86R17033 TSR-D
 
  By: Martinez Fischer H.B. No. 4518
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the privacy of a consumer's personal information
  collected by certain businesses; imposing a civil penalty.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Title 11, Business & Commerce Code, is amended by
  adding Subtitle C to read as follows:
  SUBTITLE C. PRIVACY OF PERSONAL INFORMATION
  CHAPTER 541. PRIVACY OF CONSUMER'S PERSONAL INFORMATION
  SUBCHAPTER A. GENERAL PROVISIONS
         Sec. 541.001.  SHORT TITLE. This chapter may be cited as the
  Texas Consumer Privacy Act.
         Sec. 541.002.  DEFINITIONS. In this chapter:
               (1)  "Aggregate consumer information" means
  information that relates to a group or category of consumers from
  which individual consumer identities have been removed and that is
  not linked or reasonably linkable to a particular consumer or
  household, including through a device. The term does not include
  one or more individual consumer records that have been
  deidentified.
               (2)  "Biometric information" means an individual's
  physiological, biological, or behavioral characteristics that can
  be used, alone or in combination with other characteristics or
  other identifying data, to establish the individual's identity.
  The term includes:
                     (A)  deoxyribonucleic acid (DNA);
                     (B)  an image of an iris, retina, fingerprint,
  face, hand, palm, or vein pattern or a voice recording from which an
  identifier template can be extracted such as a faceprint, minutiae
  template, or voiceprint;
                     (C)  keystroke patterns or rhythms;
                     (D)  gait patterns or rhythms; and
                     (E)  sleep, health, or exercise data that contains
  identifying information.
               (3)  "Business" means a for-profit entity, including a
  sole proprietorship, partnership, limited liability company,
  corporation, association, or other legal entity that is organized
  or operated for the profit or financial benefit of the entity's
  shareholders or other owners.
               (4)  "Business purpose" means the use of personal
  information for:
                     (A)  the following operational purposes of a
  business or service provider, provided that the use of the
  information is reasonably necessary and proportionate to achieve
  the operational purpose for which the information was collected or
  processed or another operational purpose that is compatible with
  the context in which the information was collected:
                           (i)  auditing related to a current
  interaction with a consumer and any concurrent transactions,
  including counting ad impressions to unique visitors, verifying the
  positioning and quality of ad impressions, and auditing compliance
  with a specification or other standards for ad impressions;
                           (ii)  detecting a security incident,
  protecting against malicious, deceptive, fraudulent, or illegal
  activity, and prosecuting those responsible for any illegal
  activity described by this subparagraph;
                           (iii)  identifying and repairing or removing
  errors that impair the intended functionality of computer hardware
  or software;
                           (iv)  using personal information in the
  short term or for a transient use, provided that the information is
  not:
                                 (a)  disclosed to a third party; and
                                 (b)  used to build a profile about a
  consumer or alter an individual consumer's experience outside of a
  current interaction with the consumer, including the contextual
  customization of an advertisement displayed as part of the same
  interaction;
                           (v)  performing a service on behalf of the
  business or service provider, including:
                                 (a)  maintaining or servicing an
  account, providing customer service, processing or fulfilling an
  order or transaction, verifying customer information, processing a
  payment, providing financing, providing advertising or marketing
  services, or providing analytic services; or
                                 (b)  performing a service similar to a
  service described by Sub-subparagraph (a) on behalf of the business
  or service provider;
                           (vi)  undertaking internal research for
  technological development and demonstration; or
                           (vii)  undertaking an activity to:
                                 (a)  verify or maintain the quality or
  safety of a service or device that is owned by, manufactured by,
  manufactured for, or controlled by the business; or
                                 (b)  improve, upgrade, or enhance a
  service or device described by Sub-subparagraph (a); or
                     (B)  another operational purpose for which notice
  is given under this chapter.
               (5)  "Collect" means to buy, rent, gather, obtain,
  receive, or access the personal information of a consumer by any
  means, including by actively or passively receiving the information
  from the consumer or by observing the consumer's behavior.
               (6)  "Commercial purpose" means a purpose that is
  intended to result in a profit or other tangible benefit or the
  advancement of a person's commercial or economic interests, such as
  by inducing another person to buy, rent, lease, subscribe to,
  provide, or exchange products, goods, property, information, or
  services or by enabling or effecting, directly or indirectly, a
  commercial transaction. The term does not include the purpose of
  engaging in speech recognized by state or federal courts as
  noncommercial speech, including political speech and journalism.
               (7)  "Consumer" means an individual who is a resident
  of this state.
               (8)  "Deidentified information" means information that
  cannot reasonably identify, relate to, describe, be associated
  with, or be linked to, directly or indirectly, a particular
  consumer.
               (9)  "Device" means any physical object capable of
  connecting to the Internet, directly or indirectly, or to another
  device.
               (10)  "Identifier" means data elements or other
  information that alone or in conjunction with other information can
  be used to identify a particular consumer, household, or device
  that is linked to a particular consumer or household.
               (11)  "Person" means an individual, sole
  proprietorship, firm, partnership, joint venture, syndicate,
  business trust, company, corporation, limited liability company,
  association, committee, and any other organization or group of
  persons acting in concert.
