Bill Text: TX HB4518 | 2019-2020 | 86th Legislature | Introduced
Bill Title: Relating to the privacy of a consumer's personal information collected by certain businesses; imposing a civil penalty.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2019-04-02 - Left pending in committee
86R17033 TSR-D
By: Martinez Fischer
H.B. No. 4518
relating to the privacy of a consumer's personal information
collected by certain businesses; imposing a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Title 11, Business & Commerce Code, is amended by
adding Subtitle C to read as follows:
SUBTITLE C. PRIVACY OF PERSONAL INFORMATION
CHAPTER 541. PRIVACY OF CONSUMER'S PERSONAL INFORMATION
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 541.001. SHORT TITLE. This chapter may be cited as the
Texas Consumer Privacy Act.
Sec. 541.002. DEFINITIONS. In this chapter:
(1) "Aggregate consumer information" means
information that relates to a group or category of consumers from
which individual consumer identities have been removed and that is
not linked or reasonably linkable to a particular consumer or
household, including through a device. The term does not include
one or more individual consumer records that have been
deidentified.
(2) "Biometric information" means an individual's
physiological, biological, or behavioral characteristics that can
be used, alone or in combination with other characteristics or
other identifying data, to establish the individual's identity.
The term includes:
(A) deoxyribonucleic acid (DNA);
(B) an image of an iris, retina, fingerprint,
face, hand, palm, or vein pattern or a voice recording from which an
identifier template can be extracted such as a faceprint, minutiae
template, or voiceprint;
(C) keystroke patterns or rhythms;
(D) gait patterns or rhythms; and
(E) sleep, health, or exercise data that contains
identifying information.
(3) "Business" means a for-profit entity, including a
sole proprietorship, partnership, limited liability company,
corporation, association, or other legal entity that is organized
or operated for the profit or financial benefit of the entity's
shareholders or other owners.
(4) "Business purpose" means the use of personal
information for:
(A) the following operational purposes of a
business or service provider, provided that the use of the
information is reasonably necessary and proportionate to achieve
the operational purpose for which the information was collected or
processed or another operational purpose that is compatible with
the context in which the information was collected:
(i) auditing related to a current
interaction with a consumer and any concurrent transactions,
including counting ad impressions to unique visitors, verifying the
positioning and quality of ad impressions, and auditing compliance
with a specification or other standards for ad impressions;
(ii) detecting a security incident,
protecting against malicious, deceptive, fraudulent, or illegal
activity, and prosecuting those responsible for any illegal
activity described by this subparagraph;
(iii) identifying and repairing or removing
errors that impair the intended functionality of computer hardware
or software;
(iv) using personal information in the
short term or for a transient use, provided that the information is
not:
(a) disclosed to a third party; and
(b) used to build a profile about a
consumer or alter an individual consumer's experience outside of a
current interaction with the consumer, including the contextual
customization of an advertisement displayed as part of the same
interaction;
(v) performing a service on behalf of the
business or service provider, including:
(a) maintaining or servicing an
account, providing customer service, processing or fulfilling an
order or transaction, verifying customer information, processing a
payment, providing financing, providing advertising or marketing
services, or providing analytic services; or
(b) performing a service similar to a
service described by Sub-subparagraph (a) on behalf of the business
or service provider;
(vi) undertaking internal research for
technological development and demonstration; or
(vii) undertaking an activity to:
(a) verify or maintain the quality or
safety of a service or device that is owned by, manufactured by,
manufactured for, or controlled by the business; or
(b) improve, upgrade, or enhance a
service or device described by Sub-subparagraph (a); or
(B) another operational purpose for which notice
is given under this chapter.
(5) "Collect" means to buy, rent, gather, obtain,
receive, or access the personal information of a consumer by any
means, including by actively or passively receiving the information
from the consumer or by observing the consumer's behavior.
(6) "Commercial purpose" means a purpose that is
intended to result in a profit or other tangible benefit or the
advancement of a person's commercial or economic interests, such as
by inducing another person to buy, rent, lease, subscribe to,
provide, or exchange products, goods, property, information, or
services or by enabling or effecting, directly or indirectly, a
commercial transaction. The term does not include the purpose of
engaging in speech recognized by state or federal courts as
noncommercial speech, including political speech and journalism.
(7) "Consumer" means an individual who is a resident
of this state.
(8) "Deidentified information" means information that
cannot reasonably identify, relate to, describe, be associated
with, or be linked to, directly or indirectly, a particular
consumer.
(9) "Device" means any physical object capable of
connecting to the Internet, directly or indirectly, or to another
device.
(10) "Identifier" means data elements or other
information that alone or in conjunction with other information can
be used to identify a particular consumer, household, or device
that is linked to a particular consumer or household.
