Bill Text: TX HB4164 | 2021-2022 | 87th Legislature | Introduced
Bill Title: Relating to the authority of individuals over the personal identifying information collected, processed, or maintained about the individuals and certain others by certain businesses.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2021-03-29 - Referred to Business & Industry [HB4164 Detail]
Download: Texas-2021-HB4164-Introduced.html
| 87R7858 MLH-D | ||
| By: Capriglione | H.B. No. 4164 | |
|
|
||
|
|
||
| relating to the authority of individuals over the personal | ||
| identifying information collected, processed, or maintained about | ||
| the individuals and certain others by certain businesses. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Title 11, Business & Commerce Code, is amended by | ||
| adding Subtitle C to read as follows: | ||
| SUBTITLE C. PERSONAL IDENTIFYING INFORMATION | ||
| CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR | ||
| COLLECTED BY CERTAIN BUSINESSES | ||
| SUBCHAPTER A. GENERAL PROVISIONS | ||
| Sec. 541.001. DEFINITIONS. In this chapter: | ||
| (1) "Business" means a for-profit entity, including a | ||
| sole proprietorship, partnership, limited liability company, | ||
| corporation, association, or other legal entity that is organized | ||
| or operated for the profit or financial benefit of the entity's | ||
| shareholders or other owners. | ||
| (2) "Personal identifying information" means a | ||
| category of information relating to an identified or identifiable | ||
| individual. The term does not include a specific category of | ||
| personal identifying information that the attorney general exempts | ||
| from this definition by rule. The term includes: | ||
| (A) a social security number; | ||
| (B) a driver's license number, passport number, | ||
| military identification number, or any other similar number issued | ||
| on a government document and used to verify an individual's | ||
| identity; | ||
| (C) a financial account number, credit or debit | ||
| card number, or any security code, access code, or password that is | ||
| necessary to permit access to an individual's financial account; | ||
| (D) unique biometric information, including a | ||
| fingerprint, voice print, retina or iris image, or any other unique | ||
| physical representation; | ||
| (E) physical or mental health information, | ||
| including health care information; | ||
| (F) the private communications or other | ||
| user-created content of an individual that is not publicly | ||
| available; | ||
| (G) religious affiliation or practice | ||
| information; | ||
| (H) racial or ethnic origin information; | ||
| (I) precise geolocation tracking data; and | ||
| (J) unique genetic information. | ||
| (3) "Processing" means any operation or set of | ||
| operations that are performed on personal identifying information | ||
| or on sets of personal identifying information, including the | ||
| collection, creation, generation, recording, organization, | ||
| structuring, storage, adaptation, alteration, retrieval, | ||
| consultation, use, disclosure, transfer, or dissemination of the | ||
| information or otherwise making the information available. | ||
| (4) "Third party" means a person engaged by a business | ||
| to process, on behalf of the business, personal identifying | ||
| information collected by the business. | ||
| Sec. 541.002. APPLICABILITY. (a) This chapter applies | ||
| only to a business that: | ||
| (1) does business in this state; | ||
| (2) has more than 50 employees; | ||
| (3) collects the personal identifying information of | ||
| more than 5,000 individuals, households, or devices or has that | ||
| information collected on the business's behalf; and | ||
| (4) satisfies one or more of the following thresholds: | ||
| (A) has annual gross revenue in an amount that | ||
| exceeds $25 million; or | ||
| (B) derives 50 percent or more of the business's | ||
| annual revenue by processing personal identifying information. | ||
| (b) Except as provided by Subsection (c), this chapter | ||
| applies only to personal identifying information that is: | ||
| (1) collected over the Internet or any other digital | ||
| network or through a computing device that is associated with or | ||
| routinely used by an end user; and | ||
| (2) linked or reasonably linkable to a specific end | ||
| user. | ||
| (c) This chapter does not apply to personal identifying | ||
| information that is: | ||
| (1) collected solely for facilitating the | ||
| transmission, routing, or connections by which digital personal | ||
| identifying information and other data is transferred between or | ||
| among businesses; or | ||
| (2) transmitted to and from the individual to whom the | ||
| personal identifying information relates if the collector of the | ||
| information does not access, review, or modify the content of the | ||
| information, or otherwise perform or conduct any analytical, | ||
| algorithmic, or machine learning processes on the information. | ||
| Sec. 541.003. EXEMPTIONS. This chapter does not apply to: | ||
| (1) publicly available information; | ||
| (2) protected health information governed by Chapter | ||
| 181, Health and Safety Code, or collected by a covered entity or a | ||
| business associate of a covered entity, as those terms are defined | ||
| by 45 C.F.R. Section 160.103, that is governed by the privacy, | ||
| security, and breach notification rules in 45 C.F.R. Parts 160 and | ||
| 164 adopted by the United States Department of Health and Human | ||
| Services under the Health Insurance Portability and Accountability | ||
| Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American | ||
| Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5); | ||
| (3) personal identifying information collected by a | ||
| consumer reporting agency, as defined by Section 20.01, if the | ||
| information is to be: | ||
| (A) reported in or used to generate a consumer | ||
| report, as defined by Section 1681a(d) of the Fair Credit Reporting | ||
| Act (15 U.S.C. Section 1681 et seq.); and | ||
| (B) used solely for a purpose authorized under | ||
| that Act; | ||
| (4) personal identifying information processed in | ||
| accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) | ||
| and its implementing regulations; or | ||
| (5) education information that is not publicly | ||
| available personally identifiable information under the Family | ||
| Educational Rights and Privacy Act of 1974 (20 U.S.C. Section | ||
