Bill Text: TX SB2105 | 2023-2024 | 88th Legislature | Enrolled
Bill Title: Relating to the registration of and certain other requirements relating to data brokers; providing a civil penalty and authorizing a fee.
Spectrum: Bipartisan Bill
Status: (Passed) 2023-06-18 - Effective on 9/1/23 [SB2105 Detail]
Download: Texas-2023-SB2105-Enrolled.html
S.B. No. 2105 |
|
||
relating to the registration of and certain other requirements | ||
relating to data brokers; providing a civil penalty and authorizing | ||
a fee. | ||
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
SECTION 1. Subtitle A, Title 11, Business & Commerce Code, | ||
is amended by adding Chapter 509 to read as follows: | ||
CHAPTER 509. DATA BROKERS | ||
Sec. 509.001. DEFINITIONS. In this chapter: | ||
(1) "Biometric data" means data generated by automatic | ||
measurements of an individual's biological patterns or | ||
characteristics, including fingerprint, voiceprint, retina or iris | ||
scan, information pertaining to an individual's DNA, or another | ||
unique biological pattern or characteristic that is used to | ||
identify a specific individual. | ||
(2) "Child" means an individual younger than 13 years | ||
of age. | ||
(3) "Collect," in the context of data, means to | ||
obtain, receive, access, or otherwise acquire the data by any | ||
means, including by purchasing or renting the data. | ||
(4) "Data broker" means a business entity whose | ||
principal source of revenue is derived from the collecting, | ||
processing, or transferring of personal data that the entity did | ||
not collect directly from the individual linked or linkable to the | ||
data. | ||
(5) "Deidentified data" means data that cannot | ||
reasonably be linked to an identified or identifiable individual or | ||
to a device linked to that individual. | ||
(6) "Employee" includes an individual who is a | ||
director, officer, staff member, trainee, volunteer, or intern of | ||
an employer or an individual working as an independent contractor | ||
for an employer, regardless of whether the individual is paid, | ||
unpaid, or employed on a temporary basis. The term does not include | ||
an individual contractor who is a service provider. | ||
(7) "Employee data" means information collected, | ||
processed, or transferred by an employer if the information: | ||
(A) is related to: | ||
(i) a job applicant and was collected | ||
during the course of the hiring and application process; | ||
(ii) an employee who is acting in a | ||
professional capacity for the employer, including the employee's | ||
business contact information such as the employee's name, position, | ||
title, business telephone number, business address, or business | ||
e-mail address; | ||
(iii) an employee's emergency contact | ||
information; or | ||
(iv) an employee or the employee's spouse, | ||
dependent, covered family member, or beneficiary; and | ||
(B) was collected, processed, or transferred | ||
solely for: | ||
(i) a purpose relating to the status of a | ||
person described by Paragraph (A)(i) as a current or former job | ||
applicant of the employer; | ||
(ii) a purpose relating to the professional | ||
activities of an employee described by Paragraph (A)(ii) on behalf | ||
of the employer; | ||
(iii) the purpose of having an emergency | ||
contact on file for an employee described by Paragraph (A)(iii) and | ||
for transferring the information in case of an emergency; and | ||
(iv) the purpose of administering benefits | ||
to which an employee described by Paragraph (A)(iv) is entitled or | ||
to which another person described by that paragraph is entitled on | ||
the basis of the employee's position with the employer. | ||
(8) "Genetic data" means any data, regardless of | ||
format, concerning an individual's genetic characteristics. The | ||
term includes: | ||
(A) raw sequence data derived from sequencing all | ||
or a portion of an individual's extracted DNA; and | ||
(B) genotypic and phenotypic information | ||
obtained from analyzing an individual's raw sequence data. | ||
(9) "Individual" means a natural person residing in | ||
this state. | ||
(10) "Known child" means a child under circumstances | ||
where a data broker has actual knowledge of, or wilfully disregards | ||
obtaining actual knowledge of, the child's age. | ||
(11) "Personal data" means any information, including | ||
sensitive data, that is linked or reasonably linkable to an | ||
identified or identifiable individual. The term includes | ||
pseudonymous data when the information is used by a controller or | ||
processor in conjunction with additional information that | ||
reasonably links the information to an identified or identifiable | ||
individual. The term does not include deidentified data, employee | ||
data, or publicly available information. | ||
(12) "Precise geolocation data" means information | ||
accessed on a device or technology that shows the past or present | ||
physical location of an individual or the individual's device with | ||
sufficient precision to identify street-level location information | ||
of the individual or device in a range of not more than 1,850 feet. | ||
The term does not include location information regarding an | ||
individual or device identifiable or derived solely from the visual | ||
