| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the privacy of a consumer's personal information |
|
|
collected by certain businesses; imposing a civil penalty. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Title 11, Business & Commerce Code, is amended by |
|
|
adding Subtitle C to read as follows: |
|
|
SUBTITLE C. PRIVACY OF PERSONAL INFORMATION |
|
|
CHAPTER 541. PRIVACY OF CONSUMER'S PERSONAL INFORMATION |
|
|
SUBCHAPTER A. GENERAL PROVISIONS |
|
|
Sec. 541.001. SHORT TITLE. This chapter may be cited as the |
|
|
Texas Consumer Privacy Act. |
|
|
Sec. 541.002. DEFINITIONS. In this chapter: |
|
|
(1) "Aggregate consumer information" means |
|
|
information that relates to a group or category of consumers from |
|
|
which individual consumer identities have been removed and that is |
|
|
not linked or reasonably linkable to a particular consumer or |
|
|
household, including through a device. The term does not include |
|
|
one or more individual consumer records that have been |
|
|
deidentified. |
|
|
(2) "Biometric information" means an individual's |
|
|
physiological, biological, or behavioral characteristics that can |
|
|
be used, alone or in combination with other characteristics or |
|
|
other identifying data, to establish the individual's identity. |
|
|
The term includes: |
|
|
(A) deoxyribonucleic acid (DNA); |
|
|
(B) an image of an iris, retina, fingerprint, |
|
|
face, hand, palm, or vein pattern or a voice recording from which an |
|
|
identifier template can be extracted such as a faceprint, minutiae |
|
|
template, or voiceprint; |
|
|
(C) keystroke patterns or rhythms; |
|
|
(D) gait patterns or rhythms; and |
|
|
(E) sleep, health, or exercise data that contains |
|
|
identifying information. |
|
|
(3) "Business" means a for-profit entity, including a |
|
|
sole proprietorship, partnership, limited liability company, |
|
|
corporation, association, or other legal entity that is organized |
|
|
or operated for the profit or financial benefit of the entity's |
|
|
shareholders or other owners. |
|
|
(4) "Business purpose" means the use of personal |
|
|
information for: |
|
|
(A) the following operational purposes of a |
|
|
business or service provider, provided that the use of the |
|
|
information is reasonably necessary and proportionate to achieve |
|
|
the operational purpose for which the information was collected or |
|
|
processed or another operational purpose that is compatible with |
|
|
the context in which the information was collected: |
|
|
(i) auditing related to a current |
|
|
interaction with a consumer and any concurrent transactions, |
|
|
including counting ad impressions to unique visitors, verifying the |
|
|
positioning and quality of ad impressions, and auditing compliance |
|
|
with a specification or other standards for ad impressions; |
|
|
(ii) detecting a security incident, |
|
|
protecting against malicious, deceptive, fraudulent, or illegal |
|
|
activity, and prosecuting those responsible for any illegal |
|
|
activity described by this subparagraph; |
|
|
(iii) identifying and repairing or removing |
|
|
errors that impair the intended functionality of computer hardware |
|
|
or software; |
|
|
(iv) using personal information in the |
|
|
short term or for a transient use, provided that the information is |
|
|
not: |
|
|
(a) disclosed to a third party; and |
|
|
(b) used to build a profile about a |
|
|
consumer or alter an individual consumer's experience outside of a |
|
|
current interaction with the consumer, including the contextual |
|
|
customization of an advertisement displayed as part of the same |
|
|
interaction; |
|
|
(v) performing a service on behalf of the |
|
|
business or service provider, including: |
|
|
(a) maintaining or servicing an |
|
|
account, providing customer service, processing or fulfilling an |
|
|
order or transaction, verifying customer information, processing a |
|
|
payment, providing financing, providing advertising or marketing |
|
|
services, or providing analytic services; or |
|
|
(b) performing a service similar to a |
|
|
service described by Sub-subparagraph (a) on behalf of the business |
|
|
or service provider; |
|
|
(vi) undertaking internal research for |
|
|
technological development and demonstration; or |
|
|
(vii) undertaking an activity to: |
|
|
(a) verify or maintain the quality or |
|
|
safety of a service or device that is owned by, manufactured by, |
|
|
manufactured for, or controlled by the business; or |
|
|
(b) improve, upgrade, or enhance a |
|
|
service or device described by Sub-subparagraph (a); or |
|
|
(B) another operational purpose for which notice |
|
|
is given under this chapter. |
|
|
(5) "Collect" means to buy, rent, gather, obtain, |
|
|
receive, or access the personal information of a consumer by any |
|
|
means, including by actively or passively receiving the information |
|
|
from the consumer or by observing the consumer's behavior. |
|
|
(6) "Commercial purpose" means a purpose that is |
|
|
intended to result in a profit or other tangible benefit or the |
|
|
advancement of a person's commercial or economic interests, such as |
|
|
by inducing another person to buy, rent, lease, subscribe to, |
|
|
provide, or exchange products, goods, property, information, or |
|
|
services or by enabling or effecting, directly or indirectly, a |
|
|
commercial transaction. The term does not include the purpose of |
|
|
engaging in speech recognized by state or federal courts as |
|
|
noncommercial speech, including political speech and journalism. |
|
|
(7) "Consumer" means an individual who is a resident |
|
|
of this state. |
|
|
(8) "Deidentified information" means information that |
|
|
cannot reasonably identify, relate to, describe, be associated |
|
|
with, or be linked to, directly or indirectly, a particular |
|
|
consumer. |
|
|
(9) "Device" means any physical object capable of |
|
|
connecting to the Internet, directly or indirectly, or to another |
|
|
device. |
|
|
(10) "Identifier" means data elements or other |
|
|
information that alone or in conjunction with other information can |
|
|
be used to identify a particular consumer, household, or device |
|
|
that is linked to a particular consumer or household. |
|
|
(11) "Person" means an individual, sole |
|
|
proprietorship, firm, partnership, joint venture, syndicate, |
|
|
business trust, company, corporation, limited liability company, |
|
|
association, committee, and any other organization or group of |
|
|
persons acting in concert. |
|
|
(12) "Personal information" means information that |
|
|
identifies, relates to, describes, can be associated with, or can |
|
|
reasonably be linked to, directly or indirectly, a particular |
