| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the capture and use of an individual's biometric |
|
|
identifiers, specimen, or genetic information by a governmental |
|
|
body or peace officer or by a person for commercial purposes; |
|
|
authorizing civil penalties. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. The heading to Title 11, Business & Commerce |
|
|
Code, is amended to read as follows: |
|
|
TITLE 11. PERSONAL [IDENTITY] INFORMATION |
|
|
SECTION 2. The heading to Subtitle A, Title 11, Business & |
|
|
Commerce Code, is amended to read as follows: |
|
|
SUBTITLE A. IDENTIFYING AND OTHER PERSONAL INFORMATION |
|
|
SECTION 3. The heading to Chapter 503, Business & Commerce |
|
|
Code, is amended to read as follows: |
|
|
CHAPTER 503. BIOMETRIC IDENTIFIERS, GENETIC INFORMATION, AND |
|
|
SPECIMEN COLLECTION |
|
|
SECTION 4. Chapter 503, Business & Commerce Code, is |
|
|
amended by adding Section 503.0005 to read as follows: |
|
|
Sec. 503.0005. DEFINITIONS. In this chapter: |
|
|
(1) "Deidentified data" means data not reasonably |
|
|
linked to an identifiable individual. |
|
|
(2) "Direct-to-individual genetic testing company" |
|
|
means an entity that: |
|
|
(A) offers genetic testing products or services |
|
|
directly to individuals; or |
|
|
(B) collects, uses, or analyzes genetic data that |
|
|
an individual provides to the entity. |
|
|
(3) "DNA" means deoxyribonucleic acid. |
|
|
(4) "Express consent" means an individual's |
|
|
affirmative response to a clear and meaningful notice regarding the |
|
|
collection, use, or disclosure of genetic data for a specific |
|
|
purpose. |
|
|
(5) "Genetic data" means any data, regardless of |
|
|
format, concerning an individual's genetic characteristics. The |
|
|
term: |
|
|
(A) includes: |
|
|
(i) raw sequence data derived from |
|
|
sequencing all or a portion of an individual's extracted DNA; |
|
|
(ii) genotypic and phenotypic information |
|
|
obtained from analyzing an individual's raw sequence data; and |
|
|
(iii) health information regarding the |
|
|
health conditions that an individual self-reports to a company and |
|
|
that the company: |
|
|
(a) uses for scientific research or |
|
|
product development; and |
|
|
(b) analyzes in connection with the |
|
|
individual's raw sequence data; and |
|
|
(B) does not include deidentified data. |
|
|
(6) "Genetic testing" means: |
|
|
(A) a laboratory test of an individual's complete |
|
|
DNA, regions of DNA, chromosomes, genes, or gene products to |
|
|
determine the presence of the individual's genetic |
|
|
characteristics; or |
|
|
(B) an interpretation of an individual's genetic |
|
|
data. |
|
|
(7) "Specimen" means a sample of an individual's |
|
|
blood, urine, or other bodily fluid or tissue taken for scientific |
|
|
analysis to detect or diagnose a disease. |
|
|
SECTION 5. The heading to Section 503.001, Business & |
|
|
Commerce Code, is amended to read as follows: |
|
|
Sec. 503.001. CAPTURE OR USE OF BIOMETRIC IDENTIFIER; |
|
|
COLLECTION OR USE OF SPECIMEN. |
|
|
SECTION 6. Section 503.001, Business & Commerce Code, is |
|
|
amended by amending Subsections (b) and (c) and adding Subsection |
|
|
(c-3) to read as follows: |
|
|
(b) A person may not capture a biometric identifier of or |
|
|
collect a specimen from an individual for a commercial purpose |
|
|
unless the person: |
|
|
(1) informs the individual before capturing the |
|
|
biometric identifier or collecting the specimen of the pending |
|
|
capture or collection; [and] |
|
|
(2) receives the individual's consent to capture the |
|
|
biometric identifier or collect the specimen; and |
|
|
(3) if capturing a biometric identifier, informs the |
|
|
individual before capturing the biometric identifier of the |
|
|
purposes for which the person will use the biometric identifier. |
|
|
(c) A person who possesses a biometric identifier or |
|
|
specimen of an individual that is captured or collected for a |
|
|
commercial purpose: |
|
|
(1) may not sell, lease, or otherwise disclose the |
|
|
biometric identifier or specimen test results to another person |
|
|
unless: |
|
|
(A) the individual consents to the disclosure for |
|
|
identification purposes in the event of the individual's |
|
|
disappearance or death; |
|
|
(B) the disclosure of a biometric identifier |
|
|
completes a financial transaction that the individual requested or |
|
|
authorized; |
|
|
(C) the disclosure is required or permitted by a |
|
|
federal statute or by a state statute other than Chapter 552, |
|
|
Government Code; or |
|
|
(D) the disclosure is made by or to a law |
|
|
enforcement agency for a law enforcement purpose in response to a |
|
|
warrant; |
|
|
(2) shall store, transmit, and protect from disclosure |
|
|
the biometric identifier or specimen test results using reasonable |
|
|
care and in a manner that is the same as or more protective than the |
|
|
manner in which the person stores, transmits, and protects any |
|
|
other confidential information the person possesses; and |
|
|
(3) shall destroy the biometric identifier or specimen |
|
|
within a reasonable time, but not later than the first anniversary |
