Req. No. 10700

STATE OF OKLAHOMA

1st Session of the 60th Legislature (2025)

HOUSE BILL 1762 By: Kerbs

AS INTRODUCED

An Act relating to children; providing definitions; directing covered entities to complete and review impact assessments; requiring covered entities to provide impact assessments to Attorney General; requiring certain default privacy settings; directing covered entities to publicly provide certain information in clear language suited to age of children accessing product; requiring entity provide certain tools; providing information required for data protection impact assessment; requiring covered entity act in best interest of children; clarifying data protection impact assessments are confidential and not subject to public disclosure; clarifying certain information disclosed does not waive privilege or protection; permitting assessments that complies with other law; permitting single data protection impact assessment for similar processing operations; requiring first impact assessment by certain date; prohibiting covered entities from processing personal data of a child in way that is inconsistent with best interest of child; prohibiting covered entities from profiling a child unless listed exception applies; prohibiting covered entities from processing personal data of child that is not necessary to provide online product; prohibiting processing certain personal data for purposes other than reason collected; prohibiting the processing of certain geolocation information of children; prohibiting covered entities from using dark patterns for certain purpose; requiring covered entity signal a child when being monitored or tracked; providing penalties for a covered entity that violates this act; permitting only Attorney General to initiate enforcement actions; directing Attorney General provide notice to covered entities in substantial compliance; directing covered entities notify Attorney General when certain violations are cured; clarifying Act does not serve as basis for private right of action; providing list of entities this act does not apply to; clarifying Act does not impose certain liability; clarifying Act does not prevent or preclude a child from deliberately searching for content; clarifying Act does not require covered entity to restrict access to online products based solely on age; clarifying Act applies to certain covered entities; clarifying that Act does not apply to online products, services, or features not accessible by public after certain date; providing for codification; and providing an effective date.

BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:

SECTION 1. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 8001 of Title 10, unless there is created a duplication in numbering, reads as follows:

As used in this act:

1. "Affiliate" means a legal entity that controls, is controlled by or is under common control with another legal entity;

2. "Age-appropriate" means a recognition of the distinct needs and diversities of children in the following age ranges:
a. up to five (5) years of age,
b. six (6) to nine (9) years of age,
c. ten (10) to twelve (12) years of age,
d. thirteen (13) to fifteen (15) years of age, and
e. sixteen (16) to seventeen (17) years of age;

3. "Best interest of children" means the use, by a covered entity, of the personal data of a child or the design of an online product, service or feature in a way that:
a. will not benefit the covered entity to the detriment of the child, and
b. will not result in:
(1) reasonably foreseeable and material physical or financial harm to the child,
(2) reasonably foreseeable and severe psychological or emotional harm to the child,
(3) a highly offensive intrusion on the reasonable privacy expectations of the child, or
(4) discrimination against the child based upon race, color, religion, national origin, disability, sex or sexual orientation;

4. "Child" means a consumer who is under eighteen (18) years of age;

5. "Collect" means buying, renting, gathering, obtaining, receiving or accessing personal data pertaining to a consumer by any means, including receiving personal data from the consumer, either actively or passively, or by observing the consumer's behavior;

6. "Common branding" means a shared name, service mark or trademark that the average consumer would understand that two or more entities commonly own;

7. "Consumer" means a natural person who resides in Oklahoma, however identified, including by a unique identifier;

8. "Control" or "controlled" means:
a. ownership of or the power to vote more than fifty percent (50%) of the outstanding shares of any class of voting security of a covered entity,
b. control in any manner over the election of a majority of the directors or of individuals exercising similar functions of a covered entity, or
c. the power to exercise a controlling influence over the management of a covered entity;

9. "Covered entity" means a sole proprietorship, partnership, limited liability company, corporation, association, affiliate, or other legal entity that is organized or operated for the profit or financial benefit of the entity's shareholders or other owners and that offers online products, services or features to individuals in Oklahoma and processes children's personal data;

10. "Dark pattern" means a user interface designed or manipulated with the purpose of subverting or impairing user autonomy, decision making, or choice;

11. "Data protection impact assessment" means a systematic survey to assess compliance with the duty to act in the best interest of children;

12. "Default" means a preselected option adopted by a covered entity for an online product, service, or feature;

13. "De-identified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, if a covered entity that possesses that information:
a. takes reasonable measures to ensure that such information cannot be associated with an individual,
b. publicly commits to process such information only in a de-identified fashion and not attempt to re-identify such information, and
c. contractually obligates any recipients of such information to satisfy the criteria set forth in this subsection;

14. "Derived data" means data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions or conclusions from facts, evidence, or another source of information or data about a child or a child's device;

15. "Personal data" means any information, including derived data, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual. Personal data does not include de-identified information or publicly available information;

16. "Precise geolocation" means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand eight hundred (1,800) feet;

17. "Process" or "processing" means conduct or an operation performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, modification or other handling of personal data;

