BILL ANALYSIS

Senate Research Center
S.B. 2105
88R9015 JES-F
By: Johnson
Business & Commerce
4/14/2023
As Filed

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

Data brokers are key players in collecting and selling personal data to third parties. These third parties can be companies looking to advertise their businesses or any person interested in information about someone and willing to pay for it. Data brokers take advantage of the lack of adequate data privacy safeguards enshrined in both federal and state law, which puts vulnerable populations, such as survivors of domestic violence, victims of human trafficking, youths, and older adults, at risk for fraud and abuse.

S.B. 2105 creates a comprehensive framework in the Texas Business and Commerce Code to regulate data brokers and empower Texans to control the collection and sale of their personal information to these entities.

First, S.B. 2105 would require data brokers in the state of Texas to register annually with the Secretary of State.

Second, in their application to register, data brokers would have to provide a notice on all online platforms used to operate their business, containing who they are, the type of data they collect, and other categories designated by the secretary of state.

Third, the secretary of state will set up and maintain a "Do Not Collect" registry that allows individuals to have their data deleted, which would then require data brokers to cease collecting, processing, and transferring that data.

Lastly, the bill also creates civil penalties for data brokers that fail to comply with the law.

As proposed, S.B. 2105 amends current law relating to the regulation of third-party data collection entities, provides a civil penalty, and authorizes a fee.

RULEMAKING AUTHORITY

Rulemaking authority is expressly granted to the secretary of state in SECTION 1 (Section 509.009, Business and Commerce Code) of this bill.

SECTION BY SECTION ANALYSIS

SECTION 1. Amends Subtitle A, Title 11, Business and Commerce Code, by adding Chapter 509, as follows:

CHAPTER 509. THIRD-PARTY DATA COLLECTION

Sec. 509.001. DEFINITIONS. Defines "biometric identifier," "child," "collect," "covered data," "deidentified data," "employee," "employee data," "genetic data," "personal identifying information," "precise geolocation data," "process," "publicly available information," "sensitive covered data," "service provider," "third-party data collection entity," and "transfer."

Sec. 509.002. APPLICABILITY TO CERTAIN DATA. (a) Provides that this chapter, except as provided by Subsection (b), applies to personal identifying information from an individual who resides in this state that is collected, transferred, or processed by a third-party data collection entity.

(b) Provides that this chapter does not apply to the following data:

(1) deidentified data, if the third-party data collection entity:

(A) takes reasonable technical measures to ensure that the data is not able to be used to identify an individual with whom the data is associated;

(B) publicly commits in a clear and conspicuous manner:

(i) to process and transfer the data solely in a deidentified form without any reasonable means for reidentification; and

(ii) to not attempt to identify the information to an individual with whom the data is associated; and

(C) contractually obligates a person that receives the information from the provider:

(i) to comply with this subsection with respect to the information; and

(ii) to require that those contractual obligations be included in any subsequent transfer of the data to another person;

(2) employee data;

(3) publicly available information; or

(4) inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.

Sec. 509.003. APPLICABILITY OF CHAPTER TO CERTAIN BUSINESS ENTITIES. (a) Provides that this chapter, except as provided by Subsection (b), applies to a third-party data collection entity, which is a business entity that, in a 12-month period, derives:

(1) more than 50 percent of the entity's revenue from processing or transferring covered data that the entity did not collect directly from the individuals to whom the data pertains; or

(2) revenue from processing or transferring the covered data of more than 50,000 individuals that the entity did not collect directly from the individuals to whom the data pertains.

(b) Provides that this chapter does not apply to:

(1) a business entity that:

(A) is engaging in the business of processing employee data for a third party for the sole purpose of providing benefits to the third party's employees; or

(B) is collecting covered data from another entity to which the entity is related by common ownership or corporate control if a reasonable consumer would expect the entities to share the relevant data;

(2) a business entity that is a service provider with respect to the entity's use of covered data;

(3) a governmental entity or an entity that is collecting, processing, or transferring covered data as a service provider for a governmental entity; or

(4) an entity that serves as a congressionally designated nonprofit, national resource center, or clearinghouse to provide assistance to victims, families, child-serving professionals, and the general public on missing and exploited children issues.

Sec. 509.004. NOTICE ON WEBSITE OR MOBILE APPLICATION. Requires a third-party data collection entity that maintains an Internet website or mobile application to post a conspicuous notice on the website or application that:

(1) states that the entity maintaining the website or application is a third-party data collection entity;

(2) must be clear, not misleading, and be readily accessible by the general public, including individuals with a disability;

(3) contains language provided by rule of the secretary of state (SOS) for inclusion in the notice; and

(4) provides a link to the "do not collect" online registry established under Section 509.006.

Sec. 509.005. REGISTRATION. (a) Requires a third-party data collection entity to which this chapter applies that collects, processes, or transfers the covered data of individuals residing in this state, in order to conduct business in this state, to register with SOS by filing a registration statement and paying a registration fee of $300.

(b) Requires that the registration statement include:

(1) the legal name of the third-party data collection entity;

(2) a contact person and the primary physical address, e-mail address, telephone number, and Internet website address for the entity;

(3) a description of the categories of data the entity processes and transfers;

(4) a statement of whether or not the entity implements a purchaser credentialing process that includes taking reasonable steps to confirm that:

(A) the actual identity of the entity's customer and the customer's use of the data matches the identity and intended use provided to the entity by the customer; and

(B) the entity's customers will not use the data for a nefarious purpose;

(5) if the entity has actual knowledge that the entity possesses personal identifying information of a child:

(A) a statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the personal identifying information of a child; and

(B) a statement on how the entity complies with applicable federal and state law regarding the collection, use, or disclosure of personal identifying information from and about a child on the Internet;

(6) the number of security breaches the entity has experienced during the year immediately preceding the year in which the registration is filed, and if known, the total number of consumers affected by each breach;

(7) any litigation or unresolved complaints related to the operation of the entity; and

(8) any Internet website link the entity provides to allow individuals to easily access the "do not collect" online registry established under Section 509.006.