(11) "Person" means an individual, sole
proprietorship, firm, partnership, joint venture, syndicate,
business trust, company, corporation, limited liability company,
association, committee, and any other organization or group of
persons acting in concert.
(12) "Personal information" means information that
identifies, relates to, describes, can be associated with, or can
reasonably be linked to, directly or indirectly, a particular
consumer or household. The term does not include publicly
available information. The term includes the following categories
of information if the information identifies, relates to,
describes, can be associated with, or can reasonably be linked to,
directly or indirectly, a particular consumer or household:
(A) an identifier, including a real name, alias,
mailing address, account name, date of birth, driver's license
number, unique identifier, social security number, passport
number, signature, telephone number, or other government-issued
identification number, or other similar identifier;
(B) an online identifier, including an
electronic mail address or Internet Protocol address, or other
similar identifier;
(C) a physical characteristic or description,
including a characteristic of a protected classification under
state or federal law;
(D) commercial information, including:
(i) a record of personal property;
(ii) a good or service purchased, obtained,
or considered;
(iii) an insurance policy number; or
(iv) other purchasing or consuming
histories or tendencies;
(E) biometric information;
(F) Internet or other electronic network
activity information, including:
(i) browsing or search history; and
(ii) other information regarding a
consumer's interaction with an Internet website, application, or
advertisement;
(G) geolocation data;
(H) audio, electronic, visual, thermal,
olfactory, or other similar information;
(I) professional or employment-related
information;
(J) education information that is not publicly
available personally identifiable information under the Family
Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
1232g) (34 C.F.R. Part 99);
(K) financial information, including a financial
institution account number, credit or debit card number, or
password or access code associated with a credit or debit card or
bank account;
(L) medical information;
(M) health insurance information; or
(N) inferences drawn from any of the information
listed under this subdivision to create a profile about a consumer
that reflects the consumer's preferences, characteristics,
psychological trends, predispositions, behavior, attitudes,
intelligence, abilities, or aptitudes.
(13) "Processing information" means performing any
operation or set of operations on personal data or on sets of
personal data, whether or not by automated means.
(14) "Publicly available information" means
information that is lawfully made available to the public from
federal, state, or local government records if the conditions
associated with making the information available are met. The term
does not include:
(A) biometric information of a consumer
collected by a business without the consumer's knowledge;
(B) data that is used for a purpose that is not
compatible with the purpose for which the data is:
(i) publicly maintained; or
(ii) maintained in and made available from
government records; or
(C) deidentified or aggregate consumer
information.
(15) "Service provider" means a for-profit entity as
described by Subdivision (3) that processes information on behalf
of a business and to which the business discloses, for a business
purpose, a consumer's personal information under a written
contract, provided that the contract prohibits the entity receiving
the information from retaining, using, or disclosing the
information for any purpose other than:
(A) providing the services specified in the
contract with the business; or
(B) for a purpose permitted by this chapter,
including for a commercial purpose other than providing those
specified services.
(16) "Third party" means a person who is not:
(A) a business to which this chapter applies that
collects personal information from consumers; or
(B) a person to whom the business discloses, for
a business purpose, a consumer's personal information under a
written contract, provided that the contract:
(i) prohibits the person receiving the
information from:
(a) selling the information;
(b) retaining, using, or disclosing
the information for any purpose other than providing the services
specified in the contract, including for a commercial purpose other
than providing those services; and
(c) retaining, using, or disclosing
the information outside of the direct business relationship between
the person and the business; and
(ii) includes a certification made by the
person receiving the personal information that the person
understands and will comply with the prohibitions under
Subparagraph (i).
(17) "Unique identifier" means a persistent
identifier that can be used over time and across different services
to recognize a consumer, a custodial parent or guardian, or any
minor children over which the parent or guardian has custody, or a
device that is linked to those individuals. The term includes:
(A) a device identifier;
(B) an Internet Protocol address;
(C) a cookie, beacon, pixel tag, mobile ad
identifier, or similar technology;
(D) a customer number, unique pseudonym, or user
alias;
(E) a telephone number; and
(F) another form of a persistent or probabilistic
identifier that can be used to identify a particular consumer or
device.
(18) "Verifiable consumer request" means a request:
(A) that is made by a consumer, a consumer on
behalf of the consumer's minor child, or a natural person or person
who is authorized by a consumer to act on the consumer's behalf; and
(B) that a business can reasonably verify, in
accordance with rules adopted under Section 541.009, was submitted
by:
(i) the consumer about whom the business
has collected personal information; or
(ii) the consumer on behalf of the
consumer's minor child about whom the business has collected
personal information.
