Bill Text: TX HB3741 | 2021-2022 | 87th Legislature | Introduced


Bill Title: Relating to the personal identifying information collected, processed, or maintained by certain businesses; imposing a civil penalty.

Spectrum: Partisan Bill (Republican 1-0)

Status: (Introduced - Dead) 2021-03-22 - Referred to Business & Industry [HB3741 Detail]

Download: Texas-2021-HB3741-Introduced.html
  87R8183 MLH-F
 
  By: Capriglione H.B. No. 3741
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the personal identifying information collected,
  processed, or maintained by certain businesses; imposing a civil
  penalty.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Title 11, Business & Commerce Code, is amended by
  adding Subtitle C to read as follows:
  SUBTITLE C. PERSONAL IDENTIFYING INFORMATION
  CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR
  COLLECTED BY CERTAIN BUSINESSES
  SUBCHAPTER A. GENERAL PROVISIONS
         Sec. 541.001.  DEFINITIONS. In this chapter:
               (1)  "Business" means a for-profit entity, including a
  sole proprietorship, partnership, limited liability company,
  corporation, association, or other legal entity that is organized
  or operated for the profit or financial benefit of the entity's
  shareholders or other owners.
               (2)  "Category one information" means personal
  identifying information that an individual may use in a personal,
  civic, or business setting, and includes:
                     (A)  a social security number;
                     (B)  a driver's license number, passport number,
  military identification number, or any other similar number issued
  on a government document and used to verify an individual's
  identity;
                     (C)  a financial account number, credit or debit
  card number, or any security code, access code, or password that is
  necessary to permit access to an individual's financial account;
                     (D)  unique biometric information, including a
  fingerprint, voice print, retina or iris image, or any other unique
  physical representation;
                     (E)  physical or mental health information,
  including health care information; and
                     (F)  the private communications or other
  user-created content of an individual that is not publicly
  available.
               (3)  "Category two information" means personal
  identifying information that may present a privacy risk to an
  individual, including members of a constitutionally protected
  class, and includes:
                     (A)  racial or ethnic origin information;
                     (B)  religious affiliation or practice
  information;
                     (C)  age;
                     (D)  physical or mental impairment;
                     (E)  precise geolocation tracking data; and
                     (F)  unique genetic information.
               (4)  "Category three information" means specific
  facets of personal identifying information and includes:
                     (A)  time of birth; and
                     (B)  political party or association.
               (5)  "Collect" means:
                     (A)  buying, renting, gathering, obtaining,
  receiving, inferring, creating, or accessing any personal
  identifying information pertaining to an individual by any means;
  or
                     (B)  obtaining personal identifying information
  relating to an individual, actively or passively, or by observing
  the individual's behavior.
               (6)  "Device" means any physical object capable of
  connecting to the Internet, directly or indirectly, or to another
  device and transmitting information.
               (7)  "Geolocation tracking" means the use of
  geolocation technology to determine or record the position of a
  person, including the use of a global positioning system, web-based
  imagery, and cell tower triangulation.
               (8)  "Personal identifying information" means a
  category of information relating to an identified or identifiable
  individual. The term does not include a specific category of
  personal identifying information that the attorney general exempts
  from this definition by rule. The term includes:
                     (A)  a social security number;
                     (B)  a driver's license number, passport number,
  military identification number, or any other similar number issued
  on a government document and used to verify an individual's
  identity;
                     (C)  a financial account number, credit or debit
  card number, or any security code, access code, or password that is
  necessary to permit access to an individual's financial account;
                     (D)  unique biometric information, including a
  fingerprint, voice print, retina or iris image, or any other unique
  physical representation;
                     (E)  physical or mental health information,
  including health care information;
                     (F)  the private communications or other
  user-created content of an individual that is not publicly
  available;
                     (G)  religious affiliation or practice
  information;
                     (H)  racial or ethnic origin information;
                     (I)  precise geolocation tracking data; and
                     (J)  unique genetic information.