               (12)  "Personal information" means information that
  identifies, relates to, describes, can be associated with, or can
  reasonably be linked to, directly or indirectly, a particular
  consumer or household. The term does not include publicly
  available information. The term includes the following categories
  of information if the information identifies, relates to,
  describes, can be associated with, or can reasonably be linked to,
  directly or indirectly, a particular consumer or household:
                     (A)  an identifier, including a real name, alias,
  mailing address, account name, date of birth, driver's license
  number, unique identifier, social security number, passport
  number, signature, telephone number, or other government-issued
  identification number, or other similar identifier;
                     (B)  an online identifier, including an
  electronic mail address or Internet Protocol address, or other
  similar identifier;
                     (C)  a physical characteristic or description,
  including a characteristic of a protected classification under
  state or federal law;
                     (D)  commercial information, including:
                           (i)  a record of personal property;
                           (ii)  a good or service purchased, obtained,
  or considered;
                           (iii)  an insurance policy number; or
                           (iv)  other purchasing or consuming
  histories or tendencies;
                     (E)  biometric information;
                     (F)  Internet or other electronic network
  activity information, including:
                           (i)  browsing or search history; and
                           (ii)  other information regarding a
  consumer's interaction with an Internet website, application, or
  advertisement;
                     (G)  geolocation data;
                     (H)  audio, electronic, visual, thermal,
  olfactory, or other similar information;
                     (I)  professional or employment-related
  information;
                     (J)  education information that is not publicly
  available personally identifiable information under the Family
  Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
  1232g) (34 C.F.R. Part 99);
                     (K)  financial information, including a financial
  institution account number, credit or debit card number, or
  password or access code associated with a credit or debit card or
  bank account;
                     (L)  medical information;
                     (M)  health insurance information; or
                     (N)  inferences drawn from any of the information
  listed under this subdivision to create a profile about a consumer
  that reflects the consumer's preferences, characteristics,
  psychological trends, predispositions, behavior, attitudes,
  intelligence, abilities, or aptitudes.
               (13)  "Processing information" means performing any
  operation or set of operations on personal data or on sets of
  personal data, whether or not by automated means.
               (14)  "Publicly available information" means
  information that is lawfully made available to the public from
  federal, state, or local government records if the conditions
  associated with making the information available are met. The term
  does not include:
                     (A)  biometric information of a consumer
  collected by a business without the consumer's knowledge;
                     (B)  data that is used for a purpose that is not
  compatible with the purpose for which the data is:
                           (i)  publicly maintained; or
                           (ii)  maintained in and made available from
  government records; or
                     (C)  deidentified or aggregate consumer
  information.
               (15)  "Service provider" means a for-profit entity as
  described by Subdivision (3) that processes information on behalf
  of a business and to which the business discloses, for a business
  purpose, a consumer's personal information under a written
  contract, provided that the contract prohibits the entity receiving
  the information from retaining, using, or disclosing the
  information for any purpose other than:
                     (A)  providing the services specified in the
  contract with the business; or
                     (B)  for a purpose permitted by this chapter,
  including for a commercial purpose other than providing those
  specified services.
               (16)  "Third party" means a person who is not:
                     (A)  a business to which this chapter applies that
  collects personal information from consumers; or
                     (B)  a person to whom the business discloses, for
  a business purpose, a consumer's personal information under a
  written contract, provided that the contract:
                           (i)  prohibits the person receiving the
  information from:
                                 (a)  selling the information;
                                 (b)  retaining, using, or disclosing
  the information for any purpose other than providing the services
  specified in the contract, including for a commercial purpose other
  than providing those services; and
                                 (c)  retaining, using, or disclosing
  the information outside of the direct business relationship between
  the person and the business; and
                           (ii)  includes a certification made by the
  person receiving the personal information that the person
  understands and will comply with the prohibitions under
  Subparagraph (i).
               (17)  "Unique identifier" means a persistent
  identifier that can be used over time and across different services
  to recognize a consumer, a custodial parent or guardian, or any
  minor children over which the parent or guardian has custody, or a
  device that is linked to those individuals. The term includes:
                     (A)  a device identifier;
                     (B)  an Internet Protocol address;
                     (C)  a cookie, beacon, pixel tag, mobile ad
  identifier, or similar technology;
                     (D)  a customer number, unique pseudonym, or user
  alias;
                     (E)  a telephone number; and
                     (F)  another form of a persistent or probabilistic
  identifier that can be used to identify a particular consumer or
  device.
               (18)  "Verifiable consumer request" means a request:
                     (A)  that is made by a consumer, a consumer on
  behalf of the consumer's minor child, or a natural person or person
  who is authorized by a consumer to act on the consumer's behalf; and
                     (B)  that a business can reasonably verify, in
  accordance with rules adopted under Section 541.009, was submitted
  by:
                           (i)  the consumer about whom the business
  has collected personal information; or
                           (ii)  the consumer on behalf of the
  consumer's minor child about whom the business has collected
  personal information.