18. "Profiling" means automated processing of personal data that uses personal data to evaluate certain aspects relating to a natural person, including analyzing or predicting aspects concerning a natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Profiling does not include the processing of data that does not result in an assessment or judgment about a natural person;

19. "Reasonably likely to be accessed" means an online product, service or feature is accessed or is reasonably likely to be accessed by children based on any of the following indicators:
a. the online product, service or feature is directed to children as defined by the federal Children's Online Privacy Protection Act of 1998,
b. the online product, service or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children,
c. the online product, service or feature has advertisements marketed to children,
d. the online product, service or feature is substantially similar or the same as an online product, service or feature subject to subparagraph b of this paragraph,
e. a significant amount of the audience of the online product, service or feature is determined, based on internal company research, to be children, or
f. the covered entity knew or should have known that a user is a child;

20. "Sell" means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer's personal data by a covered entity to a third party for monetary or other valuable consideration. Sell does not include:
a. the disclosure of personal data to a third party who processes the personal data on behalf of the covered entity,
b. the disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing an online product, service or feature requested by the consumer,
c. the disclosure or transfer of personal data to an affiliate of the covered entity,
d. the disclosure of data that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience, or
e. the disclosure or transfer of personal data to a third party as an asset that is part of the completed or proposed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the covered entity's assets;

21. "Sensitive personal data" means personal data that includes:
a. data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status,
b. the processing of genetic or biometric data for the purpose of uniquely identifying an individual, or
c. precise geolocation data;

22. "Share" means sharing, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer's personal data by a covered entity to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a covered entity and a third party for cross-context behavioral advertising for the benefit of a covered entity in which no money is exchanged; and

23. "Third party" means a person other than the consumer of the covered entity.

SECTION 2. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 8002 of Title 10, unless there is created a duplication in numbering, reads as follows:

A. A covered entity shall:

1. Complete a data protection impact assessment for any online product, service or feature that is reasonably likely to be accessed and maintain documentation of the data protection impact assessment as long as the online product, service or feature is reasonably likely to be accessed;

2. Review all data protection impact assessments as necessary to account for material changes to data processing pertaining to the online product, service or feature;

3. Within five (5) business days of a written request by the Attorney General, provide to the Attorney General a list of all data protection impact assessments the covered entity has completed;

4. Within seven (7) business days of a written request by the Attorney General, provide a data protection impact assessment to the Attorney General pursuant to such a request; provided that the Attorney General may, in the Attorney General's discretion, extend the time allowed for a covered entity to produce a data protection impact assessment;

5. Configure all default privacy settings provided to children by the online product, service or feature to settings that offer a high level of privacy, unless the covered entity can demonstrate a compelling reason that a different setting is in the best interest of children;

6. Publicly provide privacy information, terms of service, policies and community standards in a prominent, precise manner and use clear language suited to the age of children reasonably likely to access that online product, service or feature; and

7. Publicly provide prominent, accessible and responsive tools to help a child or, if applicable, the child's parent or guardian, exercise the child's privacy rights and report concerns.

B. The data protection impact assessment required by this section shall identify the purpose of an online product, service or feature and how the online product, service or feature uses children's personal data and determine whether the online product, service or feature is designed and offered in an age-appropriate manner consistent with the best interest of children who are accessing or reasonably likely to access the online product, service or feature by examining at least the following:

1. Whether the design of the online product, service or feature could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts on the online product, service or feature that would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature;

2. Whether the design of the online product, service or feature could permit children to witness, participate in or be subject to conduct on the online product, service or feature that would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature;

3. Whether the design of the online product, service or feature is reasonably expected to allow children to be party to or exploited by a contract on the online product, service or feature;

4. Whether algorithms used by the online product, service or feature would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature;

5. Whether targeted advertising systems used by the online product, service or feature would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature;

6. Whether the online product, service or feature uses system design features to increase, sustain or extend the use of the online product, service or feature by children, including the automatic playing of media, rewards for time spent and notifications, that would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature; and

7. Whether, how and for what purpose the online product, service or feature collects or processes sensitive personal data of children and whether those practices would be inconsistent with the best interest of children reasonably likely to access the online product, service or feature.

C. When a covered entity identifies an online product, service or feature reasonably likely to be accessed by children that may be inconsistent with the best interest of children, the covered entity shall include in a data protection impact assessment a detailed plan describing the steps the covered entity has taken and will take to ensure that the online product, service or feature will be consistent with the best interest of children.

D. A data protection impact assessment is protected as confidential and shall be exempt from public disclosure, including pursuant to the Oklahoma Open Records Act.

E. To the extent any information contained in a data protection impact assessment disclosed to the Attorney General includes information subject to attorney-client privilege or work product protection, disclosure pursuant to subsection A of this section shall not constitute a waiver of that privilege or protection.

