Bill Text: TX HB3741 | 2021-2022 | 87th Legislature | Introduced
Bill Title: Relating to the personal identifying information collected, processed, or maintained by certain businesses; imposing a civil penalty.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2021-03-22 - Referred to Business & Industry [HB3741 Detail]
Download: Texas-2021-HB3741-Introduced.html
| 87R8183 MLH-F | ||
| By: Capriglione | H.B. No. 3741 | |
|
|
||
|
|
||
| relating to the personal identifying information collected, | ||
| processed, or maintained by certain businesses; imposing a civil | ||
| penalty. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Title 11, Business & Commerce Code, is amended by | ||
| adding Subtitle C to read as follows: | ||
| SUBTITLE C. PERSONAL IDENTIFYING INFORMATION | ||
| CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR | ||
| COLLECTED BY CERTAIN BUSINESSES | ||
| SUBCHAPTER A. GENERAL PROVISIONS | ||
| Sec. 541.001. DEFINITIONS. In this chapter: | ||
| (1) "Business" means a for-profit entity, including a | ||
| sole proprietorship, partnership, limited liability company, | ||
| corporation, association, or other legal entity that is organized | ||
| or operated for the profit or financial benefit of the entity's | ||
| shareholders or other owners. | ||
| (2) "Category one information" means personal | ||
| identifying information that an individual may use in a personal, | ||
| civic, or business setting, and includes: | ||
| (A) a social security number; | ||
| (B) a driver's license number, passport number, | ||
| military identification number, or any other similar number issued | ||
| on a government document and used to verify an individual's | ||
| identity; | ||
| (C) a financial account number, credit or debit | ||
| card number, or any security code, access code, or password that is | ||
| necessary to permit access to an individual's financial account; | ||
| (D) unique biometric information, including a | ||
| fingerprint, voice print, retina or iris image, or any other unique | ||
| physical representation; | ||
| (E) physical or mental health information, | ||
| including health care information; and | ||
| (F) the private communications or other | ||
| user-created content of an individual that is not publicly | ||
| available. | ||
| (3) "Category two information" means personal | ||
| identifying information that may present a privacy risk to an | ||
| individual, including members of a constitutionally protected | ||
| class, and includes: | ||
| (A) racial or ethnic origin information; | ||
| (B) religious affiliation or practice | ||
| information; | ||
| (C) age; | ||
| (D) physical or mental impairment; | ||
| (E) precise geolocation tracking data; and | ||
| (F) unique genetic information. | ||
| (4) "Category three information" means specific | ||
| facets of personal identifying information and includes: | ||
| (A) time of birth; and | ||
| (B) political party or association. | ||
| (5) "Collect" means: | ||
| (A) buying, renting, gathering, obtaining, | ||
| receiving, inferring, creating, or accessing any personal | ||
| identifying information pertaining to an individual by any means; | ||
| or | ||
| (B) obtaining personal identifying information | ||
| relating to an individual, actively or passively, or by observing | ||
| the individual's behavior. | ||
| (6) "Device" means any physical object capable of | ||
| connecting to the Internet, directly or indirectly, or to another | ||
| device and transmitting information. | ||
| (7) "Geolocation tracking" means the use of | ||
| geolocation technology to determine or record the position of a | ||
| person, including the use of a global positioning system, web-based | ||
| imagery, and cell tower triangulation. | ||
| (8) "Personal identifying information" means a | ||
| category of information relating to an identified or identifiable | ||
| individual. The term does not include a specific category of | ||
| personal identifying information that the attorney general exempts | ||
| from this definition by rule. The term includes: | ||
| (A) a social security number; | ||
| (B) a driver's license number, passport number, | ||
| military identification number, or any other similar number issued | ||
| on a government document and used to verify an individual's | ||
| identity; | ||
| (C) a financial account number, credit or debit | ||
| card number, or any security code, access code, or password that is | ||
| necessary to permit access to an individual's financial account; | ||
| (D) unique biometric information, including a | ||
