By: Cain H.B. No. 4705
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to collection and use of biometric identifiers and
  biometric information.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  SHORT TITLE. This Act may be cited as the
  Biometric Data Privacy Act of 2023.
         SECTION 2.  FINDINGS. The legislature finds that:
               (1)  The use of biometrics is growing in the business
  and security screening sectors and appears to promise streamlined
  financial transactions and security screenings.
               (2)  Major national corporations have selected the City
  of Chicago and other locations in this State as pilot testing sites
  for new applications of biometric-facilitated financial
  transactions, including finger-scan technologies at grocery
  stores, gas stations, and school cafeterias.
               (3)  Biometrics are unlike other unique identifiers
  that are used to access finances or other sensitive information.
  For example, social security numbers, when compromised, can be
  changed. Biometrics, however, are biologically unique to the
  individual; therefore, once compromised, the individual has no
  recourse, is at heightened risk for identity theft, and is likely to
  withdraw from biometric-facilitated transactions.
               (4)  An overwhelming majority of members of the public
  are weary of the use of biometrics when such information is tied to
  finances and other personal information.
               (5)  Despite limited State law regulating the
  collection, use, safeguarding, and storage of biometrics, many
  members of the public are deterred from partaking in biometric
  identifier-facilitated transactions.
               (6)  The full ramifications of biometric technology are
  not fully known.
               (7)  The public welfare, security, and safety will be
  served by regulating the collection, use, safeguarding, handling,
  storage, retention, and destruction of biometric identifiers and
  information.
         SECTION 3.  Chapter 503, Business and Commerce Code, is
  amended by adding Section 503.0001 to read as follows:
         Sec. 503.0001.  DEFINITIONS. In this chapter: (1)
  "Biometric identifier" means a retina or iris scan, palm or
  vascular vein, heartbeat, fingerprint, voiceprint, key strokes,
  signature, gait, or record or scan of hand or face geometry.
  Biometric identifier does not include a digital or physical
  photograph, an audio or video recording, or any data generated from
  a digital or physical photograph, or an audio or video recording,
  unless the photograph, recording, or data is generated to identify
  a specific individual.
               (2)  "Biometric information" means any information,
  regardless of how it is captured, converted, stored, or shared,
  based on an individual's biometric identifier used to identify an
  individual. Biometric information does not include information
  derived from items or procedures excluded under the definition of
  biometric identifiers.
               (3)  "Person" means any individual, partnership,
  association, corporation, or other private legal entity.
               (4)  "Written release" means informed written consent
  or, in the context of employment, a release executed by an employee
  as a condition of employment.
         SECTION 4.  Section 503.001, Business and Commerce Code, is
  amended to read as follows:
         Sec. 503.001.  CAPTURE OR USE OF BIOMETRIC IDENTIFIER OR
  BIOMETRIC INFORMATION. (a) [In this section, "biometric
  identifier" means a retina or iris scan, fingerprint, voiceprint,
  or record of hand or face geometry.]
         [(b)]  A person may not capture a biometric identifier or
  biometric information of an individual for a commercial purpose
  unless the person first:
               (1)  informs the individual or the individual's legally
  authorized representative in writing that a [before capturing the]
  biometric identifier or biometric information is being collected or
  stored; [and]
               (2)  informs the individual or the individual's legally
  authorized representative in writing of the specific purpose and
  the length of term for which a biometric identifier or biometric
  information is being collected, stored, and used; and
               (3)  receives a written release executed by the
  individual['s] or the individual's legally authorized
  representative [consent to capture the biometric identifier].
         (b)[(c)]  A person who possesses a biometric identifier or
  biometric information of an individual that is captured for a
  commercial purpose:
               (1)  may not sell, lease, trade, disclose, redisclose,
  or otherwise disseminate an individual's [disclose the] biometric
  identifier or biometric information to another person unless:
                     (A)  the individual or the individual's legally
  authorized representative consents to the disclosure for
  identification purposes in the event of the individual's
  disappearance or death;
                     (B)  the disclosure or redisclosure completes a
  financial transaction tihat the individual or the individual's
  legally authorized representative requested or authorized;
                     (C)  the disclosure is required or permitted by a
  federal statute or by a state statute other than Chapter 552,
  Government Code; or
                     (D)  the disclosure is made by or to a law
  enforcement agency for a law enforcement purpose in response to a
  warrant or subpoena issued by a court of competent jurisdiction;
               (2)  shall store, transmit, and protect from disclosure
  all [the] biometric identifiers or biometric information using
  reasonable care and in a manner that is the same as or more
  protective than the manner in which the person stores, transmits,
  and protects any other confidential information the person
  possesses; and
               (3)  shall permanently destroy the biometric
  identifiers and biometric information within a reasonable time, but
  not later than the first anniversary of the date the purpose for
  collecting or obtaining the identifiers or information expires,
  except as provided by Subsection (c) [(c-1)].
         (c) [(c-1)]  If a biometric identifier or biometric
  information of an individual captured or collected for a commercial
  purpose is used in connection with an instrument or document that is
  required by another law to be maintained for a period longer than
  the period prescribed by Subsection (b)(3) [(c)(3)], the person who
  possesses the biometric identifier or biometric information shall
  permanently destroy the biometric identifier or biometric
  information within a reasonable time, but not later than the first
  anniversary of the date the instrument or document is no longer
  required to be maintained by law.
         (c-1) [(c-2)]  If a biometric identifier or biometric
  information captured for a commercial purpose has been collected
  for security purposes by an employer, the purpose for collecting
  the identifier or information under Subsection (b)(3) [(c)(3)] is
  presumed to expire on termination of the employment relationship.
         (d)  A person who violates this section is subject to a civil
  penalty of not more than $25,000 for each violation. The attorney
  general, or an individual affected by a violation of this section,
  may bring an action to recover the civil penalty.
         (e)  This section does not apply to voiceprint data retained
  by a financial institution or an affiliate of a financial
  institution, as those terms are defined by 15 U.S.C. Section 6809.
         SECTION 5.  The change in law made by this Act to Section
  503.001, Business & Commerce Code, applies only to a violation that
  occurs on or after the effective date of this Act. A violation that
  occurs before the effective date of this Act is governed by the law
  in effect on the date the violation occurred, and the former law is
  continued in effect for that purpose.
         SECTION 6.  This Act takes effect on September 1, 2023.