88R9015 JES-F
 
  By: Holland H.B. No. 4917
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the regulation of third-party data collection entities;
  providing a civil penalty and authorizing a fee.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subtitle A, Title 11, Business & Commerce Code,
  is amended by adding Chapter 509 to read as follows:
  CHAPTER 509.  THIRD-PARTY DATA COLLECTION
         Sec. 509.001.  DEFINITIONS. In this chapter:
               (1)  "Biometric identifier" has the meaning assigned by
  Section 503.001.
               (2)  "Child" means an individual younger than 18 years
  of age.
               (3)  "Collect," in the context of data, means to
  obtain, receive, access, or otherwise acquire the data by any
  means, including by purchasing or renting the data.
               (4)  "Covered data" means personal identifying
  information to which this chapter applies as provided by Section
  509.002.
               (5)  "Deidentified data" means information that does
  not identify and is not linked or cannot reasonably be linked to an
  individual or to a device linked to that individual, regardless of
  whether the information is aggregated.
               (6)  "Employee" includes an individual who is a
  director, officer, staff member, trainee, volunteer, or intern of
  an employer or an individual working as an independent contractor
  for an employer, regardless of whether the individual is paid,
  unpaid, or employed on a temporary basis. The term does not include
  an individual contractor who is a service provider.
               (7)  "Employee data" means information collected,
  processed, or transferred by an employer if the information:
                     (A)  is related to:
                           (i)  a job applicant and was collected
  during the course of the hiring and application process;
                           (ii)  an employee who is acting in a
  professional capacity for the employer, including the employee's
  business contact information such as the employee's name, position,
  title, business telephone number, business address, or business
  e-mail address;
                           (iii)  an employee's emergency contact
  information; or
                           (iv)  an employee or the employee's spouse,
  dependent, covered family member, or beneficiary; and
                     (B)  was collected, processed, or transferred
  solely for:
                           (i)  a purpose relating to the status of a
  person described by Paragraph (A)(i) as a current or former job
  applicant of the employer;
                           (ii)  a purpose relating to the professional
  activities of an employee described by Paragraph (A)(ii) on behalf
  of the employer;
                           (iii)  the purpose of having an emergency
  contact on file for an employee described by Paragraph (A)(iii) and
  for transferring the information in case of an emergency; and
                           (iv)  the purpose of administering benefits
  to which an employee described by Paragraph (A)(iv) is entitled or
  to which another person described by that paragraph is entitled on
  the basis of the employee's position with the employer.
               (8)  "Genetic data" means any data, regardless of
  format, concerning an individual's genetic characteristics. The
  term includes:
                     (A)  raw sequence data derived from sequencing all
  or a portion of an individual's extracted DNA; and
                     (B)  genotypic and phenotypic information
  obtained from analyzing an individual's raw sequence data.
               (9)  "Personal identifying information" has the
  meaning assigned by Section 521.002.
               (10)  "Precise geolocation data" means information
  accessed on a device or technology that shows the past or present
  physical location of an individual or the individual's device with
  sufficient precision to identify street-level location information
  of the individual or device in a range of not more than 1,850 feet.  
  The term does not include location information regarding an
  individual or device identifiable or derived solely from the visual
  content of a legally obtained image, including the location of a
  device that captured the image.
               (11)  "Process," in the context of data, means to
  conduct or direct any operation or set of operations performed on
  the data, including using, storing, or otherwise handling the data.
               (12)  "Publicly available information" means
  information:
                     (A)  that a business entity or service provider
  reasonably believes is lawfully available to the general public:
                           (i)  from a governmental record, unless use
  of the information by the business entity violates the governmental
  entity's restriction or terms of use for that information;
                           (ii)  from widely distributed media,
  including information from:
                                 (a)  a telephone book or online
  directory;
                                 (b)  a television, Internet, or radio
  program;
                                 (c)  the news media; or
                                 (d)  a generally available Internet
  website or online service on which the relevant information has not
  been restricted to a specific audience;
                           (iii)  from a disclosure as required by law;
  or
                           (iv)  by visual observation in a public
  place, other than data collected by a device in the individual's
  possession; and
                     (B)  that is not:
                           (i)  an obscene visual depiction under 18
  U.S.C. Section 1460;
                           (ii)  an inference:
                                 (a)  made exclusively from multiple
  independent sources of publicly available information; and
                                 (b)  that does not disclose an
  individual's sensitive information;
                           (iii)  a biometric identifier; 
                           (iv)  combined with personal identifying
  information;
                           (v)  genetic information not disclosed by
  the individual in a manner provided by Paragraph (A); or
                           (vi)  a nonconsensual intimate image, if
  known to be nonconsensual.