               (9)  "Privacy risk" means potential adverse
  consequences to an individual or society at large arising from the
  processing of personal identifying information, including:
                     (A)  direct or indirect financial loss or economic
  harm;
                     (B)  physical harm;
                     (C)  psychological harm, including anxiety,
  embarrassment, fear, or other demonstrable mental trauma;
                     (D)  significant inconvenience or expenditure of
  time;
                     (E)  adverse outcomes or decisions with respect to
  an individual's eligibility for a right, benefit, or privilege in
  employment, including hiring, firing, promotion, demotion, or
  compensation;
                     (F)  credit or insurance harm, including denial of
  an application or obtaining less favorable terms related to
  housing, education, professional certification, or health care
  services;
                     (G)  stigmatization or reputational harm;
                     (H)  disruption and intrusion from unwanted
  commercial communications or contacts;
                     (I)  price discrimination; and
                     (J)  any other adverse consequence that affects an
  individual's private life, private family matters, actions or
  communications within an individual's home or similar physical,
  online, or digital location, if an individual has a reasonable
  expectation that personal identifying information will not be
  processed.
               (10)  "Processing" means any operation or set of
  operations that are performed on personal identifying information
  or on sets of personal identifying information, including the
  collection, creation, generation, recording, organization,
  structuring, storage, adaptation, alteration, retrieval,
  consultation, use, disclosure, transfer, or dissemination of the
  information or otherwise making the information available.
               (11)  "Third party" means a person engaged by a
  business to process, on behalf of the business, personal
  identifying information collected by the business.
         Sec. 541.002.  APPLICABILITY. (a) This chapter applies
  only to a business that:
               (1)  does business in this state;
               (2)  has more than 50 employees;
               (3)  collects the personal identifying information of
  more than 5,000 individuals, households, or devices or has that
  information collected on the business's behalf; and
               (4)  satisfies one or more of the following thresholds:
                     (A)  has annual gross revenue in an amount that
  exceeds $25 million; or
                     (B)  derives 50 percent or more of the business's
  annual revenue by processing personal identifying information.
         (b)  Except as provided by Subsection (c), this chapter
  applies only to personal identifying information that is:
               (1)  collected over the Internet or any other digital
  network or through a computing device that is associated with or
  routinely used by an end user; and
               (2)  linked or reasonably linkable to a specific end
  user.
         (c)  This chapter does not apply to personal identifying
  information that is:
               (1)  collected solely for facilitating the
  transmission, routing, or connections by which digital personal
  identifying information and other data is transferred between or
  among businesses; or
               (2)  transmitted to and from the individual to whom the
  personal identifying information relates if the collector of the
  information does not access, review, or modify the content of the
  information, or otherwise perform or conduct any analytical,
  algorithmic, or machine learning processes on the information.
         Sec. 541.003.  EXEMPTIONS. This chapter does not apply to:
               (1)  publicly available information;
               (2)  protected health information governed by Chapter
  181, Health and Safety Code, or collected by a covered entity or a
  business associate of a covered entity, as those terms are defined
  by 45 C.F.R. Section 160.103, that is governed by the privacy,
  security, and breach notification rules in 45 C.F.R. Parts 160 and
  164 adopted by the United States Department of Health and Human
  Services under the Health Insurance Portability and Accountability
  Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American
  Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5);
               (3)  personal identifying information collected by a
  consumer reporting agency, as defined by Section 20.01, if the
  information is to be:
                     (A)  reported in or used to generate a consumer
  report, as defined by Section 1681a(d) of the Fair Credit Reporting
  Act (15 U.S.C. Section 1681 et seq.); and
                     (B)  used solely for a purpose authorized under
  that Act;
               (4)  personal identifying information processed in
  accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102)
  and its implementing regulations; or
               (5)  education information that is not publicly
  available personally identifiable information under the Family
  Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
  1232g) (34 C.F.R. Part 99).
         Sec. 541.004.  RULES. The attorney general shall adopt
  rules necessary to implement, administer, and enforce this chapter.
  SUBCHAPTER B. CONSUMER RIGHTS
         Sec. 541.051.  RIGHT TO KNOW: DISCLOSURE AND USE OF
  COLLECTED PERSONAL INFORMATION.  An individual is entitled to
  request that a business that collects personal identifying
  information relating to the individual or someone for whom the
  individual is a legal representative or guardian disclose to the
  individual:
               (1)  the personal identifying information that is being
  collected by the business, including the categories and specific
  items of information the business collects;
               (2)  the sources from which the business collects the
  information;
               (3)  the business's purpose in collecting the
  information; and
               (4)  the names of third parties to which the
  information has been distributed or transferred by the business,
  including to names of any third parties that have purchased the
  information from the business.
