| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the authority of individuals over the personal |
|
|
identifying information collected, processed, or maintained about |
|
|
the individuals and certain others by certain businesses. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Title 11, Business & Commerce Code, is amended by |
|
|
adding Subtitle C to read as follows: |
|
|
SUBTITLE C. PERSONAL IDENTIFYING INFORMATION |
|
|
CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR |
|
|
COLLECTED BY CERTAIN BUSINESSES |
|
|
SUBCHAPTER A. GENERAL PROVISIONS |
|
|
Sec. 541.001. DEFINITIONS. In this chapter: |
|
|
(1) "Business" means a for-profit entity, including a |
|
|
sole proprietorship, partnership, limited liability company, |
|
|
corporation, association, or other legal entity that is organized |
|
|
or operated for the profit or financial benefit of the entity's |
|
|
shareholders or other owners. |
|
|
(2) "Personal identifying information" means a |
|
|
category of information relating to an identified or identifiable |
|
|
individual. The term does not include a specific category of |
|
|
personal identifying information that the attorney general exempts |
|
|
from this definition by rule. The term includes: |
|
|
(A) a social security number; |
|
|
(B) a driver's license number, passport number, |
|
|
military identification number, or any other similar number issued |
|
|
on a government document and used to verify an individual's |
|
|
identity; |
|
|
(C) a financial account number, credit or debit |
|
|
card number, or any security code, access code, or password that is |
|
|
necessary to permit access to an individual's financial account; |
|
|
(D) unique biometric information, including a |
|
|
fingerprint, voice print, retina or iris image, or any other unique |
|
|
physical representation; |
|
|
(E) physical or mental health information, |
|
|
including health care information; |
|
|
(F) the private communications or other |
|
|
user-created content of an individual that is not publicly |
|
|
available; |
|
|
(G) religious affiliation or practice |
|
|
information; |
|
|
(H) racial or ethnic origin information; |
|
|
(I) precise geolocation tracking data; and |
|
|
(J) unique genetic information. |
|
|
(3) "Processing" means any operation or set of |
|
|
operations that are performed on personal identifying information |
|
|
or on sets of personal identifying information, including the |
|
|
collection, creation, generation, recording, organization, |
|
|
structuring, storage, adaptation, alteration, retrieval, |
|
|
consultation, use, disclosure, transfer, or dissemination of the |
|
|
information or otherwise making the information available. |
|
|
(4) "Third party" means a person engaged by a business |
|
|
to process, on behalf of the business, personal identifying |
|
|
information collected by the business. |
|
|
Sec. 541.002. APPLICABILITY. (a) This chapter applies |
|
|
only to a business that: |
|
|
(1) does business in this state; |
|
|
(2) has more than 50 employees; |
|
|
(3) collects the personal identifying information of |
|
|
more than 5,000 individuals, households, or devices or has that |
|
|
information collected on the business's behalf; and |
|
|
(4) satisfies one or more of the following thresholds: |
|
|
(A) has annual gross revenue in an amount that |
|
|
exceeds $25 million; or |
|
|
(B) derives 50 percent or more of the business's |
|
|
annual revenue by processing personal identifying information. |
|
|
(b) Except as provided by Subsection (c), this chapter |
|
|
applies only to personal identifying information that is: |
|
|
(1) collected over the Internet or any other digital |
|
|
network or through a computing device that is associated with or |
|
|
routinely used by an end user; and |
|
|
(2) linked or reasonably linkable to a specific end |
|
|
user. |
|
|
(c) This chapter does not apply to personal identifying |
|
|
information that is: |
|
|
(1) collected solely for facilitating the |
|
|
transmission, routing, or connections by which digital personal |
|
|
identifying information and other data is transferred between or |
|
|
among businesses; or |
|
|
(2) transmitted to and from the individual to whom the |
|
|
personal identifying information relates if the collector of the |
|
|
information does not access, review, or modify the content of the |
|
|
information, or otherwise perform or conduct any analytical, |
|
|
algorithmic, or machine learning processes on the information. |
|
|
Sec. 541.003. EXEMPTIONS. This chapter does not apply to: |
|
|
(1) publicly available information; |
|
|
(2) protected health information governed by Chapter |
|
|
181, Health and Safety Code, or collected by a covered entity or a |
|
|
business associate of a covered entity, as those terms are defined |
|
|
by 45 C.F.R. Section 160.103, that is governed by the privacy, |
|
|
security, and breach notification rules in 45 C.F.R. Parts 160 and |
|
|
164 adopted by the United States Department of Health and Human |
|
|
Services under the Health Insurance Portability and Accountability |
|
|
Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American |
|
|
Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5); |
|
|
(3) personal identifying information collected by a |
|
|
consumer reporting agency, as defined by Section 20.01, if the |
|
|
information is to be: |
|
|
(A) reported in or used to generate a consumer |
|
|
report, as defined by Section 1681a(d) of the Fair Credit Reporting |
|
|
Act (15 U.S.C. Section 1681 et seq.); and |
|
|
(B) used solely for a purpose authorized under |
|
|
that Act; |
|
|
(4) personal identifying information processed in |
|
|
accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) |
|
|
and its implementing regulations; or |
|
|
(5) education information that is not publicly |
|
|
available personally identifiable information under the Family |
|
|
Educational Rights and Privacy Act of 1974 (20 U.S.C. Section |
|
|
1232g) (34 C.F.R. Part 99). |
|
|
Sec. 541.004. RULES. The attorney general shall adopt |
|
|
rules necessary to implement, administer, and enforce this chapter. |
|
|