content of a legally obtained image, including the location of a | ||
device that captured the image. | ||
(13) "Process," in the context of data, means an | ||
operation or set of operations performed, whether by manual or | ||
automated means, on personal data or on sets of personal data, such | ||
as the collection, use, storage, disclosure, analysis, deletion, or | ||
modification of personal data. | ||
(14) "Publicly available information" means | ||
information that: | ||
(A) is lawfully made available through | ||
government records; | ||
(B) a business has a reasonable basis to believe | ||
is lawfully available to the general public through widely | ||
distributed media; or | ||
(C) is lawfully made available by a consumer, or | ||
by a person to whom a consumer has disclosed the information, unless | ||
the consumer has restricted access to the information to a specific | ||
audience. | ||
(15) "Sensitive data" means: | ||
(A) a government-issued identifier not required | ||
by law to be available publicly, including: | ||
(i) a social security number; | ||
(ii) a passport number; or | ||
(iii) a driver's license number; | ||
(B) information that describes or reveals an | ||
individual's mental or physical health diagnosis, condition, or | ||
treatment; | ||
(C) an individual's financial information, | ||
except the last four digits of a debit or credit card number, | ||
including: | ||
(i) a financial account number; | ||
(ii) a credit or debit card number; or | ||
(iii) information that describes or reveals | ||
the income level or bank account balances of the individual; | ||
(D) biometric data; | ||
(E) genetic data; | ||
(F) precise geolocation data; | ||
(G) an individual's private communication that: | ||
(i) if made using a device, is not made | ||
using a device provided by the individual's employer that provides | ||
conspicuous notice to the individual that the employer may access | ||
communication made using the device; and | ||
(ii) includes, unless the data broker is | ||
the sender or an intended recipient of the communication: | ||
(a) the individual's voicemails, | ||
e-mails, texts, direct messages, or mail; | ||
(b) information that identifies the | ||
parties involved in the communications; and | ||
(c) information that relates to the | ||
transmission of the communications, including telephone numbers | ||
called, telephone numbers from which calls were placed, the time | ||
calls were made, call duration, and location information of the | ||
parties to the call; | ||
(H) a log-in credential, security code, or access | ||
code for an account or device; | ||
(I) information identifying the sexual behavior | ||
of the individual in a manner inconsistent with the individual's | ||
reasonable expectation regarding the collection, processing, or | ||
transfer of the information; | ||
(J) calendar information, address book | ||
information, phone or text logs, photos, audio recordings, or | ||
videos: | ||
(i) maintained for private use by an | ||
individual and stored on the individual's device or in another | ||
location; and | ||
(ii) not communicated using a device | ||
provided by the individual's employer unless the employee was | ||
provided conspicuous notice that the employer may access | ||
communication made using the device; | ||
(K) a photograph, film, video recording, or other | ||
similar medium that shows the individual or a part of the individual | ||
nude or wearing undergarments; | ||
(L) information revealing the video content | ||
requested or selected by an individual that is not: | ||
(i) collected by a provider of broadcast | ||
television service, cable service, satellite service, streaming | ||
media service, or other video programming, as that term is defined | ||
by 47 U.S.C. Section 613(h)(2); or | ||
(ii) used solely for transfers for | ||
independent video measurement; | ||
(M) information regarding a known child; | ||
(N) information revealing an individual's racial | ||
or ethnic origin, color, religious beliefs, or union membership; | ||
(O) information identifying an individual's | ||
online activities over time accessing multiple Internet websites or | ||
online services; or | ||
(P) information collected, processed, or | ||
transferred for the purpose of identifying information described by | ||
this subdivision. | ||
(16) "Service provider" means a person that receives, | ||
collects, processes, or transfers personal data on behalf of, and | ||
at the direction of, a business or governmental entity, including a | ||
business or governmental entity that is another service provider, | ||
in order for the person to perform a service or function with or on | ||
behalf of the business or governmental entity. | ||
(17) "Transfer," in the context of data, means to | ||
disclose, release, share, disseminate, make available, sell, or | ||
license the data by any means or medium. | ||
Sec. 509.002. APPLICABILITY TO CERTAIN DATA. (a) Except as | ||
provided by Subsection (b), this chapter applies to personal data | ||
from an individual that is collected, transferred, or processed by | ||
a data broker. | ||
(b) This chapter does not apply to the following data: | ||
(1) deidentified data, if the data broker: | ||
(A) takes reasonable technical measures to | ||
ensure that the data is not able to be used to identify an | ||