               (13)  "Sensitive covered data" means:
                     (A)  a government-issued identifier not required
  by law to be available publicly, including:
                           (i)  a social security number;
                           (ii)  a passport number; or
                           (iii)  a driver's license number;
                     (B)  information that describes or reveals an
  individual's mental or physical health diagnosis, condition, or
  treatment;
                     (C)  an individual's financial information,
  except the last four digits of a debit or credit card number,
  including:
                           (i)  a financial account number;
                           (ii)  a credit or debit card number; or
                           (iii)  information that describes or reveals
  the income level or bank account balances of the individual;
                     (D)  a biometric identifier;
                     (E)  genetic data;
                     (F)  precise geolocation data;
                     (G)  an individual's private communication that:
                           (i)  if made using a device, is not made
  using a device provided by the individual's employer that provides
  conspicuous notice to the individual that the employer may access
  communication made using the device; and
                           (ii)  includes, unless the third-party data
  collection entity is the sender or an intended recipient of the
  communication:
                                 (a)  the individual's voicemails,
  e-mails, texts, direct messages, or mail;
                                 (b)  information that identifies the
  parties involved in the communications; and
                                 (c)  information that relates to the
  transmission of the communications, including telephone numbers
  called, telephone numbers from which calls were placed, the time
  calls were made, call duration, and location information of the
  parties to the call;
                     (H)  a log-in credential, security code, or access
  code for an account or device;
                     (I)  information identifying the sexual behavior
  of the individual in a manner inconsistent with the individual's
  reasonable expectation regarding the collection, processing, or
  transfer of the information;
                     (J)  calendar information, address book
  information, phone or text logs, photos, audio recordings, or
  videos:
                           (i)  maintained for private use by an
  individual and stored on the individual's device or in another
  location; and
                           (ii)  not communicated using a device
  provided by the individual's employer unless the employee was
  provided conspicuous notice that the employer may access
  communication made using the device;
                     (K)  a photograph, film, video recording, or other
  similar medium that shows the individual or a part of the individual
  nude or wearing undergarments;
                     (L)  information revealing the video content
  requested or selected by an individual that is not:
                           (i)  collected by a provider of broadcast
  television service, cable service, satellite service, streaming
  media service, or other video programming, as that term is defined
  by 47 U.S.C. Section 613(h)(2); or
                           (ii)  used solely for transfers for
  independent video measurement;
                     (M)  information regarding a known child;
                     (N)  information revealing an individual's racial
  or ethnic origin, color, religious beliefs, or union membership;
                     (O)  information identifying an individual's
  online activities over time accessing multiple Internet websites or
  online services; or
                     (P)  information collected, processed, or
  transferred for the purpose of identifying information described by
  this subdivision.
               (14)  "Service provider" means a person that receives,
  collects, processes, or transfers personal identifying information
  on behalf of, and at the direction of, a business or governmental
  entity, including a business or governmental entity that is another
  service provider, in order for the person to perform a service or
  function with or on behalf of the business or governmental entity.
               (15)  "Third-party data collection entity" means a
  business entity that collects, processes, or transfers covered data
  that the entity did not collect directly from the individual linked
  or linkable to the data.
               (16)  "Transfer," in the context of data, means to
  disclose, release, share, disseminate, make available, or license
  the data by any means or medium.
         Sec. 509.002.  APPLICABILITY TO CERTAIN DATA. (a)  Except as
  provided by Subsection (b), this chapter applies to personal
  identifying information from an individual who resides in this
  state that is collected, transferred, or processed by a third-party
  data collection entity.
         (b)  This chapter does not apply to the following data:
               (1)  deidentified data, if the third-party data
  collection entity:
                     (A)  takes reasonable technical measures to
  ensure that the data is not able to be used to identify an
  individual with whom the data is associated;
                     (B)  publicly commits in a clear and conspicuous
  manner:
                           (i)  to process and transfer the data solely
  in a deidentified form without any reasonable means for
  reidentification; and
                           (ii)  to not attempt to identify the
  information to an individual with whom the data is associated; and
                     (C)  contractually obligates a person that
  receives the information from the provider:
                           (i)  to comply with this subsection with
  respect to the information; and
                           (ii)  to require that those contractual
  obligations be included in any subsequent transfer of the data to
  another person;
               (2)  employee data;
               (3)  publicly available information; or
               (4)  inferences made exclusively from multiple
  independent sources of publicly available information that do not
  reveal sensitive covered data with respect to an individual.
