88R13525 MLH-D
 
  By: Martinez Fischer H.B. No. 4854
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the authority of individuals over the personal
  identifying information collected, processed, or maintained about
  the individuals and certain others by certain businesses.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Title 11, Business & Commerce Code, is amended by
  adding Subtitle C to read as follows:
  SUBTITLE C. PERSONAL IDENTIFYING INFORMATION
  CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR
  COLLECTED BY CERTAIN BUSINESSES
  SUBCHAPTER A. GENERAL PROVISIONS
         Sec. 541.001.  DEFINITIONS. In this chapter:
               (1)  "Business" means a for-profit entity, including a
  sole proprietorship, partnership, limited liability company,
  corporation, association, or other legal entity that is organized
  or operated for the profit or financial benefit of the entity's
  shareholders or other owners.
               (2)  "Personal identifying information" means a
  category of information relating to an identified or identifiable
  individual. The term does not include a specific category of
  personal identifying information that the attorney general exempts
  from this definition by rule. The term includes:
                     (A)  a social security number;
                     (B)  a driver's license number, passport number,
  military identification number, or any other similar number issued
  on a government document and used to verify an individual's
  identity;
                     (C)  a financial account number, credit or debit
  card number, or any security code, access code, or password that is
  necessary to permit access to an individual's financial account;
                     (D)  unique biometric information, including a
  fingerprint, voice print, retina or iris image, or any other unique
  physical representation;
                     (E)  physical or mental health information,
  including health care information;
                     (F)  the private communications or other
  user-created content of an individual that is not publicly
  available;
                     (G)  religious affiliation or practice
  information;
                     (H)  racial or ethnic origin information;
                     (I)  precise geolocation tracking data; and
                     (J)  unique genetic information.
               (3)  "Processing" means any operation or set of
  operations that are performed on personal identifying information
  or on sets of personal identifying information, including the
  collection, creation, generation, recording, organization,
  structuring, storage, adaptation, alteration, retrieval,
  consultation, use, disclosure, transfer, or dissemination of the
  information or otherwise making the information available.
               (4)  "Third party" means a person engaged by a business
  to process, on behalf of the business, personal identifying
  information collected by the business.
         Sec. 541.002.  APPLICABILITY. (a) This chapter applies
  only to a business that:
               (1)  does business in this state;
               (2)  has more than 50 employees;
               (3)  collects the personal identifying information of
  more than 5,000 individuals, households, or devices or has that
  information collected on the business's behalf; and
               (4)  satisfies one or more of the following thresholds:
                     (A)  has annual gross revenue in an amount that
  exceeds $25 million; or
                     (B)  derives 50 percent or more of the business's
  annual revenue by processing personal identifying information.
         (b)  Except as provided by Subsection (c), this chapter
  applies only to personal identifying information that is:
               (1)  collected over the Internet or any other digital
  network or through a computing device that is associated with or
  routinely used by an end user; and
               (2)  linked or reasonably linkable to a specific end
  user.
         (c)  This chapter does not apply to personal identifying
  information that is:
               (1)  collected solely for facilitating the
  transmission, routing, or connections by which digital personal
  identifying information and other data is transferred between or
  among businesses; or
               (2)  transmitted to and from the individual to whom the
  personal identifying information relates if the collector of the
  information does not access, review, or modify the content of the
  information, or otherwise perform or conduct any analytical,
  algorithmic, or machine learning processes on the information.
         Sec. 541.003.  EXEMPTIONS. This chapter does not apply to:
               (1)  publicly available information;
               (2)  protected health information governed by Chapter
  181, Health and Safety Code, or collected by a covered entity or a
  business associate of a covered entity, as those terms are defined
  by 45 C.F.R. Section 160.103, that is governed by the privacy,
  security, and breach notification rules in 45 C.F.R. Parts 160 and
  164 adopted by the United States Department of Health and Human
  Services under the Health Insurance Portability and Accountability
  Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American
  Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5);
               (3)  personal identifying information collected by a
  consumer reporting agency, as defined by Section 20.01, if the
  information is to be:
                     (A)  reported in or used to generate a consumer
  report, as defined by Section 1681a(d) of the Fair Credit Reporting
  Act (15 U.S.C. Section 1681 et seq.); and
                     (B)  used solely for a purpose authorized under
  that Act;
               (4)  personal identifying information processed in
  accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102)
  and its implementing regulations; or
               (5)  education information that is not publicly
  available personally identifiable information under the Family
  Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
  1232g) (34 C.F.R. Part 99).