(c) Authorizes a registration of a third-party data collection entity to include any additional information or explanation the third-party data collection entity chooses to provide to SOS concerning the entity's data collection practices.

(d) Provides that a registration certificate expires on the first anniversary of its date of issuance. Authorizes a third-party data collection entity to renew a registration certificate by filing a renewal application, in the form prescribed by SOS, and paying a renewal fee in the amount of $300.

Sec. 509.006. REGISTRY OF THIRD-PARTY COLLECTING ENTITIES; DO NOT COLLECT REQUESTS. (a) Requires SOS to establish and maintain, on its Internet website, a searchable, central registry of third-party data collection entities registered under Section 509.005.

(b) Requires that the registry include:

(1) a search feature that allows a person searching the registry to identify a specific third-party data collection entity;

(2) for each third-party data collection entity, the information filed under Section 509.005(b); and

(3) a link and mechanism by which individuals are authorized to submit do not collect requests to third-party collection entities, other than consumer reporting agencies, as provided by Subsection (c).

(c) Requires SOS to ensure that under the mechanism described by Subsection (b) an individual has the capability to easily submit a single request requiring all registered third-party data collection entities to:

(1) delete, not later than the 30th day after receiving the request, all covered data related to the requesting individual that is in their possession and was not collected from the individual directly; and

(2) cease collecting, processing, or transferring covered data related to the requesting individual, unless the entity receives the individual's affirmative express consent to continue to collect, process, or transfer data, as applicable, in accordance with Subsection (e).

(d) Authorizes a third-party data collection entity, notwithstanding Subsection (c), to decline to comply with a request under that subsection if the entity:

(1) knows that the individual has been convicted of a crime related to the abduction or sexual exploitation of a child, and that the data the entity is collecting is necessary to effectuate the purposes of a federal or state sex offender registry or of an entity described by Section 509.003(b)(4); or

(2) is a consumer reporting agency governed by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.).

(e) Provides that an individual is considered to have given the individual's affirmative express consent, for purposes of Subsection (c)(2), if the individual, by an affirmative act, clearly communicates the individual's specific and unambiguous authorization for the act or practice in response to a specific request by a third-party data collection entity that:

(1) is provided to the individual in a clear, conspicuous, and separate disclosure presented through:

(A) the primary medium by which the entity offers its products or services; or

(B) another medium regularly used in conjunction with the entity's products or services;

(2) includes a description of the processing purpose for which the individual's consent is sought, that:

(A) clearly states the specific categories of personal identifying information the business will collect, process, or transfer for that purpose;

(B) includes a prominent heading; and

(C) is written in easily understood language intended to enable a reasonable individual to identify and understand the processing purpose for which consent is sought;

(3) explains the individual's right to give and revoke consent under this section;

(4) is made in a manner reasonably accessible to and usable by an individual with a disability;

(5) is made available in each language in which the business provides a product or service for which consent is sought;

(6) presents the option to refuse consent at least as prominently as the option to accept; and

(7) ensures that refusing consent takes not more than the same number of steps to complete as the option to accept consent.

(f) Requires a third-party data collection entity, if the processing purpose disclosed to an individual in a request made under Subsection (e) changes, to request and receive a new consent that meets the requirements of that subsection before the entity is able to collect, transfer, or process any further information pursuant to that consent.

(g) Provides that an individual's inaction or continued use of a service or product provided by a third-party data collection entity does not constitute an individual's affirmative express consent for purposes of Subsection (e).

(h) Prohibits a third-party data collection entity from obtaining or attempting to obtain an individual's affirmative express consent under Subsection (b) through:

(1) the use of a false, fraudulent, or materially misleading statement or representation; or

(2) the design, modification, or manipulation of a user interface to impair a reasonable individual's autonomy to consent or to withhold certain personal identifying information.

Sec. 509.007. CIVIL PENALTY. (a) Provides that a third-party data collection entity that violates Section 509.004, 509.005, or 509.006 is liable to this state for a civil penalty as prescribed by this section.

(b) Provides that a civil penalty imposed against a third-party data collection entity under this section:

(1) subject to Subdivision (2), is prohibited from being in an amount less than the total of:

(A) $100 for each day the entity is in violation of Section 509.004 or 509.005; and

(B) the amount of unpaid registration fees for each year the entity failed to register in violation of Section 509.005; and

(2) is prohibited from exceeding $10,000 assessed against the same entity in a 12-month period.

(c) Authorizes the attorney general to bring an action to recover a civil penalty imposed under this section. Authorizes the attorney general to recover reasonable attorney's fees and court costs incurred in bringing the action.

Sec. 509.008. DECEPTIVE TRADE PRACTICE. Provides that a violation of this chapter constitutes a deceptive trade practice in addition to the practices described by Subchapter E (Deceptive Trade Practices and Consumer Protection), Chapter 17, and is actionable under that subchapter.

Sec. 509.009. RULES. Requires SOS to adopt rules as necessary to implement this chapter.

SECTION 2. Requires SOS, not later than December 1, 2023, to adopt rules necessary to facilitate registration by a third-party data collection entity under Section 509.005, Business and Commerce Code, as added by this Act.

SECTION 3. Makes application of Chapter 509, Business and Commerce Code, as added by this Act, prospective.

SECTION 4. Effective date: September 1, 2023.