| fingerprint, voice print, retina or iris image, or any other unique | ||
| physical representation; | ||
| (E) physical or mental health information, | ||
| including health care information; | ||
| (F) the private communications or other | ||
| user-created content of an individual that is not publicly | ||
| available; | ||
| (G) religious affiliation or practice | ||
| information; | ||
| (H) racial or ethnic origin information; | ||
| (I) precise geolocation tracking data; and | ||
| (J) unique genetic information. | ||
| (9) "Privacy risk" means potential adverse | ||
| consequences to an individual or society at large arising from the | ||
| processing of personal identifying information, including: | ||
| (A) direct or indirect financial loss or economic | ||
| harm; | ||
| (B) physical harm; | ||
| (C) psychological harm, including anxiety, | ||
| embarrassment, fear, or other demonstrable mental trauma; | ||
| (D) significant inconvenience or expenditure of | ||
| time; | ||
| (E) adverse outcomes or decisions with respect to | ||
| an individual's eligibility for a right, benefit, or privilege in | ||
| employment, including hiring, firing, promotion, demotion, or | ||
| compensation; | ||
| (F) credit or insurance harm, including denial of | ||
| an application or obtaining less favorable terms related to | ||
| housing, education, professional certification, or health care | ||
| services; | ||
| (G) stigmatization or reputational harm; | ||
| (H) disruption and intrusion from unwanted | ||
| commercial communications or contacts; | ||
| (I) price discrimination; and | ||
| (J) any other adverse consequence that affects an | ||
| individual's private life, private family matters, actions or | ||
| communications within an individual's home or similar physical, | ||
| online, or digital location, if an individual has a reasonable | ||
| expectation that personal identifying information will not be | ||
| processed. | ||
| (10) "Processing" means any operation or set of | ||
| operations that are performed on personal identifying information | ||
| or on sets of personal identifying information, including the | ||
| collection, creation, generation, recording, organization, | ||
| structuring, storage, adaptation, alteration, retrieval, | ||
| consultation, use, disclosure, transfer, or dissemination of the | ||
| information or otherwise making the information available. | ||
| (11) "Third party" means a person engaged by a | ||
| business to process, on behalf of the business, personal | ||
| identifying information collected by the business. | ||
| Sec. 541.002. APPLICABILITY. (a) This chapter applies | ||
| only to a business that: | ||
| (1) does business in this state; | ||
| (2) has more than 50 employees; | ||
| (3) collects the personal identifying information of | ||
| more than 5,000 individuals, households, or devices or has that | ||
| information collected on the business's behalf; and | ||
| (4) satisfies one or more of the following thresholds: | ||
| (A) has annual gross revenue in an amount that | ||
| exceeds $25 million; or | ||
| (B) derives 50 percent or more of the business's | ||
| annual revenue by processing personal identifying information. | ||
| (b) Except as provided by Subsection (c), this chapter | ||
| applies only to personal identifying information that is: | ||
| (1) collected over the Internet or any other digital | ||
| network or through a computing device that is associated with or | ||
| routinely used by an end user; and | ||
| (2) linked or reasonably linkable to a specific end | ||
| user. | ||
| (c) This chapter does not apply to personal identifying | ||
| information that is: | ||
| (1) collected solely for facilitating the | ||
| transmission, routing, or connections by which digital personal | ||
| identifying information and other data is transferred between or | ||
| among businesses; or | ||
| (2) transmitted to and from the individual to whom the | ||
| personal identifying information relates if the collector of the | ||
| information does not access, review, or modify the content of the | ||
| information, or otherwise perform or conduct any analytical, | ||
| algorithmic, or machine learning processes on the information. | ||
| Sec. 541.003. EXEMPTIONS. This chapter does not apply to: | ||
| (1) publicly available information; | ||
| (2) protected health information governed by Chapter | ||
| 181, Health and Safety Code, or collected by a covered entity or a | ||
| business associate of a covered entity, as those terms are defined | ||
| by 45 C.F.R. Section 160.103, that is governed by the privacy, | ||
