Bill Text: TX HB4390 | 2019-2020 | 86th Legislature | Introduced
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council.
Spectrum: Bipartisan Bill
Status: (Passed) 2019-06-14 - See remarks for effective date [HB4390 Detail]
Download: Texas-2019-HB4390-Introduced.html
Bill Title: Relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council.
Spectrum: Bipartisan Bill
Status: (Passed) 2019-06-14 - See remarks for effective date [HB4390 Detail]
Download: Texas-2019-HB4390-Introduced.html
By: Capriglione | H.B. No. 4390 |
|
||
|
||
relating to the privacy of personal identifying information; | ||
imposing a civil penalty. | ||
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
SECTION 1. Title 11, Business & Commerce Code, is amended by | ||
adding Subtitle C to read as follows: | ||
SUBTITLE C. PRIVACY OF PERSONAL IDENTIFYING INFORMATION | ||
CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED BY CERTAIN | ||
BUSINESSES | ||
SUBCHAPTER A. GENERAL PROVISIONS | ||
Sec. 541.001. SHORT TITLE. This chapter may be cited as the | ||
Texas Privacy Protection Act. | ||
Sec. 541.002. DEFINITIONS. In this chapter: | ||
(1) "Business" means a for-profit entity, including a | ||
sole proprietorship, partnership, limited liability company, | ||
corporation, association, or other legal entity that is organized | ||
or operated for the profit or financial benefit of the entity's | ||
shareholders or other owners. | ||
(2) "Collect" means: | ||
(A) buying, renting, gathering, obtaining, | ||
receiving, inferring, creating, or accessing any personal | ||
identifying information pertaining to an individual by any means; | ||
or | ||
(B) obtaining personal identifying information | ||
relating to an individual, actively or passively, or by observing | ||
the individual's behavior. | ||
(3) "Device" means any physical object capable of | ||
connecting to the Internet, directly or indirectly, or to another | ||
device and transmitting information. | ||
(4) "Personal identifying information" means a | ||
category of information relating to an identified or identifiable | ||
individual. The term does not include a specific category of | ||
personal identifying information that the attorney general exempts | ||
from this definition by rule. The term includes: | ||
(A) a social security number; | ||
(B) a driver's license number, passport number, | ||
military identification number, or any other similar number issued | ||
on a government document and used to verify an individual's | ||
identity; | ||
(C) a financial account number, credit or debit | ||
card number, or any security code, access code, or password that is | ||
necessary to permit access to an individual's financial account; | ||
(D) unique biometric information, including a | ||
fingerprint, voice print, retina or iris image, or any other unique | ||
physical representation; | ||
(E) physical or mental health information, | ||
including health care information; | ||
(F) the private communications or other | ||
user-created content of an individual that is not publicly | ||
available; | ||
(G) religious affiliation or practice | ||
information; | ||
(H) racial or ethnic origin information; | ||
(I) precise geolocation data; and | ||
(J) unique genetic information. | ||
(5) "Privacy risk" means potential adverse | ||
consequences to an individual or society at large arising from the | ||
processing of personal identifying information, including: | ||
(A) direct or indirect financial loss or economic | ||
harm; | ||
(B) physical harm; | ||
(C) psychological harm, including anxiety, | ||
embarrassment, fear, or other demonstrable mental trauma; | ||
(D) significant inconvenience or expenditure of | ||
time; | ||
(E) adverse outcomes or decisions with respect to | ||
an individual's eligibility for a right, benefit, or privilege in | ||
employment, including hiring, firing, promotion, demotion, or | ||
compensation; | ||
(F) credit or insurance harm, including denial of | ||
an application or obtaining less favorable terms related to | ||
housing, education, professional certification, or health care | ||
services; | ||
(G) stigmatization or reputational harm; | ||
(H) disruption and intrusion from unwanted | ||
commercial communications or contacts; | ||
(I) price discrimination; and | ||
(J) any other adverse consequence that affects an | ||
individual's private life, private family matters, actions or | ||
communications within an individual's home or similar physical, | ||
online, or digital location, if an individual has a reasonable | ||
expectation that personal identifying information will not be | ||
processed. | ||
(6) "Processing" means any operation or set of | ||
operations that are performed on personal identifying information | ||
or on sets of personal identifying information, including the | ||
collection, creation, generation, recording, organization, | ||
structuring, storage, adaptation, alteration, retrieval, | ||
consultation, use, disclosure, transfer, or dissemination of the | ||
