Hospitality & Retail

Oklahoma

Are mandatory arbitration provisions recognized in your state? If so, are there any limitations to its enforcement?

Yes, Oklahoma generally recognizes mandatory arbitration provisions. Under the Oklahoma Uniform Arbitration Act, an agreement that includes a mandatory arbitration provision is valid, enforceable, and irrevocable, subject to the defenses of contract law.[i] However, the Act does not come without exceptions. A later provision of the Act notes that it does not apply to agreements that reference insurance, aside from contracts between insurance companies.[ii]

Recently, the Oklahoma Supreme Court analyzed whether Oklahoma law prohibits mandatory arbitration provisions in contracts that involve or reference insurance, and if so, whether federal law preempts Oklahoma law.[iii] Generally, the Federal Arbitration Act preempts state law from restricting the enforcement of arbitration provisions.[iv] However, the federal McCarran-Ferguson Act gives states absolute authority over matters relating to insurance regulation.[v] In comparing these Acts, the Court in Sparks determined that Oklahoma law reverse preempts the Federal Arbitration Act.[vi] Therefore, under the Sparks holding and Oklahoma law, agreements in the state of Oklahoma that reference or involve insurance are prohibited from using mandatory arbitration provisions.[vii]

What is your state’s law, if any, regarding gift cards, subscription services and loyalty programs?

Gift Cards

Since 2005, the state of Oklahoma has governed the use of gift certificates and gift cards through the Gift Certificate and Gift Card Disclosure Act.[viii] This Act governs gift cards and gift certificates for goods or services from either a single merchant or a group of merchants affiliated through common corporate ownership or control.[ix] Notable provisions from the Act include:

  • A gift card or certificate cannot expire less than sixty (60) months from the date of purchase. If there is no expiration date shown on the card or certificate, it will be valid until redeemed or replaced.[x] So long as the cards or certificates provide the expiration date on the front of the card in at least 10-point font, the following, among others, are excluded from this provision:
    • Cards or certificates issued to a consumer pursuant to an awards, loyalty, or promotional program when they are given without consideration.[xi]
    • Cards or certificates that are issued for a food product.[xii]
  • In general, gift cards and certificates are not permitted to use a service fee, including a service fee for dormancy.[xiii] However, this provision is also subject to exclusions, such as when the following criteria are met:
    • The remaining value of the gift card or certificate is $5.00 or less each time a fee is assessed;
    • The fee does not exceed $1.00 per month;
    • There has been no activity, including adding value or balance inquiries, for twenty-four (24) consecutive months;
    • The card or certificate holder is able to add value to the card or certificate; and
    • A statement is printed on the card or certificate in at least ten-point font with the specifics of the fee.[xiv]
  • A gift card or certificate issuer is permitted to accept funds from one or more contributors toward the card or certificate purchase, so long as additional requirements are met.[xv]

In 2022, the Oklahoma Senate passed Bill 418, updating the name of the Oklahoma Gift Certificate and Gift Card Disclosure Act to the Oklahoma INFORM Act.[xvi] The new Oklahoma INFORM Act does not replace the provisions of the prior version of the Act, but instead adds new requirements specific to online marketplace sellers.[xvii]

Subscription Services/Loyalty Programs

We could not locate any state statutes, case law, or regulations on subscription services or loyalty programs.

What is your state’s law, if any, regarding safeguarding consumer credit card or other private data (i.e., cyber security)?

In 1987, the State of Oklahoma enacted the Credit Services Organization Act.[i] The Credit Services Organization Act promulgates rules and regulations for organizations that deal with consumer credit cards and possess private data.[ii] The Oklahoma law relevant to accessing Consumer Report Requests, which contain private data, provides the following:

  • Prior to requesting a consumer report for employment purposes, the requestor or user of the consumer report shall provide written notice to the person who is the subject of the consumer report. The notice shall inform the consumer that a consumer report will be used and the notice shall contain a box that the consumer may check to receive a copy of the consumer report. If the consumer requests a copy of the report, the user of the consumer report shall request that a copy be provided to the consumer when the user of the consumer report requests its copy from the credit reporting agency.[iii]
    • The report sent to the consumer shall be provided at no charge to the consumer. As used in this section, “consumer report” shall have the same meaning as that term is defined in the federal Fair Credit Reporting Act, 15 U.S.C., Sections 1681 et seq.[iv]
      • The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., governs access to consumer credit report records and promotes accuracy, fairness, and the privacy of personal information assembled by Credit Reporting Agencies (CRAs).[v]
        • In general. The term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for:
          • credit or insurance to be used primarily for personal, family, or household purposes;
          • employment purposes; or
          • any other purpose authorized under section 604 [§ 1681b].[vi]
        • No person shall be held liable for any violation of this section if such person shows by a preponderance of the evidence that, at the time of the alleged violation, such person maintained reasonable procedures to assure compliance with this section.[vii]

What is your state’s law, if any, regarding the collection and handling of financial information?