| security, and breach notification rules in 45 C.F.R. Parts 160 and | ||
| 164 adopted by the United States Department of Health and Human | ||
| Services under the Health Insurance Portability and Accountability | ||
| Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American | ||
| Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5); | ||
| (3) personal identifying information collected by a | ||
| consumer reporting agency, as defined by Section 20.01, if the | ||
| information is to be: | ||
| (A) reported in or used to generate a consumer | ||
| report, as defined by Section 1681a(d) of the Fair Credit Reporting | ||
| Act (15 U.S.C. Section 1681 et seq.); and | ||
| (B) used solely for a purpose authorized under | ||
| that Act; | ||
| (4) personal identifying information processed in | ||
| accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) | ||
| and its implementing regulations; or | ||
| (5) education information that is not publicly | ||
| available personally identifiable information under the Family | ||
| Educational Rights and Privacy Act of 1974 (20 U.S.C. Section | ||
| 1232g) (34 C.F.R. Part 99). | ||
| Sec. 541.004. RULES. The attorney general shall adopt | ||
| rules necessary to implement, administer, and enforce this chapter. | ||
| SUBCHAPTER B. CONSUMER RIGHTS | ||
| Sec. 541.051. RIGHT TO KNOW: DISCLOSURE AND USE OF | ||
| COLLECTED PERSONAL INFORMATION. An individual is entitled to | ||
| request that a business that collects personal identifying | ||
| information relating to the individual or someone for whom the | ||
| individual is a legal representative or guardian disclose to the | ||
| individual: | ||
| (1) the personal identifying information that is being | ||
| collected by the business, including the categories and specific | ||
| items of information the business collects; | ||
| (2) the sources from which the business collects the | ||
| information; | ||
| (3) the business's purpose in collecting the | ||
| information; and | ||
| (4) the names of third parties to which the | ||
| information has been distributed or transferred by the business, | ||
| including to names of any third parties that have purchased the | ||
| information from the business. | ||
| Sec. 541.052. RIGHT TO HAVE INACCURATE INFORMATION | ||
| CORRECTED. Subject to Section 541.153, an individual is entitled | ||
| to request that a business that collects personal identifying | ||
| information related to the individual or someone for whom the | ||
| individual is a legal representative or guardian correct any | ||
| inaccurate information collected or maintained by the business that | ||
| relates to the individual or the person for whom the individual is a | ||
| legal representative or guardian. | ||
| Sec. 541.053. RIGHT TO ACCESS AND OBTAIN INFORMATION. | ||
| Subject to Section 541.154, an individual is entitled to: | ||
| (1) access and obtain personal identifying | ||
| information related to the individual or someone for whom the | ||
| individual is a legal representative or guardian that is collected | ||
| by a business; and | ||
| (2) at the option of the individual, transfer personal | ||
| identifying information from one business to another business, | ||
| including in connection with the sale of that information under a | ||
| contract described by Subchapter C. | ||
| Sec. 541.054. RIGHT TO DELETION OF SENSITIVE PERSONAL | ||
| INFORMATION. Subject to Section 541.155, an individual is entitled | ||
| to request that a business delete sensitive personal information | ||
| collected by the business that relates to that individual or | ||
| someone for whom the individual is a legal representative or | ||
| guardian. | ||
| SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS | ||
| Sec. 541.101. DEFINITION. In this subchapter, "data | ||
| stream" means the continuous transmission of an individual's | ||
| personal identifying information through online activity or with a | ||
| device connected to the Internet that can be used by the business to | ||
| provide for the monetization of the information, customer | ||
| relationship management, or continuous identification of an | ||
| individual for commercial purposes. | ||
| Sec. 541.102. APPLICABILITY. This subchapter applies only | ||
| to a contract between a business and an individual under which, as a | ||
| term of the contract, the individual allows the business to | ||
| collect, store, or use the individual's personal identifying | ||
| information. | ||
| Sec. 541.103. CONSIDERATION UNDER CONTRACT. (a) An | ||
| individual may provide the individual's data stream or information | ||
