is not
762762 in the best interest of children reasonably likely to access the
763763 online product, service or feature.
764764 H. Process any personal data that is not reasonably necessary
765765 to provide an online product, service or feature with which a child
766766 is actively and knowingly engaged to reasonably estimate age.
767767 I. Allow a child's parent, guardian or any other consumer to
768768 monitor the child's online activity or track the child 's location
769769 without providing an obvious signal to the child when the child is
770770 being monitored or tracked.
771771 SECTION 4. NEW LAW A new section of law to be codified
772772 in the Oklahoma Statutes as Section 8004 of Title 10, unless there
773773 is created a duplica tion in numbering, reads as follows:
774774 A. A covered entity that violates this act shall be:
775775 1. Subject to injunctive relief to cease or correct the
776776 violation;
777777
778778 Req. No. 10700 Page 16 1
779779 2
780780 3
781781 4
782782 5
783783 6
784784 7
785785 8
786786 9
787787 10
788788 11
789789 12
790790 13
791791 14
792792 15
793793 16
794794 17
795795 18
796796 19
797797 20
798798 21
799799 22
800800 23
801801 24
802802
803803 2. Liable for a civil penalty of not more than Two Thousand
804804 Five Hundred Dollars ($2,500.00) per affected child for each
805805 negligent violation; and
806806 3. Liable for a civil penalty of not more than Seven Thousand
807807 Five Hundred Dollars ($7,500.00) per affected child for each
808808 intentional violation.
809809 B. Enforcement actions pursuant to subsection A of this section
810810 shall only be initiated by the Attorney General.
811811 C. If a covered entity is in substantial compliance with the
812812 requirements of Sections 3 through 5 of this act, the Attorney
813813 General shall provide written notice to the covered entity, before
814814 initiating an action pursuant to subsection A of this section,
815815 identifying the specific provisions of that act that the Attorney
816816 General alleges have been or are being violated.
817817 D. If a covered entity in compliance with subsection H of this
818818 section cures the alleged violations identified in a notice pursuant
819819 to subsection C of this section and provides the Attorney General a
820820 written statement that the alleged violations have been cured and
821821 sufficient measures have been taken to prevent future violations,
822822 the covered entity shall not be liable for a civil penalty for any
823823 violation cured pursuant to this subsection.
824824 E. Nothing in this act shall be interpreted to serve as the
825825 basis for a private right of action under this act or any other law.
826826
827827 Req. No. 10700 Page 17 1
828828 2
829829 3
830830 4
831831 5
832832 6
833833 7
834834 8
835835 9
836836 10
837837 11
838838 12
839839 13
840840 14
841841 15
842842 16
843843 17
844844 18
845845 19
846846 20
847847 21
848848 22
849849 23
850850 24
851851
852852 SECTION 5. NEW LAW A new section of law to be codified
853853 in the Oklahoma Statute s as Section 8005 of Title 10, unless there
854854 is created a duplication in numbering, reads as follows:
855855 This act shall not apply to:
856856 A. Protected health information that is collect ed by a covered
857857 entity associate governed by the privacy, security and breach
858858 notification rules issued by the United States Department of Health
859859 and Human Services, Parts 160 and 164 of Title 45 of the Code of
860860 Federal Regulations, established pursuant to the federal Health
861861 Insurance Portability and Accountability Act of 1996.
862862 B. A covered entity governed by the privacy, security and
863863 breach notification rules issued by the United States Department of
864864 Health and Human Services, Parts 160 and 164 of Title 45 of the Code
865865 of Federal Regulations, established pursuant to the federal Health
866866 Insurance Portability and Accountability Act of 1996, to the extent
867867 the provider or covered entity maintains patient information in the
868868 same manner as medical information or pr otected health information
869869 as described in subsection A of this section.
870870 C. Information collected as part of a clinical trial subject to
871871 the federal policy for the protection of human subjects, also known
872872 as the common rule, pursuant to good clinical prac tice guidelines
873873 issued by the International Council for Harmonization of Technical
874874 Requirements for Pharmaceuticals for Human Use or pursuant to human
875875
876876 Req. No. 10700 Page 18 1
877877 2
878878 3
879879 4
880880 5
881881 6
882882 7
883883 8
884884 9
885885 10
886886 11
887887 12
888888 13
889889 14
890890 15
891891 16
892892 17
893893 18
894894 19
895895 20
896896 21
897897 22
898898 23
899899 24
900900
901901 subject protection requirements of the United States Food and Drug
902902 Administration.
903903 D. A telecommunications service as defined in 47 U.S.C. Section
904904 153.
905905 E. The delivery or use of a p hysical product.
906906 SECTION 6. NEW LAW A new section of law to be codified
907907 in the Oklahoma Statutes as Section 8006 of Title 10, unless there
908908 is created a duplication in numbering, reads as follows:
909909 Nothing in this act shall be interpreted or construed to:
910910 A. Impose liability in a manner that is inconsistent with 47
911911 U.S.C., Section 230.
912912 B. Prevent or preclude a child from deliberately or
913913 independently search ing for, or specifically requesting, content.
914914 C. Require a covered entity to restrict access to online
915915 products, services, or features based solely on age.
916916 SECTION 7. NEW LAW A new section of law to be codified
917917 in the Oklahoma Stat utes as Section 8007 of Title 10, unless there
918918 is created a duplication in numbering, reads as follows:
919919 A. This act shall apply to covered entities in Oklahoma or
920920 persons that provide online products, services, or features that are
921921 targeted to residents o f this state and that during the preceding
922922 calendar year:
923923 1. Controlled or processed the personal data of not fewer than
924924 one hundred thousand (100,000) consumers, excluding personal data
925925
926926 Req. No. 10700 Page 19 1
927927 2
928928 3
929929 4
930930 5
931931 6
932932 7
933933 8
934934 9
935935 10
936936 11
937937 12
938938 13
939939 14
940940 15
941941 16
942942 17
943943 18
944944 19
945945 20
946946 21
947947 22
948948 23
949949 24
950950
951951 controlled or processed solely for the purpose of completing a
952952 payment transaction; or
953953 2. Controlled or processed the personal data of not fewer than
954954 twenty-five thousand (25,000) consumers and derived more than
955955 twenty-five percent (25%) of the covered entity 's gross revenue from
956956 the sale of personal data.
957957 B. This act does not apply to an online product, service, or
958958 feature that is not accessible by the public after December 31,
959959 2025.
960960 SECTION 8. This act shall become effective November 1, 2025.
961961
962962 60-1-10700 MJ 01/14/25