STATE OF OKLAHOMA
1st Session of the 59th Legislature (2023)
HOUSE BILL 1030 By: West (Josh)
AS INTRODUCED
An Act relating to privacy of computer data; enacting
the Oklahoma Computer Data Privacy Act; defining
terms; providing for applicability of act to certain
businesses that collect consumers' personal
information; providing exemptions; prescribing
compliance with other laws and legal proceedings;
requiring act to be liberally construed to align its
effects with other laws relating to privacy and
protection of personal information; providing for
controlling effect of federal law; providing for
construction in event of conflict with state law;
providing for controlling effect of law which
provides greatest privacy or protection to consumers;
providing for preemption of local law; providing
consumers right to request disclosure of certain
information; providing consumers right to request
deletion of certain information; providing consumers
the right to request and receive a disclosure of
personal information sold or disclosed; providing
consumers right to opt in and out of the sale of
personal information; making legislative findings;
providing contracts or other agreements purporting to
waive or limit a right, remedy or means of
enforcement contrary to public policy; requiring
businesses collecting consumer data information
inform consumer of certain information collected;
prescribing required content of disclosures;
requiring consumer consent; requiring businesses to
provide online privacy policy or a notice of
policies; requiring businesses to designate and make
available methods for submitting verifiable consumer
request for certain information; requiring businesses
receiving verifiable consumer requests reasonably
verify identity of requesting consumer; requiring
businesses disclose required information within a
Req. No. 5039 Page 1
certain period; requiring businesses using de-
identified information not re-identify or attempt to
re-identify certain consumers; requiring permission;
prohibiting discrimination against consumers for
exercise of rights; authorizing businesses to offer
financial incentives to consumers for collection,
sale or disclosure of personal information;
prohibiting division of single transactions;
requiring employee training with respect to consumer
inquiries; requiring disclosure of certain rights,
requirements and information; providing civil
penalties; authorizing Oklahoma Attorney General to
take certain actions based on violations; authorizing
Attorney General to recover reasonable expenses
incurred in obtaining injunctive relief or civil
penalties; directing Attorney General to deposit
collected penalties in a dedicated account in the
General Revenue Fund; providing certain immunities;
providing protections to service providers; providing
for codification; and providing an effective date.
BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
SECTION 1. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.1 of Title 17, unless there
is created a duplication in numbering, reads as follows:
This act shall be known and may be cited as the "Oklahoma
Computer Data Privacy Act".
SECTION 2. NEW LAW A new section of law to be codified
in the Oklahoma Statutes as Section 901.2 of Title 17, unless there
is created a duplication in numbering, reads as follows:
As used in this act:
1. "Aggregate consumer information" means information that
relates to a group or category of consumers from which individual
consumer identities have been removed and that is not linked or
reasonably linkable to a particular consumer or household, including
through a device. The term does not include one or more individual
consumer records that have been de-identified;
2. "Biometric information" means an individual's physiological,
biological or behavioral characteristics that can be used, alone or
in combination with other characteristics or other identifying data,
to establish the individual's identity. The term includes:
a. an image of an iris, retina, fingerprint, face, hand,
palm or vein pattern or a voice recording from which
an identifier template can be extracted such as a
faceprint, minutiae template or voiceprint,
b. keystroke patterns or rhythms,
c. gait patterns or rhythms, and
d. sleep, health or exercise data that contains
identifying information;
3. "Business" means a for-profit entity, including a sole
proprietorship, partnership, limited liability company, corporation,
association or other legal entity that is organized or operated for
the profit or financial benefit of the entity's shareholders or
other owners, but does not include Internet service providers so
long as they are acting in their role as Internet service providers;
4. "Business purpose" means the use of personal information
for:
a. the following operational purposes of a business or
service provider, provided that the use of the
information is reasonably necessary and proportionate
to achieve the operational purpose for which the
information was collected or processed or another
operational purpose that is compatible with the
context in which the information was collected:
(1) auditing related to a current interaction with a
consumer and any concurrent transactions,
including counting ad impressions of unique
visitors, verifying the positioning and quality
of ad impressions, and auditing compliance with a
specification or other standards for ad
impressions,
(2) detecting a security incident, protecting against
malicious, deceptive, fraudulent or illegal
activity, and prosecuting those responsible for
any illegal activity described by this division,
(3) identifying and repairing or removing errors that
impair the intended functionality of computer
hardware or software,
(4) using personal information in the short term or
for a transient use, provided that the
information is not:
(a) disclosed to a third party, and
(b) used to build a profile about a consumer or
alter an individual consumer's experience
outside of a current interaction with the
consumer, including the contextual
customization of an advertisement displayed
as part of the same interaction,
(5) performing a service on behalf of the business or
service provider, including:
(a) maintaining or servicing an account,
providing customer service, processing or
fulfilling an order or transaction,
verifying customer information, processing a
payment, providing financing, providing
advertising or marketing services, or
providing analytic services, or
(b) performing a service similar to a service
described by subdivision (a) of this
division on behalf of the business or
service provider,
(6) undertaking internal research for technological
development and demonstration,
(7) undertaking an activity to:
(a) verify or maintain the quality or safety of
a service or device that is owned by,
manufactured by, manufactured for or
controlled by the business, or
(b) improve, upgrade or enhance a service or
device described by subdivision (a) of this
division, or
(8) retention of employment data, or
b. another operational purpose for which notice is given
under this act, but specifically excepting cross-
context targeted advertising, unless the customer has
opted in to the same;
5. "Collect" means to buy, rent, gather, obtain, receive or
access the personal information of a consumer by any means,
including by actively or passively receiving the information from
the consumer or by observing the consumer's behavior;
6. "Commercial purpose" means a purpose that is intended to
result in a profit or other tangible benefit or the advancement of a
person's commercial or economic interests, such as by inducing
another person to buy, rent, lease, subscribe to, provide or
exchange products, goods, property, information or services or by
enabling or effecting, directly or indirectly, a commercial
transaction. The term does not include the purpose of engaging in
speech recognized by state or federal courts as noncommercial
speech, including political speech and journalism;
7. "Consumer" means an individual who is a resident of this
state;
8. "De-identified information" means information that cannot
reasonably identify, relate to, describe, be associated with, or be
linked to, directly or indirectly, a particular consumer;
9. "Device" means any physical object capable of connecting to
the Internet, directly or indirectly, or to another device;
10. "Genetic Information" means any information, regardless of
its format, that concerns a consumer's genetic characteristics.