         Sec. 541.052.  RIGHT TO HAVE INACCURATE INFORMATION
  CORRECTED. Subject to Section 541.153, an individual is entitled
  to request that a business that collects personal identifying
  information related to the individual or someone for whom the
  individual is a legal representative or guardian correct any
  inaccurate information collected or maintained by the business that
  relates to the individual or the person for whom the individual is a
  legal representative or guardian.
         Sec. 541.053.  RIGHT TO ACCESS AND OBTAIN INFORMATION.
  Subject to Section 541.154, an individual is entitled to:
               (1)  access and obtain personal identifying
  information related to the individual or someone for whom the
  individual is a legal representative or guardian that is collected
  by a business; and
               (2)  at the option of the individual, transfer personal
  identifying information from one business to another business,
  including in connection with the sale of that information under a
  contract described by Subchapter C.
         Sec. 541.054.  RIGHT TO DELETION OF SENSITIVE PERSONAL
  INFORMATION. Subject to Section 541.155, an individual is entitled
  to request that a business delete sensitive personal information
  collected by the business that relates to that individual or
  someone for whom the individual is a legal representative or
  guardian.
  SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS
         Sec. 541.101.  DEFINITION. In this subchapter, "data
  stream" means the continuous transmission of an individual's
  personal identifying information through online activity or with a
  device connected to the Internet that can be used by the business to
  provide for the monetization of the information, customer
  relationship management, or continuous identification of an
  individual for commercial purposes.
         Sec. 541.102.  APPLICABILITY. This subchapter applies only
  to a contract between a business and an individual under which, as a
  term of the contract, the individual allows the business to
  collect, store, or use the individual's personal identifying
  information.
         Sec. 541.103.  CONSIDERATION UNDER CONTRACT. (a)  An
  individual may provide the individual's data stream or information
  obtained by the individual under Section 541.154 as consideration
  under a contract.
         (b)  A business may provide consideration in the form of
  money or other incentive, including as an incentive to purchase
  goods or services, under a contract that is reasonably related to
  the value of the information or access offered by the individual
  under the contract. This subsection does not prohibit a business
  from differentiating the consideration offered to individuals
  based on information or access offered by individuals, including
  offering different individuals different prices or rates for goods
  or services or providing different levels of quality for goods or
  services based on the information and access offered by
  individuals.
         Sec. 541.104.  CONTRACT REQUIREMENTS. (a)  A contract
  subject to this subchapter:
               (1)  must clearly state the terms, including the
  duration, of the contract; and
               (2)  may not:
                     (A)  require that the individual exclusively
  contract with the business or otherwise restrict the individual's
  ability to sell the individual's personal identifying information;
  and
                     (B)  prevent the individual from receiving or
  considering alternative offers to purchase the individual's
  personal identifying information.
         (b)  A contract provision that violates Subsection (a)(2) is
  void and unenforceable.
  SUBCHAPTER D. BUSINESS DUTIES
         Sec. 541.151.  RESTRICTIONS ON USE OF PERSONAL IDENTIFYING
  INFORMATION. (a)  Subject to the requirements of this section, a
  business may collect and process category one and category two
  information.
         (b)  A business may not:
               (1)  sell, transfer, or communicate category two
  information to any third party; or
               (2)  collect or process category three information.
         (c)  Without the express written consent of the individual, a
  business may not:
               (1)  perform geolocation tracking of an individual,
  including for purposes of contact tracing; or
               (2)  sell data relating to an individual that is
  collected from geolocation tracking.
         (d)  A business shall protect and properly secure all
  personal identifying information collected by or in the possession
  of the business.
         Sec. 541.152.  NOTICE REQUIRED. (a) A business in a
  conspicuous manner shall provide a notice that includes a
  reasonably full and complete description of the business's
  practices governing the processing of personal identifying
  information before collecting personal identifying information.
  The notice must include:
               (1)  the categories of personal identifying
  information processed by the business;
               (2)  details on the type of processing used by the
  business;
               (3)  the purposes for which the business processes
  personal identifying information; and
               (4)  the involvement of any third party in processing
  personal identifying information on behalf of the business.
         (b)  The notice required by Subsection (a) must be:
               (1)  clear, drafted in plain language, and easy to
  understand; and
               (2)  located in a prominent location at the business
  and on the business's Internet website if the business has an
  Internet website.
