A BILL TO BE ENTITLED

AN ACT

relating to the personal identifying information collected, processed, or maintained by certain businesses; imposing a civil penalty.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Title 11, Business & Commerce Code, is amended by adding Subtitle C to read as follows:

SUBTITLE C. PERSONAL IDENTIFYING INFORMATION

CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR COLLECTED BY CERTAIN BUSINESSES

SUBCHAPTER A. GENERAL PROVISIONS

Sec. 541.001. DEFINITIONS. In this chapter:
    (1) "Business" means a for-profit entity, including a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of the entity's shareholders or other owners.
    (2) "Category one information" means personal identifying information that an individual may use in a personal, civic, or business setting, and includes:
        (A) a social security number;
        (B) a driver's license number, passport number, military identification number, or any other similar number issued on a government document and used to verify an individual's identity;
        (C) a financial account number, credit or debit card number, or any security code, access code, or password that is necessary to permit access to an individual's financial account;
        (D) unique biometric information, including a fingerprint, voice print, retina or iris image, or any other unique physical representation;
        (E) physical or mental health information, including health care information; and
        (F) the private communications or other user-created content of an individual that is not publicly available.
    (3) "Category two information" means personal identifying information that may present a privacy risk to an individual, including members of a constitutionally protected class, and includes:
        (A) racial or ethnic origin information;
        (B) religious affiliation or practice information;
        (C) age;
        (D) physical or mental impairment;
        (E) precise geolocation tracking data; and
        (F) unique genetic information.
    (4) "Category three information" means specific facets of personal identifying information and includes:
        (A) time of birth; and
        (B) political party or association.
    (5) "Collect" means:
        (A) buying, renting, gathering, obtaining, receiving, inferring, creating, or accessing any personal identifying information pertaining to an individual by any means; or
        (B) obtaining personal identifying information relating to an individual, actively or passively, or by observing the individual's behavior.
    (6) "Device" means any physical object capable of connecting to the Internet, directly or indirectly, or to another device and transmitting information.
    (7) "Geolocation tracking" means the use of geolocation technology to determine or record the position of a person, including the use of a global positioning system, web-based imagery, and cell tower triangulation.
    (8) "Personal identifying information" means a category of information relating to an identified or identifiable individual. The term does not include a specific category of personal identifying information that the attorney general exempts from this definition by rule. The term includes:
        (A) a social security number;
        (B) a driver's license number, passport number, military identification number, or any other similar number issued on a government document and used to verify an individual's identity;
        (C) a financial account number, credit or debit card number, or any security code, access code, or password that is necessary to permit access to an individual's financial account;
        (D) unique biometric information, including a fingerprint, voice print, retina or iris image, or any other unique physical representation;
        (E) physical or mental health information, including health care information;
        (F) the private communications or other user-created content of an individual that is not publicly available;
        (G) religious affiliation or practice information;
        (H) racial or ethnic origin information;
        (I) precise geolocation tracking data; and
        (J) unique genetic information.
    (9) "Privacy risk" means potential adverse consequences to an individual or society at large arising from the processing of personal identifying information, including:
        (A) direct or indirect financial loss or economic harm;
        (B) physical harm;
        (C) psychological harm, including anxiety, embarrassment, fear, or other demonstrable mental trauma;
        (D) significant inconvenience or expenditure of time;
        (E) adverse outcomes or decisions with respect to an individual's eligibility for a right, benefit, or privilege in employment, including hiring, firing, promotion, demotion, or compensation;
        (F) credit or insurance harm, including denial of an application or obtaining less favorable terms related to housing, education, professional certification, or health care services;
        (G) stigmatization or reputational harm;
        (H) disruption and intrusion from unwanted commercial communications or contacts;
        (I) price discrimination; and
        (J) any other adverse consequence that affects an individual's private life, private family matters, actions or communications within an individual's home or similar physical, online, or digital location, if an individual has a reasonable expectation that personal identifying information will not be processed.
    (10) "Processing" means any operation or set of operations that are performed on personal identifying information or on sets of personal identifying information, including the collection, creation, generation, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transfer, or dissemination of the information or otherwise making the information available.
    (11) "Third party" means a person engaged by a business to process, on behalf of the business, personal identifying information collected by the business.

Sec. 541.002. APPLICABILITY. (a) This chapter applies only to a business that:
    (1) does business in this state;
    (2) has more than 50 employees;
    (3) collects the personal identifying information of more than 5,000 individuals, households, or devices or has that information collected on the business's behalf; and
    (4) satisfies one or more of the following thresholds:
        (A) has annual gross revenue in an amount that exceeds $25 million; or
        (B) derives 50 percent or more of the business's annual revenue by processing personal identifying information.
(b) Except as provided by Subsection (c), this chapter applies only to personal identifying information that is:
    (1) collected over the Internet or any other digital network or through a computing device that is associated with or routinely used by an end user; and
    (2) linked or reasonably linkable to a specific end user.
(c) This chapter does not apply to personal identifying information that is:
    (1) collected solely for facilitating the transmission, routing, or connections by which digital personal identifying information and other data is transferred between or among businesses; or
    (2) transmitted to and from the individual to whom the personal identifying information relates if the collector of the information does not access, review, or modify the content of the information, or otherwise perform or conduct any analytical, algorithmic, or machine learning processes on the information.