         Sec. 541.003.  APPLICABILITY OF CHAPTER. (a) This chapter
  applies only to:
               (1)  a business that:
                     (A)  does business in this state;
                     (B)  collects consumers' personal information or
  has that information collected on the business's behalf;
                     (C)  alone or in conjunction with others,
  determines the purpose for and means of processing consumers'
  personal information; and
                     (D)  satisfies one or more of the following
  thresholds:
                           (i)  has annual gross revenue in an amount
  that exceeds $25 million, as adjusted by the attorney general in
  accordance with the rules adopted under Section 541.009;
                           (ii)  alone or in combination with others,
  annually buys, sells, or receives or shares for commercial purposes
  the personal information of 50,000 or more consumers, households,
  or devices; or
                           (iii)  derives 50 percent or more of the
  business's annual revenue from selling consumers' personal
  information; and
               (2)  an entity that controls or is controlled by a
  business described by Subdivision (1) and that shares a service
  mark, trademark, or shared name with the business.
         (b)  For purposes of Subsection (a)(2), "control" means the:
               (1)  ownership of, or power to vote, more than 50
  percent of the outstanding shares of any class of voting security of
  a business;
               (2)  control in any manner over the election of a
  majority of the directors or of individuals exercising similar
  functions; or
               (3)  power to exercise a controlling influence over the
  management of a company.
         (c)  For purposes of this chapter, a business sells a
  consumer's personal information to another business or a third
  party if the business sells, rents, discloses, disseminates, makes
  available, transfers, or otherwise communicates, orally, in
  writing, or by electronic or other means, the information to the
  other business or third party for monetary or other valuable
  consideration.
         (d)  For purposes of this chapter, a business does not sell a
  consumer's personal information if:
               (1)  the consumer uses or directs the business to
  intentionally disclose the information or uses the business to
  intentionally interact with a third party, provided that the third
  party does not sell the information, unless that disclosure is
  consistent with this chapter; or
               (2)  the business:
                     (A)  uses or shares an identifier of the consumer
  to alert a third party that the consumer has opted out of the sale of
  the information;
                     (B)  uses or shares with a service provider a
  consumer's personal information that is necessary to perform a
  business purpose if:
                           (i)  the business provided notice that the
  information is being used or shared in the business's terms and
  conditions consistent with Sections 541.054 and 541.102(a)(8); and
                           (ii)  the service provider does not further
  collect, sell, or use the information except as necessary to
  perform the business purpose; or
                     (C)  transfers to a third party a consumer's
  personal information as an asset that is part of a merger,
  acquisition, bankruptcy, or other transaction in which the third
  party assumes control of all or part of the business, provided that
  information is used or shared consistent with Sections 541.051,
  541.053, and 541.054(e).
         (e)  For purposes of Subsection (d)(1), an intentional
  interaction occurs if the consumer does one or more deliberate acts
  with the intent to interact with a third party. Placing a cursor
  over, muting, pausing, or closing online content does not
  constitute a consumer's intent to interact with a third party.
         Sec. 541.004.  EXEMPTIONS. (a) This chapter does not apply
  to:
               (1)  publicly available information;
               (2)  protected health information governed by Chapter
  181, Health and Safety Code, or collected by a covered entity or a
  business associate of a covered entity, as those terms are defined
  by 45 C.F.R. Section 160.103, that is governed by the privacy,
  security, and breach notification rules in 45 C.F.R. Parts 160 and
  164 adopted by the United States Department of Health and Human
  Services under the Health Insurance Portability and Accountability
  Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American
  Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5);
               (3)  a health care provider governed by Chapter 181,
  Health and Safety Code, or a covered entity described by
  Subdivision (2) to the extent that the provider or entity maintains
  the personal information of a patient in the same manner as
  protected health information described by that subdivision;
               (4)  information collected as part of a clinical trial
  subject to the Federal Policy for the Protection of Human Subjects
  in accordance with the good clinical practice guidelines issued by
  the International Council for Harmonisation or the human subject
  protection requirements of the United States Food and Drug
  Administration;
               (5)  the sale of personal information to or by a
  consumer reporting agency, as defined by Section 20.01, if the
  information is to be:
                     (A)  reported in or used to generate a consumer
  report, as defined by Section 1681a(d) of the Fair Credit Reporting
  Act (15 U.S.C. Section 1681 et seq.); and
                     (B)  used solely for a purpose authorized under
  that act;
               (6)  personal information collected, processed, sold,
  or disclosed in accordance with:
                     (A)  the Gramm-Leach-Bliley Act (Pub. L. No.
  106-102) and its implementing regulations; or
                     (B)  the Driver's Privacy Protection Act of 1994
  (18 U.S.C. Section 2721 et seq.);
               (7)  deidentified or aggregate consumer information;
  or
               (8)  a consumer's personal information collected or
  sold by a business, if every aspect of the collection or sale
  occurred wholly outside of this state.
         (b)  For purposes of Subsection (a)(8), the collection or
  sale of a consumer's personal information occurs wholly outside of
  this state if:
               (1)  the business collects that information while the
  consumer is outside of this state;
               (2)  no part of the sale of the information occurs in
  this state; and
               (3)  the business does not sell any personal
  information of the consumer collected while the consumer is in this
  state.
         (c)  For purposes of Subsection (b), the collection or sale
  of a consumer's personal information does not occur wholly outside
  of this state if a business stores a consumer's personal
  information, including on a device, when the consumer is in this
  state and subsequently collects or sells that stored information
  when the consumer and the information are outside of this state.