| 1232g) (34 C.F.R. Part 99). | ||
| Sec. 541.004. RULES. The attorney general shall adopt | ||
| rules necessary to implement, administer, and enforce this chapter. | ||
| SUBCHAPTER B. AUTHORITY OF INDIVIDUALS TO ACCESS AND DELETE CERTAIN | ||
| INFORMATION | ||
| Sec. 541.051. ACCESS TO INFORMATION; DATA PORTABILITY. (a) | ||
| An individual is entitled to: | ||
| (1) access and obtain personal identifying | ||
| information related to the individual or someone for whom the | ||
| individual is a legal representative or guardian that is collected | ||
| by a business; and | ||
| (2) at the option of the individual, transfer personal | ||
| identifying information from one business to another business, | ||
| including in connection with the sale of that information under a | ||
| contract described by Subchapter C. | ||
| (b) A business shall allow an individual to promptly and | ||
| reasonably obtain: | ||
| (1) confirmation of whether personal identifying | ||
| information concerning the individual or someone for whom the | ||
| individual is a legal representative or guardian is processed by | ||
| the business; | ||
| (2) a description of the categories of personal | ||
| identifying information processed by the business; | ||
| (3) an explanation in plain language of the specific | ||
| types of personal identifying information collected by the | ||
| business; | ||
| (4) a description of the inferences the business has | ||
| drawn about the individual or someone for whom the individual is a | ||
| personal representative or guardian from the information collected | ||
| by the business; and | ||
| (5) access to the individual's personal identifying | ||
| information, including in accordance with Subsection (c), a copy of | ||
| the individual's personal identifying information in a portable and | ||
| transferable format. | ||
| (c) On request of an individual, a business shall without | ||
| undue delay provide the individual with all personal identifying | ||
| information collected by the business that relates to the | ||
| individual or someone for whom the individual is a legal | ||
| representative or guardian. The business shall provide the | ||
| requested information to an individual under this section in a | ||
| portable, readily usable format that may be transferred, including | ||
| in connection with the sale of the information, by the individual to | ||
| another business. | ||
| Sec. 541.052. DELETION OF PERSONAL IDENTIFYING | ||
| INFORMATION. (a) An individual is entitled to request that a | ||
| business delete personal identifying information collected by the | ||
| business that relates to that individual or someone for whom the | ||
| individual is a legal representative or guardian. | ||
| (b) If an individual who maintains an account with a | ||
| business closes the account, the business shall: | ||
| (1) stop processing the individual's personal | ||
| identifying information on the date the individual closes the | ||
| account; and | ||
| (2) not later than the one-year anniversary of the | ||
| date the account is closed, permanently delete the individual's | ||
| personal identifying information unless retention of the | ||
| information is required by other law or is necessary to comply with | ||
| other law. | ||
| (c) If an individual makes a request for a business to | ||
| delete personal identifying information under this section, and | ||
| that business has provided the personal identifying information to | ||
| a third party, the business shall notify the third party of the | ||
| individual's request. The third party shall delete the individual's | ||
| personal identifying information not later than the one-year | ||
| anniversary of the date the third party received the notification | ||
| under this subsection. | ||
| SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS | ||
| Sec. 541.101. DEFINITION. In this subchapter, "data | ||
| stream" means the continuous transmission of an individual's | ||
| personal identifying information through online activity or with a | ||
| device connected to the Internet that can be used by the business to | ||
| provide for the monetization of the information, customer | ||
| relationship management, or continuous identification of an | ||
| individual for commercial purposes. | ||
| Sec. 541.102. APPLICABILITY. This subchapter applies only | ||
| to a contract between a business and an individual under which, as a | ||
| term of the contract, the individual allows the business to | ||
| collect, store, or use the individual's personal identifying | ||
| information. | ||
| Sec. 541.103. CONSIDERATION UNDER CONTRACT. (a) An | ||
| individual may provide the individual's data stream or information | ||
| obtained by the individual under Section 541.051 as consideration | ||
| under a contract. | ||
| (b) A business may provide consideration in the form of | ||
| money or other incentive, including as an incentive to purchase | ||
| goods or services, under a contract that is reasonably related to | ||
| the value of the information or access offered by the individual | ||
| under the contract. This subsection does not prohibit a business | ||
| from differentiating the consideration offered to individuals | ||
| based on information or access offered by individuals, including | ||
| offering different individuals different prices or rates for goods | ||
| or services or providing different levels of quality for goods or | ||
| services based on the information and access offered by | ||
| individuals. | ||
| Sec. 541.104. CONTRACT REQUIREMENTS. (a) A contract | ||
| subject to this subchapter: | ||
| (1) must clearly state the terms, including the | ||
| duration, of the contract; and | ||
| (2) may not: | ||
| (A) require that the individual exclusively | ||
| contract with the business or otherwise restrict the individual's | ||
| ability to sell the individual's personal identifying information; | ||
| and | ||
| (B) prevent the individual from receiving or | ||
| considering alternative offers to purchase the individual's | ||
| personal identifying information. | ||
| (b) A contract provision that violates Subsection (a)(2) is | ||
| void and unenforceable. | ||
| SECTION 2. (a) Except as provided by Subsection (b) of this | ||
| section, this Act takes effect September 1, 2021. | ||
| (b) Section 541.052, Business & Commerce Code, as added by | ||
| this Act, takes effect January 1, 2022. | ||