SUBCHAPTER B. AUTHORITY OF INDIVIDUALS TO ACCESS AND DELETE CERTAIN |
|
|
INFORMATION |
|
|
Sec. 541.051. ACCESS TO INFORMATION; DATA PORTABILITY. (a) |
|
|
An individual is entitled to: |
|
|
(1) access and obtain personal identifying |
|
|
information related to the individual or someone for whom the |
|
|
individual is a legal representative or guardian that is collected |
|
|
by a business; and |
|
|
(2) at the option of the individual, transfer personal |
|
|
identifying information from one business to another business, |
|
|
including in connection with the sale of that information under a |
|
|
contract described by Subchapter C. |
|
|
(b) A business shall allow an individual to promptly and |
|
|
reasonably obtain: |
|
|
(1) confirmation of whether personal identifying |
|
|
information concerning the individual or someone for whom the |
|
|
individual is a legal representative or guardian is processed by |
|
|
the business; |
|
|
(2) a description of the categories of personal |
|
|
identifying information processed by the business; |
|
|
(3) an explanation in plain language of the specific |
|
|
types of personal identifying information collected by the |
|
|
business; |
|
|
(4) a description of the inferences the business has |
|
|
drawn about the individual or someone for whom the individual is a |
|
|
personal representative or guardian from the information collected |
|
|
by the business; and |
|
|
(5) access to the individual's personal identifying |
|
|
information, including in accordance with Subsection (c), a copy of |
|
|
the individual's personal identifying information in a portable and |
|
|
transferable format. |
|
|
(c) On request of an individual, a business shall without |
|
|
undue delay provide the individual with all personal identifying |
|
|
information collected by the business that relates to the |
|
|
individual or someone for whom the individual is a legal |
|
|
representative or guardian. The business shall provide the |
|
|
requested information to an individual under this section in a |
|
|
portable, readily usable format that may be transferred, including |
|
|
in connection with the sale of the information, by the individual to |
|
|
another business. |
|
|
Sec. 541.052. DELETION OF PERSONAL IDENTIFYING |
|
|
INFORMATION. (a) An individual is entitled to request that a |
|
|
business delete personal identifying information collected by the |
|
|
business that relates to that individual or someone for whom the |
|
|
individual is a legal representative or guardian. |
|
|
(b) If an individual who maintains an account with a |
|
|
business closes the account, the business shall: |
|
|
(1) stop processing the individual's personal |
|
|
identifying information on the date the individual closes the |
|
|
account; and |
|
|
(2) not later than the one-year anniversary of the |
|
|
date the account is closed, permanently delete the individual's |
|
|
personal identifying information unless retention of the |
|
|
information is required by other law or is necessary to comply with |
|
|
other law. |
|
|
(c) If an individual makes a request for a business to |
|
|
delete personal identifying information under this section, and |
|
|
that business has provided the personal identifying information to |
|
|
a third party, the business shall notify the third party of the |
|
|
individual's request. The third party shall delete the individual's |
|
|
personal identifying information not later than the one-year |
|
|
anniversary of the date the third party received the notification |
|
|
under this subsection. |
|
|
SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS |
|
|
Sec. 541.101. DEFINITION. In this subchapter, "data |
|
|
stream" means the continuous transmission of an individual's |
|
|
personal identifying information through online activity or with a |
|
|
device connected to the Internet that can be used by the business to |
|
|
provide for the monetization of the information, customer |
|
|
relationship management, or continuous identification of an |
|
|
individual for commercial purposes. |
|
|
Sec. 541.102. APPLICABILITY. This subchapter applies only |
|
|
to a contract between a business and an individual under which, as a |
|
|
term of the contract, the individual allows the business to |
|
|
collect, store, or use the individual's personal identifying |
|
|
information. |
|
|
Sec. 541.103. CONSIDERATION UNDER CONTRACT. (a) An |
|
|
individual may provide the individual's data stream or information |
|
|
obtained by the individual under Section 541.051 as consideration |
|
|
under a contract. |
|
|
(b) A business may provide consideration in the form of |
|
|
money or other incentive, including as an incentive to purchase |
|
|
goods or services, under a contract that is reasonably related to |
|
|
the value of the information or access offered by the individual |
|
|
under the contract. This subsection does not prohibit a business |
|
|
from differentiating the consideration offered to individuals |
|
|
based on information or access offered by individuals, including |
|
|
offering different individuals different prices or rates for goods |
|
|
or services or providing different levels of quality for goods or |
|
|
services based on the information and access offered by |
|
|
individuals. |
|
|
Sec. 541.104. CONTRACT REQUIREMENTS. (a) A contract |
|
|
subject to this subchapter: |
|
|
(1) must clearly state the terms, including the |
|
|
duration, of the contract; and |
|
|
(2) may not: |
|
|
(A) require that the individual exclusively |
|
|
contract with the business or otherwise restrict the individual's |
|
|
ability to sell the individual's personal identifying information; |
|
|
and |
|
|
(B) prevent the individual from receiving or |
|
|
considering alternative offers to purchase the individual's |
|
|
personal identifying information. |
|
|
(b) A contract provision that violates Subsection (a)(2) is |
|
|
void and unenforceable. |
|
|
SECTION 2. (a) Except as provided by Subsection (b) of this |
|
|
section, this Act takes effect September 1, 2023. |
|
|
(b) Section 541.052, Business & Commerce Code, as added by |
|
|
this Act, takes effect January 1, 2024. |