         Sec. 541.005.  CERTAIN RIGHTS AND OBLIGATIONS NOT AFFECTED.
  A right or obligation under this chapter does not apply to the
  extent that the exercise of the right or performance of the
  obligation:
               (1)  adversely affects a right of another consumer; or
               (2)  infringes on a noncommercial activity of:
                     (A)  a publisher, editor, reporter, or other
  person connected with or employed by a newspaper, magazine, or
  other publication of general circulation, including a periodical
  newsletter, pamphlet, or report;
                     (B)  a radio or television station that holds a
  license issued by the Federal Communications Commission; or
                     (C)  an entity that provides an information
  service, including a press association or wire service.
         Sec. 541.006.  COMPLIANCE WITH OTHER LAWS; LEGAL
  PROCEEDINGS. This chapter does not:
               (1)  restrict a business's ability to:
                     (A)  comply with:
                           (i)  applicable federal, state, or local
  laws; or
                           (ii)  a civil, criminal, or regulatory
  inquiry, investigation, subpoena, or summons by a federal, state,
  or local authority;
                     (B)  cooperate with a law enforcement agency
  concerning conduct or activity that the business, a service
  provider of the business, or a third party reasonably and in good
  faith believes may violate other applicable federal, state, or
  local laws; or
                     (C)  pursue or defend against a legal claim; or
               (2)  require a business to violate an evidentiary
  privilege under federal or state law or prevent a business from
  disclosing to a person covered by an evidentiary privilege the
  personal information of a consumer as part of a privileged
  communication.
         Sec. 541.007.  CONSTRUCTION; RELATION TO OTHER STATE AND
  FEDERAL LAW. (a) This chapter shall be liberally construed to
  effect its purposes and to harmonize, to the extent possible, with
  other laws of this state relating to the privacy or protection of
  personal information.
         (b)  To the extent of a conflict between a provision of this
  chapter and a provision of federal law, including a regulation or an
  interpretation of federal law, federal law controls and conflicting
  requirements or other provisions of this chapter do not apply.
         (c)  To the extent of a conflict between a provision of this
  chapter and another statute of this state with respect to the
  privacy or protection of consumers' personal information, the
  provision of law that affords the greatest privacy or protection to
  consumers prevails.
         Sec. 541.008.  PREEMPTION OF LOCAL LAW. This chapter
  preempts and supersedes any ordinance, order, or rule adopted by a
  political subdivision of this state relating to the collection or
  sale by a business of a consumer's personal information.
         Sec. 541.009.  RULES. (a) The attorney general shall adopt
  rules necessary to implement, administer, and enforce this chapter.
         (b)  The rules adopted under Subsection (a) must establish:
               (1)  procedures for the adjustment of the monetary
  threshold under Section 541.003(a)(1)(D) in January of every
  odd-numbered year to reflect any increase in the consumer price
  index;
               (2)  procedures governing the determination of,
  submission of, and compliance with a verifiable consumer request
  for information with the goal of minimizing administrative burdens
  on consumers and businesses subject to this chapter by taking into
  account available technology and security concerns, including:
                     (A)  treating as a verifiable consumer request a
  request submitted through a password-protected online account
  maintained by the consumer with the business while logged into the
  account; and
                     (B)  providing a mechanism for a request submitted
  by a consumer who does not maintain an account with the business;
               (3)  procedures to facilitate and govern the submission
  of and compliance with a request to opt out of the sale of personal
  information under Section 541.054;
               (4)  guidelines for the development of a recognizable
  and uniform opt-out logo or button for use on businesses' Internet
  websites in a manner that promotes consumer awareness of the
  opportunity to opt out of the sale of personal information; and
               (5)  procedures and guidelines, including any
  necessary exceptions, to ensure that the notices and information
  businesses are required to provide under this chapter, including
  information regarding financial incentive offerings, are:
                     (A)  provided in a manner that is easily
  understood by the average consumer;
                     (B)  accessible by consumers with disabilities;
  and
                     (C)  available in the languages primarily used by
  consumers to interact with businesses.
         (c)  The attorney general may adopt other rules necessary to
  further the purposes of this chapter, including rules as necessary
  to:
               (1)  update the categories of personal information
  listed under Section 541.002(12) and the definition of identifier
  under Section 541.002 to account for privacy concerns,
  implementation obstacles, or changes in technology and data
  collection methods;
               (2)  update the designated methods for submitting
  requests to facilitate a consumer's ability to obtain information
  from a business under Section 541.103; and
               (3)  establish any exceptions necessary to comply with
  federal law or other laws of this state, including laws relating to
  trade secrets and intellectual property rights.
         Sec. 541.010.  ATTORNEY GENERAL OPINION. A business or a
  third party may seek an opinion from the attorney general for
  guidance on how to comply with this chapter.
