BILL ANALYSIS

S.B. 2105

By: Johnson

Business & Industry

Committee Report (Unamended)

BACKGROUND AND PURPOSE

Data brokers are key players in collecting and selling personal data to third parties. These third parties can be companies looking to advertise their businesses or any person interested in information about someone and willing to pay for it. Data brokers may take advantage of the lack of adequate data privacy safeguards enshrined in both federal and state law, which could put vulnerable populations, such as survivors of domestic violence, victims of human trafficking, youths, and elderly individuals, at risk for fraud or abuse. S.B. 2105 seeks to create a comprehensive framework to regulate data brokers and empower Texans to control the collection and sale of their personal information to these entities.

CRIMINAL JUSTICE IMPACT

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

RULEMAKING AUTHORITY

It is the committee's opinion that rulemaking authority is expressly granted to the secretary of state in SECTION 1 of this bill.

ANALYSIS

S.B. 2105 amends the Business & Commerce Code to establish provisions relating to the registration of and certain other requirements relating to applicable data brokers, as defined by the bill.

Notice and Registration Requirements

S.B. 2105 requires a data broker that maintains a website or mobile application to post a conspicuous notice on the website or application that meets the following criteria:

· states that the entity maintaining the website or application is a data broker;

· is clear, not misleading, and readily accessible by the general public, including individuals with a disability; and

· contains language provided by rule of the secretary of state for inclusion in the notice.

The bill requires a data broker, in order to conduct business in Texas, to register with the secretary of state by filing a registration statement and paying a registration fee of $300. The registration statement must include the following information:

· the legal name of the data broker;

· a contact person and the primary physical address, email address, telephone number, and website address for the data broker;

· a description of the categories of data the data broker processes and transfers;

· a statement of whether or not the data broker implements a purchaser credentialing process;

· if the data broker has actual knowledge that the data broker possesses personal data of a known child:

o a statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the personal data of a known child; and

o a statement on how the data broker complies with applicable federal and state law regarding the collection, use, or disclosure of personal data from and about a child on the Internet; and

· the number of security breaches the data broker has experienced during the year immediately preceding the year in which the registration is filed, and if known, the total number of consumers affected by each breach.

The bill authorizes a registration of a data broker to include any additional information or explanation the broker chooses to provide to the secretary of state concerning the broker's data collection practices. The bill establishes that a registration certificate expires on the first anniversary of its date of issuance and authorizes a data broker to renew a registration certificate by filing a renewal application, in the form prescribed by the secretary of state, and paying a $300 renewal fee.

S.B. 2105 requires the secretary of state to establish and maintain on its website a searchable, central registry of data brokers registered with the secretary of state under the bill's provisions that includes a search feature that allows a person searching the registry to identify a specific data broker and for each data broker, the information included in the filed registration statement.

Protection of Personal Data: Comprehensive Information Security Program

The bill establishes that a data broker conducting business in Texas has a duty to protect personal data held by that broker as provided by the bill's provisions. The bill requires a data broker to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for the broker's size, scope, and type of business; the amount of resources available to the broker; the amount of data stored by the data broker; and the need for security and confidentiality of personal data stored by the broker.

S.B. 2105 requires the comprehensive information security program to do the following:

· incorporate safeguards that are consistent with the safeguards for protection of personal data and information of a similar character under state or federal laws and regulations applicable to the data broker;

· include the designation of one or more employees of the data broker to maintain the program;

· require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal data, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by:

o requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the data broker, on the proper use of security procedures and protocols and the importance of personal data security;

o mandating employee compliance with policies and procedures established under the program; and

o providing a means for detecting and preventing security system failures;

· include security policies for the data broker's employees relating to the storage, access, and transportation of records containing personal data outside of the broker's physical business premises;

· provide disciplinary measures for violations of a policy or procedure established under the program;

· include measures for preventing a terminated employee from accessing records containing personal data;

· provide policies for the supervision of third-party service providers that include:

o taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal data consistent with applicable law; and

o requiring third-party service providers by contract to implement and maintain appropriate security measures for personal data;

· provide reasonable restrictions on physical access to records containing personal data, including by requiring the records containing the data to be stored in a locked facility, storage area, or container;

· include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal data and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal data;

· require the regular review of the scope of the program's security measures that must occur at least annually and whenever there is a material change in the data broker's business practices that may reasonably affect the security or integrity of records containing personal data;

· require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory post-incident review of each event and the actions taken, if any, to make changes in business practices relating to protection of personal data in response to that event; and