| obtained by the individual under Section 541.154 as consideration | ||
| under a contract. | ||
| (b) A business may provide consideration in the form of | ||
| money or other incentive, including as an incentive to purchase | ||
| goods or services, under a contract that is reasonably related to | ||
| the value of the information or access offered by the individual | ||
| under the contract. This subsection does not prohibit a business | ||
| from differentiating the consideration offered to individuals | ||
| based on information or access offered by individuals, including | ||
| offering different individuals different prices or rates for goods | ||
| or services or providing different levels of quality for goods or | ||
| services based on the information and access offered by | ||
| individuals. | ||
| Sec. 541.104. CONTRACT REQUIREMENTS. (a) A contract | ||
| subject to this subchapter: | ||
| (1) must clearly state the terms, including the | ||
| duration, of the contract; and | ||
| (2) may not: | ||
| (A) require that the individual exclusively | ||
| contract with the business or otherwise restrict the individual's | ||
| ability to sell the individual's personal identifying information; | ||
| and | ||
| (B) prevent the individual from receiving or | ||
| considering alternative offers to purchase the individual's | ||
| personal identifying information. | ||
| (b) A contract provision that violates Subsection (a)(2) is | ||
| void and unenforceable. | ||
| SUBCHAPTER D. BUSINESS DUTIES | ||
| Sec. 541.151. RESTRICTIONS ON USE OF PERSONAL IDENTIFYING | ||
| INFORMATION. (a) Subject to the requirements of this section, a | ||
| business may collect and process category one and category two | ||
| information. | ||
| (b) A business may not: | ||
| (1) sell, transfer, or communicate category two | ||
| information to any third party; or | ||
| (2) collect or process category three information. | ||
| (c) Without the express written consent of the individual, a | ||
| business may not: | ||
| (1) perform geolocation tracking of an individual, | ||
| including for purposes of contact tracing; or | ||
| (2) sell data relating to an individual that is | ||
| collected from geolocation tracking. | ||
| (d) A business shall protect and properly secure all | ||
| personal identifying information collected by or in the possession | ||
| of the business. | ||
| Sec. 541.152. NOTICE REQUIRED. (a) A business in a | ||
| conspicuous manner shall provide a notice that includes a | ||
| reasonably full and complete description of the business's | ||
| practices governing the processing of personal identifying | ||
| information before collecting personal identifying information. | ||
| The notice must include: | ||
| (1) the categories of personal identifying | ||
| information processed by the business; | ||
| (2) details on the type of processing used by the | ||
| business; | ||
| (3) the purposes for which the business processes | ||
| personal identifying information; and | ||
| (4) the involvement of any third party in processing | ||
| personal identifying information on behalf of the business. | ||
| (b) The notice required by Subsection (a) must be: | ||
| (1) clear, drafted in plain language, and easy to | ||
| understand; and | ||
| (2) located in a prominent location at the business | ||
| and on the business's Internet website if the business has an | ||
| Internet website. | ||
| Sec. 541.153. DUTY TO MAINTAIN ACCURATE INFORMATION. (a) A | ||
| business must ensure that the personal identifying information the | ||
| business maintains is accurate. | ||
| (b) A business shall clearly and conspicuously publish an | ||
| e-mail address, fax number, or mailing address to enable an | ||
| individual to dispute the accuracy of the personal identifying | ||
| information collected or maintained by the business. | ||
| (c) If a business receives a dispute regarding the accuracy | ||
| of personal identifying information that relates to the individual | ||
| or someone for whom the individual is a legal representative or | ||
| guardian from the individual, the business shall, unless the | ||
| business conducts an investigation and determines the information | ||
| is accurate, promptly correct the inaccurate information. The | ||
| individual making the dispute may provide supplementary | ||
| information when necessary to correct inaccurate personal | ||
| identifying information. | ||
| (d) The business may not charge a fee to remove, correct, or | ||
| modify inaccurate personal identifying information under this | ||
| section. | ||
| (e) A business shall provide written notice to the | ||