|
|
consumer or household. The term does not include publicly |
|
|
available information. The term includes the following categories |
|
|
of information if the information identifies, relates to, |
|
|
describes, can be associated with, or can reasonably be linked to, |
|
|
directly or indirectly, a particular consumer or household: |
|
|
(A) an identifier, including a real name, alias, |
|
|
mailing address, account name, date of birth, driver's license |
|
|
number, unique identifier, social security number, passport |
|
|
number, signature, telephone number, or other government-issued |
|
|
identification number, or other similar identifier; |
|
|
(B) an online identifier, including an |
|
|
electronic mail address or Internet Protocol address, or other |
|
|
similar identifier; |
|
|
(C) a physical characteristic or description, |
|
|
including a characteristic of a protected classification under |
|
|
state or federal law; |
|
|
(D) commercial information, including: |
|
|
(i) a record of personal property; |
|
|
(ii) a good or service purchased, obtained, |
|
|
or considered; |
|
|
(iii) an insurance policy number; or |
|
|
(iv) other purchasing or consuming |
|
|
histories or tendencies; |
|
|
(E) biometric information; |
|
|
(F) Internet or other electronic network |
|
|
activity information, including: |
|
|
(i) browsing or search history; and |
|
|
(ii) other information regarding a |
|
|
consumer's interaction with an Internet website, application, or |
|
|
advertisement; |
|
|
(G) geolocation data; |
|
|
(H) audio, electronic, visual, thermal, |
|
|
olfactory, or other similar information; |
|
|
(I) professional or employment-related |
|
|
information; |
|
|
(J) education information that is not publicly |
|
|
available personally identifiable information under the Family |
|
|
Educational Rights and Privacy Act of 1974 (20 U.S.C. Section |
|
|
1232g) (34 C.F.R. Part 99); |
|
|
(K) financial information, including a financial |
|
|
institution account number, credit or debit card number, or |
|
|
password or access code associated with a credit or debit card or |
|
|
bank account; |
|
|
(L) medical information; |
|
|
(M) health insurance information; or |
|
|
(N) inferences drawn from any of the information |
|
|
listed under this subdivision to create a profile about a consumer |
|
|
that reflects the consumer's preferences, characteristics, |
|
|
psychological trends, predispositions, behavior, attitudes, |
|
|
intelligence, abilities, or aptitudes. |
|
|
(13) "Processing information" means performing any |
|
|
operation or set of operations on personal data or on sets of |
|
|
personal data, whether or not by automated means. |
|
|
(14) "Publicly available information" means |
|
|
information that is lawfully made available to the public from |
|
|
federal, state, or local government records if the conditions |
|
|
associated with making the information available are met. The term |
|
|
does not include: |
|
|
(A) biometric information of a consumer |
|
|
collected by a business without the consumer's knowledge; |
|
|
(B) data that is used for a purpose that is not |
|
|
compatible with the purpose for which the data is: |
|
|
(i) publicly maintained; or |
|
|
(ii) maintained in and made available from |
|
|
government records; or |
|
|
(C) deidentified or aggregate consumer |
|
|
information. |
|
|
(15) "Service provider" means a for-profit entity as |
|
|
described by Subdivision (3) that processes information on behalf |
|
|
of a business and to which the business discloses, for a business |
|
|
purpose, a consumer's personal information under a written |
|
|
contract, provided that the contract prohibits the entity receiving |
|
|
the information from retaining, using, or disclosing the |
|
|
information for any purpose other than: |
|
|
(A) providing the services specified in the |
|
|
contract with the business; or |
|
|
(B) for a purpose permitted by this chapter, |
|
|
including for a commercial purpose other than providing those |
|
|
specified services. |
|
|
(16) "Third party" means a person who is not: |
|
|
(A) a business to which this chapter applies that |
|
|
collects personal information from consumers; or |
|
|
(B) a person to whom the business discloses, for |
|
|
a business purpose, a consumer's personal information under a |
|
|
written contract, provided that the contract: |
|
|
(i) prohibits the person receiving the |
|
|
information from: |
|
|
(a) selling the information; |
|
|
(b) retaining, using, or disclosing |
|
|
the information for any purpose other than providing the services |
|
|
specified in the contract, including for a commercial purpose other |
|
|
than providing those services; and |
|
|
(c) retaining, using, or disclosing |
|
|
the information outside of the direct business relationship between |
|
|
the person and the business; and |
|
|
(ii) includes a certification made by the |
|
|
person receiving the personal information that the person |
|
|
understands and will comply with the prohibitions under |
|
|
Subparagraph (i). |
|
|
(17) "Unique identifier" means a persistent |
|
|
identifier that can be used over time and across different services |
|
|
to recognize a consumer, a custodial parent or guardian, or any |
|
|
minor children over which the parent or guardian has custody, or a |
|
|
device that is linked to those individuals. The term includes: |
|
|
(A) a device identifier; |
|
|
(B) an Internet Protocol address; |
|
|
(C) a cookie, beacon, pixel tag, mobile ad |
|
|
identifier, or similar technology; |
|
|
(D) a customer number, unique pseudonym, or user |
|
|
alias; |
|
|
(E) a telephone number; and |
|
|
(F) another form of a persistent or probabilistic |
|
|
identifier that can be used to identify a particular consumer or |
|
|
device. |
|
|
(18) "Verifiable consumer request" means a request: |
|
|
(A) that is made by a consumer, a consumer on |
|
|
behalf of the consumer's minor child, or a natural person or person |
|
|
who is authorized by a consumer to act on the consumer's behalf; and |
|
|
(B) that a business can reasonably verify, in |
|
|
accordance with rules adopted under Section 541.009, was submitted |
|
|
by: |
|
|
(i) the consumer about whom the business |
|
|
has collected personal information; or |
|
|
(ii) the consumer on behalf of the |
|
|
consumer's minor child about whom the business has collected |
|
|
personal information. |
|
|
Sec. 541.003. APPLICABILITY OF CHAPTER. (a) This chapter |
|
|
applies only to: |
|
|
(1) a business that: |
|
|
(A) does business in this state; |
|
|
(B) collects consumers' personal information or |
|
|
has that information collected on the business's behalf; |