Sec. 541.003. APPLICABILITY OF CHAPTER. (a) This chapter
applies only to:
(1) a business that:
(A) does business in this state;
(B) collects consumers' personal information or
has that information collected on the business's behalf;
(C) alone or in conjunction with others,
determines the purpose for and means of processing consumers'
personal information; and
(D) satisfies one or more of the following
thresholds:
(i) has annual gross revenue in an amount
that exceeds $25 million, as adjusted by the attorney general in
accordance with the rules adopted under Section 541.009;
(ii) alone or in combination with others,
annually buys, sells, or receives or shares for commercial purposes
the personal information of 50,000 or more consumers, households,
or devices; or
(iii) derives 50 percent or more of the
business's annual revenue from selling consumers' personal
information; and
(2) an entity that controls or is controlled by a
business described by Subdivision (1) and that shares a service
mark, trademark, or shared name with the business.
(b) For purposes of Subsection (a)(2), "control" means the:
(1) ownership of, or power to vote, more than 50
percent of the outstanding shares of any class of voting security of
a business;
(2) control in any manner over the election of a
majority of the directors or of individuals exercising similar
functions; or
(3) power to exercise a controlling influence over the
management of a company.
(c) For purposes of this chapter, a business sells a
consumer's personal information to another business or a third
party if the business sells, rents, discloses, disseminates, makes
available, transfers, or otherwise communicates, orally, in
writing, or by electronic or other means, the information to the
other business or third party for monetary or other valuable
consideration.
(d) For purposes of this chapter, a business does not sell a
consumer's personal information if:
(1) the consumer uses or directs the business to
intentionally disclose the information or uses the business to
intentionally interact with a third party, provided that the third
party does not sell the information, unless that disclosure is
consistent with this chapter; or
(2) the business:
(A) uses or shares an identifier of the consumer
to alert a third party that the consumer has opted out of the sale of
the information;
(B) uses or shares with a service provider a
consumer's personal information that is necessary to perform a
business purpose if:
(i) the business provided notice that the
information is being used or shared in the business's terms and
conditions consistent with Sections 541.054 and 541.102(a)(8); and
(ii) the service provider does not further
collect, sell, or use the information except as necessary to
perform the business purpose; or
(C) transfers to a third party a consumer's
personal information as an asset that is part of a merger,
acquisition, bankruptcy, or other transaction in which the third
party assumes control of all or part of the business, provided that
information is used or shared consistent with Sections 541.051,
541.053, and 541.054(e).
(e) For purposes of Subsection (d)(1), an intentional
interaction occurs if the consumer does one or more deliberate acts
with the intent to interact with a third party. Placing a cursor
over, muting, pausing, or closing online content does not
constitute a consumer's intent to interact with a third party.
Sec. 541.004. EXEMPTIONS. (a) This chapter does not apply
to:
(1) publicly available information;
(2) protected health information governed by Chapter
181, Health and Safety Code, or collected by a covered entity or a
business associate of a covered entity, as those terms are defined
by 45 C.F.R. Section 160.103, that is governed by the privacy,
security, and breach notification rules in 45 C.F.R. Parts 160 and
164 adopted by the United States Department of Health and Human
Services under the Health Insurance Portability and Accountability
Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American
Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5);
(3) a health care provider governed by Chapter 181,
Health and Safety Code, or a covered entity described by
Subdivision (2) to the extent that the provider or entity maintains
the personal information of a patient in the same manner as
protected health information described by that subdivision;
(4) information collected as part of a clinical trial
subject to the Federal Policy for the Protection of Human Subjects
in accordance with the good clinical practice guidelines issued by
the International Council for Harmonisation or the human subject
protection requirements of the United States Food and Drug
Administration;
(5) the sale of personal information to or by a
consumer reporting agency, as defined by Section 20.01, if the
information is to be:
(A) reported in or used to generate a consumer
report, as defined by Section 1681a(d) of the Fair Credit Reporting
Act (15 U.S.C. Section 1681 et seq.); and
(B) used solely for a purpose authorized under
that act;
(6) personal information collected, processed, sold,
or disclosed in accordance with:
(A) the Gramm-Leach-Bliley Act (Pub. L. No.
106-102) and its implementing regulations; or
(B) the Driver's Privacy Protection Act of 1994
(18 U.S.C. Section 2721 et seq.);
(7) deidentified or aggregate consumer information;
or
(8) a consumer's personal information collected or
sold by a business, if every aspect of the collection or sale
occurred wholly outside of this state.
(b) For purposes of Subsection (a)(8), the collection or
sale of a consumer's personal information occurs wholly outside of
this state if:
(1) the business collects that information while the
consumer is outside of this state;
(2) no part of the sale of the information occurs in
this state; and
(3) the business does not sell any personal
information of the consumer collected while the consumer is in this
state.
(c) For purposes of Subsection (b), the collection or sale
of a consumer's personal information does not occur wholly outside
of this state if a business stores a consumer's personal
information, including on a device, when the consumer is in this
state and subsequently collects or sells that stored information
when the consumer and the information are outside of this state.
