2 1st Session of the 58th Legislature (2021)
3 HOUSE BILL 1130 By: Phillips
7 An Act relating to data transparency; defining terms;
requiring online businesses or websites to make
8 posting of certain consumer information to be
collected; listing information to be provided to
9 consumer; listing information to be provided to
consumer if consumer information is to be sold;
10 providing penalties for violations; providing for
certain civil action; allowing parties to seek
11 guidance; authorizing the promulgation of rules;
providing for codification; and providing an
12 effective date.
16 SECTION 1. NEW LAW A new section of law to be codified
17 in the Oklahoma Statutes as Section 764.2 of Title 15, unless there
18 is created a duplication in numbering, reads as follows:
19 A. As used in this section:
20 1. "Business" means a sole proprietorship, partnership, limited
21 liability company, corporation, association or other legal entity
22 that is organized or operated for the profit or financial benefit of
23 its shareholders or other owners that collects consumers' personal
24 information, or on the behalf of whom such information is collected,
Req. No. 6497 Page 1
1 and that alone, or jointly with others, determines the purposes and
2 means of the processing of consumers' personal information, that
3 does business in the State of Oklahoma;
4 2. "Business purposes" means the use of personal information
5 for the business' or a service provider's operational purposes, or
6 other notified purposes; provided, that the use of personal
7 information shall be reasonably necessary and proportionate to
8 achieve the operational purpose for which the personal information
9 is collected or processed or for another operational purpose that is
10 compatible with the context in which the personal information is
11 collected. Business purposes shall include:
12 a. auditing related to a current interaction with the
13 consumer and concurrent transactions, including, but
14 not limited to, counting ad impressions to unique
15 visitors, verifying positioning and quality of ad
16 impressions and auditing compliance with this
17 specification and other standards,
18 b. detecting security incidents, protecting against
19 malicious, deceptive, fraudulent or illegal activity,
20 and prosecuting those responsible for such activity,
21 c. debugging to identify and repair errors that impair
22 existing intended functionality,
23 d. short-term transient use, provided the personal
24 information that is not disclosed to another third
Req. No. 6497 Page 2
1 party and is not used to build a profile about a
2 consumer or otherwise alter an individual consumer's
3 experience outside the current interaction, including,
4 but not limited to, the contextual customization of
5 ads shown as part of the same interaction,
6 e. performing services on behalf of the business or
7 service provider, including maintaining or servicing
8 accounts, providing customer service, processing or
9 fulfilling orders and transactions, verifying customer
10 information, processing payments, providing financing,
11 providing advertising or marketing services, providing
12 analytic services or providing similar services on
13 behalf of the business or service provider,
14 f. undertaking internal research for technological
15 development and demonstration, and
16 g. undertaking activities to verify or maintain the
17 quality or safety of a service or device that is
18 owned, manufactured, manufactured for or controlled by
19 the business, and to improve, upgrade or enhance the
20 service or device that is owned, manufactured,
21 manufactured for, or controlled by the business;
22 3. "Collects", "collected", or "collection" means buying,
23 renting, gathering, obtaining, receiving or accessing any personal
24 information pertaining to a consumer by any means. This shall
Req. No. 6497 Page 3
1 include receiving information from the consumer, either actively or
2 passively, or by observing the consumer's behavior;
3 4. "Commercial purposes" means to advance a person's commercial
4 or economic interests, such as by inducing another person to buy,
5 rent, lease, join, subscribe to, provide or exchange products,
6 goods, property, information, or services, or by enabling or
7 effecting, directly or indirectly, a commercial transaction.
8 "Commercial purposes" shall not include for the purpose of engaging
9 in speech that state or federal courts have recognized as
10 noncommercial speech, including political speech and journalism;
11 5. "Consumer" means a natural person who is an Oklahoma
12 resident;
13 6. "Device" means any physical object that is capable of
14 connecting to the Internet, directly or indirectly, or to another
15 device;
16 7. "Homepage" means the introductory page of an Internet
17 website and any Internet webpage where personal information is
18 collected. In the case of an online service, such as a mobile
19 application, homepage means the application's platform page or
20 download page, a link within the application, such as from the
21 application configuration "About", "Information" or settings page,
22 and any other location that allows consumers to review the posting
23 required by subsection B of this section;
Req. No. 6497 Page 4
1 8. "Person" means an individual, proprietorship, firm,
2 partnership, joint venture, syndicate, business trust, company,
3 corporation, limited liability company, association, committee and
4 any other organization or group of persons acting in concert;
5 9. a. "Personal information" means information that
6 identifies, relates to, describes, is capable of being
7 associated with or could reasonably be linked,
8 directly or indirectly, with a particular consumer or
9 household. Personal information shall include, but is
10 not limited to, the following:
11 (1) identifiers such as a real name, alias, postal
12 address, unique personal identifier, online
13 identifier Internet Protocol address, email
14 address, account name, Social Security number
15 driver license number, passport number or other
16 similar identifiers,
17 (2) characteristics of protected classifications
18 under Oklahoma or federal law,
19 (3) commercial information, including records of
20 personal property, products or services
21 purchased, obtained or considered, or other
22 purchasing or consuming histories or tendencies,
23 (4) biometric information,
Req. No. 6497 Page 5
1 (5) Internet or other electronic network activity
2 information, including, but not limited to,
3 browsing history, search history and information
4 regarding a consumer's interaction with an
5 Internet website, application or advertisement,
6 (6) geolocation data,
7 (7) audio, electronic, visual, thermal, olfactory or
8 similar information,
9 (8) professional- or employment-related information,
10 (9) education information, defined as information
11 that is not publicly available personally
12 identifiable information as defined in the Family
13 Educational Rights and Privacy Act pursuant to 20
14 U.S.C., Section 1232g, 34 C.F.R. Part 99, and
15 (10) inferences drawn from any of the information
16 identified in this subdivision to create a
17 profile about a consumer reflecting the
18 consumer's preferences, characteristics,
19 psychological trends, predispositions, behavior,
20 attitudes, intelligence, abilities and aptitudes.
