| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the privacy of personal identifying information; |
|
|
imposing a civil penalty. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Title 11, Business & Commerce Code, is amended by |
|
|
adding Subtitle C to read as follows: |
|
|
SUBTITLE C. PRIVACY OF PERSONAL IDENTIFYING INFORMATION |
|
|
CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED BY CERTAIN |
|
|
BUSINESSES |
|
|
SUBCHAPTER A. GENERAL PROVISIONS |
|
|
Sec. 541.001. SHORT TITLE. This chapter may be cited as the |
|
|
Texas Privacy Protection Act. |
|
|
Sec. 541.002. DEFINITIONS. In this chapter: |
|
|
(1) "Business" means a for-profit entity, including a |
|
|
sole proprietorship, partnership, limited liability company, |
|
|
corporation, association, or other legal entity that is organized |
|
|
or operated for the profit or financial benefit of the entity's |
|
|
shareholders or other owners. |
|
|
(2) "Collect" means: |
|
|
(A) buying, renting, gathering, obtaining, |
|
|
receiving, inferring, creating, or accessing any personal |
|
|
identifying information pertaining to an individual by any means; |
|
|
or |
|
|
(B) obtaining personal identifying information |
|
|
relating to an individual, actively or passively, or by observing |
|
|
the individual's behavior. |
|
|
(3) "Device" means any physical object capable of |
|
|
connecting to the Internet, directly or indirectly, or to another |
|
|
device and transmitting information. |
|
|
(4) "Personal identifying information" means a |
|
|
category of information relating to an identified or identifiable |
|
|
individual. The term does not include a specific category of |
|
|
personal identifying information that the attorney general exempts |
|
|
from this definition by rule. The term includes: |
|
|
(A) a social security number; |
|
|
(B) a driver's license number, passport number, |
|
|
military identification number, or any other similar number issued |
|
|
on a government document and used to verify an individual's |
|
|
identity; |
|
|
(C) a financial account number, credit or debit |
|
|
card number, or any security code, access code, or password that is |
|
|
necessary to permit access to an individual's financial account; |
|
|
(D) unique biometric information, including a |
|
|
fingerprint, voice print, retina or iris image, or any other unique |
|
|
physical representation; |
|
|
(E) physical or mental health information, |
|
|
including health care information; |
|
|
(F) the private communications or other |
|
|
user-created content of an individual that is not publicly |
|
|
available; |
|
|
(G) religious affiliation or practice |
|
|
information; |
|
|
(H) racial or ethnic origin information; |
|
|
(I) precise geolocation data; and |
|
|
(J) unique genetic information. |
|
|
(5) "Privacy risk" means potential adverse |
|
|
consequences to an individual or society at large arising from the |
|
|
processing of personal identifying information, including: |
|
|
(A) direct or indirect financial loss or economic |
|
|
harm; |
|
|
(B) physical harm; |
|
|
(C) psychological harm, including anxiety, |
|
|
embarrassment, fear, or other demonstrable mental trauma; |
|
|
(D) significant inconvenience or expenditure of |
|
|
time; |
|
|
(E) adverse outcomes or decisions with respect to |
|
|
an individual's eligibility for a right, benefit, or privilege in |
|
|
employment, including hiring, firing, promotion, demotion, or |
|
|
compensation; |
|
|
(F) credit or insurance harm, including denial of |
|
|
an application or obtaining less favorable terms related to |
|
|
housing, education, professional certification, or health care |
|
|
services; |
|
|
(G) stigmatization or reputational harm; |
|
|
(H) disruption and intrusion from unwanted |
|
|
commercial communications or contacts; |
|
|
(I) price discrimination; and |
|
|
(J) any other adverse consequence that affects an |
|
|
individual's private life, private family matters, actions or |
|
|
communications within an individual's home or similar physical, |
|
|
online, or digital location, if an individual has a reasonable |
|
|
expectation that personal identifying information will not be |
|
|
processed. |
|
|
(6) "Processing" means any operation or set of |
|
|
operations that are performed on personal identifying information |
|
|
or on sets of personal identifying information, including the |
|
|
collection, creation, generation, recording, organization, |
|
|
structuring, storage, adaptation, alteration, retrieval, |
|
|
consultation, use, disclosure, transfer, or dissemination of the |
|
|
information or otherwise making the information available. |
|
|
(7) "Third party" means a person engaged by a business |
|
|
to process, on behalf of the business, personal identifying |
|
|
information collected by the business. |
|
|
Sec. 541.003. APPLICABILITY. (a) This chapter applies |
|
|
only to a business that: |
|
|
(1) does business in this state; |
|
|
(2) has more than 50 employees; |
|
|