|
|
(C) alone or in conjunction with others, |
|
|
determines the purpose for and means of processing consumers' |
|
|
personal information; and |
|
|
(D) satisfies one or more of the following |
|
|
thresholds: |
|
|
(i) has annual gross revenue in an amount |
|
|
that exceeds $25 million, as adjusted by the attorney general in |
|
|
accordance with the rules adopted under Section 541.009; |
|
|
(ii) alone or in combination with others, |
|
|
annually buys, sells, or receives or shares for commercial purposes |
|
|
the personal information of 50,000 or more consumers, households, |
|
|
or devices; or |
|
|
(iii) derives 50 percent or more of the |
|
|
business's annual revenue from selling consumers' personal |
|
|
information; and |
|
|
(2) an entity that controls or is controlled by a |
|
|
business described by Subdivision (1) and that shares a service |
|
|
mark, trademark, or shared name with the business. |
|
|
(b) For purposes of Subsection (a)(2), "control" means the: |
|
|
(1) ownership of, or power to vote, more than 50 |
|
|
percent of the outstanding shares of any class of voting security of |
|
|
a business; |
|
|
(2) control in any manner over the election of a |
|
|
majority of the directors or of individuals exercising similar |
|
|
functions; or |
|
|
(3) power to exercise a controlling influence over the |
|
|
management of a company. |
|
|
(c) For purposes of this chapter, a business sells a |
|
|
consumer's personal information to another business or a third |
|
|
party if the business sells, rents, discloses, disseminates, makes |
|
|
available, transfers, or otherwise communicates, orally, in |
|
|
writing, or by electronic or other means, the information to the |
|
|
other business or third party for monetary or other valuable |
|
|
consideration. |
|
|
(d) For purposes of this chapter, a business does not sell a |
|
|
consumer's personal information if: |
|
|
(1) the consumer uses or directs the business to |
|
|
intentionally disclose the information or uses the business to |
|
|
intentionally interact with a third party, provided that the third |
|
|
party does not sell the information, unless that disclosure is |
|
|
consistent with this chapter; or |
|
|
(2) the business: |
|
|
(A) uses or shares an identifier of the consumer |
|
|
to alert a third party that the consumer has opted out of the sale of |
|
|
the information; |
|
|
(B) uses or shares with a service provider a |
|
|
consumer's personal information that is necessary to perform a |
|
|
business purpose if: |
|
|
(i) the business provided notice that the |
|
|
information is being used or shared in the business's terms and |
|
|
conditions consistent with Sections 541.054 and 541.102(a)(8); and |
|
|
(ii) the service provider does not further |
|
|
collect, sell, or use the information except as necessary to |
|
|
perform the business purpose; or |
|
|
(C) transfers to a third party a consumer's |
|
|
personal information as an asset that is part of a merger, |
|
|
acquisition, bankruptcy, or other transaction in which the third |
|
|
party assumes control of all or part of the business, provided that |
|
|
information is used or shared consistent with Sections 541.051, |
|
|
541.053, and 541.054(e). |
|
|
(e) For purposes of Subsection (d)(1), an intentional |
|
|
interaction occurs if the consumer does one or more deliberate acts |
|
|
with the intent to interact with a third party. Placing a cursor |
|
|
over, muting, pausing, or closing online content does not |
|
|
constitute a consumer's intent to interact with a third party. |
|
|
Sec. 541.004. EXEMPTIONS. (a) This chapter does not apply |
|
|
to: |
|
|
(1) publicly available information; |
|
|
(2) protected health information governed by Chapter |
|
|
181, Health and Safety Code, or collected by a covered entity or a |
|
|
business associate of a covered entity, as those terms are defined |
|
|
by 45 C.F.R. Section 160.103, that is governed by the privacy, |
|
|
security, and breach notification rules in 45 C.F.R. Parts 160 and |
|
|
164 adopted by the United States Department of Health and Human |
|
|
Services under the Health Insurance Portability and Accountability |
|
|
Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American |
|
|
Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5); |
|
|
(3) a health care provider governed by Chapter 181, |
|
|
Health and Safety Code, or a covered entity described by |
|
|
Subdivision (2) to the extent that the provider or entity maintains |
|
|
the personal information of a patient in the same manner as |
|
|
protected health information described by that subdivision; |
|
|
(4) information collected as part of a clinical trial |
|
|
subject to the Federal Policy for the Protection of Human Subjects |
|
|
in accordance with the good clinical practice guidelines issued by |
|
|
the International Council for Harmonisation or the human subject |
|
|
protection requirements of the United States Food and Drug |
|
|
Administration; |
|
|
(5) the sale of personal information to or by a |
|
|
consumer reporting agency, as defined by Section 20.01, if the |
|
|
information is to be: |
|
|
(A) reported in or used to generate a consumer |
|
|
report, as defined by Section 1681a(d) of the Fair Credit Reporting |
|
|
Act (15 U.S.C. Section 1681 et seq.); and |
|
|
(B) used solely for a purpose authorized under |
|
|
that act; |
|
|
(6) personal information collected, processed, sold, |
|
|
or disclosed in accordance with: |
|
|
(A) the Gramm-Leach-Bliley Act (Pub. L. No. |
|
|
106-102) and its implementing regulations; or |
|
|
(B) the Driver's Privacy Protection Act of 1994 |
|
|
(18 U.S.C. Section 2721 et seq.); |
|
|
(7) deidentified or aggregate consumer information; |
|
|
or |
|
|
(8) a consumer's personal information collected or |
|
|
sold by a business, if every aspect of the collection or sale |
|
|
occurred wholly outside of this state. |
|
|
(b) For purposes of Subsection (a)(8), the collection or |
|
|
sale of a consumer's personal information occurs wholly outside of |
|
|
this state if: |
|
|
(1) the business collects that information while the |
|
|
consumer is outside of this state; |
|
|
(2) no part of the sale of the information occurs in |
|
|
this state; and |
|
|
(3) the business does not sell any personal |
|
|
information of the consumer collected while the consumer is in this |
|
|
state. |
|
|
(c) For purposes of Subsection (b), the collection or sale |
|
|
of a consumer's personal information does not occur wholly outside |
|
|
of this state if a business stores a consumer's personal |
|
|
information, including on a device, when the consumer is in this |
|
|
state and subsequently collects or sells that stored information |