· to the extent technically feasible, include the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal data:

o the use of secure user authentication protocols that include each of the following features: controlling user log-in credentials and other identifiers; using a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices; controlling data security passwords to ensure that the passwords are kept in a location and format that do not compromise the security of the data the passwords protect; restricting access to only active users and active user accounts; and blocking access to user credentials or identification after multiple unsuccessful attempts to gain access;

o the use of secure access control measures that include restricting access to records and files containing personal data to only employees or contractors who need access to that personal data to perform the job duties of the employees or contractors and assigning to each employee or contractor with access to a computer containing personal data unique identification and a password, which may not be a vendor-supplied default password, or using another protocol reasonably designed to maintain the integrity of the security of the access controls to personal data;

o encryption of transmitted records and files containing personal data that will travel across public networks and data containing personal data that is transmitted wirelessly;

o reasonable monitoring of systems for unauthorized use of or access to personal data;

o encryption of all personal data stored on laptop computers or other portable devices;

o for files containing personal data on a system that is connected to the Internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal data; and

o the use of a reasonably current version of system security agent software that must include malware protection and reasonably current patches and virus definitions or a version of system security agent software that is supportable with current patches and virus definitions and is set to receive the most current security updates on a regular basis.

Civil Penalty and Deceptive Trade Practice

S.B. 2105 makes a data broker that violates the bill's notice or registration requirements liable to the state for a civil penalty, which may not be in an amount less than the total of $100 for each day the entity is in violation of the requirements and the amount of unpaid registration fees for each year the entity failed to register, provided that the penalty may not exceed $10,000 assessed against the same broker in a 12-month period. The bill authorizes the attorney general to bring an action to recover the civil penalty and to recover reasonable attorney's fees and court costs incurred in bringing the action. The bill establishes that a violation of its provisions relating to the protection of personal data by a data broker and to the comprehensive information security program constitutes a deceptive trade practice in addition to the practices described by the Deceptive Trade Practices-Consumer Protection Act and is actionable under that act.

Applicability Provisions

S.B. 2105 applies to personal data from an individual that is collected, transferred, or processed by a data broker, except for the following data:

· deidentified data, if the data broker:

o takes reasonable technical measures to ensure that the data is not able to be used to identify an individual with whom the data is associated;

o publicly commits in a clear and conspicuous manner to process and transfer the data solely in a deidentified form without any reasonable means for reidentification and to not attempt to identify the information to an individual with whom the data is associated; and

o contractually obligates a person that receives the information from the provider to comply with this exception provision with respect to the information and to require that those contractual obligations be included in any subsequent transfer of the data to another person;

· employee data;

· publicly available information;

· inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive data with respect to an individual; or

· data subject to Title V of the federal Gramm-Leach-Bliley Act.

S.B. 2105 applies only to a data broker that, in a 12-month period, derives more than 50 percent of the broker's revenue from processing or transferring personal data that the broker did not collect directly from the individuals to whom the data pertains or derives revenue from processing or transferring the personal data of more than 50,000 individuals that the data broker did not collect directly from the individuals to whom the data pertains. The bill's provisions do not apply to the following persons or entities:

· a service provider, including a service provider that engages in the business of processing employee data for a third-party employer for the sole purpose of providing benefits to the third-party employer's employees;

· a person or entity that collects personal data from another person or entity to which the person or entity is related by common ownership or corporate control, provided a reasonable consumer would expect the persons or entities to share data;

· a federal, state, tribal, territorial, or local governmental entity, including a body, authority, board, bureau, commission, district, agency, or political subdivision of a governmental entity;

· an entity that serves as a congressionally designated nonprofit, national resource center, or clearinghouse to provide assistance to victims, families, child-serving professionals, and the general public on missing and exploited children issues;

· a consumer reporting agency or other person or entity that furnishes information for inclusion in a consumer credit report or obtains a consumer credit report, but only to the extent the person or entity engages in activity regulated or authorized by the federal Fair Credit Reporting Act, including the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; or

· a financial institution subject to Title V of the federal Gramm-Leach-Bliley Act.

Definitions

S.B. 2105 defines the following terms for purposes of the bill's provisions:

· "biometric data" as data generated by automatic measurements of an individual's biological patterns or characteristics, including fingerprint, voiceprint, retina or iris scan, information pertaining to an individual's DNA, or another unique biological pattern or characteristic that is used to identify a specific individual;

· "child" as an individual younger than 13 years of age;

· "collect," in the context of data, as to obtain, receive, access, or otherwise acquire the data by any means, including by purchasing or renting the data;

· "data broker" as a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data;

· "deidentified data" as data that cannot reasonably be linked to an identified or identifiable individual or to a device linked to that individual;