(3) collects the personal identifying information of |
|
|
more than 5,000 individuals, households, or devices or has that |
|
|
information collected on the business's behalf; and |
|
|
(4) satisfies one or more of the following thresholds: |
|
|
(A) has annual gross revenue in an amount that |
|
|
exceeds $25 million; or |
|
|
(B) derives 50 percent or more of the business's |
|
|
annual revenue by processing personal identifying information. |
|
|
(b) Except as provided by Subsection (c), this chapter |
|
|
applies only to personal identifying information that is: |
|
|
(1) collected over the Internet or any other digital |
|
|
network or through a computing device that is associated with or |
|
|
routinely used by an end user; and |
|
|
(2) linked or reasonably linkable to a specific end |
|
|
user. |
|
|
(c) This chapter does not apply to personal identifying |
|
|
information that is: |
|
|
(1) collected solely for facilitating the |
|
|
transmission, routing, or connections by which digital personal |
|
|
identifying information and other data is transferred between or |
|
|
among businesses; or |
|
|
(2) transmitted to and from the individual to whom the |
|
|
personal identifying information relates if the collector of the |
|
|
information does not access, review, or modify the content of the |
|
|
information, or otherwise perform or conduct any analytical, |
|
|
algorithmic, or machine learning processes on the information. |
|
|
Sec. 541.004. EXEMPTIONS. This chapter does not apply to: |
|
|
(1) publicly available information; |
|
|
(2) protected health information governed by Chapter |
|
|
181, Health and Safety Code, or collected by a covered entity or a |
|
|
business associate of a covered entity, as those terms are defined |
|
|
by 45 C.F.R. Section 160.103, that is governed by the privacy, |
|
|
security, and breach notification rules in 45 C.F.R. Parts 160 and |
|
|
164 adopted by the United States Department of Health and Human |
|
|
Services under the Health Insurance Portability and Accountability |
|
|
Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American |
|
|
Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5); |
|
|
(3) personal identifying information collected by a |
|
|
consumer reporting agency, as defined by Section 20.01, if the |
|
|
information is to be: |
|
|
(A) reported in or used to generate a consumer |
|
|
report, as defined by Section 1681a(d) of the Fair Credit Reporting |
|
|
Act (15 U.S.C. Section 1681 et seq.); and |
|
|
(B) used solely for a purpose authorized under |
|
|
that Act; |
|
|
(4) personal identifying information processed in |
|
|
accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) |
|
|
and its implementing regulations; or |
|
|
(5) education information that is not publicly |
|
|
available personally identifiable information under the Family |
|
|
Educational Rights and Privacy Act of 1974 (20 U.S.C. Section |
|
|
1232g) (34 C.F.R. Part 99). |
|
|
Sec. 541.005. RULES. The attorney general shall adopt |
|
|
rules necessary to implement, administer, and enforce this chapter. |
|
|
SUBCHAPTER B. BUSINESS DUTIES |
|
|
Sec. 541.051. COLLECTION OF PERSONAL IDENTIFYING |
|
|
INFORMATION. A business may not collect personal identifying |
|
|
information unless: |
|
|
(1) the collection of the information is relevant and |
|
|
necessary to accomplish the purpose for which the information was |
|
|
collected; and |
|
|
(2) that purpose is specifically disclosed by the |
|
|
business in the notice required under Section 541.054. |
|
|
Sec. 541.052. PROCESSING OF PERSONAL IDENTIFYING |
|
|
INFORMATION. (a) A business may only process personal identifying |
|
|
information if: |
|
|
(1) the information is relevant to accomplish the |
|
|
purposes for which the information is to be processed; |
|
|
(2) those purposes are specifically disclosed by the |
|
|
business in the notice required under Section 541.054; and |
|
|
(3) the information is processed only to the extent |
|
|
necessary to achieve one or more of those purposes. |
|
|
(b) A business may not process personal identifying |
|
|
information unless: |
|
|
(1) the individual whose personal identifying |
|
|
information is collected by the business explicitly consents to the |
|
|
processing of the information; or |
|
|
(2) the business is required by law to process the |
|
|
information. |
|
|
(c) Notwithstanding Subsection (a), a business may not |
|
|
process personal identifying information if: |
|
|
(1) the business knows processing the information will |
|
|
likely: |
|
|
(A) violate state or federal law; or |
|
|
(B) interfere with or deny a right or privilege |
|
|
of an individual granted under the United States Constitution; or |
|
|
(2) the information is to be processed using automated |
|
|
processing, including algorithmic, machine learning, or artificial |
|
|
intelligence processing or predictive analysis, unless the |
|
|
processing is performed after the business: |
|
|
(A) conducts an objective and documented |