individual with whom the data is associated; | ||
(B) publicly commits in a clear and conspicuous | ||
manner: | ||
(i) to process and transfer the data solely | ||
in a deidentified form without any reasonable means for | ||
reidentification; and | ||
(ii) to not attempt to identify the | ||
information to an individual with whom the data is associated; and | ||
(C) contractually obligates a person that | ||
receives the information from the provider: | ||
(i) to comply with this subsection with | ||
respect to the information; and | ||
(ii) to require that those contractual | ||
obligations be included in any subsequent transfer of the data to | ||
another person; | ||
(2) employee data; | ||
(3) publicly available information; | ||
(4) inferences made exclusively from multiple | ||
independent sources of publicly available information that do not | ||
reveal sensitive data with respect to an individual; or | ||
(5) data subject to Title V, Gramm-Leach-Bliley Act | ||
(15 U.S.C. Section 6801 et seq.). | ||
Sec. 509.003. APPLICABILITY OF CHAPTER TO CERTAIN ENTITIES. | ||
(a) Except as provided by Subsection (b), this chapter applies only | ||
to a data broker that, in a 12-month period, derives: | ||
(1) more than 50 percent of the data broker's revenue | ||
from processing or transferring personal data that the data broker | ||
did not collect directly from the individuals to whom the data | ||
pertains; or | ||
(2) revenue from processing or transferring the | ||
personal data of more than 50,000 individuals that the data broker | ||
did not collect directly from the individuals to whom the data | ||
pertains. | ||
(b) This chapter does not apply to: | ||
(1) a service provider, including a service provider | ||
that engages in the business of processing employee data for a | ||
third-party employer for the sole purpose of providing benefits to | ||
the third-party employer's employees; | ||
(2) a person or entity that collects personal data | ||
from another person or entity to which the person or entity is | ||
related by common ownership or corporate control, provided a | ||
reasonable consumer would expect the persons or entities to share | ||
data; | ||
(3) a federal, state, tribal, territorial, or local | ||
governmental entity, including a body, authority, board, bureau, | ||
commission, district, agency, or political subdivision of a | ||
governmental entity; | ||
(4) an entity that serves as a congressionally | ||
designated nonprofit, national resource center, or clearinghouse | ||
to provide assistance to victims, families, child-serving | ||
professionals, and the general public on missing and exploited | ||
children issues; | ||
(5) a consumer reporting agency or other person or | ||
entity that furnishes information for inclusion in a consumer | ||
credit report or obtains a consumer credit report, but only to the | ||
extent the person or entity engages in activity regulated or | ||
authorized by the Fair Credit Reporting Act (15 U.S.C. Section 1681 | ||
et seq.), including the collection, maintenance, disclosure, sale, | ||
communication, or use of any personal information bearing on a | ||
consumer's creditworthiness, credit standing, credit capacity, | ||
character, general reputation, personal characteristics, or mode | ||
of living; or | ||
(6) a financial institution subject to Title V, | ||
Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.). | ||
Sec. 509.004. NOTICE ON WEBSITE OR MOBILE APPLICATION. A | ||
data broker that maintains an Internet website or mobile | ||
application shall post a conspicuous notice on the website or | ||
application that: | ||
(1) states that the entity maintaining the website or | ||
application is a data broker; | ||
(2) is clear, not misleading, and readily accessible | ||
by the general public, including individuals with a disability; and | ||
(3) contains language provided by rule of the | ||
secretary of state for inclusion in the notice. | ||
Sec. 509.005. REGISTRATION. (a) To conduct business in | ||
this state, a data broker to which this chapter applies shall | ||
register with the secretary of state by filing a registration | ||
statement and paying a registration fee of $300. | ||
(b) The registration statement must include: | ||
(1) the legal name of the data broker; | ||
(2) a contact person and the primary physical address, | ||
e-mail address, telephone number, and Internet website address for | ||
the data broker; | ||
(3) a description of the categories of data the data | ||
broker processes and transfers; | ||
(4) a statement of whether or not the data broker | ||
implements a purchaser credentialing process; | ||
(5) if the data broker has actual knowledge that the | ||
data broker possesses personal data of a known child: | ||
(A) a statement detailing the data collection | ||
practices, databases, sales activities, and opt-out policies that | ||
are applicable to the personal data of a known child; and | ||
(B) a statement on how the data broker complies | ||
with applicable federal and state law regarding the collection, | ||
use, or disclosure of personal data from and about a child on the | ||
Internet; and | ||
(6) the number of security breaches the data broker | ||
has experienced during the year immediately preceding the year in | ||
which the registration is filed, and if known, the total number of | ||