information or otherwise making the information available. | ||
(7) "Third party" means a person engaged by a business | ||
to process, on behalf of the business, personal identifying | ||
information collected by the business. | ||
Sec. 541.003. APPLICABILITY. (a) This chapter applies | ||
only to a business that: | ||
(1) does business in this state; | ||
(2) has more than 50 employees; | ||
(3) collects the personal identifying information of | ||
more than 5,000 individuals, households, or devices or has that | ||
information collected on the business's behalf; and | ||
(4) satisfies one or more of the following thresholds: | ||
(A) has annual gross revenue in an amount that | ||
exceeds $25 million; or | ||
(B) derives 50 percent or more of the business's | ||
annual revenue by processing personal identifying information. | ||
(b) Except as provided by Subsection (c), this chapter | ||
applies only to personal identifying information that is: | ||
(1) collected over the Internet or any other digital | ||
network or through a computing device that is associated with or | ||
routinely used by an end user; and | ||
(2) linked or reasonably linkable to a specific end | ||
user. | ||
(c) This chapter does not apply to personal identifying | ||
information that is: | ||
(1) collected solely for facilitating the | ||
transmission, routing, or connections by which digital personal | ||
identifying information and other data is transferred between or | ||
among businesses; or | ||
(2) transmitted to and from the individual to whom the | ||
personal identifying information relates if the collector of the | ||
information does not access, review, or modify the content of the | ||
information, or otherwise perform or conduct any analytical, | ||
algorithmic, or machine learning processes on the information. | ||
Sec. 541.004. EXEMPTIONS. This chapter does not apply to: | ||
(1) publicly available information; | ||
(2) protected health information governed by Chapter | ||
181, Health and Safety Code, or collected by a covered entity or a | ||
business associate of a covered entity, as those terms are defined | ||
by 45 C.F.R. Section 160.103, that is governed by the privacy, | ||
security, and breach notification rules in 45 C.F.R. Parts 160 and | ||
164 adopted by the United States Department of Health and Human | ||
Services under the Health Insurance Portability and Accountability | ||
Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American | ||
Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5); | ||
(3) personal identifying information collected by a | ||
consumer reporting agency, as defined by Section 20.01, if the | ||
information is to be: | ||
(A) reported in or used to generate a consumer | ||
report, as defined by Section 1681a(d) of the Fair Credit Reporting | ||
Act (15 U.S.C. Section 1681 et seq.); and | ||
(B) used solely for a purpose authorized under | ||
that Act; | ||
(4) personal identifying information processed in | ||
accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) | ||
and its implementing regulations; or | ||
(5) education information that is not publicly | ||
available personally identifiable information under the Family | ||
Educational Rights and Privacy Act of 1974 (20 U.S.C. Section | ||
1232g) (34 C.F.R. Part 99). | ||
Sec. 541.005. RULES. The attorney general shall adopt | ||
rules necessary to implement, administer, and enforce this chapter. | ||
SUBCHAPTER B. BUSINESS DUTIES | ||
Sec. 541.051. COLLECTION OF PERSONAL IDENTIFYING | ||
INFORMATION. A business may not collect personal identifying | ||
information unless: | ||
(1) the collection of the information is relevant and | ||
necessary to accomplish the purpose for which the information was | ||
collected; and | ||
(2) that purpose is specifically disclosed by the | ||
business in the notice required under Section 541.054. | ||
Sec. 541.052. PROCESSING OF PERSONAL IDENTIFYING | ||
INFORMATION. (a) A business may only process personal identifying | ||
information if: | ||
(1) the information is relevant to accomplish the | ||
purposes for which the information is to be processed; | ||
(2) those purposes are specifically disclosed by the | ||
business in the notice required under Section 541.054; and | ||
(3) the information is processed only to the extent | ||
necessary to achieve one or more of those purposes. | ||
(b) A business may not process personal identifying | ||
information unless: | ||
(1) the individual whose personal identifying | ||
information is collected by the business explicitly consents to the | ||
processing of the information; or | ||
(2) the business is required by law to process the | ||
information. | ||
(c) Notwithstanding Subsection (a), a business may not | ||
process personal identifying information if: | ||
(1) the business knows processing the information will | ||
likely: | ||
(A) violate state or federal law; or | ||
(B) interfere with or deny a right or privilege | ||
of an individual granted under the United States Constitution; or | ||