         Sec. 541.011.  USE OF PERSONAL INFORMATION IN RESEARCH. For
  purposes of this chapter, "research" means scientific, systematic
  study and observation, including basic research or applied research
  that is in the public interest and that adheres to all other
  applicable ethics and privacy laws or studies conducted in the
  public interest in the area of public health. Research with
  personal information that may have been collected from a consumer
  in the course of the consumer's interactions with a business's
  service or device for other purposes must be:
               (1)  compatible with the business purpose for which the
  personal information was collected;
               (2)  subsequently pseudonymized and deidentified, or
  deidentified and in the aggregate, such that the information cannot
  reasonably identify, relate to, describe, be capable of being
  associated with, or be linked, directly or indirectly, to a
  particular consumer;
               (3)  made subject to technical safeguards that prohibit
  reidentification of the consumer to whom the information may
  pertain;
               (4)  subject to business processes that specifically
  prohibit reidentification of the information;
               (5)  made subject to business processes to prevent
  inadvertent release of deidentified information;
               (6)  protected from any reidentification attempts;
               (7)  used solely for research purposes that are
  compatible with the context in which the personal information was
  collected;
               (8)  not used for any commercial purpose; and
               (9)  subjected by the business conducting the research
  to additional security controls that limit access to the research
  data to only those individuals in a business as are necessary to
  carry out the research purpose.
  SUBCHAPTER B. CONSUMER'S RIGHTS
         Sec. 541.051.  RIGHT TO DISCLOSURE OF PERSONAL INFORMATION
  COLLECTED. (a) A consumer is entitled to request that a business
  that collects the consumer's personal information disclose to the
  consumer the categories and specific items of personal information
  the business has collected.
         (b)  To receive the disclosure of information under
  Subsection (a), a consumer must submit to the business a verifiable
  consumer request using a method designated by the business under
  Section 541.103.
         (c)  On receipt of a verifiable consumer request under this
  section, a business shall disclose to the consumer in the time and
  manner provided by Section 541.105:
               (1)  each enumerated category and item within each
  category of personal information under Section 541.002(12) that the
  business collected about the consumer during the 12 months
  preceding the date of the request;
               (2)  each category of sources from which the
  information was collected;
               (3)  the business or commercial purpose for collecting
  or selling the personal information; and
               (4)  each category of third parties with whom the
  business shares the personal information.
         (d)  This section does not require a business to:
               (1)  retain a consumer's personal information that was
  collected for a one-time transaction if the information is not sold
  or retained in the ordinary course of business; or
               (2)  reidentify or otherwise link any data that, in the
  ordinary course of business, is not maintained in a manner that
  would be considered personal information.
         Sec. 541.052.  RIGHT TO DELETION OF PERSONAL INFORMATION
  COLLECTED. (a) A consumer is entitled to request that a business
  that collects the consumer's personal information delete any
  personal information the business has collected from the consumer
  by submitting a verifiable consumer request using a method
  designated by the business under Section 541.103.
         (b)  Except as provided by Subsection (c), on receipt of a
  verifiable consumer request under this section, a business shall
  delete from the business's records any personal information
  collected from the consumer and direct a service provider of the
  business to delete the information from the provider's records.
         (c)  A business or service provider of the business is not
  required to comply with a verifiable consumer request received
  under this section if the business or service provider needs to
  retain the consumer's personal information to:
               (1)  complete the transaction for which the information
  was collected;
               (2)  provide a good or service requested by the
  consumer or reasonably anticipated to be requested by the consumer
  in the context of the ongoing business relationship between the
  business and consumer;
               (3)  perform under a contract between the business and
  the consumer;
               (4)  detect a security incident, protect against
  malicious, deceptive, fraudulent, or illegal activity, or
  prosecute those responsible for any illegal activity described by
  this subdivision;
               (5)  identify and repair or remove errors from computer
  hardware or software that impair its intended functionality;
               (6)  exercise free speech or ensure the right of
  another consumer to exercise the right of free speech or another
  right afforded by law;
               (7)  comply with Chapter 1289 (H.B. 2268), Acts of the
  83rd Legislature, Regular Session, 2013, or a legal obligation;
               (8)  engage in public or peer-reviewed scientific,
  historical, or statistical research that is in the public interest
  and that adheres to all other applicable ethics and privacy laws
  provided that:
                     (A)  the business's deletion of the information is
  likely to render impossible or seriously impair the achievement of
  that research; and
                     (B)  the consumer has provided to the business
  informed consent to retain the information; or
               (9)  use the information internally:
                     (A)  so long as the use is reasonably aligned with
  the expectations of the consumer based on the consumer's
  relationship with the business; or
                     (B)  in a manner that is lawful and compatible
  with the context in which the consumer provided the information.
         Sec. 541.053.  RIGHT TO DISCLOSURE OF PERSONAL INFORMATION
  SOLD OR DISCLOSED. (a) A consumer is entitled to request that a
  business that sells, or discloses for a business purpose, the
  consumer's personal information disclose to the consumer:
               (1)  the categories of personal information the
  business collected about the consumer;
               (2)  the categories of personal information about the
  consumer the business sold, or disclosed for a business purpose;
  and
               (3)  the categories of third parties to whom the
  personal information was sold or disclosed.
         (b)  To receive the disclosure of information under
  Subsection (a), a consumer must submit to the business a verifiable
  consumer request using a method designated by the business under
  Section 541.103.
