Can I store personal information about my customers in Oklahoma? What are the requirements?
Storing Personal Information of Customers in Oklahoma
Yes, you can store personal information about your customers in Oklahoma, but you must comply with the Oklahoma Administrative Code (OKAC) 365:35-1-10 et seq. regarding privacy of consumer financial information.
Under OKAC 365:35-1-10, you must provide your customers with an initial privacy notice that explains what personal information you collect, how you use it, and how you protect it. You must also provide your customers with a privacy notice that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship [1.7].
If you plan to disclose nonpublic personal financial information to a nonaffiliated third party to perform services for you or functions on your behalf, you must enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information [1.1][1.2].
If you receive nonpublic personal financial information from a nonaffiliated financial institution under an exception in Sections 365:35-1-31 or 32 of the regulation, your disclosure and use of that information is limited [1.3].
If you plan to store personal information about your customers in a commissary, you must comply with the requirements set forth in OKAC 310:257-17-5 [2.1].
Additionally, if you plan to store nonpublic personal health information about a consumer or customer, you must obtain authorization from the consumer or customer whose nonpublic personal health information is sought to be disclosed [1.4].
In summary, you can store personal information about your customers in Oklahoma, but you must comply with the privacy regulations set forth in OKAC 365:35-1-10 et seq. and any other applicable regulations.
Source(s):
- [1.1] Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing
- [1.2] Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information
- [1.3] Limits on redisclosure and reuse of nonpublic personal financial information
- [1.4] When authorization required for disclosure of nonpublic personal health information
- [2.1] Commissary and servicing area requirements
- [1.7] Annual privacy notice to customers required
Jurisdiction
Oklahoma