STATE OF OKLAHOMA

1st Session of the 60th Legislature (2025)

HOUSE BILL 1012 By: West (Josh)

Req. No. 10067

AS INTRODUCED

An Act relating to privacy of computer data; enacting the Oklahoma Computer Data Privacy Act; defining terms; providing for applicability of act to certain businesses that collect consumers' personal information; providing exemptions; prescribing compliance with other laws and legal proceedings; requiring act to be liberally construed to align its effects with other laws relating to privacy and protection of personal information; providing for controlling effect of federal law; providing for construction in event of conflict with state law; providing for controlling effect of law which provides greatest privacy or protection to consumers; providing for preemption of local law; providing consumers right to request disclosure of certain information; providing consumers right to request deletion of certain information; providing consumers the right to request and receive a disclosure of personal information sold or disclosed; providing consumers right to opt in and out of the sale of personal information; making legislative findings; providing contracts or other agreements purporting to waive or limit a right, remedy or means of enforcement contrary to public policy; requiring businesses collecting consumer data information inform consumer of certain information collected; prescribing required content of disclosures; requiring consumer consent; requiring businesses to provide online privacy policy or a notice of policies; requiring businesses to designate and make available methods for submitting verifiable consumer request for certain information; requiring businesses receiving verifiable consumer requests reasonably verify identity of requesting consumer; requiring businesses disclose required information within a certain period; requiring businesses using de-identified information not re-identify or attempt to re-identify certain consumers; requiring permission; prohibiting discrimination against consumers for exercise of rights; authorizing businesses to offer financial incentives to consumers for collection, sale or disclosure of personal information; prohibiting division of single transactions; requiring employee training with respect to consumer inquiries; requiring disclosure of certain rights, requirements and information; providing civil penalties; authorizing Oklahoma Attorney General to take certain actions based on violations; authorizing Attorney General to recover reasonable expenses incurred in obtaining injunctive relief or civil penalties; directing Attorney General to deposit collected penalties in a dedicated account in the General Revenue Fund; providing certain immunities; providing protections to service providers; providing for codification; and providing an effective date.

BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:

SECTION 1. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.1 of Title 17, unless there is created a duplication in numbering, reads as follows:

This act shall be known and may be cited as the "Oklahoma Computer Data Privacy Act".

SECTION 2. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 901.2 of Title 17, unless there is created a duplication in numbering, reads as follows:

As used in this act:

1. "Aggregate consumer information" means information that relates to a group or category of consumers from which individual consumer identities have been removed and that is not linked or reasonably linkable to a particular consumer or household, including through a device.
The term does not include one or more individual consumer records that have been de-identified;

2. "Biometric information" means an individual's physiological, biological or behavioral characteristics that can be used, alone or in combination with other characteristics or other identifying data, to establish the individual's identity. The term includes:
    a. an image of an iris, retina, fingerprint, face, hand, palm or vein pattern or a voice recording from which an identifier template can be extracted such as a faceprint, minutiae template or voiceprint,
    b. keystroke patterns or rhythms,
    c. gait patterns or rhythms, and
    d. sleep, health or exercise data that contains identifying information;

3. "Business" means a for-profit entity, including a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of the entity's shareholders or other owners, but does not include Internet service providers so long as they are acting in their role as Internet service providers;