|
|
when the consumer and the information are outside of this state. |
|
|
Sec. 541.005. CERTAIN RIGHTS AND OBLIGATIONS NOT AFFECTED. |
|
|
A right or obligation under this chapter does not apply to the |
|
|
extent that the exercise of the right or performance of the |
|
|
obligation: |
|
|
(1) adversely affects a right of another consumer; or |
|
|
(2) infringes on a noncommercial activity of: |
|
|
(A) a publisher, editor, reporter, or other |
|
|
person connected with or employed by a newspaper, magazine, or |
|
|
other publication of general circulation, including a periodical |
|
|
newsletter, pamphlet, or report; |
|
|
(B) a radio or television station that holds a |
|
|
license issued by the Federal Communications Commission; or |
|
|
(C) an entity that provides an information |
|
|
service, including a press association or wire service. |
|
|
Sec. 541.006. COMPLIANCE WITH OTHER LAWS; LEGAL |
|
|
PROCEEDINGS. This chapter does not: |
|
|
(1) restrict a business's ability to: |
|
|
(A) comply with: |
|
|
(i) applicable federal, state, or local |
|
|
laws; or |
|
|
(ii) a civil, criminal, or regulatory |
|
|
inquiry, investigation, subpoena, or summons by a federal, state, |
|
|
or local authority; |
|
|
(B) cooperate with a law enforcement agency |
|
|
concerning conduct or activity that the business, a service |
|
|
provider of the business, or a third party reasonably and in good |
|
|
faith believes may violate other applicable federal, state, or |
|
|
local laws; or |
|
|
(C) pursue or defend against a legal claim; or |
|
|
(2) require a business to violate an evidentiary |
|
|
privilege under federal or state law or prevent a business from |
|
|
disclosing to a person covered by an evidentiary privilege the |
|
|
personal information of a consumer as part of a privileged |
|
|
communication. |
|
|
Sec. 541.007. CONSTRUCTION; RELATION TO OTHER STATE AND |
|
|
FEDERAL LAW. (a) This chapter shall be liberally construed to |
|
|
effect its purposes and to harmonize, to the extent possible, with |
|
|
other laws of this state relating to the privacy or protection of |
|
|
personal information. |
|
|
(b) To the extent of a conflict between a provision of this |
|
|
chapter and a provision of federal law, including a regulation or an |
|
|
interpretation of federal law, federal law controls and conflicting |
|
|
requirements or other provisions of this chapter do not apply. |
|
|
(c) To the extent of a conflict between a provision of this |
|
|
chapter and another statute of this state with respect to the |
|
|
privacy or protection of consumers' personal information, the |
|
|
provision of law that affords the greatest privacy or protection to |
|
|
consumers prevails. |
|
|
Sec. 541.008. PREEMPTION OF LOCAL LAW. This chapter |
|
|
preempts and supersedes any ordinance, order, or rule adopted by a |
|
|
political subdivision of this state relating to the collection or |
|
|
sale by a business of a consumer's personal information. |
|
|
Sec. 541.009. RULES. (a) The attorney general shall adopt |
|
|
rules necessary to implement, administer, and enforce this chapter. |
|
|
(b) The rules adopted under Subsection (a) must establish: |
|
|
(1) procedures for the adjustment of the monetary |
|
|
threshold under Section 541.003(a)(1)(D) in January of every |
|
|
odd-numbered year to reflect any increase in the consumer price |
|
|
index; |
|
|
(2) procedures governing the determination of, |
|
|
submission of, and compliance with a verifiable consumer request |
|
|
for information with the goal of minimizing administrative burdens |
|
|
on consumers and businesses subject to this chapter by taking into |
|
|
account available technology and security concerns, including: |
|
|
(A) treating as a verifiable consumer request a |
|
|
request submitted through a password-protected online account |
|
|
maintained by the consumer with the business while logged into the |
|
|
account; and |
|
|
(B) providing a mechanism for a request submitted |
|
|
by a consumer who does not maintain an account with the business; |
|
|
(3) procedures to facilitate and govern the submission |
|
|
of and compliance with a request to opt out of the sale of personal |
|
|
information under Section 541.054; |
|
|
(4) guidelines for the development of a recognizable |
|
|
and uniform opt-out logo or button for use on businesses' Internet |
|
|
websites in a manner that promotes consumer awareness of the |
|
|
opportunity to opt out of the sale of personal information; and |
|
|
(5) procedures and guidelines, including any |
|
|
necessary exceptions, to ensure that the notices and information |
|
|
businesses are required to provide under this chapter, including |
|
|
information regarding financial incentive offerings, are: |
|
|
(A) provided in a manner that is easily |
|
|
understood by the average consumer; |
|
|
(B) accessible by consumers with disabilities; |
|
|
and |
|
|
(C) available in the languages primarily used by |
|
|
consumers to interact with businesses. |
|
|
(c) The attorney general may adopt other rules necessary to |
|
|
further the purposes of this chapter, including rules as necessary |
|
|
to: |
|
|
(1) update the categories of personal information |
|
|
listed under Section 541.002(12) and the definition of identifier |
|
|
under Section 541.002 to account for privacy concerns, |
|
|
implementation obstacles, or changes in technology and data |
|
|
collection methods; |
|
|
(2) update the designated methods for submitting |
|
|
requests to facilitate a consumer's ability to obtain information |
|
|
from a business under Section 541.103; and |
|
|
(3) establish any exceptions necessary to comply with |
|
|
federal law or other laws of this state, including laws relating to |
|
|
trade secrets and intellectual property rights. |
|
|
Sec. 541.010. ATTORNEY GENERAL OPINION. A business or a |
|
|
third party may seek an opinion from the attorney general for |
|
|
guidance on how to comply with this chapter. |
|
|
Sec. 541.011. USE OF PERSONAL INFORMATION IN RESEARCH. For |
|
|
purposes of this chapter, "research" means scientific, systematic |
|
|
study and observation, including basic research or applied research |
|
|
that is in the public interest and that adheres to all other |
|
|
applicable ethics and privacy laws or studies conducted in the |
|
|
public interest in the area of public health. Research with |
|
|
personal information that may have been collected from a consumer |
|
|
in the course of the consumer's interactions with a business's |
|
|
service or device for other purposes must be: |
|
|
(1) compatible with the business purpose for which the |
|
|
personal information was collected; |