         (c)  On receipt of a verifiable consumer request under this
  section, a business shall disclose to the consumer in the time and
  manner provided by Section 541.105:
               (1)  each enumerated category of personal information
  under Section 541.002(12) that the business collected about the
  consumer during the 12 months preceding the date of the request;
               (2)  the categories of third parties to whom the
  business sold the consumer's personal information during the 12
  months preceding the date of the request, by reference to each
  enumerated category of information under Section 541.002(12) sold
  to each third party; and
               (3)  the categories of third parties to whom the
  business disclosed for a business purpose the consumer's personal
  information during the 12 months preceding the date of the request,
  by reference to each enumerated category of information under
  Section 541.002(12) disclosed to each third party.
         (d)  A business shall provide the information described by
  Subsections (c)(2) and (3) in two separate lists.
         (e)  A business that did not sell, or disclose for a business
  purpose, the consumer's personal information during the 12 months
  preceding the date of receiving the consumer's verifiable consumer
  request under this section shall disclose that fact to the
  consumer.
         Sec. 541.054.  RIGHT TO OPT OUT OF SALE OF PERSONAL
  INFORMATION. (a) A consumer is entitled at any time to opt out of
  the sale of the consumer's personal information by a business to
  third parties by directing the business not to sell the
  information. A consumer may authorize another person solely to opt
  out of the sale of the consumer's personal information on the
  consumer's behalf. Except as provided by Subsection (c), a
  business shall comply with a direction not to sell that is received
  under this subsection.
         (b)  A business that sells to a third party consumers'
  personal information shall provide on the business's Internet
  website's home page:
               (1)  notice to consumers that:
                     (A)  the information may be sold; and
                     (B)  consumers have the right to opt out of the
  sale; and
               (2)  a clear and conspicuous link that:
                     (A)  enables a consumer, or a person authorized by
  the consumer, to opt out of the sale of the consumer's personal
  information; and
                     (B)  is titled "DO NOT SELL MY PERSONAL
  INFORMATION."
         (c)  A business may not sell to a third party the personal
  information of a consumer who opts out of the sale of that
  information under this section before the first anniversary of the
  date the consumer opted out, unless the consumer provides express
  authorization for the business to sell the consumer's personal
  information. After the period prescribed by this subsection
  expires, a business may request that the consumer consent to the
  sale of the consumer's personal information by the business.
         (d)  A business may use any personal information collected
  from the consumer in connection with the consumer's opting out
  under this section solely to comply with this section.
         (e)  A third party to whom a business has sold the personal
  information of a consumer may not sell the information unless the
  consumer receives explicit notice of the potential sale and is
  provided the opportunity to exercise the right to opt out of the
  sale as provided by this section.
         (f)  Notwithstanding Subsection (b), a business is not
  required to provide the link required by that subsection on the
  Internet website the business makes available to the public if the
  business:
               (1)  provides the required link on a separate and
  additional Internet website that is maintained by the business and
  dedicated to consumers; and
               (2)  takes reasonable steps to ensure that consumers
  are directed to the website described by Subdivision (1) instead of
  the website the business makes available to the public.
         (g)  A business may not require a consumer to create an
  account with the business to opt out of the sale of the consumer's
  personal information.
         Sec. 541.055.  RIGHT TO OPT IN FOR SALE OF PERSONAL
  INFORMATION OF CERTAIN MINORS. (a) The requirement for consent to
  sell a consumer's personal information under this section may be
  referred to as the consumer's "right to opt in."
         (b)  A business may not sell a consumer's personal
  information if the business has actual knowledge that the consumer
  is younger than 16 years of age unless:
               (1)  for a consumer who is at least 13 years of age but
  younger than 16 years of age, the business receives express
  authorization to sell the consumer's personal information from the
  consumer; or
               (2)  for a consumer who is younger than 13 years of age,
  the business receives express authorization to sell the consumer's
  personal information from the consumer's parent or legal guardian.
         (c)  A business that wilfully disregards the age of a
  consumer whose personal information the business sells to a third
  party is considered to have actual knowledge of the consumer's age.
         Sec. 541.056.  WAIVER OR LIMITATION PROVISION VOID. (a) A
  provision of a contract or other agreement that purports to waive or
  limit a right, remedy, or means of enforcement under this chapter is
  contrary to public policy and is void.
         (b)  This section does not prevent a consumer from:
               (1)  declining to request information from a business;
               (2)  declining to opt out of a business's sale of the
  consumer's personal information; or
               (3)  authorizing a business to sell the consumer's
  personal information after previously opting out.
  SUBCHAPTER C. BUSINESS RIGHTS AND OBLIGATIONS
         Sec. 541.101.  NOTIFICATION OF COLLECTION REQUIRED. (a) A
  business that collects a consumer's personal information shall, at
  or before the point of collection, notify the consumer of each
  category of personal information to be collected and the purposes
  for which the category of information will be used.
         (b)  A business may not collect an additional category of
  personal information or use personal information collected for an
  additional purpose unless the business provides notice to the
  consumer of the additional category or purpose in accordance with
  Subsection (a).
         (c)  If a third party that assumes control of all or part of a
  business as described by Section 541.003(d)(2)(C) materially
  alters the practices of the business in how personal information is
  used or shared, and the practices are materially inconsistent with
  a notice provided to a consumer under Subsection (a) or (b), the
  third party must notify the consumer of the third party's new or
  changed practices before the third party uses or shares the
  personal information in a conspicuous manner that allows the
  consumer to easily exercise a right provided under this chapter.