(2) the information is to be processed using automated | ||
processing, including algorithmic, machine learning, or artificial | ||
intelligence processing or predictive analysis, unless the | ||
processing is performed after the business: | ||
(A) conducts an objective and documented | ||
assessment of the automated processing and the results of the | ||
processing and determines the processing is reasonably free from | ||
bias and error; | ||
(B) analyzes the privacy risk of using automated | ||
processing and takes reasonable steps to mitigate that risk; and | ||
(C) concludes that, after all reasonable steps | ||
are taken to mitigate any privacy risk, the automated processing of | ||
the personal identifying information does not cause or is not | ||
likely to cause a substantial privacy risk. | ||
Sec. 541.053. DATA SECURITY PROGRAM. (a) A business shall | ||
develop, implement, and maintain a comprehensive data security | ||
program that contains administrative, technical, and physical | ||
safeguards for personal identifying information. | ||
(b) The safeguards required under Subsection (a) must be: | ||
(1) documented by the business; and | ||
(2) appropriate considering the: | ||
(A) size and complexity of the business; | ||
(B) nature and scope of the business's | ||
activities; and | ||
(C) sensitivity of the personal identifying | ||
information processed by the business. | ||
Sec. 541.054. NOTICE REQUIRED. (a) A business in a | ||
conspicuous manner shall provide a notice that includes a | ||
reasonably full and complete description of the business's | ||
practices governing the processing of personal identifying | ||
information before collecting personal identifying information. | ||
The notice must include: | ||
(1) the categories of personal identifying | ||
information processed by the business; | ||
(2) details on the type of processing used by the | ||
business; | ||
(3) the purposes for which the business processes | ||
personal identifying information; and | ||
(4) the involvement of any third party in processing | ||
personal identifying information on behalf of the business. | ||
(b) The notice required by Subsection (a) must be: | ||
(1) clear, drafted in plain language, and easy to | ||
understand; and | ||
(2) located in a prominent location at the business | ||
and on the business's Internet website if the business has an | ||
Internet website. | ||
(c) If a business processes geolocation data, biometric | ||
information, genetic information, racial or ethnic origin | ||
information, religious affiliation or practice information, | ||
physical or mental health information, or other personal | ||
identifying information that when processed is likely to create a | ||
significant privacy risk, the business must, before collecting the | ||
information, explicitly specify in the notice required under | ||
Subsection (a): | ||
(1) the categories or items of personal identifying | ||
information processed by the business, as applicable; and | ||
(2) the purposes for processing that information. | ||
(d) The information required under Subsection (c) must be | ||
included in the notice in a manner that is conspicuous, readily | ||
available, accessible, accurate, and easy to understand. | ||
(e) The notice required under this section may be included | ||
in the privacy policy required by Section 541.055. | ||
Sec. 541.055. PRIVACY POLICY. A business shall make | ||
publicly available on an ongoing basis a privacy policy that: | ||
(1) generally articulates the processing practices of | ||
the business for personal identifying information, including any | ||
analysis or predictions made by the business based on the | ||
processing of personal identifying information by the business; | ||
(2) includes an accurate and easy method for an | ||
individual to access the individual's personal identifying | ||
information that the business has processed about the individual; | ||
and | ||
(3) states that the business is required to: | ||
(A) stop processing personal identifying | ||
information on the date an individual closes the individual's | ||
account with the business; and | ||
(B) not later than the 30th day after the date the | ||
individual closes the account, delete the individual's personal | ||
identifying information unless retention of the information is | ||
required by other law or is necessary to comply with other law. | ||
Sec. 541.056. ACCESS TO INFORMATION. A business shall | ||
allow an individual to promptly and reasonably obtain: | ||
(1) confirmation of whether personal identifying | ||
information concerning the individual is processed by the business; | ||
(2) a description of the categories of personal | ||
identifying information processed by the business; | ||
(3) an explanation in plain language of the specific | ||
types of personal identifying information collected by the | ||
business; and | ||
(4) access to the individual's personal identifying | ||
information. | ||
Sec. 541.057. DELETION OF PERSONAL IDENTIFYING | ||