21 b. "Personal information" does not include publicly
22 available information. For these purposes, "publicly
23 available" means information that is lawfully made
24 available from federal, state or local government
Req. No. 6497 Page 6
1 records, if any conditions associated with such
2 information. "Publicly available" does not mean
3 biometric information collected by a business about a
4 consumer without the consumer's knowledge.
5 Information is not "publicly available" if that data
6 is used for a purpose that is not compatible with the
7 purpose for which the data is maintained and made
8 available in the government records or for which it is
9 publicly maintained;
10 10. "Processing" means any operation or set of operations that
11 is performed on personal data or on sets of personal data, whether
12 or not by automated means; and
13 11. "Sell", "selling", or "sold" means selling, renting,
14 releasing, disclosing, disseminating, making available, transferring
15 or otherwise communicating orally, in writing, or by electronic or
16 other means, a consumer's personal information by the business to
17 another business or a third party for monetary or other valuable
18 consideration.
19 B. Anyone or any business or website that operates an online
20 business or webpage in this state that collects a consumer's
21 personal digital information or data shall, before the point of
22 collection, conspicuously post on its website homepage in a plain
23 readable format as to the categories of personal information to be
24 collected and the purposes for which the categories of personal
Req. No. 6497 Page 7
1 information shall be used. A business shall not collect additional
2 categories of personal information or use personal information
3 collected for additional purposes without providing the consumer
4 with notice consistent with this section.
5 C. The website posting described in subsection B of this
6 section shall provide the consumer the following:
7 1. The categories of personal information it will collect about
8 that consumer;
9 2. The categories of sources from which the personal
10 information is collected;
11 3. The business or commercial purpose for collecting or selling
12 personal information;
13 4. The categories of third parties with whom the business will
14 share personal information;
15 5. The specific pieces of personal information it will collect
16 about that consumer; and
17 6. A description of the process for an individual consumer who
18 uses or visits the Internet website or online service to review and
19 request changes to any of his or her consumer information that is
20 collected through the Internet website or online service.
21 D. If the business or website sells the consumer's personal
22 data information, or discloses such information for a business
23 purpose, the website posting described in subsection B of this
24 section shall provide the consumer the following:
Req. No. 6497 Page 8
1 1. The categories of personal information that the business
2 will collect about the consumer;
3 2. The categories of personal information that the business
4 will sell about the consumer and the categories of third parties to
5 whom the personal information will be sold, by category or
6 categories of personal information for each third party to whom the
7 personal information will be sold. If the information to be
8 collected will not be sold, the business shall disclose that fact;
9 and
10 3. The categories of personal information that the business
11 plans to disclose about the consumer for a business purpose. If the
12 information to be collected will not be disclosed for a business
13 purpose, the business shall disclose that fact.
14 E. A business or website shall be in violation of this title if
15 it fails to cure any alleged violation within thirty (30) days after
16 being notified of alleged noncompliance. Any business, service
17 provider or other person that violates the provisions of this act
18 shall be subject to a fine of One Thousand Dollars ($1,000.00) for
19 the first violation and Five Thousand Dollars ($5,000.00) for each
20 additional violation. The penalties provided for in this subsection
21 shall be exclusively assessed and recovered in a civil action
22 brought by the Attorney General.
23 F. Any party subject to the provisions of this act may seek
24 information from the Office of the Attorney General for guidance on
Req. No. 6497 Page 9
1 how to comply with the provisions of this section. The Office of
2 the Attorney General is authorized to promulgate rules to effectuate
3 the provisions of this section.
4 SECTION 2. This act shall become effective November 1, 2021.
6 58-1-6497 JBH 12/28/20
Req. No. 6497 Page 10