Oklahoma 2025 Regular Session

Oklahoma Senate Bill SB546 Compare Versions

Old New Differences
11
22
3-ENGR. S. B. NO. 546 Page 1 1
4-2
5-3
6-4
7-5
8-6
9-7
10-8
11-9
12-10
13-11
14-12
15-13
16-14
17-15
18-16
19-17
20-18
21-19
22-20
23-21
24-22
25-23
26-24
27-
28-ENGROSSED SENATE
29-BILL NO. 546 By: Howard of the Senate
30-
31- and
32-
33- West (Josh) of the House
34-
35-
36-
37-
38-[ data privacy - consumer rights - consumer requests
39-- appeal process - exceptions - privacy notice -
40-disclosures - contracts - data protection assessments
41-- action - penalties - fees and expenses -
42-evidentiary privileges - liability - codification -
43-effective date ]
3+SENATE FLOOR VERSION - SB546 SFLR Page 1
4+(Bold face denotes Committee Amendments) 1
5+2
6+3
7+4
8+5
9+6
10+7
11+8
12+9
13+10
14+11
15+12
16+13
17+14
18+15
19+16
20+17
21+18
22+19
23+20
24+21
25+22
26+23
27+24
28+
29+SENATE FLOOR VERSION
30+February 13, 2025
31+AS AMENDED
32+
33+SENATE BILL NO. 546 By: Howard
34+
35+
36+
37+
38+
39+An Act relating to data privacy; defining terms;
40+establishing consumer rights for processing of
41+certain data; requiring compliance with certain
42+consumer requests; establ ishing procedures for
43+response to certain consumer requests; requiring
44+establishment of certain appeal process; prohibiting
45+certain contractual provisions; requiring
46+establishment of methods for submission of certain
47+consumer requests; establishing duties of controller;
48+prohibiting controller from taking certain actions;
49+providing exceptions ; requiring privacy notice;
50+specifying required contents in privacy notice;
51+requiring certain disclosures; establishing duties of
52+processor; establishing requirements fo r certain
53+contracts; authorizing use of independent assessor
54+under certain circumstances; requiring data
55+protection assessments under certain circumstances;
56+establishing requirements for data protection
57+assessments; requiring availability of data
58+protection assessments to Attorney General upon
59+request; providing for confidentiality of data
60+protection assessments; specifying applicability of
61+requirements for data protection assessments;
62+requiring controller in possession of certain data to
63+take certain actions; providing enforcement authority
64+to the Attorney General; requiring posting of certain
65+information on Attorney General website; requiring
66+notice of certain action; requiring certain period to
67+cure violations before bringing certain action;
68+providing penalties for certain violations;
69+authorizing award of certain fees and expenses;
70+providing for applicability of provisions; providing
71+exceptions to applicability of provisions; exempting
72+certain information; providing for compliance under
73+certain circumstances; construing provisions;
74+authorizing processing of personal data for certain
75+purposes; prohibiting violation of evidentiary
76+
77+SENATE FLOOR VERSION - SB546 SFLR Page 2
78+(Bold face denotes Committee Amendments) 1
79+2
80+3
81+4
82+5
83+6
84+7
85+8
86+9
87+10
88+11
89+12
90+13
91+14
92+15
93+16
94+17
95+18
96+19
97+20
98+21
99+22
100+23
101+24
102+
103+privileges; clarifying certain liability; limiting
104+authorized purposes for processing of certain data;
105+providing for codification; and providing an
106+effective date.
44107
45108
46109
47110
48111 BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
49112 SECTION 1. NEW LAW A new section of law to be codified
50113 in the Oklahoma Statutes as Section 300 of Title 75A, unless there
51114 is created a duplication in numbering, reads as follows:
52115 As used in this act:
53116 1. “Affiliate” means a legal entity that controls, is
54117 controlled by, or is under common control with another legal entity
55118 or shares common branding with another legal entity. For purposes
56119 of this paragraph, “control” or “controlled” means the:
57120 a. ownership of, or power to vote, more than fifty
58121 percent (50%) of the outstanding shares of any class
59122 of voting securities of a company,
60-
61-ENGR. S. B. NO. 546 Page 2 1
62-2
63-3
64-4
65-5
66-6
67-7
68-8
69-9
70-10
71-11
72-12
73-13
74-14
75-15
76-16
77-17
78-18
79-19
80-20
81-21
82-22
83-23
84-24
85-
86123 b. control in any manner over the election of a majority
87124 of the directors or of individuals exercising similar
88125 functions, or
89126 c. power to exercise controlling influence over the
90127 management of a company;
91128 2. “Authenticate” means to verify through reasonable means that
92129 the consumer who is entitled to exercise the consumer ’s rights under
130+
131+SENATE FLOOR VERSION - SB546 SFLR Page 3
132+(Bold face denotes Committee Amendments) 1
133+2
134+3
135+4
136+5
137+6
138+7
139+8
140+9
141+10
142+11
143+12
144+13
145+14
146+15
147+16
148+17
149+18
150+19
151+20
152+21
153+22
154+23
155+24
156+
93157 this act is the same consumer exercising such consumer rights with
94158 respect to the personal data at issue;
95159 3. “Biometric data” means data generated by automatic
96160 measurements of an individual ’s biological characteristics that is
97161 used to identify a specific individual. The term includes, but is
98162 not limited to, a fingerprint, voiceprint, eye retina or iris, or
99163 other unique biological pattern or characteristic. The term does
100164 not include a physical or digital photograph, a video or audio
101165 recording, or data generated from a physic al or digital photograph
102166 or a video or audio recording unless such data is generated to
103167 identify a specific individual. The term does not include
104168 information collected, used, or stored for health care treatment,
105169 payment, or operations under the Health Insurance Portability and
106170 Accountability Act of 1996, 42 U.S.C. , Section 1320d et seq.;
107171 4. “Business associate” has the meaning assigned to the term
108172 under the Health Insurance Portability and Accountability Act of
109-
110-ENGR. S. B. NO. 546 Page 3 1
111-2
112-3
113-4
114-5
115-6
116-7
117-8
118-9
119-10
120-11
121-12
122-13
123-14
124-15
125-16
126-17
127-18
128-19
129-20
130-21
131-22
132-23
133-24
134-
135173 1996, 42 U.S.C., Section 1320d et seq. or any regulation adopted
136174 thereunder;
137175 5. “Child” means an individual younger than thirteen (13) years
138176 of age;
139-6. “Children’s Online Privacy Protect ion Act of 1998” means 15
140-U.S.C., Section 6501 et seq. and includes the regulations, rules,
141-guidance, and exemptions adopted pursuant to the act and any
142-subsequent amendments ;
143-7. “Consent”, when referring to a consumer, means a clear
177+6. “Consent”, when referring to a consumer, means a clear
144178 affirmative act signifying a consumer ’s freely given, spec ific,
145179 informed, and unambiguous agreement to process personal data
146180 relating to the consumer. The term includes, but is not limited to,
181+
182+SENATE FLOOR VERSION - SB546 SFLR Page 4
183+(Bold face denotes Committee Amendments) 1
184+2
185+3
186+4
187+5
188+6
189+7
190+8
191+9
192+10
193+11
194+12
195+13
196+14
197+15
198+16
199+17
200+18
201+19
202+20
203+21
204+22
205+23
206+24
207+
147208 a written statement, including a statement written by electronic
148209 means, or any other unambiguous affirmative action. Th e term does
149210 not include:
150211 a. acceptance of a general or broad terms of use or
151212 similar document that contains descriptions of
152213 personal data processing along with other, unrelated
153214 information,
154215 b. hovering over, muting, pausing, or closing a given
155216 piece of content, or
156217 c. agreement obtained through the use of dark patterns;
157-8. “Consumer” means an individual who is a resident of this
218+7. “Consumer” means an individual who is a resident of this
158219 state acting only in an individual or household context. The term
159-
160-ENGR. S. B. NO. 546 Page 4 1
161-2
162-3
163-4
164-5
165-6
166-7
167-8
168-9
169-10
170-11
171-12
172-13
173-14
174-15
175-16
176-17
177-18
178-19
179-20
180-21
181-22
182-23
183-24
184-
185220 does not include an individual acting in a commercial or employ ment
186221 context;
187-9. “Controller” means an individual or other person that, alone
222+8. “Controller” means an individual or other person that, alone
188223 or jointly with others, determines the purpose and means of
189224 processing personal data;
190-10. “Covered entity” has the meaning assigned to the term u nder
225+9. “Covered entity” has the meaning assigned to the term under
191226 the Health Insurance Portab ility and Accountability Act of 1996, 42
192227 U.S.C., Section 1320d et seq. or any regulation adopted thereunder ;
193-11. “Dark pattern” means a user interface designed or
228+10. “Dark pattern” means a user interface designed or
194229 manipulated with the effect of substantially subverting or impairing
195230 user autonomy, decision -making, or choice, and includes any practice
196231 the Federal Trade Commission refers to as a dark pattern;
197-12. “Decision that produces a legal or similarly significant
232+
233+SENATE FLOOR VERSION - SB546 SFLR Page 5
234+(Bold face denotes Committee Amendments) 1
235+2
236+3
237+4
238+5
239+6
240+7
241+8
242+9
243+10
244+11
245+12
246+13
247+14
248+15
249+16
250+17
251+18
252+19
253+20
254+21
255+22
256+23
257+24
258+
259+11. “Decision that produces a legal or similarly significant
198260 effect concerning a consumer ” means a decision made by the
199261 controller that results in the provision or denial by the controller
200262 of:
201263 a. financial and lending services,
202264 b. housing, insurance, or health care services,
203265 c. education enrollment,
204266 d. employment opportunities,
205267 e. criminal justice, or
206268 f. access to basic necessities such as food and water ;
207-
208-ENGR. S. B. NO. 546 Page 5 1
209-2
210-3
211-4
212-5
213-6
214-7
215-8
216-9
217-10
218-11
219-12
220-13
221-14
222-15
223-16
224-17
225-18
226-19
227-20
228-21
229-22
230-23
231-24
232-
233-13. “De-identified data” means data that cannot reasonably be
269+12. “De-identified data” means data that cannot reasonably be
234270 linked to an identified or identifiable individual or a device
235271 linked to the individual;
236-14. “Health care provider ” has the meaning assigned to the term
272+13. “Health care provider ” has the meaning assigned to the term
237273 under the Health Insurance Portabilit y and Accountability Act of
238274 1996, 42 U.S.C., Section 1320d et seq.;
239-15. “Health record” means any written, printed, or
275+14. “Health record” means any written, printed, or
240276 electronically recorded material maintained by a health care
241277 provider in the course of providing health care services to an
242278 individual that concerns the individual and t he services provided.
243279 The term includes:
244280 a. the substance of any communication made by an
245281 individual to a health care provider in confidence
282+
283+SENATE FLOOR VERSION - SB546 SFLR Page 6
284+(Bold face denotes Committee Amendments) 1
285+2
286+3
287+4
288+5
289+6
290+7
291+8
292+9
293+10
294+11
295+12
296+13
297+14
298+15
299+16
300+17
301+18
302+19
303+20
304+21
305+22
306+23
307+24
308+
246309 during or in connection with the provision of health
247310 care services, or
248311 b. information otherwise acquired by the health care
249312 provider about an individual in confidence and in
250313 connection with health care services provided to the
251314 individual;
252-16. “Identified or identifiable individual ” means a consumer
315+15. “Identified or identifiable individual ” means a consumer
253316 who can be readily identified, direc tly or indirectly;
254-17. “Institution of higher education ” means:
255-
256-ENGR. S. B. NO. 546 Page 6 1
257-2
258-3
259-4
260-5
261-6
262-7
263-8
264-9
265-10
266-11
267-12
268-13
269-14
270-15
271-16
272-17
273-18
274-19
275-20
276-21
277-22
278-23
279-24
280-
317+16. “Institution of higher education ” means:
281318 a. a public institution that is a member of The Oklahoma
282319 State System of Higher Education or a technology
283320 center school district , or
284321 b. a private institution of higher education;
285-18. “Nonprofit organization ” means:
322+17. “Nonprofit organization” means:
286323 a. a corporation organized under Title 18 of the Oklahoma
287324 Statutes to the extent applicable to nonprofit
288325 corporations,
289326 b. an organization exempt from federal taxation under
290327 Section 501(a), Internal Revenue Code of 1986, as
291328 amended, by being listed as an exempt org anization
292329 under Section 501(c)(3), 501(c)(6), or 501(c)(12) of
293330 that code,
294331 c. a political organization,
295332 d. an organization that is:
333+
334+SENATE FLOOR VERSION - SB546 SFLR Page 7
335+(Bold face denotes Committee Amendments) 1
336+2
337+3
338+4
339+5
340+6
341+7
342+8
343+9
344+10
345+11
346+12
347+13
348+14
349+15
350+16
351+17
352+18
353+19
354+20
355+21
356+22
357+23
358+24
359+
296360 (1) exempt from federal taxation under Section
297361 501(a), Internal Revenue Code of 1986, as
298362 amended, by being listed as an exempt
299363 organization under Section 501(c)(4) of that
300364 code, and
301365 (2) described by Section 363 of Title 36 of the
302366 Oklahoma Statutes, or
303-
304-ENGR. S. B. NO. 546 Page 7 1
305-2
306-3
307-4
308-5
309-6
310-7
311-8
312-9
313-10
314-11
315-12
316-13
317-14
318-15
319-16
320-17
321-18
322-19
323-20
324-21
325-22
326-23
327-24
328-
329367 e. a subsidiary or affiliate of an entity regulated under
330368 Section 151 et seq. of Title 17 of the Oklahoma
331369 Statutes;
332-19. “Personal data” means any information including sensitive
370+18. “Personal data” means any information including sensitive
333371 data that is linked or reasonably linkable to an identified or
334372 identifiable individual. The term includes pseudonymous data when
335373 the data is used by a controller or process or in conjunction with
336374 additional information that reasonably links the data to an
337375 identified or identifiable individual. The term does not include
338376 de-identified data or publicly available information;
339-20. “Political organization” means a party, committee,
377+19. “Political organization ” means a party, committe e,
340378 association, fund, or other or ganization, regardless of whether
341379 incorporated, that is organized and operated primarily for the
342380 purpose of influencing or attempting to influence:
343381 a. the selection, nomination, election, or appointment of
344382 an individual to a federal, state, or local public
345383 office or an office in a political organization,
384+
385+SENATE FLOOR VERSION - SB546 SFLR Page 8
386+(Bold face denotes Committee Amendments) 1
387+2
388+3
389+4
390+5
391+6
392+7
393+8
394+9
395+10
396+11
397+12
398+13
399+14
400+15
401+16
402+17
403+18
404+19
405+20
406+21
407+22
408+23
409+24
410+
346411 regardless of whether the individual is selected,
347412 nominated, elected, or appointed, or
348413 b. the election of a presidential/vice -presidential
349414 elector, regardless of whether the elector is
350415 selected, nominated, elected, or appointed;
351-21. “Precise geolocation data ” means information derived from
416+20. “Precise geolocation data ” means information derived from
352417 technology, including global positioning system level latitude and
353-
354-ENGR. S. B. NO. 546 Page 8 1
355-2
356-3
357-4
358-5
359-6
360-7
361-8
362-9
363-10
364-11
365-12
366-13
367-14
368-15
369-16
370-17
371-18
372-19
373-20
374-21
375-22
376-23
377-24
378-
379418 longitude coordinates or other mechanisms, that directly identifies
380419 the specific location of an individual with precision and accuracy
381420 within a radius of one thousand seven hundred fifty (1,750) feet.
382-The term does not include the content of communications nor does it
383-include any data generated by or connected to an advanced utility
384-metering infrastructure system or to equipment for use by a utility;
385-22. “Process” or “processing” means any operation or set of
421+The term does not include the content of communications or any data
422+generated by or connected to an advanced utility meterin g
423+infrastructure system or to equ ipment for use by a utility;
424+21. “Process” or “processing” means an operation or set of
386425 operations performed, whether by manual or automated means, on
387426 personal data or on sets of personal data, such as the collection,
388427 use, storage, disclosure, analysis, deletion, or modification of
389428 personal data;
390-23. “Processor” means a person who, or legal entity that,
391-processes personal data on behalf of a controller;
392-24. “Profiling” means any form of solely automated processing
429+22. “Processor” means a person who processes personal data on
430+behalf of a controller or a service provider under contract with the
431+processor;
432+23. “Profiling” means any form of so lely automated processing
393433 performed on personal data to evaluate, analyze, or predict personal
394434 aspects related to an identified or identifiable individual ’s
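Review bot: the new definition 22 of "Processor" is circular and narrower than the wording it replaces. It ends with "or a service provider under contract with the processor", which defines a processor by reference to the processor, and it drops "or legal entity that" from the old text, leaving only "a person". If the aim is to reach subcontractors, tie the service provider to the controller or define the subcontractor as its own term, and either restore the legal-entity language or confirm that "person" is meant to cover entities.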
435+
436+SENATE FLOOR VERSION - SB546 SFLR Page 9
437+(Bold face denotes Committee Amendments) 1
438+2
439+3
440+4
441+5
442+6
443+7
444+8
445+9
446+10
447+11
448+12
449+13
450+14
451+15
452+16
453+17
454+18
455+19
456+20
457+21
458+22
459+23
460+24
461+
395462 economic situation, health, personal preferences, interests,
396463 reliability, behavior, location, or mo vements;
397-25. “Protected health information ” has the meaning assigned to
464+24. “Protected health information ” has the meaning assigned to
398465 the term under the Health Insurance Portability and Accountability
399466 Act of 1996, 42 U.S.C. , Section 1320d et seq. or any regulation
400467 adopted thereunder;
401-26. “Pseudonymous data” means personal data that cannot be
468+25. “Pseudonymous data” means personal data that cannot be
402469 attributed to a specific individual without the use of additional
403-
404-ENGR. S. B. NO. 546 Page 9 1
405-2
406-3
407-4
408-5
409-6
410-7
411-8
412-9
413-10
414-11
415-12
416-13
417-14
418-15
419-16
420-17
421-18
422-19
423-20
424-21
425-22
426-23
427-24
428-
429470 information, provided that the additional information is kept
430471 separately and is subject to appropriate technical and
431472 organizational measures to ensure that the pe rsonal data is not
432473 attributed to an identified or identifiable individual;
433-27. “Publicly available information ” means information that is
474+26. “Publicly available information ” means information that is
434475 lawfully made available through government records, or information
435476 that a business has a reasonable basis to believe is lawfully made
436477 available to the general public through widely distributed media, by
437478 a consumer, or by a person to whom a consumer has disclosed the
438479 information, unless the consumer has restricted the information to a
439480 specific audience;
440-28. “Sale of personal data ” means the exchange of personal data
481+27. “Sale of personal data” means the exchange of personal data
441482 for monetary consideration by the controller to a third party. The
442483 term does not include the:
484+
485+SENATE FLOOR VERSION - SB546 SFLR Page 10
486+(Bold face denotes Committee Amendments) 1
487+2
488+3
489+4
490+5
491+6
492+7
493+8
494+9
495+10
496+11
497+12
498+13
499+14
500+15
501+16
502+17
503+18
504+19
505+20
506+21
507+22
508+23
509+24
510+
443511 a. disclosure of personal data to a processor that
444512 processes the personal data on the controller ’s
445513 behalf,
446514 b. disclosure of personal data to a thir d party for
447515 purposes of providing a product or service requested
448516 by the consumer,
449517 c. disclosure or transfer of personal data to an
450518 affiliate of the controller,
451519 d. disclosure of information or personal data that the
452520 consumer:
453-
454-ENGR. S. B. NO. 546 Page 10 1
455-2
456-3
457-4
458-5
459-6
460-7
461-8
462-9
463-10
464-11
465-12
466-13
467-14
468-15
469-16
470-17
471-18
472-19
473-20
474-21
475-22
476-23
477-24
478-
479521 (1) (a) intentionally made available to the general
480522 public through a mass media channel, and
481523 (b) did not restrict to a specific audience, or
482524 (2) directs the controller to disclose or
483525 intentionally uses the controller to interact
484526 with a third party, or
485527 e. disclosure or transfer of person al data to a third
486528 party as an asset that is part of a proposed or actual
487529 merger, acquisition, bankruptcy, or other transaction
488530 in which the third party assumes control of all or
489531 part of the controller ’s assets;
490-29. “Sensitive data” means a category of personal data. The
532+28. “Sensitive data” means a category of personal data. The
491533 term includes:
534+
535+SENATE FLOOR VERSION - SB546 SFLR Page 11
536+(Bold face denotes Committee Amendments) 1
537+2
538+3
539+4
540+5
541+6
542+7
543+8
544+9
545+10
546+11
547+12
548+13
549+14
550+15
551+16
552+17
553+18
554+19
555+20
556+21
557+22
558+23
559+24
560+
492561 a. personal data revealing racial or ethnic origin,
493562 religious beliefs, mental or physical health
494563 diagnosis, sexual orientation, or citizenship or
495564 immigration status,
496565 b. genetic or biometric data that is processed for the
497566 purpose of uniquely identifying an individual,
498567 c. personal data collected from a known child, or
499568 d. precise geolocation data;
500-30. “State agency” means a department, commission, board,
569+29. “State agency” means a department, commission, board,
501570 office, council, authority, or other age ncy in the executive branch
502571 of state government that is created by the constitution or a statute
503-
504-ENGR. S. B. NO. 546 Page 11 1
505-2
506-3
507-4
508-5
509-6
510-7
511-8
512-9
513-10
514-11
515-12
516-13
517-14
518-15
519-16
520-17
521-18
522-19
523-20
524-21
525-22
526-23
527-24
528-
529572 of this state, including a public university system or public
530573 institution of higher education;
531-31. “Targeted advertising ” means displaying to a consumer an
574+30. “Targeted advertising ” means displaying to a consumer an
532575 advertisement that is selected base d on personal data obtained from
533576 that consumer’s activities over time and across nonaffiliated
534577 websites or online applications to predict the consumer ’s
535578 preferences or interests. The term does not include:
536579 a. an advertisement that is:
537580 (1) based on activities within a controller ’s own
538581 websites or online applications,
539582 (2) based on the context of a consumer ’s current
540583 search query, visit to a website, or online
541584 application, or
585+
586+SENATE FLOOR VERSION - SB546 SFLR Page 12
587+(Bold face denotes Committee Amendments) 1
588+2
589+3
590+4
591+5
592+6
593+7
594+8
595+9
596+10
597+11
598+12
599+13
600+14
601+15
602+16
603+17
604+18
605+19
606+20
607+21
608+22
609+23
610+24
611+
542612 (3) directed to a consumer in response to the
543613 consumer’s request for information or feedback,
544614 or
545615 b. the processing of personal data solely for measuring
546616 or reporting advertising performance, reach, or
547617 frequency;
548-32. “Third party” means a person other than the consumer, the
549-controller, the processor, or an affiliate of the controller or
618+31. “Third party” means a person other than the consumer, the
619+controller, the processor, a ser vice provider under contract with
620+the controller or processor, or an affiliate of the controller or
550621 processor; and
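Review bot: "service provider", added to definition 31 of "Third party", is not among the terms defined in Section 1. Because definition 27 limits "sale of personal data" to an exchange with a third party, the new exclusion also narrows the sale opt-out in paragraph 5 of subsection B of Section 2, and how far it narrows it depends on an undefined term. Add a definition of "service provider" to Section 1, or reuse "processor", which is already defined.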
551-
552-ENGR. S. B. NO. 546 Page 12 1
553-2
554-3
555-4
556-5
557-6
558-7
559-8
560-9
561-10
562-11
563-12
564-13
565-14
566-15
567-16
568-17
569-18
570-19
571-20
572-21
573-22
574-23
575-24
576-
577-33. “Trade secret” means information incl uding a formula,
622+32. “Trade secret” means information including a formula,
578623 pattern, compilation, program, device, method, technique, or
579624 process, that:
580625 a. derives independent economic value, actual or
581626 potential, from not being generally known to, and not
582627 being readily ascertainable by proper means by, other
583628 persons who can obtain economic value from its
584629 disclosure or use, and
585630 b. is the subject of efforts that a re reasonable under
586631 the circumstances to maintain its secrecy.
587632 SECTION 2. NEW LAW A new section of law to be codified
588633 in the Oklahoma Statutes as Section 301 of Title 75A, unless there
589634 is created a duplication in numbering, reads as follows:
635+
636+SENATE FLOOR VERSION - SB546 SFLR Page 13
637+(Bold face denotes Committee Amendments) 1
638+2
639+3
640+4
641+5
642+6
643+7
644+8
645+9
646+10
647+11
648+12
649+13
650+14
651+15
652+16
653+17
654+18
655+19
656+20
657+21
658+22
659+23
660+24
661+
590662 A. A consumer is entitled to exercise the consumer rights
591663 authorized by this section at any time by submitting a request to a
592664 controller specifying the consumer rights the consumer wishes to
593665 exercise. With respect to the processing of personal data belonging
594666 to a known child, a parent or legal guardian of the child may
595667 exercise the consumer rights on behalf of the child.
596668 B. A controller shall comply with an authenticated consumer
597669 request to exercise the right to:
598670 1. Confirm whether a controlle r is processing the consumer ’s
599671 personal data and to access the personal data;
600-
601-ENGR. S. B. NO. 546 Page 13 1
602-2
603-3
604-4
605-5
606-6
607-7
608-8
609-9
610-10
611-11
612-12
613-13
614-14
615-15
616-16
617-17
618-18
619-19
620-20
621-21
622-22
623-23
624-24
625-
626672 2. Correct inaccuracies in the consumer ’s personal data,
627673 considering the nature of the personal data and the purposes of the
628674 processing of the consumer ’s personal data;
629675 3. Delete personal data provided by or obtained about the
630676 consumer;
631677 4. If the data is available in a digital format, obtain a copy
632678 of the consumer’s personal data that the consumer previously
633679 provided to the controller in a portable and, to the extent
634680 technically feasible, readily usable format that allows the consumer
635681 to transmit the data to another controller without hindrance, where
636682 the processing is carried out by automated means; or
637683 5. Opt out of the processing of the personal data for purposes
638684 of:
639685 a. targeted advertising,
686+
687+SENATE FLOOR VERSION - SB546 SFLR Page 14
688+(Bold face denotes Committee Amendments) 1
689+2
690+3
691+4
692+5
693+6
694+7
695+8
696+9
697+10
698+11
699+12
700+13
701+14
702+15
703+16
704+17
705+18
706+19
707+20
708+21
709+22
710+23
711+24
712+
640713 b. the sale of personal data, or
641714 c. profiling in furtherance of a decision that produces a
642715 legal or similarly significant effect concerning the
643716 consumer.
644717 SECTION 3. NEW LAW A new section of law to be codified
645718 in the Oklahoma Statutes as Section 302 of Title 75A, unless there
646719 is created a duplication in numbering, reads as follows:
647720 A. Except as otherwise provided by this act, a controller shall
648721 comply with a request submitted by a consumer to exercise the
649-
650-ENGR. S. B. NO. 546 Page 14 1
651-2
652-3
653-4
654-5
655-6
656-7
657-8
658-9
659-10
660-11
661-12
662-13
663-14
664-15
665-16
666-17
667-18
668-19
669-20
670-21
671-22
672-23
673-24
674-
675722 consumer’s rights pursuant to Section 2 of this act as provided by
676723 this section.
677724 B. A controller shall respond to the consumer request no later
678725 than forty-five (45) days after the date of receipt of the request.
679726 The controller may extend the response period once by an additional
680727 forty-five (45) days when reasonably necessary, considering the
681728 complexity and number of the consumer ’s requests. The controller
682729 shall inform the consumer of an extension within the initial forty-
683730 five-day response period and of the reason f or the extension.
684731 C. If a controller declines to take action regarding the
685732 consumer’s request, the controller shall inform the consumer no
686733 later than the forty -five (45) days after the date of receipt of the
687734 request of the justification for declining to t ake action and
688735 provide instructions on how to appeal the decision in accordance
689736 with Section 4 of this act.
737+
738+SENATE FLOOR VERSION - SB546 SFLR Page 15
739+(Bold face denotes Committee Amendments) 1
740+2
741+3
742+4
743+5
744+6
745+7
746+8
747+9
748+10
749+11
750+12
751+13
752+14
753+15
754+16
755+17
756+18
757+19
758+20
759+21
760+22
761+23
762+24
763+
690764 D. A controller shall provide information in response to a
691765 consumer request free of charge, up to twice annually per consumer.
692766 If a request from a consumer is manifestly unfounded, excessive, or
693767 repetitive, the controller may charge the consumer a reasonable fee
694768 to cover the administrative costs of complying with the request or
695769 may decline to act on the request. The controller shall bear the
696770 burden of demonstrating for purposes of this subsection that a
697771 request is manifestly unfounded, excessive, or repetitive.
698-
699-ENGR. S. B. NO. 546 Page 15 1
700-2
701-3
702-4
703-5
704-6
705-7
706-8
707-9
708-10
709-11
710-12
711-13
712-14
713-15
714-16
715-17
716-18
717-19
718-20
719-21
720-22
721-23
722-24
723-
724772 E. If a controller is unable to authenticate the request using
725773 commercially reasonable efforts, the controller shall not be
726774 required to comply with a consumer request submitted under Section 2
727775 of this act and may request that the consumer provide additional
728776 information reasonably necessary to authenticate the consumer and
729777 the consumer’s request.
730778 F. A controller that has obtained personal dat a about a
731779 consumer from a source other than the consumer shall be considered
732780 to be in compliance with a consumer ’s request to delete that
733781 personal data pursuant to paragraph 3 of subsection B of Section 2
734782 of this act by:
735783 1. Retaining a record of the delet ion request and the minimum
736784 data necessary for the purpose of ensuring the consumer ’s personal
737785 data remains deleted from the business ’s records and not using the
738786 retained data for any other purpose under this act; or
787+
788+SENATE FLOOR VERSION - SB546 SFLR Page 16
789+(Bold face denotes Committee Amendments) 1
790+2
791+3
792+4
793+5
794+6
795+7
796+8
797+9
798+10
799+11
800+12
801+13
802+14
803+15
804+16
805+17
806+18
807+19
808+20
809+21
810+22
811+23
812+24
813+
739814 2. Opting the consumer out of the proc essing of that personal
740815 data for any purpose other than a purpose that is exempt under this
741816 act.
742817 SECTION 4. NEW LAW A new section of law to be codified
743818 in the Oklahoma Statutes as Section 303 of Title 75A, unless there
744819 is created a duplication in numbering, reads as follows:
745820 A. A controller shall establish a process for a consumer to
746821 appeal the controller ’s refusal to take action on a request within a
747822 reasonable period of time after the consumer ’s receipt of the
748-
749-ENGR. S. B. NO. 546 Page 16 1
750-2
751-3
752-4
753-5
754-6
755-7
756-8
757-9
758-10
759-11
760-12
761-13
762-14
763-15
764-16
765-17
766-18
767-19
768-20
769-21
770-22
771-23
772-24
773-
774823 decision under subse ction C of Section 3 of this act. The appeal
775824 process shall be conspicuously available and similar to the process
776825 for initiating action to exercise consumer rights by submitting a
777826 request under Section 2 of this act.
778827 B. A controller shall inform the consu mer in writing of any
779828 action taken or not taken in response to an appeal under this
780829 section no later than sixty (60) days after the date of receipt of
781830 the appeal including a written explanation of the reason or reasons
782831 for the decision. If the controller denies an appeal, the
783832 controller shall provide the consumer with the online mechanism
784833 described by subsection B of Section 12 of this act through which
785834 the consumer may contact the Attorney General to submit a complaint.
786835 SECTION 5. NEW LAW A new section of law to be codified
787836 in the Oklahoma Statutes as Section 304 of Title 75A, unless there
788837 is created a duplication in numbering, reads as follows:
838+
839+SENATE FLOOR VERSION - SB546 SFLR Page 17
840+(Bold face denotes Committee Amendments) 1
841+2
842+3
843+4
844+5
845+6
846+7
847+8
848+9
849+10
850+11
851+12
852+13
853+14
854+15
855+16
856+17
857+18
858+19
859+20
860+21
861+22
862+23
863+24
864+
789865 Any provision of a contract or agreement that waives or limits a
790866 consumer right describe d by Section 2, 3, or 4 of this a ct shall be
791867 deemed to be contrary to public policy and shall be void and
792868 unenforceable.
793869 SECTION 6. NEW LAW A new section of law to be codified
794870 in the Oklahoma Statutes as Section 305 of Title 75A, unless there
795871 is created a duplication in numbering, reads as follows:
796-
797-ENGR. S. B. NO. 546 Page 17 1
798-2
799-3
800-4
801-5
802-6
803-7
804-8
805-9
806-10
807-11
808-12
809-13
810-14
811-15
812-16
813-17
814-18
815-19
816-20
817-21
818-22
819-23
820-24
821-
822-A. A controller shall establish two or more secure and reliable
872+A controller shall establish two or more secure and reliable
823873 methods to enable consumers to submit a request to exercise their
824874 consumer rights under this act. The methods shall consider:
825875 1. The ways in which consumers n ormally interact with the
826876 controller;
827877 2. The necessity for secure and reliable communications of
828878 those requests; and
829879 3. The ability of the controller to authenticate the identity
830880 of the consumer making the request.
831881 B. A controller shall not require a consumer to create a new
832882 account to exercise the consumer ’s rights under this act but may
833883 require a consumer to use an existing account.
834884 C. Except as provided by subsection D of this section, if the
835885 controller maintains an I nternet website, the controller s hall
836886 provide a mechanism on the website for consumers to submit requests
837887 for information required to be disclosed under this act.
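Review bot: The new opening line of Section 6 drops the "A." designator ("A controller shall establish two or more secure and reliable methods"), yet subsections B, C, and D still follow, and subsection C still reads "Except as provided by subsection D of this section". Without a subsection A the lettering of the section starts at B. Restore the "A." prefix, or re-letter the remaining subsections and update the cross-references in subsections C and D to match.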
888+
889+SENATE FLOOR VERSION - SB546 SFLR Page 18
890+(Bold face denotes Committee Amendments) 1
891+2
892+3
893+4
894+5
895+6
896+7
897+8
898+9
899+10
900+11
901+12
902+13
903+14
904+15
905+16
906+17
907+18
908+19
909+20
910+21
911+22
912+23
913+24
914+
838915 D. A controller that operates exclusively online and has a
839916 direct relationship with a consum er from whom the controller
840917 collects personal information shall only be required to provide an
841918 electronic mail address for the submission of requests described by
842919 subsection C of this section.
843920 SECTION 7. NEW LAW A new section of law to be codified
844921 in the Oklahoma Statutes as Section 306 of Title 75A, unless there
845922 is created a duplication in numbering, reads as follows:
846-
847-ENGR. S. B. NO. 546 Page 18 1
848-2
849-3
850-4
851-5
852-6
853-7
854-8
855-9
856-10
857-11
858-12
859-13
860-14
861-15
862-16
863-17
864-18
865-19
866-20
867-21
868-22
869-23
870-24
871-
872923 A. A controller shall:
873924 1. Limit the collection of personal data to what is adequate,
874925 relevant, and reasonably nece ssary in relation to the purposes for
875926 which that personal data is processed, as disclosed to the consumer;
876927 and
877928 2. For purposes of protecting the confidentiality, integrity,
878929 and accessibility of personal data, establish, implement, and
879930 maintain reasonable administrative, technical, and ph ysical data
880931 security practices that are appropriate to the volume and nature of
881932 the personal data at issue.
882933 B. A controller shall not:
883934 1. Except as otherwise provided by this act, process personal
884935 data for a purpose that is neither reasonably necessary to nor
885936 compatible with the disclosed purpose for which the personal data is
886937 processed, as disclosed to the consumer, unless the controller
887938 obtains the consumer ’s consent;
939+
940+SENATE FLOOR VERSION - SB546 SFLR Page 19
941+(Bold face denotes Committee Amendments) 1
942+2
943+3
944+4
945+5
946+6
947+7
948+8
949+9
950+10
951+11
952+12
953+13
954+14
955+15
956+16
957+17
958+18
959+19
960+20
961+21
962+22
963+23
964+24
965+
888966 2. Process personal data in violation of state and f ederal laws
889967 that prohibit unlawfu l discrimination against consumers;
890968 3. Discriminate against a consumer for exercising any consumer
891969 rights contained in this act, including by denying goods or
892970 services, charging different prices or rates for goods or servi ces,
893971 or providing a different level of quality of goods or services to
894972 the consumer; or
895-
896-ENGR. S. B. NO. 546 Page 19 1
897-2
898-3
899-4
900-5
901-6
902-7
903-8
904-9
905-10
906-11
907-12
908-13
909-14
910-15
911-16
912-17
913-18
914-19
915-20
916-21
917-22
918-23
919-24
920-
921973 4. Process the sensitive data of a consumer without obtaining
922974 the consumer’s consent or, in the case of processing the sensitive
923975 data of a known child, without process ing that data in accordance
924-with the Children’s Online Privacy Protection Act of 1998.
976+with the Children’s Online Privacy Protection Act of 1998, 15
977+U.S.C., Section 6501 et seq.
925978 C. Paragraph 3 of s ubsection B of this section shall not be
926979 construed to require a controller to provide a product or service
927980 that requires the personal data of a consumer that the controller
928981 does not collect or maintain or to prohibit a controller from
929982 offering a different price, rate, level, quality, or selection of
930983 goods or services to a consumer, including offering goods or
931984 services for no fee, if the consumer has exe rcised the consumer’s
932985 right to opt out under Section 2 of this act or the offer is related
933986 to a consumer’s voluntary participation in a bona fide loyalty,
934987 rewards, premium features, discounts, or club card program.
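Review bot: The citation added to paragraph 4 of subsection B, "15 U.S.C., Section 6501 et seq.", names the statute only, while the federal references in Section 16 of this act use "or any regulation adopted thereunder". If processing a known child's sensitive data is meant to follow the implementing rules as well as the statute, add the same phrase here so the two sections read consistently.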
988+
989+SENATE FLOOR VERSION - SB546 SFLR Page 20
990+(Bold face denotes Committee Amendments) 1
991+2
992+3
993+4
994+5
995+6
996+7
997+8
998+9
999+10
1000+11
1001+12
1002+13
1003+14
1004+15
1005+16
1006+17
1007+18
1008+19
1009+20
1010+21
1011+22
1012+23
1013+24
1014+
9351015 SECTION 8. NEW LAW A new section of law to be codified
9361016 in the Oklahoma Statutes as Section 307 of Title 75A, unless there
9371017 is created a duplication in numbering, reads as follows:
9381018 A. A controller shall provide consumers with a reasonably
9391019 accessible and clear privacy notice that includes:
9401020 1. The categories of personal data processed by the controller,
9411021 including, if applicable, any sensitive data processed by the
9421022 controller;
9431023 2. The purpose for processing personal data;
944-
945-ENGR. S. B. NO. 546 Page 20 1
946-2
947-3
948-4
949-5
950-6
951-7
952-8
953-9
954-10
955-11
956-12
957-13
958-14
959-15
960-16
961-17
962-18
963-19
964-20
965-21
966-22
967-23
968-24
969-
9701024 3. How consumers may exercise their consumer rights under
9711025 Sections 2 through 6 of this act, including the process by which a
9721026 consumer may appeal a controller ’s decision with regard to the
9731027 consumer’s request;
9741028 4. If applicable, the categories of personal data that the
9751029 controller shares with third parties; and
9761030 5. If applicable, the categories of third parties with whom the
9771031 controller shares personal data.
9781032 B. If a controller sells personal data to third parties or
9791033 processes personal data for targeted advertising, the controller
9801034 shall clearly and conspicuously disclose on the notice required by
9811035 subsection A of this section such process and the manner in which a
9821036 consumer may exercise the right to opt out of such process.
1037+
1038+SENATE FLOOR VERSION - SB546 SFLR Page 21
1039+(Bold face denotes Committee Amendments) 1
1040+2
1041+3
1042+4
1043+5
1044+6
1045+7
1046+8
1047+9
1048+10
1049+11
1050+12
1051+13
1052+14
1053+15
1054+16
1055+17
1056+18
1057+19
1058+20
1059+21
1060+22
1061+23
1062+24
1063+
9831064 SECTION 9. NEW LAW A new section of l aw to be codified
9841065 in the Oklahoma Statutes as Section 308 of Title 75A, unless there
9851066 is created a duplication in numbering, reads as follows:
9861067 A. A processor shall adhere to the instructions of a controller
9871068 and shall assist the controller in meeting or com plying with the
9881069 controller’s duties or requirements under this act, including:
9891070 1. Taking into account the nature of processing and the
9901071 information available to the processor, a ssisting the controller in
9911072 responding to consumer rights requests submitted und er Section 2 of
9921073 this act by using appropriate technical and organizational measures,
9931074 as reasonably practicable;
994-
995-ENGR. S. B. NO. 546 Page 21 1
996-2
997-3
998-4
999-5
1000-6
1001-7
1002-8
1003-9
1004-10
1005-11
1006-12
1007-13
1008-14
1009-15
1010-16
1011-17
1012-18
1013-19
1014-20
1015-21
1016-22
1017-23
1018-24
1019-
10201075 2. Taking into account the nature of processing and the
10211076 information available to the processor, a ssisting the controller
10221077 with regard to complyi ng with the requirement relating to the
10231078 security of processing personal data and to the notification of a
10241079 breach of security of the processor ’s system under the Security
10251080 Breach Notification Act, Section 161 et seq. of Title 24 of the
10261081 Oklahoma Statutes; and
10271082 3. Providing necessary informat ion to enable the controller to
10281083 conduct and document data protection assessments under Section 10 of
10291084 this act.
10301085 B. A contract between a controller and a processor shall govern
10311086 the processor’s data processing procedures with respect to
1087+
1088+SENATE FLOOR VERSION - SB546 SFLR Page 22
1089+(Bold face denotes Committee Amendments) 1
1090+2
1091+3
1092+4
1093+5
1094+6
1095+7
1096+8
1097+9
1098+10
1099+11
1100+12
1101+13
1102+14
1103+15
1104+16
1105+17
1106+18
1107+19
1108+20
1109+21
1110+22
1111+23
1112+24
1113+
10321114 processing performed on behalf of the controller. The contract
10331115 shall include:
10341116 1. Clear instructions for processing data;
10351117 2. The nature and purpose of processing;
10361118 3. The type of data subject to processing;
10371119 4. The duration of processing;
10381120 5. The rights and obligations of bo th parties; and
10391121 6. A requirement that the processor shall:
10401122 a. ensure that each person processing personal data is
10411123 subject to a duty of confidentiality with respect to
10421124 the data,
1043-
1044-ENGR. S. B. NO. 546 Page 22 1
1045-2
1046-3
1047-4
1048-5
1049-6
1050-7
1051-8
1052-9
1053-10
1054-11
1055-12
1056-13
1057-14
1058-15
1059-16
1060-17
1061-18
1062-19
1063-20
1064-21
1065-22
1066-23
1067-24
1068-
10691125 b. at the controller’s direction, delete or r eturn all
10701126 personal data to the controller as requested after the
10711127 provision of the service is completed, unless
10721128 retention of the personal data is required by law,
10731129 c. make available to the controller, upon reasonable
10741130 request, all information in the processor ’s possession
10751131 necessary to demonstrate the processor’s compliance
10761132 with the requirements of this act,
10771133 d. allow, and cooperate with, reasonable assessments by
10781134 the controller or the controller ’s designated
10791135 assessor, and
10801136 e. engage any subcontractor pursuant to a written
10811137 contract that requires the subcontractor to meet the
1138+
1139+SENATE FLOOR VERSION - SB546 SFLR Page 23
1140+(Bold face denotes Committee Amendments) 1
1141+2
1142+3
1143+4
1144+5
1145+6
1146+7
1147+8
1148+9
1149+10
1150+11
1151+12
1152+13
1153+14
1154+15
1155+16
1156+17
1157+18
1158+19
1159+20
1160+21
1161+22
1162+23
1163+24
1164+
10821165 requirements of the processor with respect to the
10831166 personal data.
10841167 C. Notwithstanding the requirement described by subparagraph d
10851168 of paragraph 6 of subsection B of this section, a processor, in the
10861169 alternative, may arrange for a qualified and independent assessor to
10871170 conduct an assessment of the processor ’s policies and technical and
10881171 organizational measures in support of the requirements under this
10891172 act using an appropriate and accepted control st andard or framework
10901173 and assessment procedure. The processor shall provide a report of
10911174 the assessment to the controller on request.
1092-
1093-ENGR. S. B. NO. 546 Page 23 1
1094-2
1095-3
1096-4
1097-5
1098-6
1099-7
1100-8
1101-9
1102-10
1103-11
1104-12
1105-13
1106-14
1107-15
1108-16
1109-17
1110-18
1111-19
1112-20
1113-21
1114-22
1115-23
1116-24
1117-
11181175 D. The provisions of t his section shall not be construed to
11191176 relieve a controller or a processor from the liabilities impose d on
11201177 the controller or processor due to its role in the processing
11211178 relationship as described by this act.
11221179 E. A determination of whether a person is acting as a
11231180 controller or processor with respect to a specific processing of
11241181 data is a fact-based determination that depends on the context in
11251182 which personal data is to be processed. A processor that continues
11261183 to adhere to a controller ’s instructions with respect to a specific
11271184 processing of personal data remains in the role of a processor.
11281185 SECTION 10. NEW LAW A new sect ion of law to be codified
11291186 in the Oklahoma Statutes as Section 309 of Title 75A, unless there
11301187 is created a duplication in numbering, reads as follows:
1188+
1189+SENATE FLOOR VERSION - SB546 SFLR Page 24
1190+(Bold face denotes Committee Amendments) 1
1191+2
1192+3
1193+4
1194+5
1195+6
1196+7
1197+8
1198+9
1199+10
1200+11
1201+12
1202+13
1203+14
1204+15
1205+16
1206+17
1207+18
1208+19
1209+20
1210+21
1211+22
1212+23
1213+24
1214+
11311215 A. A controller shall conduct and document a data protection
11321216 assessment of each of the following processing activities involving
11331217 personal data:
11341218 1. The processing of personal data for purposes of targeted
11351219 advertising;
11361220 2. The sale of personal data;
11371221 3. The processing of personal data for purposes of profiling,
11381222 if the profiling presents a reasonably foreseeabl e risk of:
11391223 a. unfair or deceptive treatment of or unlawful disparate
11401224 impact on consumers,
1141-
1142-ENGR. S. B. NO. 546 Page 24 1
1143-2
1144-3
1145-4
1146-5
1147-6
1148-7
1149-8
1150-9
1151-10
1152-11
1153-12
1154-13
1155-14
1156-15
1157-16
1158-17
1159-18
1160-19
1161-20
1162-21
1163-22
1164-23
1165-24
1166-
11671225 b. financial, physical, or reputational injury to
11681226 consumers,
11691227 c. a physical or other intrusion on the solitude or
11701228 seclusion, or the pr ivate affairs or concerns, of
11711229 consumers, if the intrusion would be offensive to a
11721230 reasonable person, or
11731231 d. other substantial injury to consumers;
11741232 4. The processing of sensitive data; and
11751233 5. Any processing activities involving personal data that
11761234 present a heightened risk of harm to consu mers.
11771235 B. A data protection assessment conducted under subsection A of
11781236 this section shall:
11791237 1. Identify and weigh the direct or indirect benefits that may
11801238 flow from the processing to the controller, the consumer, other
1239+
1240+SENATE FLOOR VERSION - SB546 SFLR Page 25
1241+(Bold face denotes Committee Amendments) 1
1242+2
1243+3
1244+4
1245+5
1246+6
1247+7
1248+8
1249+9
1250+10
1251+11
1252+12
1253+13
1254+14
1255+15
1256+16
1257+17
1258+18
1259+19
1260+20
1261+21
1262+22
1263+23
1264+24
1265+
11811266 stakeholders, and the public, against the potential risks to the
11821267 rights of the consumer associated with that processing, as mitigated
11831268 by safeguards that can be employed by the controller to reduce the
11841269 risks; and
11851270 2. Factor into the assessment the:
11861271 a. use of de-identified data,
11871272 b. reasonable expectations of consumers,
11881273 c. context of the processing, and
11891274 d. relationship between the controller and the consumer
11901275 whose personal data will be processed.
1191-
1192-ENGR. S. B. NO. 546 Page 25 1
1193-2
1194-3
1195-4
1196-5
1197-6
1198-7
1199-8
1200-9
1201-10
1202-11
1203-12
1204-13
1205-14
1206-15
1207-16
1208-17
1209-18
1210-19
1211-20
1212-21
1213-22
1214-23
1215-24
1216-
12171276 C. A controller shall make a data protection assessment
12181277 available to the Attorney General upon written request pursuant to a
12191278 civil investigation demand.
12201279 D. A data protection assessment shall be confidential and
12211280 exempt from public inspection and copying under the Oklahoma Open
12221281 Records Act, Section 24A.1 et seq. of Title 5 1 of the Oklahoma
12231282 Statutes. Disclosure of a data protection assessment in compliance
12241283 with a request from the Attorney General shall not constitute a
12251284 waiver of attorney-client privilege or work product protection with
12261285 respect to the assessment and any info rmation contained in the
12271286 assessment.
12281287 E. A single data protection assessment may address a comparable
12291288 set of processing operations that include similar activities.
1289+
1290+SENATE FLOOR VERSION - SB546 SFLR Page 26
1291+(Bold face denotes Committee Amendments) 1
1292+2
1293+3
1294+4
1295+5
1296+6
1297+7
1298+8
1299+9
1300+10
1301+11
1302+12
1303+13
1304+14
1305+15
1306+16
1307+17
1308+18
1309+19
1310+20
1311+21
1312+22
1313+23
1314+24
1315+
12301316 F. A data protection assessment conducted by a controller for
12311317 the purpose of compliance wit h other laws or regulations may
12321318 constitute compliance with the requirements of this section if the
12331319 assessment has a reasonably comparable scope and effect.
12341320 G. A data protection assessment as required by this section
12351321 shall apply to processing activities th at commence on or after the
12361322 effective date of this act and shall not be retroactive.
12371323 SECTION 11. NEW LAW A new section of law to be codified
12381324 in the Oklahoma Statutes as Section 310 of Title 75A, unless there
12391325 is created a duplication in numbering, reads as follows:
12401326 A. A controller in possession of de-identified data shall:
1241-
1242-ENGR. S. B. NO. 546 Page 26 1
1243-2
1244-3
1245-4
1246-5
1247-6
1248-7
1249-8
1250-9
1251-10
1252-11
1253-12
1254-13
1255-14
1256-15
1257-16
1258-17
1259-18
1260-19
1261-20
1262-21
1263-22
1264-23
1265-24
1266-
12671327 1. Take reasonable measures to ensure that the data cannot be
12681328 associated with an individual;
1269-2. Publicly commit to process such data only in a de -identified
1270-fashion and not attempt to reidentify the data; and
1329+2. Publicly commit to maintaining and using de-identified data
1330+without attempting to reidentify the data; and
12711331 3. Contractually obligate any recipient of the de-identified
1272-data to comply with the requirements of this subsection.
1332+data to comply with the provisions of this act.
12731333 B. The provisions of this act shall not be construed to require
12741334 a controller or processor to:
12751335 1. Reidentify de-identified data or pseudonymous data;
12761336 2. Maintain data in identifiable form or obtain, retain, or
12771337 access any data or technology for the purpose of allowing the
12781338 controller or processor to associate a consumer request with
12791339 personal data; or
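Review bot: In paragraph 3 of subsection A of Section 11, replacing "the requirements of this subsection" with "the provisions of this act" widens what a recipient of de-identified data must be contractually bound to, from the three duties listed in this subsection to every provision of the act, without saying which of them are meant to reach de-identified data. Consider wording such as "the provisions of this act applicable to de-identified data", or keep the reference to this subsection. The reworded paragraph 2 also drops "only in a de-identified fashion", so the public commitment now speaks to reidentification attempts alone; confirm that narrowing is intended.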
1340+
1341+SENATE FLOOR VERSION - SB546 SFLR Page 27
1342+(Bold face denotes Committee Amendments) 1
1343+2
1344+3
1345+4
1346+5
1347+6
1348+7
1349+8
1350+9
1351+10
1352+11
1353+12
1354+13
1355+14
1356+15
1357+16
1358+17
1359+18
1360+19
1361+20
1362+21
1363+22
1364+23
1365+24
1366+
12801367 3. Comply with an authenticated consumer rights request under
12811368 Section 2 of this act, if the controller:
12821369 a. is not reasonably capable of associating the request
12831370 with the personal data or it would be unreasonably
12841371 burdensome for the controller to associate the reque st
12851372 with the personal data,
12861373 b. does not use the personal data to recognize or respond
12871374 to the specific consumer who is the subject of the
12881375 personal data or associate the personal data with
12891376 other personal data about the same specific consumer,
12901377 and
1291-
1292-ENGR. S. B. NO. 546 Page 27 1
1293-2
1294-3
1295-4
1296-5
1297-6
1298-7
1299-8
1300-9
1301-10
1302-11
1303-12
1304-13
1305-14
1306-15
1307-16
1308-17
1309-18
1310-19
1311-20
1312-21
1313-22
1314-23
1315-24
1316-
13171378 c. does not sell the personal data to any third party or
13181379 otherwise voluntarily disclose the personal data to
13191380 any third party other than a processor, except as
13201381 otherwise permitted by this section.
13211382 C. The consumer rights under paragraphs 1 through 4 of
13221383 subsection B of Section 2 of this act and control ler duties under
13231384 Section 7 of this act shall not apply to pseudonymous data in cases
13241385 in which the controller is able to demonstrate any information
13251386 necessary to identify the consumer is kept separately and is subject
13261387 to effective technical and organizational controls that prevent the
13271388 controller from accessing the information.
13281389 D. A controller that discloses pseudonymous data or de-
13291390 identified data shall exercise reasonable oversight to monitor
1391+
1392+SENATE FLOOR VERSION - SB546 SFLR Page 28
1393+(Bold face denotes Committee Amendments) 1
1394+2
1395+3
1396+4
1397+5
1398+6
1399+7
1400+8
1401+9
1402+10
1403+11
1404+12
1405+13
1406+14
1407+15
1408+16
1409+17
1410+18
1411+19
1412+20
1413+21
1414+22
1415+23
1416+24
1417+
13301418 compliance with any contractual commitments to which the
13311419 pseudonymous data or de-identified data is subject and shall take
13321420 appropriate steps to address any breach of the contractual
13331421 commitments.
13341422 SECTION 12. NEW LAW A new section of law to be codified
13351423 in the Oklahoma Statutes as Section 311 of Title 75A, unless there
13361424 is created a duplication in numbering, reads as follows:
13371425 A. The Attorney General has exclusive authority to enforce the
13381426 provisions of this act.
13391427 B. The Attorney General shall post on the Attorney Genera l’s
13401428 Internet website:
1341-
1342-ENGR. S. B. NO. 546 Page 28 1
1343-2
1344-3
1345-4
1346-5
1347-6
1348-7
1349-8
1350-9
1351-10
1352-11
1353-12
1354-13
1355-14
1356-15
1357-16
1358-17
1359-18
1360-19
1361-20
1362-21
1363-22
1364-23
1365-24
1366-
13671429 1. Information relating to:
13681430 a. the responsibilities of a controller under this act ,
13691431 b. the responsibilities of a processor under this act ,
13701432 and
13711433 c. a consumer’s rights under this act ; and
13721434 2. An online mechanism through which a consume r may submit a
13731435 complaint under this act to the Attorney General.
13741436 SECTION 13. NEW LAW A new section of law to be codified
13751437 in the Oklahoma Statutes as Section 312 of Title 75A, unless there
13761438 is created a duplication in numbering, reads as follows
13771439 Before bringing an act ion under Section 14 of this act, the
13781440 Attorney General shall notify the controller or processor in
13791441 writing, no later than thirty (30) days before bringing the action,
1442+
1443+SENATE FLOOR VERSION - SB546 SFLR Page 29
1444+(Bold face denotes Committee Amendments) 1
1445+2
1446+3
1447+4
1448+5
1449+6
1450+7
1451+8
1452+9
1453+10
1454+11
1455+12
1456+13
1457+14
1458+15
1459+16
1460+17
1461+18
1462+19
1463+20
1464+21
1465+22
1466+23
1467+24
1468+
13801469 identifying the specific provisions of this act that the Attorney
13811470 General alleges have been or are being violated. The Attorney
13821471 General shall not bring an action against the controller or
13831472 processor if:
13841473 1. Within the thirty-day period, the controller or processor
13851474 cures the identified violation; and
13861475 2. The controller or processor provides the Attorney General a
13871476 written statement that the controller or processor:
13881477 a. cured the alleged violation,
13891478 b. provided supportive documentation to show how the
13901479 privacy violation was cured, and
1391-
1392-ENGR. S. B. NO. 546 Page 29 1
1393-2
1394-3
1395-4
1396-5
1397-6
1398-7
1399-8
1400-9
1401-10
1402-11
1403-12
1404-13
1405-14
1406-15
1407-16
1408-17
1409-18
1410-19
1411-20
1412-21
1413-22
1414-23
1415-24
1416-
14171480 c. that no further violations wil l occur.
14181481 SECTION 14. NEW LAW A new section of law to be codified
14191482 in the Oklahoma Statutes as Section 313 of Title 75A, unless there
14201483 is created a duplication in numbering, reads as follows:
14211484 A. A controller or processor who violates t his act following
14221485 the cure period described by Section 13 of this act or who breaches
14231486 a written statement provided to the Attorney General under such
14241487 section shall be liable for a civil penalty in an amount not to
14251488 exceed Seven Thousand Five Hundred Dollars ($7,500.00) for each
14261489 violation.
14271490 B. The Attorney General may bring an action to:
14281491 1. Recover a civil penalty under this section;
14291492 2. Restrain or enjoin the person from violating this act; or
1493+
1494+SENATE FLOOR VERSION - SB546 SFLR Page 30
1495+(Bold face denotes Committee Amendments) 1
1496+2
1497+3
1498+4
1499+5
1500+6
1501+7
1502+8
1503+9
1504+10
1505+11
1506+12
1507+13
1508+14
1509+15
1510+16
1511+17
1512+18
1513+19
1514+20
1515+21
1516+22
1517+23
1518+24
1519+
14301520 3. Recover the civil penalty and seek injunctive relief.
14311521 C. The court may award reasonable atto rney fees and other
14321522 expenses incurred in investigating and bringing an action under this
14331523 section.
14341524 D. Civil penalties collected in an action under this section
14351525 shall be deposited in the State Treasury to the credit of the
14361526 General Revenue Fund.
14371527 E. Nothing in this act shall be construed as providing a basis
14381528 for, or being subject to, a private right of action for a violation
14391529 of this act or any other provision of law.
1440-
1441-ENGR. S. B. NO. 546 Page 30 1
1442-2
1443-3
1444-4
1445-5
1446-6
1447-7
1448-8
1449-9
1450-10
1451-11
1452-12
1453-13
1454-14
1455-15
1456-16
1457-17
1458-18
1459-19
1460-20
1461-21
1462-22
1463-23
1464-24
1465-
14661530 SECTION 15. NEW LAW A new section of law to be codified
14671531 in the Oklahoma Statutes as Section 314 of Title 75A, unless there
14681532 is created a duplication in numbering, reads as follows:
14691533 A. The provisions of this act apply only to a controller or
14701534 processor who:
14711535 1. Conducts business in this state o r produces a product or
14721536 service targeted to the residents of this state; and
14731537 2. During a calendar year, either:
14741538 a. controls or processes personal data of at least one
14751539 hundred thousand (100,000) consumers , or
14761540 b. controls or processes personal data of at le ast
14771541 twenty-five thousand (25,000) consumers and derives
14781542 over fifty percent (50%) of gross revenue from the
14791543 sale of personal data.
1544+
1545+SENATE FLOOR VERSION - SB546 SFLR Page 31
1546+(Bold face denotes Committee Amendments) 1
1547+2
1548+3
1549+4
1550+5
1551+6
1552+7
1553+8
1554+9
1555+10
1556+11
1557+12
1558+13
1559+14
1560+15
1561+16
1562+17
1563+18
1564+19
1565+20
1566+21
1567+22
1568+23
1569+24
1570+
14801571 B. The provisions of t his act shall not apply to:
14811572 1. A state agency or a political subdivision of this state, or
14821573 a service provider processing data on behalf of a state agency or
14831574 political subdivision of this state;
14841575 2. A financial institution or data subject to Title V of the
14851576 Gramm-Leach-Bliley Act, 15 U.S.C., Section 6801 et seq.;
14861577 3. A covered entity or business associate go verned by the
14871578 privacy, security, and breach notification rules issued by the
14881579 United States Department of Health and Human Services, 45 C.F.R. ,
14891580 Parts 160 and 164, established under the Health Insurance
1490-
1491-ENGR. S. B. NO. 546 Page 31 1
1492-2
1493-3
1494-4
1495-5
1496-6
1497-7
1498-8
1499-9
1500-10
1501-11
1502-12
1503-13
1504-14
1505-15
1506-16
1507-17
1508-18
1509-19
1510-20
1511-21
1512-22
1513-23
1514-24
1515-
15161581 Portability and Accountability Act of 1996 , 42 U.S.C., Section 1320d
15171582 et seq., and the Health Information Technology for Economic and
15181583 Clinical Health Act, Division A of Title XIII and Division B of
15191584 Title IV of the American Recovery and Reinvestment Act of 2009, Pub.
15201585 L. No. 111-5;
15211586 4. A nonprofit organization;
15221587 5. An institution of higher educa tion; or
15231588 6. The processing of personal data by a person in the course of
15241589 a purely personal or household activity.
15251590 SECTION 16. NEW LAW A new section of law to be codified
15261591 in the Oklahoma Statutes as S ection 315 of Title 75A, unless there
15271592 is created a duplication in numbering, reads as follows:
15281593 The following information shall be exempt from this act:
1594+
1595+SENATE FLOOR VERSION - SB546 SFLR Page 32
1596+(Bold face denotes Committee Amendments) 1
1597+2
1598+3
1599+4
1600+5
1601+6
1602+7
1603+8
1604+9
1605+10
1606+11
1607+12
1608+13
1609+14
1610+15
1611+16
1612+17
1613+18
1614+19
1615+20
1616+21
1617+22
1618+23
1619+24
1620+
15291621 1. Protected health information under the Health Insurance
15301622 Portability and Accountability Act of 1996 , 42 U.S.C., Section 1320d
15311623 et seq.;
15321624 2. Health records;
15331625 3. Patient identifying information for purposes of 42 U.S.C. ,
15341626 Section 290dd-2;
15351627 4. Identifiable private information:
15361628 a. for purposes of the federal policy for the protection
15371629 of human subjects under 45 C.F.R., Part 46,
15381630 b. collected as part of human subjects research under the
15391631 good clinical practice guidelines issued by the
1540-
1541-ENGR. S. B. NO. 546 Page 32 1
1542-2
1543-3
1544-4
1545-5
1546-6
1547-7
1548-8
1549-9
1550-10
1551-11
1552-12
1553-13
1554-14
1555-15
1556-16
1557-17
1558-18
1559-19
1560-20
1561-21
1562-22
1563-23
1564-24
1565-
15661632 International Council for Harmonisation of Technical
15671633 Requirements for Pharmaceuticals for Human Use (ICH)
15681634 or of the protection of hum an subjects under 21
15691635 C.F.R., Parts 50 and 56, or
15701636 c. that is personal data used or shared in research
15711637 conducted in accordance with the requirements set
15721638 forth in this act or other research conducted in
15731639 accordance with applicable law;
15741640 5. Information and documents created for purposes of the Health
15751641 Care Quality Improvement Act of 1986 , 42 U.S.C., Section 11101 et
15761642 seq.;
1643+
1644+SENATE FLOOR VERSION - SB546 SFLR Page 33
1645+(Bold face denotes Committee Amendments) 1
1646+2
1647+3
1648+4
1649+5
1650+6
1651+7
1652+8
1653+9
1654+10
1655+11
1656+12
1657+13
1658+14
1659+15
1660+16
1661+17
1662+18
1663+19
1664+20
1665+21
1666+22
1667+23
1668+24
1669+
15771670 6. Patient safety work product for purposes of the Patient
15781671 Safety and Quality Improvement Act of 2005, 42 U.S.C. , Section 299b-
15791672 21 et seq.;
15801673 7. Information derived from any of the health care-related
15811674 information listed in this section that is de-identified in
15821675 accordance with the requirements for de -identification under the
15831676 Health Insurance Portability and Accountability Act of 1996, 42
15841677 U.S.C., Section 1320d et seq. or any regulation adopted thereunder ;
15851678 8. Information originating from, and intermingled to be
15861679 indistinguishable with, or information treated in the same manner
15871680 as, information exempt under this section that is maintained by a
15881681 covered entity or business associate as de fined under the Health
15891682 Insurance Portability and Accountability Act of 1996, 42 U.S.C. ,
16161683 Section 1320d et seq. or any regulation adopted thereunder , or by a
16171684 program or a qualified service organization as defined under 42
16181685 U.S.C., Section 290dd-2 or any regulation adopted thereunder ;
16191686 9. Information that is included in a limited data set as
16201687 described by 45 C.F.R. , Section 164.514(e), to the extent that the
16211688 information is used, disclosed, and maintained in the manner
16221689 specified by 45 C.F.R., Section 164.514(e);
16231690 10. Information collected or used only for public health
16241691 activities and purposes as authorized under the Health Insurance
16251692 Portability and Accountability Act of 1996, 42 U.S.C. , Section 1320d
16261693 et seq.;
16271721 11. The collection, maintenance, disclosure, sale,
16281722 communication, or use of any personal information bearing on a
16291723 consumer’s creditworthiness, credit standing, credit capacity,
16301724 character, general reputation, personal characteristics, or mode of
16311725 living by a consumer reporting a gency or furnisher that provides
16321726 information for use in a consumer report, and by a user of a
16331727 consumer report, but only to the extent that the activity is
16341728 regulated by and authorized under the Fair Credit Reporting Act, 15
16351729 U.S.C., Section 1681 et seq.;
16361730 12. Personal data collected, processed, sold, or disclosed in
16371731 compliance with the Driver ’s Privacy Protection Act of 1994, 18
16381732 U.S.C., Section 2721 et seq.;
16651733 13. Personal data regulated by the Family Educational Rights
16661734 and Privacy Act of 1974, 20 U.S.C. , Section 1232g;
16671735 14. Personal data collected, processed, sold, or disclosed in
16681736 compliance with the Farm Credit Act of 1971, 12 U.S.C. , Section 2001
16691737 et seq.;
16701738 15. Data processed or maintained in the course of an individual
16711739 applying to, being employed by, or acti ng as an agent or independent
16721740 contractor of a controller, processor, or third party, to the extent
16731741 that the data is collected and used within the context of such role;
16741742 16. Data processed or maintained as the emergency contact
16751743 information of an individual under this act that is used for
16761744 emergency contact purposes; or
16771772 17. Data that is processed or maintained and is necessary to
16781773 retain to administer benefits for another individual that relates to
16791774 an individual described by paragraph 15 of this section and us ed for
16801775 the purposes of administering those benefits.
16811776 SECTION 17. NEW LAW A new section of law to be codified
16821777 in the Oklahoma Statutes as Section 316 of Title 75A, unless there
16831778 is created a duplication in numbering, reads as follows:
16841779 A controller or processor that co mplies with the verifiable
16851780 parental consent requirements of the Children ’s Online Privacy
1686-Protection Act of 1998 with respect to data collected online shall
1687-be considered to be in compliance with any requirement to obtain
1688-parental consent under this act.
1781+Protection Act of 1998, 15 U.S.C., Section 6501 et seq., with
1782+respect to data collected online shall be considered to be in
1783+compliance with any requirement to obtain parental consent under
1784+this act.
17151785 SECTION 18. NEW LAW A new section of law to be codified
17161786 in the Oklahoma Statutes as Section 317 of Title 75A, unless there
17171787 is created a duplication in numbering, reads as follows:
17181788 A. The provisions o f this act shall not be construed to
17191789 restrict a controller ’s or processor’s ability to:
17201790 1. Comply with federal, state, or local laws, rules, or
17211791 regulations;
17221792 2. Comply with a civil, criminal, or regulatory inquiry,
17231793 investigation, subpoena, or summons by federal, state, local, or
17241794 other governmental authorities;
17251822 3. Cooperate with law enforcement agencies concerning conduct
17261823 or activity that the controller or processor reasonably and in good
17271824 faith believes may violate federal, state, or local laws, rules,
17281825 ordinances, or regulations;
17291826 4. Investigate, establish, exercise, prepare for, or defend
17301827 legal claims;
17311828 5. Provide a product or service specifically requested by a
17321829 consumer or the parent or guardian of a child, perform a contr act to
17331830 which the consumer is a party, including fulfilling the terms of a
17341831 written warranty, or take steps at the request of the consumer
17351832 before entering into a contract;
17361833 6. Take immediate steps to protect an interest that is
17371834 essential for the life or phys ical safety of the consumer or of
17641835 another individual and in which the processing cannot be manifestly
17651836 based on another legal basis;
17661837 7. Prevent, detect, protect against, or respond to security
17671838 incidents, identity theft, fraud, harassment, malicious or dece ptive
17681839 activities, or any illegal activity;
17691840 8. Preserve the integrity or security of systems or
17701841 investigate, report, or prosecute those responsible for breaches of
17711842 system security;
17721843 9. Engage in public or peer -reviewed scientific or statistical
17731844 research in the public interest that adheres to all other applicable
17741845 ethics and privacy laws and is approved, monitored, and governed by
17751873 an institutional review board or similar independent oversight
17761874 entity that determines:
17771875 a. if the deletion of the information is li kely to
17781876 provide substantial benefits that do not exclusively
17791877 accrue to the controller,
17801878 b. whether the expected benefits of the research outweigh
17811879 the privacy risks, and
17821880 c. if the controller has implemented reasonable
17831881 safeguards to mitigate privacy risks ass ociated with
17841882 research, including any risks associated with
17851883 reidentification; or
17861884 10. Assist another controller, processor, or third party with
17871885 any of the requirements under this subsection.
18141886 B. The provisions of this act shall not be construed:
18151887 1. To prevent a controller or processor from providing personal
18161888 data concerning a consumer to a person covered by an evidentiary
18171889 privilege under the laws of this state as part of a privileged
18181890 communication;
18191891 2. As imposing a requirement on controllers and processors that
18201892 adversely affects the right s or freedoms of any person, including
18211893 the right of free speech; or
18221894 3. As requiring a controller, processor, third party, or
18231895 consumer to disclose a trade secret.
18241923 SECTION 19. NEW LAW A new section of law to be codified
18251924 in the Oklahoma Statutes as Section 318 of Title 75A, unless there
18261925 is created a duplication in numbering, reads as follows:
18271926 A. The requirements imposed on controllers and processors under
18281927 this act shall not restrict a controller ’s or processor’s ability to
18291928 collect, use, or retain data to:
18301929 1. Conduct internal research to develop, improve, or repair
18311930 products, services, or technology;
18321931 2. Effect a product recall;
18331932 3. Identify and repair technical errors that impair existing or
18341933 intended functionality; or
18351934 4. Perform internal operations that are:
18361935 a. reasonably aligned with the expectations of the
18371936 consumer,
18641937 b. reasonably anticipated based on the consumer ’s
18651938 existing relationship with the controller, or
18661939 c. otherwise compatible with processing da ta in
18671940 furtherance of the provisio n of a product or service
18681941 specifically requested by a consumer or the
18691942 performance of a contract to which the consumer is a
18701943 party.
18711944 B. A requirement imposed on a controller or processor under
18721945 this act shall not apply if comp liance with the requirement by the
18731973 controller or processor, as applicable, would violate an evidentiary
18741974 privilege under the laws of this state.
18751975 C. The processing of personal data by an entity for the
18761976 purposes described in subsection A of this section shal l not solely
18771977 make the entity a co ntroller with respect to the processing of the
18781978 data.
18791979 SECTION 20. NEW LAW A new section of law to be codified
18801980 in the Oklahoma Statutes as Section 319 of Title 75A, unless there
18811981 is created a duplication in numbering, reads as follows:
18821982 A. A controller or processor that discloses personal data to a
18831983 third-party controller or processor, in compliance with the
18841984 requirements of this act, shall not be deemed to be in violation of
18851985 this act if the third -party controller or processor that receive s
18861986 and processes that personal data is in violation of this act ;
18871987 provided, that at the time of the data ’s disclosure, the disclosing
19141988 controller or processor did not have actual knowledge that the
19151989 recipient intended to commit a violation.
19161990 B. A third-party controller or processor receiving personal
19171991 data from a controller or processor in compliance with the
19181992 requirements of this act shall not be deemed to be in violation of
19191993 this act for any wrongdoing of the controller or proces sor from
19201994 which the third-party controller or processor receives the personal
19211995 data.
19222023 SECTION 21. NEW LAW A new section of law to be codified
19232024 in the Oklahoma Statutes as Section 320 of Title 75A, unless there
19242025 is created a duplication in numbering, reads as follows:
1925-A. Personal data processed by a controller pursuant to Section
1926-18, 19, or 20 of this act shall not be processed for any purpose
1927-other than a purpose listed in Section 18, 19 , or 20 of this act
1928-unless otherwise allowed by this act. Personal data processed by a
1929-controller under Section 18, 19, or 20 of this act may be proc essed
1930-to the extent that the processing of the data is:
2026+A. Personal data processed by a controller shall not be
2027+processed for any purpose other than a purpose listed in Section 18,
2028+19, or 20 of this act unless otherwise allowed by this act.
2029+Personal data processed by a controller under Section 18, 19, or 20
2030+of this act may be processed to the extent that the processing of
2031+the data is:
19312032 1. Reasonably necessary and proportionate to the purposes
19322033 listed in Section 18, 19, or 20 of this act; and
19332034 2. Adequate, relevant, and limited to w hat is necessary in
19342035 relation to the specific purposes listed in Section 18, 19, or 20 of
19352036 this act.
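Review bot: In the first sentence of subsection A, the "+" text drops the qualifier "pursuant to Section 18, 19, or 20 of this act" that the "-" text carries, so it reads as confining all personal data a controller processes to the purposes listed in Sections 18, 19, and 20, not only data processed in reliance on those sections. The second sentence of the same subsection and the visible text of subsection C still scope themselves to processing "under Section 18, 19, or 20", which makes the two sentences inconsistent in reach. Suggest keeping the qualifier, as the "-" lines do, so the purpose limitation, the "reasonably necessary and proportionate" test in paragraph 1, and the data-minimization test in paragraph 2 all attach to the same set of exempted processing.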
19362037 B. Personal data collected, used, or retained under subsection
19372038 A of Section 19 of this act shall, where applicable, consider the
19642039 nature and purpose of such collection, use, or retention. T he
19652040 personal data described by this subsection is subject to reasonable
19662041 administrative, technical, and physical measures to protect the
19672042 confidentiality, integrity, and accessibility of the personal data
19682043 and to reduce reasona bly foreseeable risks of harm to consumers
19692044 relating to the collection, use, or retention of personal data.
19702045 C. A controller that processes personal data under an exemption
19712046 in Section 18, 19, or 20 of this act bears the burden of
19722074 demonstrating that the proc essing of the personal data quali fies for
19732075 the exemption and complies with the requirements of subsections A
19742076 and B of this section.
19752077 D. The processing of personal data by an entity for the
19762078 purposes described by Section 18 of this act does not solely make
19772079 the entity a controller with respect to the processing of the data.
19782080 SECTION 22. This act shall become effective July 1, 2026.
2005-Passed the Senate the 26th day of March, 2025.
2006-
2007-
2008-
2009- Presiding Officer of the Senate
2010-
2011-
2012-Passed the House of Representatives the ____ day of __________,
2013-2025.
2014-
2015-
2016-
2017- Presiding Officer of the House
2018- of Representatives
2019-
2081+COMMITTEE REPORT BY: COMMITTEE ON TECHNOLOGY AND TELECOMMUNICATIONS
2082+February 13, 2025 - DO PASS AS AMENDED