Genetic information includes, but is not limited to:
a. raw sequence data that result from sequencing of a
consumer's complete extracted or a portion of the
extracted DNA,
b. genotypic and phenotypic information that results from
analyzing the raw sequence data, and
c. self-reported health information that consumer submits
to a company regarding the consumer's health
conditions and that is used for scientific research or
product development and analyzed in connection with
the consumer's raw sequence data;
11. "Identifier" means data elements or other information that
alone or in conjunction with other information can be used to
identify a particular consumer, household or device that is linked
to a particular consumer or household;
12. "Internet service provider" means a person who provides a
mass-market retail service by wire or radio that provides the
capability to transmit data and to receive data from all or
substantially all Internet endpoints, including any capabilities
that are incidental to and enable the operations of the service,
excluding dial-up Internet access service;
13. "Person" means an individual, sole proprietorship, firm,
partnership, joint venture, syndicate, business trust, company,
corporation, limited liability company, association, committee and
any other organization or group of persons acting in concert;
14. "Personal information" means information that identifies,
relates to, describes, can be associated with or can reasonably be
linked to, directly or indirectly, a particular consumer or
household. The term includes the following categories of
information if the information identifies, relates to, describes,
can be associated with or can reasonably be linked to, directly or
indirectly, a particular consumer or household:
a. an identifier, including a real name, alias, mailing
address, account name, date of birth, driver license
number, unique identifier, Social Security number,
passport number, signature, telephone number or other
government-issued identification number, or other
similar identifier,
b. an online identifier, including an electronic mail
address or Internet Protocol address, or other similar
identifier,
c. a physical characteristic or description, including a
characteristic of a protected classification under
state or federal law,
d. commercial information, including:
(1) a record of personal property,
(2) a good or service purchased, obtained or
considered,
(3) an insurance policy number, or
(4) other purchasing or consuming histories or
tendencies,
e. biometric information and genetic information,
f. Internet or other electronic network activity
information, including:
(1) browsing or search history, and
(2) other information regarding a consumer's
interaction with an Internet website, application
or advertisement,
g. geolocation data,
h. audio, electronic, visual, thermal, olfactory or other
similar information,
i. professional or employment-related information,
j. education information that is not publicly available
that includes personally identifiable information
under the federal Family Educational Rights and
Privacy Act of 1974,
k. financial information, including a financial
institution account number, credit or debit card
number, or password or access code associated with a
credit or debit card or bank account,
l. medical information,
m. health insurance information, or
n. inferences drawn from any of the information listed
under this paragraph to create a profile about a
consumer that reflects the consumer's preferences,
characteristics, psychological trends,
predispositions, behavior, attitudes, intelligence,
abilities or aptitudes;
15. "Processing information" means performing any operation or
set of operations on personal data or on sets of personal data,
whether or not by automated means;
16. "Pseudonymize" or "pseudonymization" means the processing
of personal information in a manner that renders the personal
information no longer attributable to a specific consumer without
the use of additional information, provided that the additional
information is kept separately and is subject to technical and
organizational measures to ensure that the personal information is
not attributed to an identified or identifiable consumer;
17. "Publicly available information" means information that is
lawfully made available to the public from federal, state or local
government records or information received from widely distributed
media or by the consumer in the public domain. The term does not
include:
a. biometric information or genetic information of a
consumer collected by a business without the
consumer's knowledge or consent, or
b. de-identified or aggregate consumer information;
18. "Service provider" means a for-profit entity as described
by paragraph 3 of this section that processes information on behalf
of a business and to which the business discloses, for a business
purpose, a consumer's personal information under a written contract,
provided that the contract prohibits the entity receiving the
information from retaining, using or disclosing the information for
any purpose other than:
a. providing the services specified in the contract with
the business, or
b. for a purpose permitted by this act, including for a
commercial purpose other than providing those
specified services;
19. "Third party" means a person who is not:
a. a business to which this act applies that collects
personal information from consumers, or
b. a person to whom the business discloses, for a
business purpose, a consumer's personal information
under a written contract, provided that the contract:
(1) pr