         (d)  Subsection (c) does not authorize a business to make a
  material, retroactive change or other change to a business's
  privacy policy in a manner that would be a deceptive trade practice
  actionable under Subchapter E, Chapter 17.
         Sec. 541.102.  ONLINE PRIVACY POLICY OR POLICY NOTICE. (a)
  A business that collects, sells, or for a business purpose
  discloses a consumer's personal information shall disclose the
  following information in the business's online privacy policy or
  other notice of the business's policies:
               (1)  a description of a consumer's rights under
  Sections 541.051, 541.053, and 541.107 and designated methods for
  submitting a verifiable consumer request for information under this
  chapter;
               (2)  for a business that collects personal information
  about consumers, a description of the consumer's right to request
  the deletion of the consumer's personal information;
               (3)  separate lists containing the categories of
  consumers' personal information described by Section 541.002(12)
  that, during the 12 months preceding the date the business updated
  the information as required by Subsection (b), the business:
                     (A)  collected;
                     (B)  sold, if applicable; or
                     (C)  disclosed for a business purpose, if
  applicable;
               (4)  the categories of sources from which the
  information under Subdivision (3) is collected;
               (5)  the business or commercial purposes for collecting
  personal information;
               (6)  if the business does not sell consumers' personal
  information or disclose the information for a business or
  commercial purpose, a statement of that fact;
               (7)  the categories of third parties to whom the
  business sells or discloses personal information;
               (8)  if the business sells consumers' personal
  information, the Internet link required by Section 541.054(b); and
               (9)  if applicable, the financial incentives offered to
  consumers under Section 541.108.
         (b)  If a business described by Subsection (a) does not have
  an online privacy policy or other notice of the business's
  policies, the business shall make the information required under
  Subsection (a) available to consumers on the business's Internet
  website or another website the business maintains that is dedicated
  to consumers in this state.
         (c)  A business must update the information required by
  Subsection (a) at least once each year.
         Sec. 541.103.  METHODS TO SUBMIT VERIFIABLE CONSUMER
  REQUEST. (a) A business shall designate and make available to
  consumers, in a form that is reasonably accessible, at least two
  methods for submitting a verifiable consumer request for
  information required to be disclosed or deleted under Subchapter B.  
  The methods must include, at a minimum:
               (1)  a toll-free telephone number that a consumer may
  call to submit the request; and
               (2)  the business's Internet website at which the
  consumer may submit the request, if the business maintains an
  Internet website.
         (b)  The methods designated under Subsection (a) may also
  include:
               (1)  a mailing address;
               (2)  an electronic mail address;
               (3)  another Internet web page or portal;
               (4)  other contact information; or
               (5)  any consumer-friendly method approved by the
  attorney general under Section 541.009.
         (c)  A business may not require a consumer to create an
  account with the business to submit a verifiable consumer request.
         Sec. 541.104.  VERIFICATION OF CONSUMER REQUEST. (a) A
  business that receives a consumer request under Section 541.051 or
  541.053 shall promptly take steps to reasonably verify, in
  accordance with rules adopted under Section 541.009, that:
               (1)  the consumer who is the subject of the request is a
  consumer about whom the business has collected, sold, or for a
  business purpose disclosed personal information; and
               (2)  the request is made by:
                     (A)  the consumer;
                     (B)  a consumer on behalf of the consumer's minor
  child; or
                     (C)  a person authorized to act on the consumer's
  behalf.
         (b)  A business may use any personal information collected
  from the consumer in connection with the business's verification of
  a request under this section solely to verify the request.
         (c)  A business that is unable to verify a consumer request
  under this section is not required to comply with the request.
         Sec. 541.105.  DISCLOSURE REQUIREMENTS. (a) Not later than
  the 45th day after the date a business receives a verifiable
  consumer request under Section 541.051 or 541.053, the business
  shall disclose free of charge to the consumer the information
  required to be disclosed under those sections.
         (b)  A business may extend the time in which to comply with
  Subsection (a) once by an additional 45 days if reasonably
  necessary or by an additional 90 days after taking into account the
  number and complexity of verifiable consumer requests received by
  the business. A business that extends the time in which to comply
  with Subsection (a) shall notify the consumer of the extension and
  reason for the delay within the period prescribed by that
  subsection.
         (c)  The disclosure required by Subsection (a) must:
               (1)  cover personal information collected, sold, or
  disclosed for a business purpose, as applicable, during the 12
  months preceding the date the business receives the request; and
               (2)  be made in writing and delivered to the consumer:
                     (A)  by mail or electronically, at the consumer's
  option, if the consumer does not have an account with the business;
  or
                     (B)  through the consumer's account with the
  business.
         (d)  An electronic disclosure under Subsection (c) must be in
  a readily accessible format that allows the consumer to
  electronically transmit the information to another person or
  entity.
         (e)  A business is not required to make the disclosure
  required by Subsection (a) to the same consumer more than twice in a
  12-month period.