Sec. 541.005. CERTAIN RIGHTS AND OBLIGATIONS NOT AFFECTED.
A right or obligation under this chapter does not apply to the
extent that the exercise of the right or performance of the
obligation:
(1) adversely affects a right of another consumer; or
(2) infringes on a noncommercial activity of:
(A) a publisher, editor, reporter, or other
person connected with or employed by a newspaper, magazine, or
other publication of general circulation, including a periodical
newsletter, pamphlet, or report;
(B) a radio or television station that holds a
license issued by the Federal Communications Commission; or
(C) an entity that provides an information
service, including a press association or wire service.
Sec. 541.006. COMPLIANCE WITH OTHER LAWS; LEGAL
PROCEEDINGS. This chapter does not:
(1) restrict a business's ability to:
(A) comply with:
(i) applicable federal, state, or local
laws; or
(ii) a civil, criminal, or regulatory
inquiry, investigation, subpoena, or summons by a federal, state,
or local authority;
(B) cooperate with a law enforcement agency
concerning conduct or activity that the business, a service
provider of the business, or a third party reasonably and in good
faith believes may violate other applicable federal, state, or
local laws; or
(C) pursue or defend against a legal claim; or
(2) require a business to violate an evidentiary
privilege under federal or state law or prevent a business from
disclosing to a person covered by an evidentiary privilege the
personal information of a consumer as part of a privileged
communication.
Sec. 541.007. CONSTRUCTION; RELATION TO OTHER STATE AND
FEDERAL LAW. (a) This chapter shall be liberally construed to
effect its purposes and to harmonize, to the extent possible, with
other laws of this state relating to the privacy or protection of
personal information.
(b) To the extent of a conflict between a provision of this
chapter and a provision of federal law, including a regulation or an
interpretation of federal law, federal law controls and conflicting
requirements or other provisions of this chapter do not apply.
(c) To the extent of a conflict between a provision of this
chapter and another statute of this state with respect to the
privacy or protection of consumers' personal information, the
provision of law that affords the greatest privacy or protection to
consumers prevails.
Sec. 541.008. PREEMPTION OF LOCAL LAW. This chapter
preempts and supersedes any ordinance, order, or rule adopted by a
political subdivision of this state relating to the collection or
sale by a business of a consumer's personal information.
Sec. 541.009. RULES. (a) The attorney general shall adopt
rules necessary to implement, administer, and enforce this chapter.
(b) The rules adopted under Subsection (a) must establish:
(1) procedures for the adjustment of the monetary
threshold under Section 541.003(a)(1)(D) in January of every
odd-numbered year to reflect any increase in the consumer price
index;
(2) procedures governing the determination of,
submission of, and compliance with a verifiable consumer request
for information with the goal of minimizing administrative burdens
on consumers and businesses subject to this chapter by taking into
account available technology and security concerns, including:
(A) treating as a verifiable consumer request a
request submitted through a password-protected online account
maintained by the consumer with the business while logged into the
account; and
(B) providing a mechanism for a request submitted
by a consumer who does not maintain an account with the business;
(3) procedures to facilitate and govern the submission
of and compliance with a request to opt out of the sale of personal
information under Section 541.054;
(4) guidelines for the development of a recognizable
and uniform opt-out logo or button for use on businesses' Internet
websites in a manner that promotes consumer awareness of the
opportunity to opt out of the sale of personal information; and
(5) procedures and guidelines, including any
necessary exceptions, to ensure that the notices and information
businesses are required to provide under this chapter, including
information regarding financial incentive offerings, are:
(A) provided in a manner that is easily
understood by the average consumer;
(B) accessible by consumers with disabilities;
and
(C) available in the languages primarily used by
consumers to interact with businesses.
(c) The attorney general may adopt other rules necessary to
further the purposes of this chapter, including rules as necessary
to:
(1) update the categories of personal information
listed under Section 541.002(12) and the definition of identifier
under Section 541.002 to account for privacy concerns,
implementation obstacles, or changes in technology and data
collection methods;
(2) update the designated methods for submitting
requests to facilitate a consumer's ability to obtain information
from a business under Section 541.103; and
(3) establish any exceptions necessary to comply with
federal law or other laws of this state, including laws relating to
trade secrets and intellectual property rights.
Sec. 541.010. ATTORNEY GENERAL OPINION. A business or a
third party may seek an opinion from the attorney general for
guidance on how to comply with this chapter.