Sec. 541.003. EXEMPTIONS. This chapter does not apply to:
    (1) publicly available information;
    (2) protected health information governed by Chapter 181, Health and Safety Code, or collected by a covered entity or a business associate of a covered entity, as those terms are defined by 45 C.F.R. Section 160.103, that is governed by the privacy, security, and breach notification rules in 45 C.F.R. Parts 160 and 164 adopted by the United States Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5);
    (3) personal identifying information collected by a consumer reporting agency, as defined by Section 20.01, if the information is to be:
        (A) reported in or used to generate a consumer report, as defined by Section 1681a(d) of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.); and
        (B) used solely for a purpose authorized under that Act;
    (4) personal identifying information processed in accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) and its implementing regulations; or
    (5) education information that is not publicly available personally identifiable information under the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g) (34 C.F.R. Part 99).

Sec. 541.004. RULES. The attorney general shall adopt rules necessary to implement, administer, and enforce this chapter.

SUBCHAPTER B. CONSUMER RIGHTS

Sec. 541.051. RIGHT TO KNOW: DISCLOSURE AND USE OF COLLECTED PERSONAL INFORMATION. An individual is entitled to request that a business that collects personal identifying information relating to the individual or someone for whom the individual is a legal representative or guardian disclose to the individual:
    (1) the personal identifying information that is being collected by the business, including the categories and specific items of information the business collects;
    (2) the sources from which the business collects the information;
    (3) the business's purpose in collecting the information; and
    (4) the names of third parties to which the information has been distributed or transferred by the business, including the names of any third parties that have purchased the information from the business.

Sec. 541.052. RIGHT TO HAVE INACCURATE INFORMATION CORRECTED. Subject to Section 541.153, an individual is entitled to request that a business that collects personal identifying information related to the individual or someone for whom the individual is a legal representative or guardian correct any inaccurate information collected or maintained by the business that relates to the individual or the person for whom the individual is a legal representative or guardian.

Sec. 541.053. RIGHT TO ACCESS AND OBTAIN INFORMATION. Subject to Section 541.154, an individual is entitled to:
    (1) access and obtain personal identifying information related to the individual or someone for whom the individual is a legal representative or guardian that is collected by a business; and
    (2) at the option of the individual, transfer personal identifying information from one business to another business, including in connection with the sale of that information under a contract described by Subchapter C.

Sec. 541.054. RIGHT TO DELETION OF SENSITIVE PERSONAL INFORMATION. Subject to Section 541.155, an individual is entitled to request that a business delete sensitive personal information collected by the business that relates to that individual or someone for whom the individual is a legal representative or guardian.

SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS

Sec. 541.101. DEFINITION. In this subchapter, "data stream" means the continuous transmission of an individual's personal identifying information through online activity or with a device connected to the Internet that can be used by the business to provide for the monetization of the information, customer relationship management, or continuous identification of an individual for commercial purposes.

Sec. 541.102. APPLICABILITY. This subchapter applies only to a contract between a business and an individual under which, as a term of the contract, the individual allows the business to collect, store, or use the individual's personal identifying information.

Sec. 541.103. CONSIDERATION UNDER CONTRACT. (a) An individual may provide the individual's data stream or information obtained by the individual under Section 541.154 as consideration under a contract.
(b) A business may provide consideration in the form of money or other incentive, including as an incentive to purchase goods or services, under a contract that is reasonably related to the value of the information or access offered by the individual under the contract. This subsection does not prohibit a business from differentiating the consideration offered to individuals based on information or access offered by individuals, including offering different individuals different prices or rates for goods or services or providing different levels of quality for goods or services based on the information and access offered by individuals.

Sec. 541.104. CONTRACT REQUIREMENTS. (a) A contract subject to this subchapter:
    (1) must clearly state the terms, including the duration, of the contract; and
    (2) may not:
        (A) require that the individual exclusively contract with the business or otherwise restrict the individual's ability to sell the individual's personal identifying information; and
        (B) prevent the individual from receiving or considering alternative offers to purchase the individual's personal identifying information.
(b) A contract provision that violates Subsection (a)(2) is void and unenforceable.