|
|
assessment of the automated processing and the results of the |
|
|
processing and determines the processing is reasonably free from |
|
|
bias and error; |
|
|
(B) analyzes the privacy risk of using automated |
|
|
processing and takes reasonable steps to mitigate that risk; and |
|
|
(C) concludes that, after all reasonable steps |
|
|
are taken to mitigate any privacy risk, the automated processing of |
|
|
the personal identifying information does not cause or is not |
|
|
likely to cause a substantial privacy risk. |
|
|
Sec. 541.053. DATA SECURITY PROGRAM. (a) A business shall |
|
|
develop, implement, and maintain a comprehensive data security |
|
|
program that contains administrative, technical, and physical |
|
|
safeguards for personal identifying information. |
|
|
(b) The safeguards required under Subsection (a) must be: |
|
|
(1) documented by the business; and |
|
|
(2) appropriate considering the: |
|
|
(A) size and complexity of the business; |
|
|
(B) nature and scope of the business's |
|
|
activities; and |
|
|
(C) sensitivity of the personal identifying |
|
|
information processed by the business. |
|
|
Sec. 541.054. NOTICE REQUIRED. (a) A business in a |
|
|
conspicuous manner shall provide a notice that includes a |
|
|
reasonably full and complete description of the business's |
|
|
practices governing the processing of personal identifying |
|
|
information before collecting personal identifying information. |
|
|
The notice must include: |
|
|
(1) the categories of personal identifying |
|
|
information processed by the business; |
|
|
(2) details on the type of processing used by the |
|
|
business; |
|
|
(3) the purposes for which the business processes |
|
|
personal identifying information; and |
|
|
(4) the involvement of any third party in processing |
|
|
personal identifying information on behalf of the business. |
|
|
(b) The notice required by Subsection (a) must be: |
|
|
(1) clear, drafted in plain language, and easy to |
|
|
understand; and |
|
|
(2) located in a prominent location at the business |
|
|
and on the business's Internet website if the business has an |
|
|
Internet website. |
|
|
(c) If a business processes geolocation data, biometric |
|
|
information, genetic information, racial or ethnic origin |
|
|
information, religious affiliation or practice information, |
|
|
physical or mental health information, or other personal |
|
|
identifying information that when processed is likely to create a |
|
|
significant privacy risk, the business must, before collecting the |
|
|
information, explicitly specify in the notice required under |
|
|
Subsection (a): |
|
|
(1) the categories or items of personal identifying |
|
|
information processed by the business, as applicable; and |
|
|
(2) the purposes for processing that information. |
|
|
(d) The information required under Subsection (c) must be |
|
|
included in the notice in a manner that is conspicuous, readily |
|
|
available, accessible, accurate, and easy to understand. |
|
|
(e) The notice required under this section may be included |
|
|
in the privacy policy required by Section 541.055. |
|
|
Sec. 541.055. PRIVACY POLICY. A business shall make |
|
|
publicly available on an ongoing basis a privacy policy that: |
|
|
(1) generally articulates the processing practices of |
|
|
the business for personal identifying information, including any |
|
|
analysis or predictions made by the business based on the |
|
|
processing of personal identifying information by the business; |
|
|
(2) includes an accurate and easy method for an |
|
|
individual to access the individual's personal identifying |
|
|
information that the business has processed about the individual; |
|
|
and |
|
|
(3) states that the business is required to: |
|
|
(A) stop processing personal identifying |
|
|
information on the date an individual closes the individual's |
|
|
account with the business; and |
|
|
(B) not later than the 30th day after the date the |
|
|
individual closes the account, delete the individual's personal |
|
|
identifying information unless retention of the information is |
|
|
required by other law or is necessary to comply with other law. |
|
|
Sec. 541.056. ACCESS TO INFORMATION. A business shall |
|
|
allow an individual to promptly and reasonably obtain: |
|
|
(1) confirmation of whether personal identifying |
|
|
information concerning the individual is processed by the business; |
|
|
(2) a description of the categories of personal |
|
|
identifying information processed by the business; |
|
|
(3) an explanation in plain language of the specific |
|
|
types of personal identifying information collected by the |
|
|
business; and |
|
|
(4) access to the individual's personal identifying |
|
|
information. |
|
|
Sec. 541.057. DELETION OF PERSONAL IDENTIFYING |
|
|
INFORMATION. If an individual who maintains an account with a |
|
|
business closes the account, the business shall: |
|
|
(1) stop processing the individual's personal |