consumers affected by each breach. | ||
(c) A registration of a data broker may include any | ||
additional information or explanation the data broker chooses to | ||
provide to the secretary of state concerning the data broker's data | ||
collection practices. | ||
(d) A registration certificate expires on the first | ||
anniversary of its date of issuance. A data broker may renew a | ||
registration certificate by filing a renewal application, in the | ||
form prescribed by the secretary of state, and paying a renewal fee | ||
in the amount of $300. | ||
Sec. 509.006. REGISTRY OF DATA BROKERS. (a) The secretary | ||
of state shall establish and maintain, on its Internet website, a | ||
searchable, central registry of data brokers registered under | ||
Section 509.005. | ||
(b) The registry must include: | ||
(1) a search feature that allows a person searching | ||
the registry to identify a specific data broker; and | ||
(2) for each data broker, the information filed under | ||
Section 509.005(b). | ||
Sec. 509.007. PROTECTION OF PERSONAL DATA: COMPREHENSIVE | ||
INFORMATION SECURITY PROGRAM. (a) A data broker conducting | ||
business in this state has a duty to protect personal data held by | ||
that data broker as provided by this section. | ||
(b) A data broker shall develop, implement, and maintain a | ||
comprehensive information security program that is written in one | ||
or more readily accessible parts and contains administrative, | ||
technical, and physical safeguards that are appropriate for: | ||
(1) the data broker's size, scope, and type of | ||
business; | ||
(2) the amount of resources available to the data | ||
broker; | ||
(3) the amount of data stored by the data broker; and | ||
(4) the need for security and confidentiality of | ||
personal data stored by the data broker. | ||
(c) The comprehensive information security program required | ||
by this section must: | ||
(1) incorporate safeguards that are consistent with | ||
the safeguards for protection of personal data and information of a | ||
similar character under state or federal laws and regulations | ||
applicable to the data broker; | ||
(2) include the designation of one or more employees | ||
of the data broker to maintain the program; | ||
(3) require the identification and assessment of | ||
reasonably foreseeable internal and external risks to the security, | ||
confidentiality, and integrity of any electronic, paper, or other | ||
record containing personal data, and the establishment of a process | ||
for evaluating and improving, as necessary, the effectiveness of | ||
the current safeguards for limiting those risks, including by: | ||
(A) requiring ongoing employee and contractor | ||
education and training, including education and training for | ||
temporary employees and contractors of the data broker, on the | ||
proper use of security procedures and protocols and the importance | ||
of personal data security; | ||
(B) mandating employee compliance with policies | ||
and procedures established under the program; and | ||
(C) providing a means for detecting and | ||
preventing security system failures; | ||
(4) include security policies for the data broker's | ||
employees relating to the storage, access, and transportation of | ||
records containing personal data outside of the broker's physical | ||
business premises; | ||
(5) provide disciplinary measures for violations of a | ||
policy or procedure established under the program; | ||
(6) include measures for preventing a terminated | ||
employee from accessing records containing personal data; | ||
(7) provide policies for the supervision of | ||
third-party service providers that include: | ||
(A) taking reasonable steps to select and retain | ||
third-party service providers that are capable of maintaining | ||
appropriate security measures to protect personal data consistent | ||
with applicable law; and | ||
(B) requiring third-party service providers by | ||
contract to implement and maintain appropriate security measures | ||
for personal data; | ||
(8) provide reasonable restrictions on physical | ||
access to records containing personal data, including by requiring | ||
the records containing the data to be stored in a locked facility, | ||
storage area, or container; | ||
(9) include regular monitoring to ensure that the | ||
program is operating in a manner reasonably calculated to prevent | ||
unauthorized access to or unauthorized use of personal data and, as | ||
necessary, upgrading information safeguards to limit the risk of | ||
unauthorized access to or unauthorized use of personal data; | ||
(10) require the regular review of the scope of the | ||
program's security measures that must occur: | ||
(A) at least annually; and | ||
(B) whenever there is a material change in the | ||
data broker's business practices that may reasonably affect the | ||
security or integrity of records containing personal data; | ||
(11) require the documentation of responsive actions | ||
taken in connection with any incident involving a breach of | ||
security, including a mandatory post-incident review of each event | ||
and the actions taken, if any, to make changes in business practices | ||
relating to protection of personal data in response to that event; | ||
and | ||