· "employee" as including an individual who is a director, officer, staff member, trainee, volunteer, or intern of an employer or an individual working as an independent contractor for an employer, regardless of whether the individual is paid, unpaid, or employed on a temporary basis. The term does not include an individual contractor who is a service provider;

· "employee data" means information collected, processed, or transferred by an employer if the information:

o is related to a job applicant and was collected during the course of the hiring and application process, to an employee who is acting in a professional capacity for the employer, including the employee's business contact information such as the employee's name, position, title, business telephone number, business address, or business email address, to an employee's emergency contact information, or to an employee or the employee's spouse, dependent, covered family member, or beneficiary; and

o was collected, processed, or transferred solely for a purpose relating to the status of a job applicant as a current or former job applicant of the employer, to the professional activities of an employee on behalf of the employer, of having an emergency contact on file for an employee and for transferring the information in case of an emergency, and of administering benefits to which an employee is entitled or to which another person is entitled on the basis of the employee's position with the employer;

· "genetic data" as any data, regardless of format, concerning an individual's genetic characteristics, including raw sequence data derived from sequencing all or a portion of an individual's extracted DNA and genotypic and phenotypic information obtained from analyzing an individual's raw sequence data;

· "individual" as a natural person residing in Texas;

· "known child" as a child under circumstances where a data broker has actual knowledge of, or wilfully disregards obtaining actual knowledge of, the child's age;

· "personal data" as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data when the information is used by a controller or processor in conjunction with additional information that reasonably links the information to an identified or identifiable individual, but excluding deidentified data, employee data, or publicly available information;

· "precise geolocation data" as information accessed on a device or technology that shows the past or present physical location of an individual or the individual's device with sufficient precision to identify street-level location information of the individual or device in a range of not more than 1,850 feet, but excluding location information regarding an individual or device identifiable or derived solely from the visual content of a legally obtained image, including the location of a device that captured the image;

· "process," in the context of data, as an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data;

· "publicly available information" as information that:

o is lawfully made available through government records;

o a business has a reasonable basis to believe is lawfully available to the general public through widely distributed media; or

o is lawfully made available by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted access to the information to a specific audience;

· "sensitive data" as:

o a government-issued identifier not required by law to be available publicly, including a social security number, passport number, or driver's license number;

o information that describes or reveals an individual's mental or physical health diagnosis, condition, or treatment;

o an individual's financial information, except the last four digits of a debit or credit card number, including a financial account number, credit or debit card number, or information that describes or reveals the income level or bank account balances of the individual;

o biometric data;

o genetic data;

o precise geolocation data;

o an individual's private communication that, if made using a device, is not made using a device provided by the individual's employer that provides conspicuous notice to the individual that the employer may access communication made using the device, and that includes, unless the data broker is the sender or an intended recipient of the communication, the individual's voicemails, emails, texts, direct messages, or mail, information that identifies the parties involved in the communications, and information that relates to the transmission of the communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call;

o a log-in credential, security code, or access code for an account or device;

o information identifying the sexual behavior of the individual in a manner inconsistent with the individual's reasonable expectation regarding the collection, processing, or transfer of the information;

o calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private use by an individual and stored on the individual's device or in another location and not communicated using a device provided by the individual's employer unless the employee was provided conspicuous notice that the employer may access communication made using the device;

o a photograph, film, video recording, or other similar medium that shows the individual or a part of the individual nude or wearing undergarments;

o information revealing the video content requested or selected by an individual that is not collected by a provider of broadcast television service, cable service, satellite service, streaming media service, or other video programming, as that term is defined by certain federal law, or used solely for transfers for independent video measurement;

o information regarding a known child;

o information revealing an individual's racial or ethnic origin, color, religious beliefs, or union membership;

o information identifying an individual's online activities over time accessing multiple Internet websites or online services; or

o information collected, processed, or transferred for the purpose of identifying information defined by the bill as sensitive information;

· "service provider" as a person that receives, collects, processes, or transfers personal data on behalf of, and at the direction of, a business or governmental entity, including a business or governmental entity that is another service provider, in order for the person to perform a service or function with or on behalf of the business or governmental entity; and

· "transfer," in the context of data, as to disclose, release, share, disseminate, make available, sell, or license the data by any means or medium.

The bill's provisions apply only to the collection, processing, or transfer of personal data by a data broker on or after December 1, 2023.

Rulemaking Authority

S.B. 2105 requires the secretary of state to adopt rules as necessary to implement the bill's provisions and to adopt not later than December 1, 2023, rules necessary to facilitate registration by a data broker under the bill's provisions, including by incorporating into the rules adequate time for a data broker to comply with the bill's provisions, following the adoption of the rules.

EFFECTIVE DATE

September 1, 2023.