         Sec. 509.003.  APPLICABILITY OF CHAPTER TO CERTAIN BUSINESS
  ENTITIES. (a)  Except as provided by Subsection (b), this chapter
  applies to a third-party data collection entity, which is a
  business entity that, in a 12-month period, derives:
               (1)  more than 50 percent of the entity's revenue from
  processing or transferring covered data that the entity did not
  collect directly from the individuals to whom the data pertains; or
               (2)  revenue from processing or transferring the
  covered data of more than 50,000 individuals that the entity did not
  collect directly from the individuals to whom the data pertains.
         (b)  This chapter does not apply to:
               (1)  a business entity that:
                     (A)  is engaging in the business of processing
  employee data for a third party for the sole purpose of providing
  benefits to the third party's employees; or
                     (B)  is collecting covered data from another
  entity to which the entity is related by common ownership or
  corporate control if a reasonable consumer would expect the
  entities to share the relevant data;
               (2)  a business entity that is a service provider with
  respect to the entity's use of covered data;
               (3)  a governmental entity or an entity that is
  collecting, processing, or transferring covered data as a service
  provider for a governmental entity; or
               (4)  an entity that serves as a congressionally
  designated nonprofit, national resource center, or clearinghouse
  to provide assistance to victims, families, child-serving
  professionals, and the general public on missing and exploited
  children issues.
         Sec. 509.004.  NOTICE ON WEBSITE OR MOBILE APPLICATION. A
  third-party data collection entity that maintains an Internet
  website or mobile application shall post a conspicuous notice on
  the website or application that:
               (1)  states that the entity maintaining the website or
  application is a third-party data collection entity;
               (2)  must be clear, not misleading, and be readily
  accessible by the general public, including individuals with a
  disability;
               (3)  contains language provided by rule of the
  secretary of state for inclusion in the notice; and
               (4)  provides a link to the "do not collect" online
  registry established under Section 509.006.
         Sec. 509.005.  REGISTRATION. (a)  To conduct business in
  this state, a third-party data collection entity to which this
  chapter applies that collects, processes, or transfers the covered
  date of individuals residing in this state shall register with the
  secretary of state by filing a registration statement and paying a
  registration fee of $300.
         (b)  The registration statement must include:
               (1)  the legal name of the third-party data collection
  entity;
               (2)  a contact person and the primary physical address,
  e-mail address, telephone number, and Internet website address for
  the entity;
               (3)  a description of the categories of data the entity
  processes and transfers;
               (4)  a statement of whether or not the entity
  implements a purchaser credentialing process that includes taking
  reasonable steps to confirm that:
                     (A)  the actual identity of the entity's customer
  and the customer's use of the data matches the identity and intended
  use provided to the entity by the customer; and
                     (B)  the entity's customers will not use the data
  for a nefarious purpose;
               (5)  if the entity has actual knowledge that the entity
  possesses personal identifying information of a child:
                     (A)  a statement detailing the data collection
  practices, databases, sales activities, and opt-out policies that
  are applicable to the personal identifying information of a child;
  and
                     (B)  a statement on how the entity complies with
  applicable federal and state law regarding the collection, use, or
  disclosure of personal identifying information from and about a
  child on the Internet;
               (6)  the number of security breaches the entity has
  experienced during the year immediately preceding the year in which
  the registration is filed, and if known, the total number of
  consumers affected by each breach;
               (7)  any litigation or unresolved complaints related to
  the operation of the entity; and
               (8)  any Internet website link the entity provides to
  allow individuals to easily access the "do not collect" online
  registry established under Section 509.006.
         (c)  A registration of a third-party data collection entity
  may include any additional information or explanation the
  third-party data collection entity chooses to provide to the
  secretary of state concerning the entity's data collection
  practices.
         (d)  A registration certificate expires on the first
  anniversary of its date of issuance. A third-party data collection
  entity may renew a registration certificate by filing a renewal
  application, in the form prescribed by the secretary of state, and
  paying a renewal fee in the amount of $300.
         Sec. 509.006.  REGISTRY OF THIRD-PARTY COLLECTING ENTITIES;
  DO NOT COLLECT REQUESTS.  (a)  The secretary of state shall
  establish and maintain, on its Internet website, a searchable,
  central registry of third-party data collection entities
  registered under Section 509.005.
         (b)  The registry must include:
               (1)  a search feature that allows a person searching
  the registry to identify a specific third-party data collection
  entity;
               (2)  for each third-party data collection entity, the
  information filed under Section 509.005(b); and
               (3)  a link and mechanism by which individuals may
  submit do not collect requests to third-party collection entities,
  other than consumer reporting agencies, as provided by Subsection
  (c).