Sec. 541.011. USE OF PERSONAL INFORMATION IN RESEARCH. For
purposes of this chapter, "research" means scientific, systematic
study and observation, including basic research or applied research
that is in the public interest and that adheres to all other
applicable ethics and privacy laws or studies conducted in the
public interest in the area of public health. Research with
personal information that may have been collected from a consumer
in the course of the consumer's interactions with a business's
service or device for other purposes must be:
(1) compatible with the business purpose for which the
personal information was collected;
(2) subsequently pseudonymized and deidentified, or
deidentified and in the aggregate, such that the information cannot
reasonably identify, relate to, describe, be capable of being
associated with, or be linked, directly or indirectly, to a
particular consumer;
(3) made subject to technical safeguards that prohibit
reidentification of the consumer to whom the information may
pertain;
(4) subject to business processes that specifically
prohibit reidentification of the information;
(5) made subject to business processes to prevent
inadvertent release of deidentified information;
(6) protected from any reidentification attempts;
(7) used solely for research purposes that are
compatible with the context in which the personal information was
collected;
(8) not used for any commercial purpose; and
(9) subjected by the business conducting the research
to additional security controls that limit access to the research
data to only those individuals in a business as are necessary to
carry out the research purpose.
SUBCHAPTER B. CONSUMER'S RIGHTS
Sec. 541.051. RIGHT TO DISCLOSURE OF PERSONAL INFORMATION
COLLECTED. (a) A consumer is entitled to request that a business
that collects the consumer's personal information disclose to the
consumer the categories and specific items of personal information
the business has collected.
(b) To receive the disclosure of information under
Subsection (a), a consumer must submit to the business a verifiable
consumer request using a method designated by the business under
Section 541.103.
(c) On receipt of a verifiable consumer request under this
section, a business shall disclose to the consumer in the time and
manner provided by Section 541.105:
(1) each enumerated category and item within each
category of personal information under Section 541.002(12) that the
business collected about the consumer during the 12 months
preceding the date of the request;
(2) each category of sources from which the
information was collected;
(3) the business or commercial purpose for collecting
or selling the personal information; and
(4) each category of third parties with whom the
business shares the personal information.
(d) This section does not require a business to:
(1) retain a consumer's personal information that was
collected for a one-time transaction if the information is not sold
or retained in the ordinary course of business; or
(2) reidentify or otherwise link any data that, in the
ordinary course of business, is not maintained in a manner that
would be considered personal information.
Sec. 541.052. RIGHT TO DELETION OF PERSONAL INFORMATION
COLLECTED. (a) A consumer is entitled to request that a business
that collects the consumer's personal information delete any
personal information the business has collected from the consumer
by submitting a verifiable consumer request using a method
designated by the business under Section 541.103.
(b) Except as provided by Subsection (c), on receipt of a
verifiable consumer request under this section, a business shall
delete from the business's records any personal information
collected from the consumer and direct a service provider of the
business to delete the information from the provider's records.
(c) A business or service provider of the business is not
required to comply with a verifiable consumer request received
under this section if the business or service provider needs to
retain the consumer's personal information to:
(1) complete the transaction for which the information
was collected;
(2) provide a good or service requested by the
consumer or reasonably anticipated to be requested by the consumer
in the context of the ongoing business relationship between the
business and consumer;
(3) perform under a contract between the business and
the consumer;
(4) detect a security incident, protect against
malicious, deceptive, fraudulent, or illegal activity, or
prosecute those responsible for any illegal activity described by
this subdivision;
(5) identify and repair or remove errors from computer
hardware or software that impair its intended functionality;
(6) exercise free speech or ensure the right of
another consumer to exercise the right of free speech or another
right afforded by law;
(7) comply with Chapter 1289 (H.B. 2268), Acts of the
83rd Legislature, Regular Session, 2013, or a legal obligation;
(8) engage in public or peer-reviewed scientific,
historical, or statistical research that is in the public interest
and that adheres to all other applicable ethics and privacy laws
provided that:
(A) the business's deletion of the information is
likely to render impossible or seriously impair the achievement of
that research; and
(B) the consumer has provided to the business
informed consent to retain the information; or
(9) use the information internally:
(A) so long as the use is reasonably aligned with
the expectations of the consumer based on the consumer's
relationship with the business; or
(B) in a manner that is lawful and compatible
with the context in which the consumer provided the information.
Sec. 541.053. RIGHT TO DISCLOSURE OF PERSONAL INFORMATION
SOLD OR DISCLOSED. (a) A consumer is entitled to request that a
business that sells, or discloses for a business purpose, the
consumer's personal information disclose to the consumer:
(1) the categories of personal information the
business collected about the consumer;
(2) the categories of personal information about the
consumer the business sold, or disclosed for a business purpose;
and
(3) the categories of third parties to whom the
personal information was sold or disclosed.
(b) To receive the disclosure of information under
Subsection (a), a consumer must submit to the business a verifiable
consumer request using a method designated by the business under
Section 541.103.