F. A data protection impact assessment conducted by a covered entity for the purpose of compliance with any other law complies with this section if the data protection impact assessment meets the requirements of this act.

G. A single data protection impact assessment may contain multiple similar processing operations that present similar risks only if each relevant online product, service or feature is addressed.

H. A covered entity shall complete a data protection impact assessment on or before January 1, 2026, for any online product, service or feature that is reasonably likely to be accessed by children after December 31, 2025.

SECTION 3. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 8003 of Title 10, unless there is created a duplication in numbering, reads as follows:

A covered entity that provides an online product, service or feature that is reasonably likely to be accessed shall not:

A. Process the personal data of a child in a way that the covered entity knows, or has reason to know, is inconsistent with the best interest of children reasonably likely to access the online product, service or feature.

B. Profile a child by default unless:

1. The covered entity can demonstrate that the covered entity has appropriate safeguards in place to ensure that profiling is consistent with the best interest of children reasonably likely to access the online product, service or feature; and

2. Profiling is necessary to provide the online product, service or feature requested, and only with respect to the aspects of the online product, service or feature with which the child is actively and knowingly engaged; or

3. The covered entity can demonstrate a compelling reason that profiling is in the best interest of children.

C. Process any personal data that is not necessary to provide an online product, service or feature with which a child is actively and knowingly engaged.

D. If the end user is a child, process personal data for any reason other than a reason for which that personal data was collected.

E. Process any precise geolocation information of children by default unless the collection of that precise geolocation information is strictly necessary for the covered entity to provide the online product, service or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the online product, service or feature.

F. Process any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.

G. Use dark patterns to cause children to provide personal data beyond what is reasonably expected to provide that online product, service or feature, to forego privacy protections or to take any action that the covered entity knows, or has reason to know, is not in the best interest of children reasonably likely to access the online product, service or feature.

H. Process any personal data that is not reasonably necessary to provide an online product, service or feature with which a child is actively and knowingly engaged to reasonably estimate age.

I. Allow a child's parent, guardian or any other consumer to monitor the child's online activity or track the child's location without providing an obvious signal to the child when the child is being monitored or tracked.

SECTION 4. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 8004 of Title 10, unless there is created a duplication in numbering, reads as follows:

A. A covered entity that violates this act shall be:

1. Subject to injunctive relief to cease or correct the violation;

2. Liable for a civil penalty of not more than Two Thousand Five Hundred Dollars ($2,500.00) per affected child for each negligent violation; and

3. Liable for a civil penalty of not more than Seven Thousand Five Hundred Dollars ($7,500.00) per affected child for each intentional violation.

B. Enforcement actions pursuant to subsection A of this section shall only be initiated by the Attorney General.

C. If a covered entity is in substantial compliance with the requirements of Sections 3 through 5 of this act, the Attorney General shall provide written notice to the covered entity, before initiating an action pursuant to subsection A of this section, identifying the specific provisions of that act that the Attorney General alleges have been or are being violated.

D. If a covered entity in compliance with subsection H of this section cures the alleged violations identified in a notice pursuant to subsection C of this section and provides the Attorney General a written statement that the alleged violations have been cured and sufficient measures have been taken to prevent future violations, the covered entity shall not be liable for a civil penalty for any violation cured pursuant to this subsection.

E. Nothing in this act shall be interpreted to serve as the basis for a private right of action under this act or any other law.

SECTION 5. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 8005 of Title 10, unless there is created a duplication in numbering, reads as follows:

This act shall not apply to:

A. Protected health information that is collected by a covered entity associate governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996.

B. A covered entity governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subsection A of this section.

C. Information collected as part of a clinical trial subject to the federal policy for the protection of human subjects, also known as the common rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use or pursuant to human subject protection requirements of the United States Food and Drug Administration.

D. A telecommunications service as defined in 47 U.S.C. Section 153.

E. The delivery or use of a physical product.

SECTION 6. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 8006 of Title 10, unless there is created a duplication in numbering, reads as follows:

Nothing in this act shall be interpreted or construed to:

A. Impose liability in a manner that is inconsistent with 47 U.S.C., Section 230.

B. Prevent or preclude a child from deliberately or independently searching for, or specifically requesting, content.

C. Require a covered entity to restrict access to online products, services, or features based solely on age.

SECTION 7. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 8007 of Title 10, unless there is created a duplication in numbering, reads as follows:

A. This act shall apply to covered entities in Oklahoma or persons that provide online products, services, or features that are targeted to residents of this state and that during the preceding calendar year:

1. Controlled or processed the personal data of not fewer than one hundred thousand (100,000) consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

2. Controlled or processed the personal data of not fewer than twenty-five thousand (25,000) consumers and derived more than twenty-five percent (25%) of the covered entity's gross revenue from the sale of personal data.

B. This act does not apply to an online product, service, or feature that is not accessible by the public after December 31, 2025.

SECTION 8. This act shall become effective November 1, 2025.

60-1-10700 MJ 01/14/25