INFORMATION. If an individual who maintains an account with a | ||
business closes the account, the business shall: | ||
(1) stop processing the individual's personal | ||
identifying information on the date the individual closes the | ||
account; | ||
(2) not later than the 30th day after the date the | ||
account is closed, delete the individual's personal identifying | ||
information unless retention of the information is required by | ||
other law or is necessary to comply with other law; and | ||
(3) if the business engages a third party to process | ||
personal identifying information, notify the third party that the | ||
individual is closing the account. | ||
Sec. 541.058. ACCOUNTABILITY PROGRAM. To ensure compliance | ||
with this chapter, a business shall implement an ongoing | ||
accountability program and maintain an internal publication of the | ||
written policies and procedures necessary to implement the program. | ||
The program must include: | ||
(1) a process to identify, assess, and mitigate any | ||
reasonably foreseeable privacy risk; | ||
(2) procedures to provide remedies for privacy risk; | ||
(3) an annual assessment of the program and | ||
supporting policies and procedures; | ||
(4) methods and procedures for responding to data | ||
breaches and for addressing inquiries and complaints concerning | ||
personal identifying information; and | ||
(5) procedures for internal enforcement of the | ||
business's policies and discipline for noncompliance. | ||
Sec. 541.059. INFORMATION SHARED WITH THIRD PARTY. (a) A | ||
business that engages a third party to process personal identifying | ||
information collected by the business shall: | ||
(1) use due diligence in selecting the third party and | ||
shall ensure that the third party complies with the requirements of | ||
this chapter that apply to the third party; and | ||
(2) annually obtain from the third party verification | ||
that the third party is complying with the requirements. | ||
(b) Notwithstanding Subsection (a), a business may not | ||
share with any third party who the business engages to process the | ||
information an individual's biometric, health, or genetic | ||
information unless the individual consents to the sharing of the | ||
information. | ||
(c) A third party that processes personal identifying | ||
information received from a business may only process the | ||
information to the extent the business is authorized to process the | ||
information under Section 541.052 and shall: | ||
(1) implement a data security program described by | ||
Section 541.053; | ||
(2) implement an accountability program described by | ||
Section 541.058; and | ||
(3) if the business notifies the third party under | ||
Section 541.057 that an individual is closing the individual's | ||
account with the business: | ||
(A) stop processing the individual's personal | ||
identifying information on the date the individual closes the | ||
account; and | ||
(B) not later than the 30th day after the date the | ||
account is closed, delete the individual's personal identifying | ||
information unless retention of the information is required by | ||
other law or is necessary to comply with other law. | ||
SUBCHAPTER C. ENFORCEMENT | ||
Sec. 541.101. CIVIL PENALTY. (a) A business that violates | ||
this chapter or a third party that violates Section 541.059(c) is | ||
liable to this state for a civil penalty in an amount of not more | ||
than $10,000 for each violation, not to exceed a total amount of $1 | ||
million. | ||
(b) The attorney general may bring an action in the name of | ||
the state against the business or third party to recover the civil | ||
penalty imposed under this section. | ||
(c) The attorney general is entitled to recover reasonable | ||
expenses, including reasonable attorney's fees, court costs, and | ||
investigatory costs, incurred in bringing an action under this | ||
section. | ||
Sec. 541.102. BUSINESS IMMUNITY FROM LIABILITY. A business | ||
that is in compliance with this chapter and engages a third party to | ||
process on behalf of the business personal identifying information | ||
collected by the business may not be held liable for a violation of | ||
Section 541.059(c) by the third party if the business does not have | ||
actual knowledge or a reasonable belief that the third party | ||
intends to violate that section. | ||
SECTION 2. Subchapter Z, Chapter 2252, Government Code, is | ||
amended by adding Section 2252.909 to read as follows: | ||
Sec. 2252.909. SALE OF PERSONAL IDENTIFYING INFORMATION | ||
PROHIBITED. Notwithstanding any other law, a governmental entity | ||
may not sell or offer to sell personal identifying information, as | ||
defined by Section 541.002, Business & Commerce Code, that is: | ||
(1) unique genetic information; | ||
(2) precise geolocation data; or | ||
(3) unique biometric information, including a | ||
fingerprint, voice print, retina or iris image, or any other unique | ||
physical representation. | ||
SECTION 3. This Act takes effect September 1, 2019. |