         Sec. 541.004.  RULES. The attorney general shall adopt
  rules necessary to implement, administer, and enforce this chapter.
  SUBCHAPTER B. AUTHORITY OF INDIVIDUALS TO ACCESS AND DELETE CERTAIN
  INFORMATION
         Sec. 541.051.  ACCESS TO INFORMATION; DATA PORTABILITY. (a)
  An individual is entitled to:
               (1)  access and obtain personal identifying
  information related to the individual or someone for whom the
  individual is a legal representative or guardian that is collected
  by a business; and
               (2)  at the option of the individual, transfer personal
  identifying information from one business to another business,
  including in connection with the sale of that information under a
  contract described by Subchapter C.
         (b)  A business shall allow an individual to promptly and
  reasonably obtain:
               (1)  confirmation of whether personal identifying
  information concerning the individual or someone for whom the
  individual is a legal representative or guardian is processed by
  the business;
               (2)  a description of the categories of personal
  identifying information processed by the business;
               (3)  an explanation in plain language of the specific
  types of personal identifying information collected by the
  business;
               (4)  a description of the inferences the business has
  drawn about the individual or someone for whom the individual is a
  personal representative or guardian from the information collected
  by the business; and
               (5)  access to the individual's personal identifying
  information, including in accordance with Subsection (c), a copy of
  the individual's personal identifying information in a portable and
  transferable format.
         (c)  On request of an individual, a business shall without
  undue delay provide the individual with all personal identifying
  information collected by the business that relates to the
  individual or someone for whom the individual is a legal
  representative or guardian. The business shall provide the
  requested information to an individual under this section in a
  portable, readily usable format that may be transferred, including
  in connection with the sale of the information, by the individual to
  another business.
         Sec. 541.052.  DELETION OF PERSONAL IDENTIFYING
  INFORMATION. (a) An individual is entitled to request that a
  business delete personal identifying information collected by the
  business that relates to that individual or someone for whom the
  individual is a legal representative or guardian.
         (b)  If an individual who maintains an account with a
  business closes the account, the business shall:
               (1)  stop processing the individual's personal
  identifying information on the date the individual closes the
  account; and
               (2)  not later than the one-year anniversary of the
  date the account is closed, permanently delete the individual's
  personal identifying information unless retention of the
  information is required by other law or is necessary to comply with
  other law.
         (c)  If an individual makes a request for a business to
  delete personal identifying information under this section, and
  that business has provided the personal identifying information to
  a third party, the business shall notify the third party of the
  individual's request. The third party shall delete the individual's
  personal identifying information not later than the one-year
  anniversary of the date the third party received the notification
  under this subsection.
  SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS
         Sec. 541.101.  DEFINITION. In this subchapter, "data
  stream" means the continuous transmission of an individual's
  personal identifying information through online activity or with a
  device connected to the Internet that can be used by the business to
  provide for the monetization of the information, customer
  relationship management, or continuous identification of an
  individual for commercial purposes.
         Sec. 541.102.  APPLICABILITY. This subchapter applies only
  to a contract between a business and an individual under which, as a
  term of the contract, the individual allows the business to
  collect, store, or use the individual's personal identifying
  information.
         Sec. 541.103.  CONSIDERATION UNDER CONTRACT. (a)  An
  individual may provide the individual's data stream or information
  obtained by the individual under Section 541.051 as consideration
  under a contract.
         (b)  A business may provide consideration in the form of
  money or other incentive, including as an incentive to purchase
  goods or services, under a contract that is reasonably related to
  the value of the information or access offered by the individual
  under the contract. This subsection does not prohibit a business
  from differentiating the consideration offered to individuals
  based on information or access offered by individuals, including
  offering different individuals different prices or rates for goods
  or services or providing different levels of quality for goods or
  services based on the information and access offered by
  individuals.
         Sec. 541.104.  CONTRACT REQUIREMENTS. (a)  A contract
  subject to this subchapter:
               (1)  must clearly state the terms, including the
  duration, of the contract; and
               (2)  may not:
                     (A)  require that the individual exclusively
  contract with the business or otherwise restrict the individual's
  ability to sell the individual's personal identifying information;
  and
                     (B)  prevent the individual from receiving or
  considering alternative offers to purchase the individual's
  personal identifying information.
         (b)  A contract provision that violates Subsection (a)(2) is
  void and unenforceable.
         SECTION 2.  (a) Except as provided by Subsection (b) of this
  section, this Act takes effect September 1, 2023.
         (b)  Section 541.052, Business & Commerce Code, as added by
  this Act, takes effect January 1, 2024.