In 1979, the State of Oklahoma enacted the Financial Privacy Act.[viii] The Financial Privacy Act provides that a financial institution is prohibited from giving, releasing or disclosing any financial record to any government authority unless:

  • It has written consent from the customer for the specific record requested; or
  • It has been served with a lawfully issued subpoena [that specifies the specific financial record sought].[ix]

Federal and state laws require that if you maintain [as part of a database] a consumer’s name and other personal identification numbers (i.e., SSN, driver’s license, credit card or financial information with the personal security code), such information must be encrypted or redacted so that, in the event of a breach, it cannot be obtained and used by a third party.[x] The state law is as follows:

In 2008, the State of Oklahoma enacted the Security Breach Notification Act.[xi] The Act promulgates rules on disclosure of security breaches of databases containing financial information of consumers:

  • An individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection D of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the disclosure shall be made without unreasonable delay.[xii]
  • An individual or entity must disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.[xiii]
  • An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the personal information was or if the entity reasonably believes was accessed and acquired by an unauthorized person.[xiv]
  • Notice required by this section may be delayed if a law enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required by this section must be made without unreasonable delay after the law enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security.[xv]

The Act also promulgates rules on the authority to bring action:

  • A violation of this act that results in injury or loss to residents of this state may be enforced by the Attorney General or a district attorney in the same manner as an unlawful practice under the Oklahoma Consumer Protection Act.[xvi]
  • Except as provided in subsection C of this section, the Attorney General or a district attorney shall have exclusive authority to bring action and may obtain either actual damages for a violation of this act or a civil penalty not to exceed One Hundred Fifty Thousand Dollars ($150,000.00) per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.[xvii]
  • A violation of this act by a state-chartered or state-licensed financial institution shall be enforceable exclusively by the primary state regulator of the financial institution.[xviii]

[i] Okla. Stat. tit. 24 § 131.

[ii] Id.

[iii] Okla. Stat. tit. 24 § 148(A).

[iv] Id.

[v] 15 U.S.C. §§ 1681a – 1681b.

[vi] 15 U.S.C. § 1681a(d).

[vii] Okla. Stat. tit. 24 § 148(B).

[viii] Okla. Stat. tit. 6 § 2203.

[ix] Okla. Stat. tit. 6 §§ 2203(a-b); Okla. Stat. tit. 6 § 2204A.

[x] Okla. Stat. tit. 24 § 161.

[xi] Id.

[xii] Okla. Stat. tit. 24 § 163A.

[xiii] Okla. Stat. tit. 24 § 163B.

[xiv] Okla. Stat. tit. 24 § 163C.

[xv] Okla. Stat. tit. 24 § 163D.

[xvi] Okla. Stat. tit. 24 § 165A.

[xvii] Okla. Stat. tit. 24 § 165B.

[xviii] Okla. Stat. tit. 24 § 165C.

[i] Okla. Stat. tit. 12 § 1857(A).

[ii] Okla. Stat. tit. 12 § 1855.

[iii] Sparks v. Old Republic Home Prot. Co., 2020 OK 42, 467 P.3d 680.

[iv] 9 U.S.C.S. § 1, et seq.

[v] 15 U.S.C.S. § 1012.

[vi] Sparks, 2020 OK 42 at ¶ 35.

[vii] Id.

[viii] Okla. Stat. tit. 15 §§ 795-799.

[ix] Okla. Stat. tit. 15 § 796.

[x] Okla. Stat. tit. 15 § 797(A), (B).

[xi] Okla. Stat. tit. 15 § 797(C).

[xii] Id.

[xiii] Okla. Stat. tit. 15 § 797(A).

[xiv] Okla. Stat. tit. 15 § 797(D).

[xv] Okla. Stat. tit. 15 § 797(E).

[xvi] Okla. Stat. tit. 15 §§ 799A.1 – 799A.8 (eff. January 1, 2023).

[xvii] Id.