         (f)  Notwithstanding Subsection (a), if a consumer's
  verifiable consumer request is manifestly baseless or excessive, in
  particular because of repetitiveness, a business may charge a
  reasonable fee after taking into account the administrative costs
  of compliance or refusal to comply with the request. The business
  has the burden of demonstrating that a request is manifestly
  baseless or excessive.
         (g)  A business that does not comply with a consumer's
  verifiable consumer request under Subsection (a) shall notify the
  consumer, within the time the business is required to respond to a
  request under this section, of the reasons for the refusal and the
  rights the consumer may have to appeal that decision.
         Sec. 541.106.  DEIDENTIFIED INFORMATION. (a) A business
  that uses deidentified information may not reidentify or attempt to
  reidentify a consumer who is the subject of deidentified
  information without obtaining the consumer's consent or
  authorization.
         (b)  A business that uses deidentified information shall
  implement:
               (1)  technical safeguards and business processes to
  prohibit reidentification of the consumer to whom the information
  may pertain; and
               (2)  business processes to prevent inadvertent release
  of deidentified information.
         (c)  This chapter may not be construed to require a business
  to reidentify or otherwise link information that is not maintained
  in a manner that would be considered personal information.
         Sec. 541.107.  DISCRIMINATION PROHIBITED. (a) A business may
  not discriminate against a consumer because the consumer exercised
  a right under this chapter, including by:
               (1)  denying a good or service to the consumer;
               (2)  charging the consumer a different price or rate
  for a good or service, including denying the use of a discount or
  other benefit or imposing a penalty;
               (3)  providing a different level or quality of a good or
  service to the consumer; or
               (4)  suggesting that the consumer will be charged a
  different price or rate for, or provided a different level or
  quality of, a good or service.
         (b)  This section does not prohibit a business from offering
  or charging a consumer a different price or rate for a good or
  service, or offering or providing to the consumer a different level
  or quality of a good or service, if the difference is reasonably
  related to the value provided to the consumer by the consumer's
  data.
         Sec. 541.108.  FINANCIAL INCENTIVES. (a) Subject to
  Subsection (b), a business may offer a financial incentive to a
  consumer, including a payment as compensation, for the collection,
  sale, or disclosure of the consumer's personal information.
         (b)  A business may enroll a customer in a financial
  incentive program only if the business provides to the consumer a
  clear description of the material terms of the program and obtains
  the consumer's prior opt-in consent, which:
               (1)  contains a clear description of those material
  terms; and
               (2)  may be revoked by the consumer at any time.
         (c)  A business may not use financial incentive practices
  that are unjust, unreasonable, coercive, or usurious in nature.
         Sec. 541.109.  CERTAIN ACTIONS TO AVOID REQUIREMENTS
  PROHIBITED. (a) A business may not divide a single transaction into
  more than one transaction with the intent to avoid the requirements
  of this chapter.
         (b)  For purposes of this chapter, two or more substantially
  similar or related transactions are considered a single transaction
  if the transactions:
               (1)  are entered into contemporaneously; and
               (2)  have at least one common party.
         (c)  A court shall disregard any intermediate transactions
  conducted by a business with the intent to avoid the requirements of
  this chapter, including the disclosure of information by a business
  to a third party to avoid complying with the requirements under this
  chapter applicable to a sale of the information.
         Sec. 541.110.  INFORMATION REQUIRED. A business shall
  ensure that each person responsible for handling consumer inquiries
  about the business's privacy practices or compliance with this
  chapter is informed of the requirements of this chapter and of how
  to direct a consumer in exercising any of the rights to which a
  consumer is entitled under this chapter.
  SUBCHAPTER D. REMEDIES
         Sec. 541.151.  CIVIL PENALTY; INJUNCTION. (a) A person who
  violates this chapter is liable to this state for a civil penalty in
  an amount not to exceed:
               (1)  $2,500 for each violation; or
               (2)  $7,500 for each violation, if the violation is
  intentional.
         (b)  If it appears to the attorney general that a person is
  engaging in, has engaged in, or is about to engage in conduct that
  violates this chapter, the attorney general may give notice to the
  person of the alleged violation. If the person fails to cure the
  alleged violation before the 30th day after the date notice is
  given, the attorney general may bring an action in the name of the
  state against the person to restrain the violation by a temporary
  restraining order or by a permanent or temporary injunction or to
  recover the civil penalty imposed under this section, or both.
         (c)  The attorney general is entitled to recover reasonable
  expenses, including reasonable attorney's fees, court costs, and
  investigatory costs, incurred in obtaining injunctive relief or
  civil penalties, or both, under this section. Amounts collected
  under this section shall be deposited in a dedicated account in the
  general revenue fund and may be appropriated only for the purposes
  of the administration and enforcement of this chapter.
         Sec. 541.152.  BUSINESS IMMUNITY FROM LIABILITY. A business
  that discloses to a third party, or discloses for a business purpose
  to a service provider, a consumer's personal information in
  compliance with this chapter may not be held liable for a violation
  of this chapter by the third party or service provider if the
  business does not have actual knowledge or a reasonable belief that
  the third party or service provider intends to violate this
  chapter.
         Sec. 541.153.  SERVICE PROVIDER IMMUNITY FROM LIABILITY. A
  business's service provider may not be held liable for a violation
  of this chapter by the business.
         SECTION 2.  This Act takes effect September 1, 2020.