|
|
(2) subsequently pseudonymized and deidentified, or |
|
|
deidentified and in the aggregate, such that the information cannot |
|
|
reasonably identify, relate to, describe, be capable of being |
|
|
associated with, or be linked, directly or indirectly, to a |
|
|
particular consumer; |
|
|
(3) made subject to technical safeguards that prohibit |
|
|
reidentification of the consumer to whom the information may |
|
|
pertain; |
|
|
(4) subject to business processes that specifically |
|
|
prohibit reidentification of the information; |
|
|
(5) made subject to business processes to prevent |
|
|
inadvertent release of deidentified information; |
|
|
(6) protected from any reidentification attempts; |
|
|
(7) used solely for research purposes that are |
|
|
compatible with the context in which the personal information was |
|
|
collected; |
|
|
(8) not used for any commercial purpose; and |
|
|
(9) subjected by the business conducting the research |
|
|
to additional security controls that limit access to the research |
|
|
data to only those individuals in a business as are necessary to |
|
|
carry out the research purpose. |
|
|
SUBCHAPTER B. CONSUMER'S RIGHTS |
|
|
Sec. 541.051. RIGHT TO DISCLOSURE OF PERSONAL INFORMATION |
|
|
COLLECTED. (a) A consumer is entitled to request that a business |
|
|
that collects the consumer's personal information disclose to the |
|
|
consumer the categories and specific items of personal information |
|
|
the business has collected. |
|
|
(b) To receive the disclosure of information under |
|
|
Subsection (a), a consumer must submit to the business a verifiable |
|
|
consumer request using a method designated by the business under |
|
|
Section 541.103. |
|
|
(c) On receipt of a verifiable consumer request under this |
|
|
section, a business shall disclose to the consumer in the time and |
|
|
manner provided by Section 541.105: |
|
|
(1) each enumerated category and item within each |
|
|
category of personal information under Section 541.002(12) that the |
|
|
business collected about the consumer during the 12 months |
|
|
preceding the date of the request; |
|
|
(2) each category of sources from which the |
|
|
information was collected; |
|
|
(3) the business or commercial purpose for collecting |
|
|
or selling the personal information; and |
|
|
(4) each category of third parties with whom the |
|
|
business shares the personal information. |
|
|
(d) This section does not require a business to: |
|
|
(1) retain a consumer's personal information that was |
|
|
collected for a one-time transaction if the information is not sold |
|
|
or retained in the ordinary course of business; or |
|
|
(2) reidentify or otherwise link any data that, in the |
|
|
ordinary course of business, is not maintained in a manner that |
|
|
would be considered personal information. |
|
|
Sec. 541.052. RIGHT TO DELETION OF PERSONAL INFORMATION |
|
|
COLLECTED. (a) A consumer is entitled to request that a business |
|
|
that collects the consumer's personal information delete any |
|
|
personal information the business has collected from the consumer |
|
|
by submitting a verifiable consumer request using a method |
|
|
designated by the business under Section 541.103. |
|
|
(b) Except as provided by Subsection (c), on receipt of a |
|
|
verifiable consumer request under this section, a business shall |
|
|
delete from the business's records any personal information |
|
|
collected from the consumer and direct a service provider of the |
|
|
business to delete the information from the provider's records. |
|
|
(c) A business or service provider of the business is not |
|
|
required to comply with a verifiable consumer request received |
|
|
under this section if the business or service provider needs to |
|
|
retain the consumer's personal information to: |
|
|
(1) complete the transaction for which the information |
|
|
was collected; |
|
|
(2) provide a good or service requested by the |
|
|
consumer or reasonably anticipated to be requested by the consumer |
|
|
in the context of the ongoing business relationship between the |
|
|
business and consumer; |
|
|
(3) perform under a contract between the business and |
|
|
the consumer; |
|
|
(4) detect a security incident, protect against |
|
|
malicious, deceptive, fraudulent, or illegal activity, or |
|
|
prosecute those responsible for any illegal activity described by |
|
|
this subdivision; |
|
|
(5) identify and repair or remove errors from computer |
|
|
hardware or software that impair its intended functionality; |
|
|
(6) exercise free speech or ensure the right of |
|
|
another consumer to exercise the right of free speech or another |
|
|
right afforded by law; |
|
|
(7) comply with Chapter 1289 (H.B. 2268), Acts of the |
|
|
83rd Legislature, Regular Session, 2013, or a legal obligation; |
|
|
(8) engage in public or peer-reviewed scientific, |
|
|
historical, or statistical research that is in the public interest |
|
|
and that adheres to all other applicable ethics and privacy laws |
|
|
provided that: |
|
|
(A) the business's deletion of the information is |
|
|
likely to render impossible or seriously impair the achievement of |
|
|
that research; and |
|
|
(B) the consumer has provided to the business |
|
|
informed consent to retain the information; or |
|
|
(9) use the information internally: |
|
|
(A) so long as the use is reasonably aligned with |
|
|
the expectations of the consumer based on the consumer's |
|
|
relationship with the business; or |
|
|
(B) in a manner that is lawful and compatible |
|
|
with the context in which the consumer provided the information. |
|
|
Sec. 541.053. RIGHT TO DISCLOSURE OF PERSONAL INFORMATION |
|
|
SOLD OR DISCLOSED. (a) A consumer is entitled to request that a |
|
|
business that sells, or discloses for a business purpose, the |
|
|
consumer's personal information disclose to the consumer: |
|
|
(1) the categories of personal information the |
|
|
business collected about the consumer; |
|
|
(2) the categories of personal information about the |
|
|
consumer the business sold, or disclosed for a business purpose; |
|
|
and |
|
|
(3) the categories of third parties to whom the |
|
|
personal information was sold or disclosed. |
|
|
(b) To receive the disclosure of information under |
|
|
Subsection (a), a consumer must submit to the business a verifiable |
|
|
consumer request using a method designated by the business under |
|
|
Section 541.103. |
|
|
(c) On receipt of a verifiable consumer request under this |
|
|
section, a business shall disclose to the consumer in the time and |
|
|
manner provided by Section 541.105: |
|
|
(1) each enumerated category of personal information |