| individual who disputed the accuracy of the personal identifying | ||
| information of the actions it has taken in response to the dispute | ||
| not later than the fifth business day after the date on which the | ||
| dispute was received. | ||
| Sec. 541.154. ACCESS TO INFORMATION; DATA PORTABILITY. (a) | ||
| A business shall allow an individual to promptly and reasonably | ||
| obtain: | ||
| (1) confirmation of whether personal identifying | ||
| information concerning the individual or someone for whom the | ||
| individual is a legal representative or guardian is processed by | ||
| the business; | ||
| (2) a description of the categories of personal | ||
| identifying information processed by the business; | ||
| (3) an explanation in plain language of the specific | ||
| types of personal identifying information collected by the | ||
| business; | ||
| (4) a description of the inferences the business has | ||
| drawn about the individual or someone for whom the individual is a | ||
| personal representative or guardian from the information collected | ||
| by the business; and | ||
| (5) access to the individual's personal identifying | ||
| information, including in accordance with Subsection (b), a copy of | ||
| the individual's personal identifying information in a portable and | ||
| transferable format. | ||
| (b) On request of an individual, a business shall without | ||
| undue delay provide the individual with all personal identifying | ||
| information collected by the business that relates to the | ||
| individual or someone for whom the individual is a legal | ||
| representative or guardian. The business shall provide the | ||
| requested information to an individual under this section in a | ||
| portable, readily usable format that may be transferred, including | ||
| in connection with the sale of the information, by the individual to | ||
| another business. | ||
| Sec. 541.155. DELETION OF PERSONAL IDENTIFYING | ||
| INFORMATION. (a) If an individual who maintains an account with a | ||
| business closes the account, the business shall: | ||
| (1) stop processing the individual's personal | ||
| identifying information on the date the individual closes the | ||
| account; and | ||
| (2) not later than the one-year anniversary of the | ||
| date the account is closed, permanently delete the individual's | ||
| personal identifying information unless retention of the | ||
| information is required by other law or is necessary to comply with | ||
| other law. | ||
| (b) If an individual makes a request for a business to | ||
| delete personal identifying information under this section, and | ||
| that business has provided the personal identifying information to | ||
| a third party, the business shall notify the third party of the | ||
| individual's request. The third party shall delete the individual's | ||
| personal identifying information not later than the one-year | ||
| anniversary of the date the third party received the notification | ||
| under this subsection. | ||
| SUBCHAPTER E. ENFORCEMENT | ||
| Sec. 541.201. CIVIL PENALTY. (a) A business that violates | ||
| this chapter or a third party that violates Section 541.155(b) is | ||
| liable to this state for a civil penalty in an amount of not more | ||
| than $10,000 for each violation, not to exceed a total amount of $1 | ||
| million. | ||
| (b) The attorney general may bring an action in the name of | ||
| the state against the business or third party to recover the civil | ||
| penalty imposed under this section. | ||
| (c) The attorney general is entitled to recover reasonable | ||
| expenses, including reasonable attorney's fees, court costs, and | ||
| investigatory costs, incurred in bringing an action under this | ||
| section. | ||
| Sec. 541.202. BUSINESS IMMUNITY FROM LIABILITY. A business | ||
| that is in compliance with this chapter and engages a third party to | ||
| process on behalf of the business personal identifying information | ||
| collected by the business may not be held liable for a violation of | ||
| Section 541.155(b) by the third party if the business does not have | ||
| actual knowledge or a reasonable belief that the third party | ||
| intends to violate that section. | ||
| Sec. 541.203. NO PRIVATE CAUSE OF ACTION. This chapter does | ||
| not create a private cause of action. | ||
| SECTION 2. (a) Except as provided by Subsection (b) of this | ||
| section, this Act takes effect September 1, 2021. | ||
| (b) Sections 541.054 and 541.155, Business & Commerce Code, | ||
| as added by this Act, take effect January 1, 2022. | ||