|
|
identifying information on the date the individual closes the |
|
|
account; |
|
|
(2) not later than the 30th day after the date the |
|
|
account is closed, delete the individual's personal identifying |
|
|
information unless retention of the information is required by |
|
|
other law or is necessary to comply with other law; and |
|
|
(3) if the business engages a third party to process |
|
|
personal identifying information, notify the third party that the |
|
|
individual is closing the account. |
|
|
Sec. 541.058. ACCOUNTABILITY PROGRAM. To ensure compliance |
|
|
with this chapter, a business shall implement an ongoing |
|
|
accountability program and maintain an internal publication of the |
|
|
written policies and procedures necessary to implement the program. |
|
|
The program must include: |
|
|
(1) a process to identify, assess, and mitigate any |
|
|
reasonably foreseeable privacy risk; |
|
|
(2) procedures to provide remedies for privacy risk; |
|
|
(3) an annual assessment of the program and |
|
|
supporting policies and procedures; |
|
|
(4) methods and procedures for responding to data |
|
|
breaches and for addressing inquiries and complaints concerning |
|
|
personal identifying information; and |
|
|
(5) procedures for internal enforcement of the |
|
|
business's policies and discipline for noncompliance. |
|
|
Sec. 541.059. INFORMATION SHARED WITH THIRD PARTY. (a) A |
|
|
business that engages a third party to process personal identifying |
|
|
information collected by the business shall: |
|
|
(1) use due diligence in selecting the third party and |
|
|
shall ensure that the third party complies with the requirements of |
|
|
this chapter that apply to the third party; and |
|
|
(2) annually obtain from the third party verification |
|
|
that the third party is complying with the requirements. |
|
|
(b) Notwithstanding Subsection (a), a business may not |
|
|
share with any third party who the business engages to process the |
|
|
information an individual's biometric, health, or genetic |
|
|
information unless the individual consents to the sharing of the |
|
|
information. |
|
|
(c) A third party that processes personal identifying |
|
|
information received from a business may only process the |
|
|
information to the extent the business is authorized to process the |
|
|
information under Section 541.052 and shall: |
|
|
(1) implement a data security program described by |
|
|
Section 541.053; |
|
|
(2) implement an accountability program described by |
|
|
Section 541.058; and |
|
|
(3) if the business notifies the third party under |
|
|
Section 541.057 that an individual is closing the individual's |
|
|
account with the business: |
|
|
(A) stop processing the individual's personal |
|
|
identifying information on the date the individual closes the |
|
|
account; and |
|
|
(B) not later than the 30th day after the date the |
|
|
account is closed, delete the individual's personal identifying |
|
|
information unless retention of the information is required by |
|
|
other law or is necessary to comply with other law. |
|
|
SUBCHAPTER C. ENFORCEMENT |
|
|
Sec. 541.101. CIVIL PENALTY. (a) A business that violates |
|
|
this chapter or a third party that violates Section 541.059(c) is |
|
|
liable to this state for a civil penalty in an amount of not more |
|
|
than $10,000 for each violation, not to exceed a total amount of $1 |
|
|
million. |
|
|
(b) The attorney general may bring an action in the name of |
|
|
the state against the business or third party to recover the civil |
|
|
penalty imposed under this section. |
|
|
(c) The attorney general is entitled to recover reasonable |
|
|
expenses, including reasonable attorney's fees, court costs, and |
|
|
investigatory costs, incurred in bringing an action under this |
|
|
section. |
|
|
Sec. 541.102. BUSINESS IMMUNITY FROM LIABILITY. A business |
|
|
that is in compliance with this chapter and engages a third party to |
|
|
process on behalf of the business personal identifying information |
|
|
collected by the business may not be held liable for a violation of |
|
|
Section 541.059(c) by the third party if the business does not have |
|
|
actual knowledge or a reasonable belief that the third party |
|
|
intends to violate that section. |
|
|
SECTION 2. Subchapter Z, Chapter 2252, Government Code, is |
|
|
amended by adding Section 2252.909 to read as follows: |
|
|
Sec. 2252.909. SALE OF PERSONAL IDENTIFYING INFORMATION |
|
|
PROHIBITED. Notwithstanding any other law, a governmental entity |
|
|
may not sell or offer to sell personal identifying information, as |
|
|
defined by Section 541.002, Business & Commerce Code, that is: |
|
|
(1) unique genetic information; |
|
|
(2) precise geolocation data; or |
|
|
(3) unique biometric information, including a |
|
|
fingerprint, voice print, retina or iris image, or any other unique |
|
|
physical representation. |
|
|
SECTION 3. This Act takes effect September 1, 2019. |