|
|
under Section 541.002(12) that the business collected about the |
|
|
consumer during the 12 months preceding the date of the request; |
|
|
(2) the categories of third parties to whom the |
|
|
business sold the consumer's personal information during the 12 |
|
|
months preceding the date of the request, by reference to each |
|
|
enumerated category of information under Section 541.002(12) sold |
|
|
to each third party; and |
|
|
(3) the categories of third parties to whom the |
|
|
business disclosed for a business purpose the consumer's personal |
|
|
information during the 12 months preceding the date of the request, |
|
|
by reference to each enumerated category of information under |
|
|
Section 541.002(12) disclosed to each third party. |
|
|
(d) A business shall provide the information described by |
|
|
Subsections (c)(2) and (3) in two separate lists. |
|
|
(e) A business that did not sell, or disclose for a business |
|
|
purpose, the consumer's personal information during the 12 months |
|
|
preceding the date of receiving the consumer's verifiable consumer |
|
|
request under this section shall disclose that fact to the |
|
|
consumer. |
|
|
Sec. 541.054. RIGHT TO OPT OUT OF SALE OF PERSONAL |
|
|
INFORMATION. (a) A consumer is entitled at any time to opt out of |
|
|
the sale of the consumer's personal information by a business to |
|
|
third parties by directing the business not to sell the |
|
|
information. A consumer may authorize another person solely to opt |
|
|
out of the sale of the consumer's personal information on the |
|
|
consumer's behalf. Except as provided by Subsection (c), a |
|
|
business shall comply with a direction not to sell that is received |
|
|
under this subsection. |
|
|
(b) A business that sells to a third party consumers' |
|
|
personal information shall provide on the business's Internet |
|
|
website's home page: |
|
|
(1) notice to consumers that: |
|
|
(A) the information may be sold; and |
|
|
(B) consumers have the right to opt out of the |
|
|
sale; and |
|
|
(2) a clear and conspicuous link that: |
|
|
(A) enables a consumer, or a person authorized by |
|
|
the consumer, to opt out of the sale of the consumer's personal |
|
|
information; and |
|
|
(B) is titled "DO NOT SELL MY PERSONAL |
|
|
INFORMATION." |
|
|
(c) A business may not sell to a third party the personal |
|
|
information of a consumer who opts out of the sale of that |
|
|
information under this section before the first anniversary of the |
|
|
date the consumer opted out, unless the consumer provides express |
|
|
authorization for the business to sell the consumer's personal |
|
|
information. After the period prescribed by this subsection |
|
|
expires, a business may request that the consumer consent to the |
|
|
sale of the consumer's personal information by the business. |
|
|
(d) A business may use any personal information collected |
|
|
from the consumer in connection with the consumer's opting out |
|
|
under this section solely to comply with this section. |
|
|
(e) A third party to whom a business has sold the personal |
|
|
information of a consumer may not sell the information unless the |
|
|
consumer receives explicit notice of the potential sale and is |
|
|
provided the opportunity to exercise the right to opt out of the |
|
|
sale as provided by this section. |
|
|
(f) Notwithstanding Subsection (b), a business is not |
|
|
required to provide the link required by that subsection on the |
|
|
Internet website the business makes available to the public if the |
|
|
business: |
|
|
(1) provides the required link on a separate and |
|
|
additional Internet website that is maintained by the business and |
|
|
dedicated to consumers; and |
|
|
(2) takes reasonable steps to ensure that consumers |
|
|
are directed to the website described by Subdivision (1) instead of |
|
|
the website the business makes available to the public. |
|
|
(g) A business may not require a consumer to create an |
|
|
account with the business to opt out of the sale of the consumer's |
|
|
personal information. |
|
|
Sec. 541.055. RIGHT TO OPT IN FOR SALE OF PERSONAL |
|
|
INFORMATION OF CERTAIN MINORS. (a) The requirement for consent to |
|
|
sell a consumer's personal information under this section may be |
|
|
referred to as the consumer's "right to opt in." |
|
|
(b) A business may not sell a consumer's personal |
|
|
information if the business has actual knowledge that the consumer |
|
|
is younger than 16 years of age unless: |
|
|
(1) for a consumer who is at least 13 years of age but |
|
|
younger than 16 years of age, the business receives express |
|
|
authorization to sell the consumer's personal information from the |
|
|
consumer; or |
|
|
(2) for a consumer who is younger than 13 years of age, |
|
|
the business receives express authorization to sell the consumer's |
|
|
personal information from the consumer's parent or legal guardian. |
|
|
(c) A business that wilfully disregards the age of a |
|
|
consumer whose personal information the business sells to a third |
|
|
party is considered to have actual knowledge of the consumer's age. |
|
|
Sec. 541.056. WAIVER OR LIMITATION PROVISION VOID. (a) A |
|
|
provision of a contract or other agreement that purports to waive or |
|
|
limit a right, remedy, or means of enforcement under this chapter is |
|
|
contrary to public policy and is void. |
|
|
(b) This section does not prevent a consumer from: |
|
|
(1) declining to request information from a business; |
|
|
(2) declining to opt out of a business's sale of the |
|
|
consumer's personal information; or |
|
|
(3) authorizing a business to sell the consumer's |
|
|
personal information after previously opting out. |
|
|
SUBCHAPTER C. BUSINESS RIGHTS AND OBLIGATIONS |
|
|
Sec. 541.101. NOTIFICATION OF COLLECTION REQUIRED. (a) A |
|
|
business that collects a consumer's personal information shall, at |
|
|
or before the point of collection, notify the consumer of each |
|
|
category of personal information to be collected and the purposes |
|
|
for which the category of information will be used. |
|
|
(b) A business may not collect an additional category of |
|
|
personal information or use personal information collected for an |
|
|
additional purpose unless the business provides notice to the |
|
|
consumer of the additional category or purpose in accordance with |
|
|
Subsection (a). |
|
|
(c) If a third party that assumes control of all or part of a |
|
|
business as described by Section 541.003(d)(2)(C) materially |
|
|
alters the practices of the business in how personal information is |
|
|
used or shared, and the practices are materially inconsistent with |
|
|