(c) On receipt of a verifiable consumer request under this
section, a business shall disclose to the consumer in the time and
manner provided by Section 541.105:
(1) each enumerated category of personal information
under Section 541.002(12) that the business collected about the
consumer during the 12 months preceding the date of the request;
(2) the categories of third parties to whom the
business sold the consumer's personal information during the 12
months preceding the date of the request, by reference to each
enumerated category of information under Section 541.002(12) sold
to each third party; and
(3) the categories of third parties to whom the
business disclosed for a business purpose the consumer's personal
information during the 12 months preceding the date of the request,
by reference to each enumerated category of information under
Section 541.002(12) disclosed to each third party.
(d) A business shall provide the information described by
Subsections (c)(2) and (3) in two separate lists.
(e) A business that did not sell, or disclose for a business
purpose, the consumer's personal information during the 12 months
preceding the date of receiving the consumer's verifiable consumer
request under this section shall disclose that fact to the
consumer.
Sec. 541.054. RIGHT TO OPT OUT OF SALE OF PERSONAL
INFORMATION. (a) A consumer is entitled at any time to opt out of
the sale of the consumer's personal information by a business to
third parties by directing the business not to sell the
information. A consumer may authorize another person solely to opt
out of the sale of the consumer's personal information on the
consumer's behalf. Except as provided by Subsection (c), a
business shall comply with a direction not to sell that is received
under this subsection.
(b) A business that sells to a third party consumers'
personal information shall provide on the business's Internet
website's home page:
(1) notice to consumers that:
(A) the information may be sold; and
(B) consumers have the right to opt out of the
sale; and
(2) a clear and conspicuous link that:
(A) enables a consumer, or a person authorized by
the consumer, to opt out of the sale of the consumer's personal
information; and
(B) is titled "DO NOT SELL MY PERSONAL
INFORMATION."
(c) A business may not sell to a third party the personal
information of a consumer who opts out of the sale of that
information under this section before the first anniversary of the
date the consumer opted out, unless the consumer provides express
authorization for the business to sell the consumer's personal
information. After the period prescribed by this subsection
expires, a business may request that the consumer consent to the
sale of the consumer's personal information by the business.
(d) A business may use any personal information collected
from the consumer in connection with the consumer's opting out
under this section solely to comply with this section.
(e) A third party to whom a business has sold the personal
information of a consumer may not sell the information unless the
consumer receives explicit notice of the potential sale and is
provided the opportunity to exercise the right to opt out of the
sale as provided by this section.
(f) Notwithstanding Subsection (b), a business is not
required to provide the link required by that subsection on the
Internet website the business makes available to the public if the
business:
(1) provides the required link on a separate and
additional Internet website that is maintained by the business and
dedicated to consumers; and
(2) takes reasonable steps to ensure that consumers
are directed to the website described by Subdivision (1) instead of
the website the business makes available to the public.
(g) A business may not require a consumer to create an
account with the business to opt out of the sale of the consumer's
personal information.
Sec. 541.055. RIGHT TO OPT IN FOR SALE OF PERSONAL
INFORMATION OF CERTAIN MINORS. (a) The requirement for consent to
sell a consumer's personal information under this section may be
referred to as the consumer's "right to opt in."
(b) A business may not sell a consumer's personal
information if the business has actual knowledge that the consumer
is younger than 16 years of age unless:
(1) for a consumer who is at least 13 years of age but
younger than 16 years of age, the business receives express
authorization to sell the consumer's personal information from the
consumer; or
(2) for a consumer who is younger than 13 years of age,
the business receives express authorization to sell the consumer's
personal information from the consumer's parent or legal guardian.
(c) A business that wilfully disregards the age of a
consumer whose personal information the business sells to a third
party is considered to have actual knowledge of the consumer's age.
Sec. 541.056. WAIVER OR LIMITATION PROVISION VOID. (a) A
provision of a contract or other agreement that purports to waive or
limit a right, remedy, or means of enforcement under this chapter is
contrary to public policy and is void.
(b) This section does not prevent a consumer from:
(1) declining to request information from a business;
(2) declining to opt out of a business's sale of the
consumer's personal information; or
(3) authorizing a business to sell the consumer's
personal information after previously opting out.
SUBCHAPTER C. BUSINESS RIGHTS AND OBLIGATIONS
Sec. 541.101. NOTIFICATION OF COLLECTION REQUIRED. (a) A
business that collects a consumer's personal information shall, at
or before the point of collection, notify the consumer of each
category of personal information to be collected and the purposes
for which the category of information will be used.
(b) A business may not collect an additional category of
personal information or use personal information collected for an
additional purpose unless the business provides notice to the
consumer of the additional category or purpose in accordance with
Subsection (a).
(c) If a third party that assumes control of all or part of a
business as described by Section 541.003(d)(2)(C) materially
alters the practices of the business in how personal information is
used or shared, and the practices are materially inconsistent with
a notice provided to a consumer under Subsection (a) or (b), the
third party must notify the consumer of the third party's new or
changed practices before the third party uses or shares the
personal information in a conspicuous manner that allows the
consumer to easily exercise a right provided under this chapter.