4. "Business purpose" means the use of personal information for:
    a. the following operational purposes of a business or service provider, provided that the use of the information is reasonably necessary and proportionate to achieve the operational purpose for which the information was collected or processed or another operational purpose that is compatible with the context in which the information was collected:
        (1) auditing related to a current interaction with a consumer and any concurrent transactions, including counting ad impressions of unique visitors, verifying the positioning and quality of ad impressions, and auditing compliance with a specification or other standards for ad impressions,
        (2) detecting a security incident, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for any illegal activity described by this division,
        (3) identifying and repairing or removing errors that impair the intended functionality of computer hardware or software,
        (4) using personal information in the short term or for a transient use, provided that the information is not:
            (a) disclosed to a third party, and
            (b) used to build a profile about a consumer or alter an individual consumer's experience outside of a current interaction with the consumer, including the contextual customization of an advertisement displayed as part of the same interaction,
        (5) performing a service on behalf of the business or service provider, including:
            (a) maintaining or servicing an account, providing customer service, processing or fulfilling an order or transaction, verifying customer information, processing a payment, providing financing, providing advertising or marketing services, or providing analytic services, or
            (b) performing a service similar to a service described by subdivision (a) of this division on behalf of the business or service provider,
        (6) undertaking internal research for technological development and demonstration,
        (7) undertaking an activity to:
            (a) verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for or controlled by the business, or
            (b) improve, upgrade or enhance a service or device described by subdivision (a) of this division, or
        (8) retention of employment data, or
    b. another operational purpose for which notice is given under this act, but specifically excepting cross-context targeted advertising, unless the customer has opted in to the same;

5. "Collect" means to buy, rent, gather, obtain, receive or access the personal information of a consumer by any means, including by actively or passively receiving the information from the consumer or by observing the consumer's behavior;

6. "Commercial purpose" means a purpose that is intended to result in a profit or other tangible benefit or the advancement of a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, subscribe to, provide or exchange products, goods, property, information or services or by enabling or effecting, directly or indirectly, a commercial transaction. The term does not include the purpose of engaging in speech recognized by state or federal courts as noncommercial speech, including political speech and journalism;

7. "Consumer" means an individual who is a resident of this state;

8. "De-identified information" means information that cannot reasonably identify, relate to, describe, be associated with, or be linked to, directly or indirectly, a particular consumer;

9. "Device" means any physical object capable of connecting to the Internet, directly or indirectly, or to another device;

10. "Genetic information" means any information, regardless of its format, that concerns a consumer's genetic characteristics. Genetic information includes, but is not limited to:
    a. raw sequence data that result from sequencing of a consumer's complete extracted or a portion of the extracted DNA,
    b. genotypic and phenotypic information that results from analyzing the raw sequence data, and
    c. self-reported health information that consumer submits to a company regarding the consumer's health conditions and that is used for scientific research or product development and analyzed in connection with the consumer's raw sequence data;

11. "Identifier" means data elements or other information that alone or in conjunction with other information can be used to identify a particular consumer, household or device that is linked to a particular consumer or household;

12. "Internet service provider" means a person who provides a mass-market retail service by wire or radio that provides the capability to transmit data and to receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operations of the service, excluding dial-up Internet access service;

13. "Person" means an individual, sole proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee and any other organization or group of persons acting in concert;

14. "Personal information" means information that identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household. The term includes the following categories of information if the information identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household:
    a. an identifier, including a real name, alias, mailing address, account name, date of birth, driver license number, unique identifier, Social Security number, passport number, signature, telephone number or other government-issued identification number, or other similar identifier,
    b. an online identifier, including an electronic mail address or Internet Protocol address, or other similar identifier,
    c. a physical characteristic or description, including a characteristic of a protected classification under state or federal law,
    d. commercial information, including:
        (1) a record of personal property,
        (2) a good or service purchased, obtained or considered,
        (3) an insurance policy number, or
        (4) other purchasing or consuming histories or tendencies,
    e. biometric information and genetic information,
    f. Internet or other electronic network activity information, including:
        (1) browsing or search history, and
        (2) other information regarding a consumer's interaction with an Internet website, application or advertisement,
    g. geolocation data,
    h. audio, electronic, visual, thermal, olfactory or other similar information,
    i. professional or employment-related information,
    j. education information that is not publicly available that includes personally identifiable information under the federal Family Educational Rights and Privacy Act of 1974,
    k. financial information, including a financial institution account number, credit or debit card number, or password or access code associated with a credit or debit card or bank account,
    l. medical information,
    m. health insurance information, or
    n. inferences drawn from any of the information listed