a notice provided to a consumer under Subsection (a) or (b), the |
|
|
third party must notify the consumer of the third party's new or |
|
|
changed practices before the third party uses or shares the |
|
|
personal information in a conspicuous manner that allows the |
|
|
consumer to easily exercise a right provided under this chapter. |
|
|
(d) Subsection (c) does not authorize a business to make a |
|
|
material, retroactive change or other change to a business's |
|
|
privacy policy in a manner that would be a deceptive trade practice |
|
|
actionable under Subchapter E, Chapter 17. |
|
|
Sec. 541.102. ONLINE PRIVACY POLICY OR POLICY NOTICE. (a) |
|
|
A business that collects, sells, or for a business purpose |
|
|
discloses a consumer's personal information shall disclose the |
|
|
following information in the business's online privacy policy or |
|
|
other notice of the business's policies: |
|
|
(1) a description of a consumer's rights under |
|
|
Sections 541.051, 541.053, and 541.107 and designated methods for |
|
|
submitting a verifiable consumer request for information under this |
|
|
chapter; |
|
|
(2) for a business that collects personal information |
|
|
about consumers, a description of the consumer's right to request |
|
|
the deletion of the consumer's personal information; |
|
|
(3) separate lists containing the categories of |
|
|
consumers' personal information described by Section 541.002(12) |
|
|
that, during the 12 months preceding the date the business updated |
|
|
the information as required by Subsection (b), the business: |
|
|
(A) collected; |
|
|
(B) sold, if applicable; or |
|
|
(C) disclosed for a business purpose, if |
|
|
applicable; |
|
|
(4) the categories of sources from which the |
|
|
information under Subdivision (3) is collected; |
|
|
(5) the business or commercial purposes for collecting |
|
|
personal information; |
|
|
(6) if the business does not sell consumers' personal |
|
|
information or disclose the information for a business or |
|
|
commercial purpose, a statement of that fact; |
|
|
(7) the categories of third parties to whom the |
|
|
business sells or discloses personal information; |
|
|
(8) if the business sells consumers' personal |
|
|
information, the Internet link required by Section 541.054(b); and |
|
|
(9) if applicable, the financial incentives offered to |
|
|
consumers under Section 541.108. |
|
|
(b) If a business described by Subsection (a) does not have |
|
|
an online privacy policy or other notice of the business's |
|
|
policies, the business shall make the information required under |
|
|
Subsection (a) available to consumers on the business's Internet |
|
|
website or another website the business maintains that is dedicated |
|
|
to consumers in this state. |
|
|
(c) A business must update the information required by |
|
|
Subsection (a) at least once each year. |
|
|
Sec. 541.103. METHODS TO SUBMIT VERIFIABLE CONSUMER |
|
|
REQUEST. (a) A business shall designate and make available to |
|
|
consumers, in a form that is reasonably accessible, at least two |
|
|
methods for submitting a verifiable consumer request for |
|
|
information required to be disclosed or deleted under Subchapter B. |
|
|
The methods must include, at a minimum: |
|
|
(1) a toll-free telephone number that a consumer may |
|
|
call to submit the request; and |
|
|
(2) the business's Internet website at which the |
|
|
consumer may submit the request, if the business maintains an |
|
|
Internet website. |
|
|
(b) The methods designated under Subsection (a) may also |
|
|
include: |
|
|
(1) a mailing address; |
|
|
(2) an electronic mail address; |
|
|
(3) another Internet web page or portal; |
|
|
(4) other contact information; or |
|
|
(5) any consumer-friendly method approved by the |
|
|
attorney general under Section 541.009. |
|
|
(c) A business may not require a consumer to create an |
|
|
account with the business to submit a verifiable consumer request. |
|
|
Sec. 541.104. VERIFICATION OF CONSUMER REQUEST. (a) A |
|
|
business that receives a consumer request under Section 541.051 or |
|
|
541.053 shall promptly take steps to reasonably verify, in |
|
|
accordance with rules adopted under Section 541.009, that: |
|
|
(1) the consumer who is the subject of the request is a |
|
|
consumer about whom the business has collected, sold, or for a |
|
|
business purpose disclosed personal information; and |
|
|
(2) the request is made by: |
|
|
(A) the consumer; |
|
|
(B) a consumer on behalf of the consumer's minor |
|
|
child; or |
|
|
(C) a person authorized to act on the consumer's |
|
|
behalf. |
|
|
(b) A business may use any personal information collected |
|
|
from the consumer in connection with the business's verification of |
|
|
a request under this section solely to verify the request. |
|
|
(c) A business that is unable to verify a consumer request |
|
|
under this section is not required to comply with the request. |
|
|
Sec. 541.105. DISCLOSURE REQUIREMENTS. (a) Not later than |
|
|
the 45th day after the date a business receives a verifiable |
|
|
consumer request under Section 541.051 or 541.053, the business |
|
|
shall disclose free of charge to the consumer the information |
|
|
required to be disclosed under those sections. |
|
|
(b) A business may extend the time in which to comply with |
|
|
Subsection (a) once by an additional 45 days if reasonably |
|
|
necessary or by an additional 90 days after taking into account the |
|
|
number and complexity of verifiable consumer requests received by |
|
|
the business. A business that extends the time in which to comply |
|
|
with Subsection (a) shall notify the consumer of the extension and |
|
|
reason for the delay within the period prescribed by that |
|
|
subsection. |
|
|
(c) The disclosure required by Subsection (a) must: |
|
|
(1) cover personal information collected, sold, or |
|
|
disclosed for a business purpose, as applicable, during the 12 |
|
|
months preceding the date the business receives the request; and |
|
|
(2) be made in writing and delivered to the consumer: |
|
|
(A) by mail or electronically, at the consumer's |
|
|
option, if the consumer does not have an account with the business; |
|
|
or |
|
|
(B) through the consumer's account with the |
|
|
business. |
|
|
(d) An electronic disclosure under Subsection (c) must be in |
|
|
a readily accessible format that allows the consumer to |
|
|
electronically transmit the information to another person or |
|
|
entity. |
|
|
(e) A business is not required to make the disclosure |
|
|
required by Subsection (a) to the same consumer more than twice in a |
|
|
12-month period. |
|
|
(f) Notwithstanding Subsection (a), if a consumer's |