SUBCHAPTER D. BUSINESS DUTIES

Sec. 541.151. RESTRICTIONS ON USE OF PERSONAL IDENTIFYING INFORMATION. (a) Subject to the requirements of this section, a business may collect and process category one and category two information.
(b) A business may not:
    (1) sell, transfer, or communicate category two information to any third party; or
    (2) collect or process category three information.
(c) Without the express written consent of the individual, a business may not:
    (1) perform geolocation tracking of an individual, including for purposes of contact tracing; or
    (2) sell data relating to an individual that is collected from geolocation tracking.
(d) A business shall protect and properly secure all personal identifying information collected by or in the possession of the business.

Sec. 541.152. NOTICE REQUIRED. (a) A business in a conspicuous manner shall provide a notice that includes a reasonably full and complete description of the business's practices governing the processing of personal identifying information before collecting personal identifying information. The notice must include:
    (1) the categories of personal identifying information processed by the business;
    (2) details on the type of processing used by the business;
    (3) the purposes for which the business processes personal identifying information; and
    (4) the involvement of any third party in processing personal identifying information on behalf of the business.
(b) The notice required by Subsection (a) must be:
    (1) clear, drafted in plain language, and easy to understand; and
    (2) located in a prominent location at the business and on the business's Internet website if the business has an Internet website.

Sec. 541.153. DUTY TO MAINTAIN ACCURATE INFORMATION. (a) A business must ensure that the personal identifying information the business maintains is accurate.
(b) A business shall clearly and conspicuously publish an e-mail address, fax number, or mailing address to enable an individual to dispute the accuracy of the personal identifying information collected or maintained by the business.
(c) If a business receives a dispute regarding the accuracy of personal identifying information that relates to the individual or someone for whom the individual is a legal representative or guardian from the individual, the business shall, unless the business conducts an investigation and determines the information is accurate, promptly correct the inaccurate information. The individual making the dispute may provide supplementary information when necessary to correct inaccurate personal identifying information.
(d) The business may not charge a fee to remove, correct, or modify inaccurate personal identifying information under this section.
(e) A business shall provide written notice to the individual who disputed the accuracy of the personal identifying information of the actions it has taken in response to the dispute not later than the fifth business day after the date on which the dispute was received.

Sec. 541.154. ACCESS TO INFORMATION; DATA PORTABILITY. (a) A business shall allow an individual to promptly and reasonably obtain:
    (1) confirmation of whether personal identifying information concerning the individual or someone for whom the individual is a legal representative or guardian is processed by the business;
    (2) a description of the categories of personal identifying information processed by the business;
    (3) an explanation in plain language of the specific types of personal identifying information collected by the business;
    (4) a description of the inferences the business has drawn about the individual or someone for whom the individual is a personal representative or guardian from the information collected by the business; and
    (5) access to the individual's personal identifying information, including in accordance with Subsection (b), a copy of the individual's personal identifying information in a portable and transferable format.
(b) On request of an individual, a business shall without undue delay provide the individual with all personal identifying information collected by the business that relates to the individual or someone for whom the individual is a legal representative or guardian. The business shall provide the requested information to an individual under this section in a portable, readily usable format that may be transferred, including in connection with the sale of the information, by the individual to another business.

Sec. 541.155. DELETION OF PERSONAL IDENTIFYING INFORMATION. (a) If an individual who maintains an account with a business closes the account, the business shall:
    (1) stop processing the individual's personal identifying information on the date the individual closes the account; and
    (2) not later than the one-year anniversary of the date the account is closed, permanently delete the individual's personal identifying information unless retention of the information is required by other law or is necessary to comply with other law.
(b) If an individual makes a request for a business to delete personal identifying information under this section, and that business has provided the personal identifying information to a third party, the business shall notify the third party of the individual's request. The third party shall delete the individual's personal identifying information not later than the one-year anniversary of the date the third party received the notification under this subsection.

SUBCHAPTER E. ENFORCEMENT

Sec. 541.201. CIVIL PENALTY. (a) A business that violates this chapter or a third party that violates Section 541.155(b) is liable to this state for a civil penalty in an amount of not more than $10,000 for each violation, not to exceed a total amount of $1 million.
(b) The attorney general may bring an action in the name of the state against the business or third party to recover the civil penalty imposed under this section.
(c) The attorney general is entitled to recover reasonable expenses, including reasonable attorney's fees, court costs, and investigatory costs, incurred in bringing an action under this section.

Sec. 541.202. BUSINESS IMMUNITY FROM LIABILITY. A business that is in compliance with this chapter and engages a third party to process on behalf of the business personal identifying information collected by the business may not be held liable for a violation of Section 541.155(b) by the third party if the business does not have actual knowledge or a reasonable belief that the third party intends to violate that section.

Sec. 541.203. NO PRIVATE CAUSE OF ACTION. This chapter does not create a private cause of action.

SECTION 2. (a) Except as provided by Subsection (b) of this section, this Act takes effect September 1, 2021.
(b) Sections 541.054 and 541.155, Business & Commerce Code, as added by this Act, take effect January 1, 2022.