         Sec. 541.153.  DUTY TO MAINTAIN ACCURATE INFORMATION. (a) A
  business must ensure that the personal identifying information the
  business maintains is accurate.
         (b)  A business shall clearly and conspicuously publish an
  e-mail address, fax number, or mailing address to enable an
  individual to dispute the accuracy of the personal identifying
  information collected or maintained by the business.
         (c)  If a business receives a dispute regarding the accuracy
  of personal identifying information that relates to the individual
  or someone for whom the individual is a legal representative or
  guardian from the individual, the business shall, unless the
  business conducts an investigation and determines the information
  is accurate, promptly correct the inaccurate information. The
  individual making the dispute may provide supplementary
  information when necessary to correct inaccurate personal
  identifying information.
         (d)  The business may not charge a fee to remove, correct, or
  modify inaccurate personal identifying information under this
  section.
         (e)  A business shall provide written notice to the
  individual who disputed the accuracy of the personal identifying
  information of the actions it has taken in response to the dispute
  not later than the fifth business day after the date on which the
  dispute was received.
         Sec. 541.154.  ACCESS TO INFORMATION; DATA PORTABILITY. (a)  
  A business shall allow an individual to promptly and reasonably
  obtain:
               (1)  confirmation of whether personal identifying
  information concerning the individual or someone for whom the
  individual is a legal representative or guardian is processed by
  the business;
               (2)  a description of the categories of personal
  identifying information processed by the business;
               (3)  an explanation in plain language of the specific
  types of personal identifying information collected by the
  business;
               (4)  a description of the inferences the business has
  drawn about the individual or someone for whom the individual is a
  personal representative or guardian from the information collected
  by the business; and
               (5)  access to the individual's personal identifying
  information, including in accordance with Subsection (b), a copy of
  the individual's personal identifying information in a portable and
  transferable format.
         (b)  On request of an individual, a business shall without
  undue delay provide the individual with all personal identifying
  information collected by the business that relates to the
  individual or someone for whom the individual is a legal
  representative or guardian. The business shall provide the
  requested information to an individual under this section in a
  portable, readily usable format that may be transferred, including
  in connection with the sale of the information, by the individual to
  another business.
         Sec. 541.155.  DELETION OF PERSONAL IDENTIFYING
  INFORMATION. (a) If an individual who maintains an account with a
  business closes the account, the business shall:
               (1)  stop processing the individual's personal
  identifying information on the date the individual closes the
  account; and
               (2)  not later than the one-year anniversary of the
  date the account is closed, permanently delete the individual's
  personal identifying information unless retention of the
  information is required by other law or is necessary to comply with
  other law.
         (b)  If an individual makes a request for a business to
  delete personal identifying information under this section, and
  that business has provided the personal identifying information to
  a third party, the business shall notify the third party of the
  individual's request. The third party shall delete the individual's
  personal identifying information not later than the one-year
  anniversary of the date the third party received the notification
  under this subsection.
  SUBCHAPTER E. ENFORCEMENT
         Sec. 541.201.  CIVIL PENALTY. (a) A business that violates
  this chapter or a third party that violates Section 541.155(b) is
  liable to this state for a civil penalty in an amount of not more
  than $10,000 for each violation, not to exceed a total amount of $1
  million.
         (b)  The attorney general may bring an action in the name of
  the state against the business or third party to recover the civil
  penalty imposed under this section.
         (c)  The attorney general is entitled to recover reasonable
  expenses, including reasonable attorney's fees, court costs, and
  investigatory costs, incurred in bringing an action under this
  section.
         Sec. 541.202.  BUSINESS IMMUNITY FROM LIABILITY. A business
  that is in compliance with this chapter and engages a third party to
  process on behalf of the business personal identifying information
  collected by the business may not be held liable for a violation of
  Section 541.155(b) by the third party if the business does not have
  actual knowledge or a reasonable belief that the third party
  intends to violate that section.
         Sec. 541.203.  NO PRIVATE CAUSE OF ACTION. This chapter does
  not create a private cause of action.
         SECTION 2.  (a) Except as provided by Subsection (b) of this
  section, this Act takes effect September 1, 2021.
         (b)  Sections 541.054 and 541.155, Business & Commerce Code,
  as added by this Act, take effect January 1, 2022.
feedback