|
|
verifiable consumer request is manifestly baseless or excessive, in |
|
|
particular because of repetitiveness, a business may charge a |
|
|
reasonable fee after taking into account the administrative costs |
|
|
of compliance or refusal to comply with the request. The business |
|
|
has the burden of demonstrating that a request is manifestly |
|
|
baseless or excessive. |
|
|
(g) A business that does not comply with a consumer's |
|
|
verifiable consumer request under Subsection (a) shall notify the |
|
|
consumer, within the time the business is required to respond to a |
|
|
request under this section, of the reasons for the refusal and the |
|
|
rights the consumer may have to appeal that decision. |
|
|
Sec. 541.106. DEIDENTIFIED INFORMATION. (a) A business |
|
|
that uses deidentified information may not reidentify or attempt to |
|
|
reidentify a consumer who is the subject of deidentified |
|
|
information without obtaining the consumer's consent or |
|
|
authorization. |
|
|
(b) A business that uses deidentified information shall |
|
|
implement: |
|
|
(1) technical safeguards and business processes to |
|
|
prohibit reidentification of the consumer to whom the information |
|
|
may pertain; and |
|
|
(2) business processes to prevent inadvertent release |
|
|
of deidentified information. |
|
|
(c) This chapter may not be construed to require a business |
|
|
to reidentify or otherwise link information that is not maintained |
|
|
in a manner that would be considered personal information. |
|
|
Sec. 541.107. DISCRIMINATION PROHIBITED. (a) A business may |
|
|
not discriminate against a consumer because the consumer exercised |
|
|
a right under this chapter, including by: |
|
|
(1) denying a good or service to the consumer; |
|
|
(2) charging the consumer a different price or rate |
|
|
for a good or service, including denying the use of a discount or |
|
|
other benefit or imposing a penalty; |
|
|
(3) providing a different level or quality of a good or |
|
|
service to the consumer; or |
|
|
(4) suggesting that the consumer will be charged a |
|
|
different price or rate for, or provided a different level or |
|
|
quality of, a good or service. |
|
|
(b) This section does not prohibit a business from offering |
|
|
or charging a consumer a different price or rate for a good or |
|
|
service, or offering or providing to the consumer a different level |
|
|
or quality of a good or service, if the difference is reasonably |
|
|
related to the value provided to the consumer by the consumer's |
|
|
data. |
|
|
Sec. 541.108. FINANCIAL INCENTIVES. (a) Subject to |
|
|
Subsection (b), a business may offer a financial incentive to a |
|
|
consumer, including a payment as compensation, for the collection, |
|
|
sale, or disclosure of the consumer's personal information. |
|
|
(b) A business may enroll a customer in a financial |
|
|
incentive program only if the business provides to the consumer a |
|
|
clear description of the material terms of the program and obtains |
|
|
the consumer's prior opt-in consent, which: |
|
|
(1) contains a clear description of those material |
|
|
terms; and |
|
|
(2) may be revoked by the consumer at any time. |
|
|
(c) A business may not use financial incentive practices |
|
|
that are unjust, unreasonable, coercive, or usurious in nature. |
|
|
Sec. 541.109. CERTAIN ACTIONS TO AVOID REQUIREMENTS |
|
|
PROHIBITED. (a) A business may not divide a single transaction into |
|
|
more than one transaction with the intent to avoid the requirements |
|
|
of this chapter. |
|
|
(b) For purposes of this chapter, two or more substantially |
|
|
similar or related transactions are considered a single transaction |
|
|
if the transactions: |
|
|
(1) are entered into contemporaneously; and |
|
|
(2) have at least one common party. |
|
|
(c) A court shall disregard any intermediate transactions |
|
|
conducted by a business with the intent to avoid the requirements of |
|
|
this chapter, including the disclosure of information by a business |
|
|
to a third party to avoid complying with the requirements under this |
|
|
chapter applicable to a sale of the information. |
|
|
Sec. 541.110. INFORMATION REQUIRED. A business shall |
|
|
ensure that each person responsible for handling consumer inquiries |
|
|
about the business's privacy practices or compliance with this |
|
|
chapter is informed of the requirements of this chapter and of how |
|
|
to direct a consumer in exercising any of the rights to which a |
|
|
consumer is entitled under this chapter. |
|
|
SUBCHAPTER D. REMEDIES |
|
|
Sec. 541.151. CIVIL PENALTY; INJUNCTION. (a) A person who |
|
|
violates this chapter is liable to this state for a civil penalty in |
|
|
an amount not to exceed: |
|
|
(1) $2,500 for each violation; or |
|
|
(2) $7,500 for each violation, if the violation is |
|
|
intentional. |
|
|
(b) If it appears to the attorney general that a person is |
|
|
engaging in, has engaged in, or is about to engage in conduct that |
|
|
violates this chapter, the attorney general may give notice to the |
|
|
person of the alleged violation. If the person fails to cure the |
|
|
alleged violation before the 30th day after the date notice is |
|
|
given, the attorney general may bring an action in the name of the |
|
|
state against the person to restrain the violation by a temporary |
|
|
restraining order or by a permanent or temporary injunction or to |
|
|
recover the civil penalty imposed under this section, or both. |
|
|
(c) The attorney general is entitled to recover reasonable |
|
|
expenses, including reasonable attorney's fees, court costs, and |
|
|
investigatory costs, incurred in obtaining injunctive relief or |
|
|
civil penalties, or both, under this section. Amounts collected |
|
|
under this section shall be deposited in a dedicated account in the |
|
|
general revenue fund and may be appropriated only for the purposes |
|
|
of the administration and enforcement of this chapter. |
|
|
Sec. 541.152. BUSINESS IMMUNITY FROM LIABILITY. A business |
|
|
that discloses to a third party, or discloses for a business purpose |
|
|
to a service provider, a consumer's personal information in |
|
|
compliance with this chapter may not be held liable for a violation |
|
|
of this chapter by the third party or service provider if the |
|
|
business does not have actual knowledge or a reasonable belief that |
|
|
the third party or service provider intends to violate this |
|
|
chapter. |
|
|
Sec. 541.153. SERVICE PROVIDER IMMUNITY FROM LIABILITY. A |
|
|
business's service provider may not be held liable for a violation |
|
|
of this chapter by the business. |
|
|
SECTION 2. This Act takes effect September 1, 2020. |