         (c)  The secretary of state shall ensure that under the
  mechanism described by Subsection (b) an individual has the
  capability to easily submit a single request requiring all
  registered third-party data collection entities to:
               (1)  delete, not later than the 30th day after
  receiving the request, all covered data related to the requesting
  individual that is in their possession and was not collected from
  the individual directly; and
               (2)  cease collecting, processing, or transferring
  covered data related to the requesting individual, unless the
  entity receives the individual's affirmative express consent to
  continue to collect, process, or transfer data, as applicable, in
  accordance with Subsection (e).
         (d)  Notwithstanding Subsection (c), a third-party data
  collection entity may decline to comply with a request under that
  subsection if the entity:
               (1)  knows that the individual has been convicted of a
  crime related to the abduction or sexual exploitation of a child,
  and that the data the entity is collecting is necessary to
  effectuate the purposes of a federal or state sex offender registry
  or of an entity described by Section 509.003(b)(4); or
               (2)  is a consumer reporting agency governed by the
  Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.).
         (e)  For purposes of Subsection (c)(2), an individual is
  considered to have given the individual's affirmative express
  consent if the individual, by an affirmative act, clearly
  communicates the individual's specific and unambiguous
  authorization for the act or practice in response to a specific
  request by a third-party data collection entity that:
               (1)  is provided to the individual in a clear,
  conspicuous, and separate disclosure presented through:
                     (A)  the primary medium by which the entity offers
  its products or services; or
                     (B)  another medium regularly used in conjunction
  with the entity's products or services;
               (2)  includes a description of the processing purpose
  for which the individual's consent is sought, that:
                     (A)  clearly states the specific categories of
  personal identifying information the business will collect,
  process, or transfer for that purpose;
                     (B)  includes a prominent heading; and
                     (C)  is written in easily understood language
  intended to enable a reasonable individual to identify and
  understand the processing purpose for which consent is sought;
               (3)  explains the individual's right to give and revoke
  consent under this section;
               (4)  is made in a manner reasonably accessible to and
  usable by an individual with a disability;
               (5)  is made available in each language in which the
  business provides a product or service for which consent is sought;
               (6)  presents the option to refuse consent at least as
  prominently as the option to accept; and
               (7)  ensures that refusing to consent takes not more
  than the same amount of steps to complete as the option to accept
  consent.
         (f)  If the processing purpose disclosed to an individual in
  a request made under Subsection (e) changes, a third-party data
  collection entity must request and receive a new consent that meets
  the requirements of that subsection before the entity is able to
  collect, transfer, or process any further information pursuant to
  that consent.
         (g)  An individual's inaction or continued use of a service
  or product provided by a third-party data collection entity does
  not constitute an individual's affirmative express consent for
  purposes of Subsection (e).
         (h)  A third-party data collection entity may not obtain or
  attempt to obtain an individual's affirmative express consent under
  Subsection (b) through:
               (1)  the use of a false, fraudulent, or materially
  misleading statement or representation; or
               (2)  the design, modification, or manipulation of a
  user interface to impair a reasonable individual's autonomy to
  consent or to withhold certain personal identifying information.
         Sec. 509.007.  CIVIL PENALTY. (a)  A third-party data
  collection entity that violates Section 509.004, 509.005, or
  509.006 is liable to this state for a civil penalty as prescribed by
  this section.
         (b)  A civil penalty imposed against a third-party data
  collection entity under this section:
               (1)  subject to Subdivision (2), may not be in an amount
  less than the total of:
                     (A)  $100 for each day the entity is in violation
  of Section 509.004 or 509.005; and
                     (B)  the amount of unpaid registration fees for
  each year the entity failed to register in violation of Section
  509.005; and
               (2)  may not exceed $10,000 assessed against the same
  entity in a 12-month period.
         (c)  The attorney general may bring an action to recover a
  civil penalty imposed under this section. The attorney general may
  recover reasonable attorney's fees and court costs incurred in
  bringing the action.
         Sec. 509.008.  DECEPTIVE TRADE PRACTICE.  A violation of
  this chapter constitutes a deceptive trade practice in addition to
  the practices described by Subchapter E, Chapter 17, and is
  actionable under that subchapter.
         Sec. 509.009.  RULES. The secretary of state shall adopt
  rules as necessary to implement this chapter.
         SECTION 2.  Not later than December 1, 2023, the secretary of
  state shall adopt rules necessary to facilitate registration by a
  third-party data collection entity under Section 509.005, Business &
  Commerce Code, as added by this Act.
         SECTION 3.  Chapter 509, Business & Commerce Code, as added
  by this Act, applies only to the collection, processing, or
  transfer of personal identifying information by a third-party data
  collection entity on or after the effective date of this Act.
         SECTION 4.  This Act takes effect September 1, 2023.