(d) Subsection (c) does not authorize a business to make a
material, retroactive change or other change to a business's
privacy policy in a manner that would be a deceptive trade practice
actionable under Subchapter E, Chapter 17.
Sec. 541.102. ONLINE PRIVACY POLICY OR POLICY NOTICE. (a)
A business that collects, sells, or for a business purpose
discloses a consumer's personal information shall disclose the
following information in the business's online privacy policy or
other notice of the business's policies:
(1) a description of a consumer's rights under
Sections 541.051, 541.053, and 541.107 and designated methods for
submitting a verifiable consumer request for information under this
chapter;
(2) for a business that collects personal information
about consumers, a description of the consumer's right to request
the deletion of the consumer's personal information;
(3) separate lists containing the categories of
consumers' personal information described by Section 541.002(12)
that, during the 12 months preceding the date the business updated
the information as required by Subsection (b), the business:
(A) collected;
(B) sold, if applicable; or
(C) disclosed for a business purpose, if
applicable;
(4) the categories of sources from which the
information under Subdivision (3) is collected;
(5) the business or commercial purposes for collecting
personal information;
(6) if the business does not sell consumers' personal
information or disclose the information for a business or
commercial purpose, a statement of that fact;
(7) the categories of third parties to whom the
business sells or discloses personal information;
(8) if the business sells consumers' personal
information, the Internet link required by Section 541.054(b); and
(9) if applicable, the financial incentives offered to
consumers under Section 541.108.
(b) If a business described by Subsection (a) does not have
an online privacy policy or other notice of the business's
policies, the business shall make the information required under
Subsection (a) available to consumers on the business's Internet
website or another website the business maintains that is dedicated
to consumers in this state.
(c) A business must update the information required by
Subsection (a) at least once each year.
Sec. 541.103. METHODS TO SUBMIT VERIFIABLE CONSUMER
REQUEST. (a) A business shall designate and make available to
consumers, in a form that is reasonably accessible, at least two
methods for submitting a verifiable consumer request for
information required to be disclosed or deleted under Subchapter B.
The methods must include, at a minimum:
(1) a toll-free telephone number that a consumer may
call to submit the request; and
(2) the business's Internet website at which the
consumer may submit the request, if the business maintains an
Internet website.
(b) The methods designated under Subsection (a) may also
include:
(1) a mailing address;
(2) an electronic mail address;
(3) another Internet web page or portal;
(4) other contact information; or
(5) any consumer-friendly method approved by the
attorney general under Section 541.009.
(c) A business may not require a consumer to create an
account with the business to submit a verifiable consumer request.
Sec. 541.104. VERIFICATION OF CONSUMER REQUEST. (a) A
business that receives a consumer request under Section 541.051 or
541.053 shall promptly take steps to reasonably verify, in
accordance with rules adopted under Section 541.009, that:
(1) the consumer who is the subject of the request is a
consumer about whom the business has collected, sold, or for a
business purpose disclosed personal information; and
(2) the request is made by:
(A) the consumer;
(B) a consumer on behalf of the consumer's minor
child; or
(C) a person authorized to act on the consumer's
behalf.
(b) A business may use any personal information collected
from the consumer in connection with the business's verification of
a request under this section solely to verify the request.
(c) A business that is unable to verify a consumer request
under this section is not required to comply with the request.
Sec. 541.105. DISCLOSURE REQUIREMENTS. (a) Not later than
the 45th day after the date a business receives a verifiable
consumer request under Section 541.051 or 541.053, the business
shall disclose free of charge to the consumer the information
required to be disclosed under those sections.
(b) A business may extend the time in which to comply with
Subsection (a) once by an additional 45 days if reasonably
necessary or by an additional 90 days after taking into account the
number and complexity of verifiable consumer requests received by
the business. A business that extends the time in which to comply
with Subsection (a) shall notify the consumer of the extension and
reason for the delay within the period prescribed by that
subsection.
(c) The disclosure required by Subsection (a) must:
(1) cover personal information collected, sold, or
disclosed for a business purpose, as applicable, during the 12
months preceding the date the business receives the request; and
(2) be made in writing and delivered to the consumer:
(A) by mail or electronically, at the consumer's
option, if the consumer does not have an account with the business;
or
(B) through the consumer's account with the
business.
(d) An electronic disclosure under Subsection (c) must be in
a readily accessible format that allows the consumer to
electronically transmit the information to another person or
entity.
(e) A business is not required to make the disclosure
required by Subsection (a) to the same consumer more than twice in a
12-month period.
(f) Notwithstanding Subsection (a), if a consumer's
verifiable consumer request is manifestly baseless or excessive, in
particular because of repetitiveness, a business may charge a
reasonable fee after taking into account the administrative costs
of compliance or refusal to comply with the request. The business
has the burden of demonstrating that a request is manifestly
baseless or excessive.
