Oklahoma - Sectoral Privacy Overview
The Oklahoma Constitution ('the Constitution') contains a search-and-seizure clause that is commonly treated as its right to privacy provision. It states that 'the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches or seizures shall not be violated; and no warrant shall issue but upon probable cause supported by oath or affirmation, describing as particularly as may be the place to be searched and the person or thing to be seized' (Article II, Section 30 of the Constitution).
In addition, Oklahoma courts have found that a common law right of privacy exists and that individuals may bring a cause of action for invasion of that right (McCormack v. Oklahoma Pub. Co., 1980 OK 98, 613 P.2d 737). The Oklahoma Supreme Court adopted the Restatement (Second) of Torts, and there are four common law invasion of privacy claims recognized in Oklahoma:
- intrusion on solitude or seclusion;
- public disclosure of private facts;
- publicity tending to put a person in a false light, known as 'false light'; and
- appropriation of one’s name or likeness.
Oklahoma has enacted several laws that safeguard personal information and an individual's right to privacy. Four of these laws are discussed below, while other privacy laws are covered in other sections of this Guidance Note.
2.1. Security of Communications Act
Section 176.3 of the Security of Communications Act, codified at §§ 176.1 to 176.7 of Title 13 of the Oklahoma Statutes ('O.S.'), makes it a felony for anyone to intercept any wire, oral, or electronic communication. The Security of Communications Act also makes it a felony to build or sell devices that are primarily useful for intercepting communications, and it restricts the use of information gathered in violation of 13 O.S. § 13-176.3.
13 O.S. § 13-176.4 of the Security of Communications Act provides an exemption where the consent of at least one party to the communication is obtained. Court-approved recordings of inmates by the Department of Corrections are also excluded from the Security of Communications Act. A person found guilty shall be punished by a fine of no less than $5,000, or imprisonment of not more than five years, or by both.
2.2. Student Data Accessibility, Transparency and Accountability Act
The Student Data Accessibility, Transparency and Accountability Act of 2013, under § 3-168 of Title 70 of the O.S., places restrictions on access to student information held by the Oklahoma State Department of Education ('SDE'). Access to student information is restricted to:
- authorized staff and contractors of the SDE;
- district administrators, teachers, and school personnel who require access to this data to perform assigned duties;
- students and their parents; and
- authorized staff of other state agencies as required by law or as part of an interagency data-sharing agreement.
The Student Data Accessibility, Transparency and Accountability Act only addresses the SDE and does not address the records held by individual schools.
2.3. Identity Theft
Oklahoma criminal law makes it unlawful for any person, willfully and with intent to defraud, to obtain personal identifying information, including but not limited to name, address, social security number, date of birth, place of business or employment, debit/credit account numbers, driver license numbers, or any other personal identifying information of another person, living or dead (§ 1533.1 of Title 21 of the O.S.). Violators can receive a fine of up to $100,000, or one to five years of imprisonment, or both. If the victim is under 18 years of age, the punishment increases to imprisonment for not less than two nor more than ten years, or a fine not to exceed $100,000, or both.
2.4. Personal Privacy Protection Act
The Oklahoma Personal Privacy Protection Act ('the Privacy Protection Act') came into effect on November 1, 2020 (Section 2 of the Privacy Protection Act). The Privacy Protection Act provides that a public agency cannot require any individual to provide personal affiliation information or compel the release of personal affiliation information. Public agencies also cannot release, publicize, or otherwise publicly disclose any personal affiliation information in their possession, or request or require a current or prospective contractor or grantee to provide the public agency with a list of entities organized pursuant to Section 501(c) of the United States Internal Revenue Code ('the Revenue Code') to which it has provided financial or nonfinancial support. Personal affiliation information is defined as 'any list, record, register, registry, roll, roster or other compilation of data of any kind that directly or indirectly identifies a person as a member, supporter, or volunteer of, or donor of financial or nonfinancial support to, any entity organized pursuant to Section 501(c)' of the Revenue Code (Section 1(B)(1) of the Privacy Protection Act).
3.1. Oklahoma Health Care Information System Act
Under the Oklahoma Health Care Information System Act, § 1-115 of Title 63 of the O.S., Oklahoma created a health care information system that is charged with collecting, processing, and disseminating health information it receives from providers (63 O.S. § 63-1-117). The information is used to create reports regarding the health care status of Oklahoma. 63 O.S. § 63-1-120 provides that identifying information collected is deemed confidential and must not be disclosed.
3.2. Assisted Suicide Prevention Act
The Assisted Suicide Prevention Act, under § 63-3141.1 of Title 63 of the O.S., directs the Oklahoma State Department of Health ('the Department of Health') to collect data on suicides in Oklahoma (63 O.S. § 63-3151). The information collected is confidential and identifying information is not allowed to be disclosed (63 O.S. § 63-3151).
3.3. State Board of Behavioural Health Rules
The State Board of Behavioral Health regulates licensed professional counselors, licensed marital and family therapists, and licensed behavioral practitioners. The rules for licensed professional counselors require them to keep client records for five years after termination of counseling services and to keep information collected about a client confidential (§ 86:10-3-3(b) of Title 86 of the Oklahoma Administrative Code ('OAC')). Licensed marital and family therapists are required to keep client records confidential except if mandated by law, to prevent clear and immediate danger to a person, if the therapist is a defendant in a case or disciplinary action arising from the therapy, or if the client or clients provide a waiver (OAC § 86:15-3-2). Licensed behavioral practitioners are required to keep client records for five years after termination of counseling services and to keep information collected about a client confidential (OAC § 86:20-5-3).
3.4. Oklahoma State Department of Health Rules
The Department of Health is required to collect information from insurance providers regarding financial information and services provided (OAC § 310:9-3-1). All information collected from any source by the Department of Health remains confidential and is not a public record as defined in the Oklahoma Open Records Act (OAC § 310:9-5-1).
3.5. Confidential Requirements for Other Professionals
The State Board of Licensed Social Workers also has rules requiring social workers to keep client information confidential (OAC § 675:20-1-5). Licensed psychologists are required to keep all communications with the individuals with whom they engage in the practice of psychology confidential (§ 1376 of Title 59 of the O.S.). Dentists must not disclose information protected by the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') (59 O.S. § 59-328.32).
3.6. Confidentiality of Medical Records
Medical records and all communication between patients and doctors are considered confidential (§ 43A-1-109 of Title 43A of the O.S.). In addition, patients are entitled upon request to obtain access to the information contained in their medical records (§ 76-19 of Title 76 of the O.S.).
3.7. Mandatory Reporting Requirements
Every person having reason to believe that a child under the age of 18 years is a victim of abuse or neglect must report the matter immediately to the Oklahoma Department of Human Services (§ 1-2-101 of Title 10A of the O.S.). Physicians who know or have good reason to suspect that a person with a sexually transmitted infection ('STI') is going to expose others to infection are required to notify the local health officer of the name and address of the diseased person and the essential facts of the case (63 O.S. § 63-1-528(b)). However, all information and records created, received, investigated, held, or maintained by the State Department of Health concerning any person who has participated in a public health investigation, or who may have any communicable or non-communicable disease which is required to be reported pursuant to 63 O.S. §§ 63-1-501 through 63-1-532.1, are confidential records of the State Department of Health (63 O.S. § 63-1-502.2(A)).
3.8. Disclosure of Information Relating to Charges against Caretaker
When a person responsible for the care of a vulnerable adult has been charged with committing a crime resulting in the death or near death of the vulnerable adult, there is a presumption that the best interest of the public is served by public disclosure of information concerning the circumstances of the investigation of the death or near death, and of any other investigations concerning that vulnerable adult or other vulnerable adults living in the same facility (43A O.S. § 43A-10-110.1).
3.9. Student Mental Health Disclosure
Starting in the 2023 – 2024 school year, prior to enrollment a parent or legal guardian of a student may disclose to the student's school district whether the student 'received inpatient or emergency outpatient mental health services from a mental health facility in the previous 24 months' (70 O.S. § 3-169(A)). The disclosure and subsequent handling of this information must comply with the Family Educational Rights and Privacy Act of 1974 ('FERPA') and HIPAA (70 O.S. § 3-169(C)).
4.1. Financial Privacy Act
The key law governing financial privacy in Oklahoma is the Financial Privacy Act, under §§ 6-2201 to 6-2208 of Title 6 of the O.S. Section 6-2203 of the Financial Privacy Act provides that financial institutions are prohibited from giving, releasing, or disclosing any financial records to a government authority without either the written consent of the customer or being served with a subpoena.
'Government authority' under the act means any agency, board, commission, or department of the State of Oklahoma, or any officer, employee, representative, or agent thereof (6 O.S. § 6-2202(c)). Oklahoma case law interprets government authority to also include trial court judges and municipal police officers (Alva State Bank and Trust Co. v. Dayton, 1988 OK 44, 755 P.2d 635).
The Financial Privacy Act imposes several requirements on the issuance of a subpoena (6 O.S. § 6-2204). The subpoena must be issued by a court, state agency, or legislative committee, and must identify the financial records sought from the financial institution. A copy of the subpoena must be served on the customer on or before the date it is served on the financial institution that holds the records. The customer whose records are sought then has 14 days to file a motion to quash the subpoena. Oklahoma law allows a customer to quash a subpoena on four grounds:
- that the financial record sought is incompetent, irrelevant, or immaterial for the purpose or purposes for which it is sought;
- that the release of the financial record would cause an unreasonable burden or hardship under the circumstances;
- that the government authority seeking said financial record is attempting to harass the customer; or
- that there is no merit in the purpose or purposes for which said financial record is sought.
4.2. Records of State Credit Union Board
The State Credit Union Board regulates credit unions in the State. The records of the State Credit Union Board, the Bank Commissioner, the Administrator, and the Oklahoma Banking Department are confidential, except for applications for a credit union charter, records of public hearings, information disclosing the failure of a credit union, reports of completed investigations, and items filed in the office of the Oklahoma Secretary of State (6 O.S. § 6-2027).
4.3. Enforcement for violation of Security Breach Notification
Oklahoma has a Security Breach Notification Act, under §§ 161 to 166 of Title 24 of the O.S., which is discussed in section 9 below. If the Security Breach Notification Act is violated by a state-chartered or state-licensed financial institution, the violation is exclusively enforceable by the primary state regulator of the financial institution (24 O.S. § 24-165).
5.1. Drug and Alcohol Testing of Employees
Oklahoma employers that engage in drug and alcohol testing must follow strict procedures promulgated by the State Board of Health. Employers in Oklahoma can take an adverse employment action against an employee based on a refusal to take a test or a positive test result.
Oklahoma's Standards for Workplace Drug and Alcohol Testing Act ('ODTA') (under § 40-553 of Title 40 of the O.S.) governs drug testing of employees. The law, however, does not apply to employees governed by federal law or employees who benefit from a collective bargaining agreement that shields them from testing (40 O.S. § 40-553).
40 O.S. § 40-555 mandates that employers test employees in accordance with a written policy and that this policy must be consistently and equally applied to all employees. The policy may generally include, among other things, information addressing substances for which employers are attempting to test, testing and collection methods, the potential consequences following a positive test result, and circumstances under which future testing may be sought. Moreover, the statute mandates that an employer's written policy should cover the disciplinary actions that will be enforced as a result of a positive test result (40 O.S. § 40-562).
The ODTA also imposes substantial restrictions on the circumstances in which testing may be administered. Testing is permitted only in the following situations: pre-employment drug testing, transfer or reassignment to another position within the same organization, for-cause testing (at the discretion of the employer), testing after an accident, scheduled periodic testing, random testing, and return-to-work testing after a leave of absence. Random testing must be administered consistently among all members of an employment class (40 O.S. § 40-554).
Employees may file a civil action against an employer for a breach of the ODTA. The law imposes a one-year statute of limitations (40 O.S. § 40-563).
5.2. Drug Testing Records
Employers may disclose the results of employee drug tests only in very limited circumstances. These include dissemination of information within the workplace for legal and regulatory purposes, as evidence in a legal case or regulatory proceeding, or if disclosure is required by court order or government agency (40 O.S. § 40-560).
5.3. Genetic Testing
The Oklahoma Genetic Nondiscrimination in Employment Act prohibits any employer from performing a genetic test on an employee, other than in connection with the determination of insurance coverage or benefits (§ 36-3614.2 of Title 36 of O.S.). An employer also may not require that an employee undergo a genetic test or require genetic information from the employee or prospective employee.
5.4. Oklahoma Act Regarding Fair Credit Reporting
Prior to requesting a consumer report for employment purposes, the requestor or user of the consumer report must provide written notice to the person who is the subject of the report (24 O.S. § 24-148). The written notice must contain a box that the consumer can check to receive a copy of the report, and any copy sent to the consumer must be provided at no charge. 'Consumer report' has the same meaning as in the federal Fair Credit Reporting Act of 1970.
5.5. Employees' Social Security Numbers
Oklahoma law provides that an employer must not publicly post or display the social security number of an employee or require an employee to transmit their social security number over the internet unless it is transmitted by a secure connection or the social security number is encrypted (40 O.S. § 40-173.1).
5.6. Employees' Social Media
Employers cannot require an employee or prospective employee to disclose a username and password (40 O.S. § 40-173.2). Employees and prospective employees may bring a civil action against an employer who violates this law.
7.1. Fraudulent Use of Electronic Mail
The Fraudulent Use of Electronic Mail provision of the Oklahoma Consumer Protection Act makes it unlawful to send an email when the sender knows that the email does not contain or misrepresents an identifying point of origin; contains false, misleading, or malicious material that could purposefully or negligently injure a person; falsely represents that it is being sent by a legitimate online business; links the recipient to a web page that appears associated with a legitimate business but will fraudulently take identifying information from the recipient; or asks for identifying information from the recipient for a purpose the recipient believes is legitimate (§§ 15-776.1 to 15-776.7 of Title 15 of the O.S.).
7.2. Anti-Phishing Act
Oklahoma has an Anti-Phishing Act that makes it unlawful for any person, by means of a web page or link to a web page to solicit, request, or take any action to induce another person to provide identifying information by representing himself, herself, or itself to be a business without the authority or approval of the business (15 O.S. §§ 15-776.8 to 15-776.12). The Anti-Phishing Act provides a private right of action that allows victims to seek injunctive relief and damages.
7.3. Anti-Caller ID Spoofing Act
The Anti-Caller ID Spoofing Act makes it illegal for a caller to knowingly insert false information into a caller identification system with the intent to mislead, defraud, or deceive the recipient of a telephone call (15 O.S. § 15-776.23).
7.4. Commercial Telephone Solicitation
The Oklahoma Consumer Protection Act places restrictions on telemarketing practices in Oklahoma. These include requiring telemarketers to register with the Oklahoma Attorney General ('AG') (15 O.S. § 15-775A.4; see 15 O.S. § 15-775A.3 for the registration requirements) and barring telemarketers from misrepresenting that a person has won a contest, sweepstakes, or drawing.
Oklahoma also has a 'do not call list'. 15 O.S. § 15-775B.6 provides that telemarketers are not allowed to call or message any consumer more than 30 days after the consumer was added to the do not call list.
There is no Oklahoma statute requiring the posting of privacy notices or policies on a website. However, many different state and federal laws require the posting of privacy notices on websites, so those intending to do business in Oklahoma would be well-advised to review various requirements that may apply.
9.1. Banking Records Disposal
Oklahoma has data retention and disposal requirements for banks in the Oklahoma Banking Code, under Title 6 of the O.S. Banks are required to keep records as directed by the Oklahoma Banking Board (6 O.S. § 6-214).
9.2. Security Breach Notification Act
Section 163 of the Security Breach Notification Act (24 O.S. § 24-163) provides that entities that own or license data that includes personal information are required to disclose breaches under certain circumstances. Entities are required to notify any affected individual if:
- unredacted or unencrypted personal information was accessed and acquired by an unauthorized person;
- encrypted information is accessed and acquired in an unencrypted form; or
- the security breach involves a person with access to the encrypted key.
Notice under the Security Breach Notification Act can be delayed if a law enforcement agency advises that disclosure would impede an investigation or impact national or homeland security.
Two key definitions found in Section 162 of the Security Breach Notification Act are 'personal information' and 'notice'. Oklahoma defines personal information more narrowly than many other states.
'Personal Information' means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:
- social security number,
- driver's license number or state identification card number issued in lieu of a driver's license; or
- financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to the financial accounts of a resident.
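The three notification triggers in 24 O.S. § 24-163 (clear-text elements exposed; encrypted elements exposed in clear form; or exposure together with the encryption key) and the 'personal information' definition above combine into a scoping decision that incident responders have to make record by record. The following is an added illustrative example, not code from the statute, the AG, or any vendor. Its field names, the 9-digit driver-license pattern, the Luhn filter for placeholder card numbers, and the reading of 'redacted' as "no more than the last four digits left clear" are all assumptions made for the example, not statute text.

```python
"""Breach-scoping check against Oklahoma's 'personal information' definition.

Added example for this guidance note; not code from the statute, the AG, or any vendor.
Assumptions (not statute text): the record field names below, the 9-digit driver-license
shape, the Luhn check used to discard placeholder card numbers, and treating 'redacted'
as 'at most the last four digits of the element are readable'.
"""
import re

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
DL_RE = re.compile(r"^[A-Z]?\d{9}$")          # assumption: driver-license / state-ID shape
REDACTED_RE = re.compile(r"^[*#xX]+\d{0,4}$")  # e.g. "***-**-1234" once separators are removed
FINANCIAL = ("card_number", "account_number")
CREDENTIAL = ("card_cvv", "account_pin", "account_password")


def luhn_ok(number: str) -> bool:
    """Mod-10 checksum used by payment card numbers; filters out placeholder digits."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_redacted(value: str) -> bool:
    """True when the element is masked so that at most its last four digits are readable."""
    return REDACTED_RE.match(re.sub(r"[-\s]", "", value)) is not None


def usable(rec: dict, key: str, encrypted: frozenset, key_compromised: bool) -> bool:
    """An element counts only if present, unredacted, and either stored in clear text or
    encrypted with a key that the breach also exposed (the third trigger in § 24-163)."""
    value = rec.get(key)
    if not value or is_redacted(value):
        return False
    return key not in encrypted or key_compromised


def triggering_elements(rec, encrypted=frozenset(), key_compromised=False):
    """List which § 24-162 data elements are exposed in usable form."""
    hits = []
    if usable(rec, "ssn", encrypted, key_compromised) and SSN_RE.match(rec["ssn"]):
        hits.append("ssn")
    for key in ("drivers_license", "state_id"):
        if usable(rec, key, encrypted, key_compromised) and DL_RE.match(rec[key]):
            hits.append(key)
    # A bare account or card number is not enough: the definition also requires the
    # security code, access code, or password that would permit access to the account.
    has_account = any(
        usable(rec, k, encrypted, key_compromised)
        and (k != "card_number" or luhn_ok(rec[k]))
        for k in FINANCIAL
    )
    has_credential = any(usable(rec, k, encrypted, key_compromised) for k in CREDENTIAL)
    if has_account and has_credential:
        hits.append("financial_account_with_credential")
    return hits


def requires_notice(rec, encrypted=frozenset(), key_compromised=False) -> bool:
    """Oklahoma resident identified by first name or initial plus last name, linked to
    at least one usable data element."""
    named = bool(rec.get("last_name")) and bool(rec.get("first_name") or rec.get("first_initial"))
    return rec.get("state") == "OK" and named and bool(triggering_elements(rec, encrypted, key_compromised))


def scope_breach(records, encrypted=frozenset(), key_compromised=False):
    """Return the subset of records that triggers individual notice under § 24-163."""
    return [r for r in records if requires_notice(r, encrypted, key_compromised)]


# Constructed, fictitious sample rows from a breached table whose card_number column
# was encrypted at rest (hence ENCRYPTED below).
SAMPLE = [
    {"first_name": "Jane", "last_name": "Doe", "state": "OK", "ssn": "***-**-6789",
     "card_number": "4111111111111111", "card_cvv": "123"},
    {"first_initial": "R", "last_name": "Smith", "state": "OK", "ssn": "123-45-6789"},
    {"first_name": "Ana", "last_name": "Diaz", "state": "TX", "drivers_license": "A123456789"},
    {"first_name": "Lee", "last_name": "Park", "state": "OK", "card_number": "4111111111111111"},
]
ENCRYPTED = frozenset({"card_number"})

if __name__ == "__main__":
    for label, compromised in (("key intact", False), ("key compromised", True)):
        hits = scope_breach(SAMPLE, ENCRYPTED, compromised)
        print(f"{label}: {len(hits)} notifiable ->", [r["last_name"] for r in hits])
```

Run against the constructed rows, only Smith's record is notifiable while the card-encryption key is intact (Doe's SSN is redacted and her card number is encrypted); once the key is treated as compromised, Doe's record joins the list because an unredacted card number now sits beside its CVV, whereas Park's record still does not, since a card number without any access code falls outside the definition. Diaz is out of scope as a non-resident. Note that the redaction and encryption status has to come from the data store itself (column encryption, tokenization, masking rules), not from the breach notification team's assumptions.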
The definition of 'notice' sets out the permitted methods of notifying affected individuals following a breach:
- written notice to the postal address in the records of the individual or entity;
- telephone notice;
- electronic notice; or
- substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000, or that the affected class of residents to be notified exceeds 100,000 persons, or that the individual or the entity does not have sufficient contact information or consent to provide notice. Substitute notice consists of any two of the following:
- email notice if the individual or the entity has email addresses for the members of the affected class of residents;
- conspicuous posting of the notice on the Internet website of the individual or the entity if the individual or the entity maintains a public Internet website; or
- notice to major state-wide media.
Violation of the Security Breach Notification Act is enforced by the AG or a district attorney. The AG or district attorney can seek actual damages or a civil penalty not to exceed $150,000 per breach.
9.3. State Government Breach Disclosure
The Oklahoma Government Website Information Act contains a breach disclosure provision that applies to state agencies and tracks the requirements in the Security Breach Notification Act (§ 74-3113.1 of Title 74 of the O.S.).
9.4. Electric Usage Data Protection Act
The Electric Usage Data Protection Act places restrictions on how electric utilities can disclose customer information. Electric utilities are required to maintain the confidentiality of customer information (§ 17-710.4 of Title 17 of the O.S.). 17 O.S. § 17-710.6 provides that electric utilities can provide customer information without customer consent to affiliates and third-party contractors. Electric utilities are also allowed to disclose customer information as required by law, a warrant or subpoena, as part of a merger or sale, in emergency situations, or with written consent of the customer.
9.5. Restriction on use of Social Security Number
The use of social security numbers is also regulated in the Oklahoma Government Website Information Act (74 O.S. §§ 74-3111 and 74-3113). Government agencies are not allowed to furnish any information indexed by social security number unless required by law or specifically authorized to do so by the holder of said social security number. The provision does not apply to 'reports produced by a state agency of monetary payments made to any state official or employee from State Treasury funds or accounts' (74 O.S. § 74-3113).
No other specific jurisdictional requirements.