(12) to the extent technically feasible, include the | ||
following procedures and protocols with respect to computer system | ||
security requirements or procedures and protocols providing a | ||
higher degree of security, for the protection of personal data: | ||
(A) the use of secure user authentication | ||
protocols that include each of the following features: | ||
(i) controlling user log-in credentials and | ||
other identifiers; | ||
(ii) using a reasonably secure method of | ||
assigning and selecting passwords or using unique identifier | ||
technologies, which may include biometrics or token devices; | ||
(iii) controlling data security passwords | ||
to ensure that the passwords are kept in a location and format that | ||
do not compromise the security of the data the passwords protect; | ||
(iv) restricting access to only active | ||
users and active user accounts; and | ||
(v) blocking access to user credentials or | ||
identification after multiple unsuccessful attempts to gain | ||
access; | ||
(B) the use of secure access control measures | ||
that include: | ||
(i) restricting access to records and files | ||
containing personal data to only employees or contractors who need | ||
access to that personal data to perform the job duties of the | ||
employees or contractors; and | ||
(ii) assigning to each employee or | ||
contractor with access to a computer containing personal data | ||
unique identification and a password, which may not be a | ||
vendor-supplied default password, or using another protocol | ||
reasonably designed to maintain the integrity of the security of | ||
the access controls to personal data; | ||
(C) encryption of: | ||
(i) transmitted records and files | ||
containing personal data that will travel across public networks; | ||
and | ||
(ii) data containing personal data that is | ||
transmitted wirelessly; | ||
(D) reasonable monitoring of systems for | ||
unauthorized use of or access to personal data; | ||
(E) encryption of all personal data stored on | ||
laptop computers or other portable devices; | ||
(F) for files containing personal data on a | ||
system that is connected to the Internet, the use of reasonably | ||
current firewall protection and operating system security patches | ||
that are reasonably designed to maintain the integrity of the | ||
personal data; and | ||
(G) the use of: | ||
(i) a reasonably current version of system | ||
security agent software that must include malware protection and | ||
reasonably current patches and virus definitions; or | ||
(ii) a version of system security agent | ||
software that is supportable with current patches and virus | ||
definitions and is set to receive the most current security updates | ||
on a regular basis. | ||
Sec. 509.008. CIVIL PENALTY. (a) A data broker that | ||
violates Section 509.004 or 509.005 is liable to this state for a | ||
civil penalty as prescribed by this section. | ||
(b) A civil penalty imposed against a data broker under this | ||
section: | ||
(1) subject to Subdivision (2), may not be in an amount | ||
less than the total of: | ||
(A) $100 for each day the entity is in violation | ||
of Section 509.004 or 509.005; and | ||
(B) the amount of unpaid registration fees for | ||
each year the entity failed to register in violation of Section | ||
509.005; and | ||
(2) may not exceed $10,000 assessed against the same | ||
data broker in a 12-month period. | ||
(c) The attorney general may bring an action to recover a | ||
civil penalty imposed under this section. The attorney general may | ||
recover reasonable attorney's fees and court costs incurred in | ||
bringing the action. | ||
Sec. 509.009. DECEPTIVE TRADE PRACTICE. A violation of | ||
Section 509.007 by a data broker constitutes a deceptive trade | ||
practice in addition to the practices described by Subchapter E, | ||
Chapter 17, and is actionable under that subchapter. | ||
Sec. 509.010. RULES. The secretary of state shall adopt | ||
rules as necessary to implement this chapter. | ||
SECTION 2. Not later than December 1, 2023, the secretary of | ||
state shall adopt rules necessary to facilitate registration by a | ||
data broker under Section 509.005, Business & Commerce Code, as | ||
added by this Act, including by incorporating into the rules | ||
adequate time for a data broker to comply with Chapter 509, Business & | ||
Commerce Code, as added by this Act, following the adoption of the | ||
rules. | ||
SECTION 3. Chapter 509, Business & Commerce Code, as added | ||
by this Act, applies only to the collection, processing, or | ||
transfer of personal data by a data broker on or after December 1, | ||
2023. | ||
SECTION 4. This Act takes effect September 1, 2023. | ||
______________________________ | ______________________________ | |
President of the Senate | Speaker of the House | |
I hereby certify that S.B. No. 2105 passed the Senate on | ||
May 3, 2023, by the following vote: Yeas 29, Nays 2. | ||
______________________________ | ||
Secretary of the Senate | ||
I hereby certify that S.B. No. 2105 passed the House on | ||
May 24, 2023, by the following vote: Yeas 117, Nays 21, | ||
one present not voting. | ||
______________________________ | ||
Chief Clerk of the House | ||
Approved: | ||
______________________________ | ||
Date | ||
______________________________ | ||
Governor |