(g) A business that does not comply with a consumer's
verifiable consumer request under Subsection (a) shall notify the
consumer, within the time the business is required to respond to a
request under this section, of the reasons for the refusal and the
rights the consumer may have to appeal that decision.
Sec. 541.106. DEIDENTIFIED INFORMATION. (a) A business
that uses deidentified information may not reidentify or attempt to
reidentify a consumer who is the subject of deidentified
information without obtaining the consumer's consent or
authorization.
(b) A business that uses deidentified information shall
implement:
(1) technical safeguards and business processes to
prohibit reidentification of the consumer to whom the information
may pertain; and
(2) business processes to prevent inadvertent release
of deidentified information.
(c) This chapter may not be construed to require a business
to reidentify or otherwise link information that is not maintained
in a manner that would be considered personal information.
Sec. 541.107. DISCRIMINATION PROHIBITED. (a) A business may
not discriminate against a consumer because the consumer exercised
a right under this chapter, including by:
(1) denying a good or service to the consumer;
(2) charging the consumer a different price or rate
for a good or service, including denying the use of a discount or
other benefit or imposing a penalty;
(3) providing a different level or quality of a good or
service to the consumer; or
(4) suggesting that the consumer will be charged a
different price or rate for, or provided a different level or
quality of, a good or service.
(b) This section does not prohibit a business from offering
or charging a consumer a different price or rate for a good or
service, or offering or providing to the consumer a different level
or quality of a good or service, if the difference is reasonably
related to the value provided to the consumer by the consumer's
data.
Sec. 541.108. FINANCIAL INCENTIVES. (a) Subject to
Subsection (b), a business may offer a financial incentive to a
consumer, including a payment as compensation, for the collection,
sale, or disclosure of the consumer's personal information.
(b) A business may enroll a customer in a financial
incentive program only if the business provides to the consumer a
clear description of the material terms of the program and obtains
the consumer's prior opt-in consent, which:
(1) contains a clear description of those material
terms; and
(2) may be revoked by the consumer at any time.
(c) A business may not use financial incentive practices
that are unjust, unreasonable, coercive, or usurious in nature.
Sec. 541.109. CERTAIN ACTIONS TO AVOID REQUIREMENTS
PROHIBITED. (a) A business may not divide a single transaction into
more than one transaction with the intent to avoid the requirements
of this chapter.
(b) For purposes of this chapter, two or more substantially
similar or related transactions are considered a single transaction
if the transactions:
(1) are entered into contemporaneously; and
(2) have at least one common party.
(c) A court shall disregard any intermediate transactions
conducted by a business with the intent to avoid the requirements of
this chapter, including the disclosure of information by a business
to a third party to avoid complying with the requirements under this
chapter applicable to a sale of the information.
Sec. 541.110. INFORMATION REQUIRED. A business shall
ensure that each person responsible for handling consumer inquiries
about the business's privacy practices or compliance with this
chapter is informed of the requirements of this chapter and of how
to direct a consumer in exercising any of the rights to which a
consumer is entitled under this chapter.
SUBCHAPTER D. REMEDIES
Sec. 541.151. CIVIL PENALTY; INJUNCTION. (a) A person who
violates this chapter is liable to this state for a civil penalty in
an amount not to exceed:
(1) $2,500 for each violation; or
(2) $7,500 for each violation, if the violation is
intentional.
(b) If it appears to the attorney general that a person is
engaging in, has engaged in, or is about to engage in conduct that
violates this chapter, the attorney general may give notice to the
person of the alleged violation. If the person fails to cure the
alleged violation before the 30th day after the date notice is
given, the attorney general may bring an action in the name of the
state against the person to restrain the violation by a temporary
restraining order or by a permanent or temporary injunction or to
recover the civil penalty imposed under this section, or both.
(c) The attorney general is entitled to recover reasonable
expenses, including reasonable attorney's fees, court costs, and
investigatory costs, incurred in obtaining injunctive relief or
civil penalties, or both, under this section. Amounts collected
under this section shall be deposited in a dedicated account in the
general revenue fund and may be appropriated only for the purposes
of the administration and enforcement of this chapter.
Sec. 541.152. BUSINESS IMMUNITY FROM LIABILITY. A business
that discloses to a third party, or discloses for a business purpose
to a service provider, a consumer's personal information in
compliance with this chapter may not be held liable for a violation
of this chapter by the third party or service provider if the
business does not have actual knowledge or a reasonable belief that
the third party or service provider intends to violate this
chapter.
Sec. 541.153. SERVICE PROVIDER IMMUNITY FROM LIABILITY. A
business's service provider may not be held liable for a violation
of this chapter by the business.
SECTION 2. This Act takes effect September 1, 2020.