|
|
of the date the purpose for capturing [collecting] the identifier |
|
|
or collecting the specimen expires, except as provided by |
|
|
Subsection (c-1). |
|
|
(c-3) A person who captures a biometric identifier of or |
|
|
collects a specimen from an individual for a commercial purpose |
|
|
shall provide to the individual information on: |
|
|
(1) the type of technology to be used on the identifier |
|
|
or the scientific testing to be used on the specimen; |
|
|
(2) the purpose of and method for capturing the |
|
|
identifier or collecting the specimen; and |
|
|
(3) the method for storing data related to the |
|
|
captured identifier or collected specimen. |
|
|
SECTION 7. Chapter 503, Business & Commerce Code, is |
|
|
amended by adding Sections 503.002, 503.003, 503.004, and 503.005 |
|
|
to read as follows: |
|
|
Sec. 503.002. REQUIREMENTS FOR CERTAIN USES OF DEIDENTIFIED |
|
|
DATA. (a) Except as otherwise provided by this chapter or other |
|
|
law, a direct-to-individual genetic testing company that possesses |
|
|
an individual's deidentified data shall: |
|
|
(1) implement administrative and technical measures |
|
|
to ensure the data is not associated with a specific individual; and |
|
|
(2) publicly commit to maintaining and using data in |
|
|
deidentified form and refraining from making any attempt to |
|
|
identify an individual using the individual's deidentified data. |
|
|
(b) If a direct-to-individual genetic testing company |
|
|
shares an individual's deidentified data with another person, the |
|
|
company shall enter into a legally enforceable contractual |
|
|
obligation prohibiting the person from attempting to identify an |
|
|
individual using the individual's deidentified data. |
|
|
Sec. 503.003. REQUIREMENTS FOR CERTAIN USES OF GENETIC DATA |
|
|
AND SPECIMEN. (a) A direct-to-individual genetic testing company |
|
|
shall develop, implement, and maintain: |
|
|
(1) a comprehensive security program to protect an |
|
|
individual's genetic data against unauthorized access, use, or |
|
|
disclosure; and |
|
|
(2) a prominent, publicly available privacy notice |
|
|
that includes information about the company's data collection, |
|
|
consent, use, access, disclosure, transfer, security, retention, |
|
|
and deletion practices. |
|
|
(b) Before collecting, using, or disclosing an individual's |
|
|
genetic data, a direct-to-individual genetic testing company shall |
|
|
provide to the individual: |
|
|
(1) information about the company's collection, use, |
|
|
and disclosure of genetic data the company collects through a |
|
|
genetic testing product or service, including information that: |
|
|
(A) clearly describes the company's use of the |
|
|
genetic data; |
|
|
(B) specifies the persons who have access to test |
|
|
results; and |
|
|
(C) specifies the manner in which the company may |
|
|
share the genetic data; and |
|
|
(2) the privacy notice required by Subsection (a)(2). |
|
|
(c) A direct-to-individual genetic testing company shall |
|
|
provide a process for an individual to: |
|
|
(1) access the individual's genetic data; |
|
|
(2) delete the individual's account and genetic data; |
|
|
and |
|
|
(3) destroy or require the destruction of the |
|
|
individual's specimen. |
|
|
Sec. 503.004. REQUIRED CONSENT. A direct-to-individual |
|
|
genetic testing company engaging in any of the following activities |
|
|
must obtain: |
|
|
(1) an individual's separate express consent for: |
|
|
(A) the transfer or disclosure of the |
|
|
individual's genetic data to any person other than the company's |
|
|
vendors and service providers; |
|
|
(B) the use of genetic data for a purpose other |
|
|
than the primary purpose of the company's genetic testing product |
|
|
or service; or |
|
|
(C) the retention of any specimen provided by the |
|
|
individual following the company's completion of the initial |
|
|
testing service requested by the individual; |
|
|
(2) an individual's informed consent in accordance |
|
|
with guidelines for the protection of human subjects issued under |
|
|
45 C.F.R. Part 46, for transfer or disclosure of the individual's |
|
|
genetic data to a third party for: |
|
|
(A) research purposes; or |
|
|
(B) research conducted under the control of the |
|
|
company for the purpose of publication or generalizable knowledge; |
|
|
and |
|
|
(3) an individual's express consent for: |
|
|
(A) marketing by the company to the individual |
|
|
based on the individual's genetic data; or |
|
|
(B) marketing by a third party to the individual |
|
|
based on the individual's ordering or purchasing of a genetic |
|
|
testing product or service. |
|
|
Sec. 503.005. PROHIBITED DISCLOSURES. (a) A |
|
|
direct-to-individual genetic testing company may not disclose an |
|
|
individual's genetic data to a law enforcement entity or other |
|
|
governmental body unless: |
|
|
(1) the company first obtains the individual's express |
|
|
written consent; or |
|
|
(2) the entity or body obtains a warrant under Article |
|
|
18.25, Code of Criminal Procedure, or complies with another valid |
|
|
legal process required by the company. |
|
|
(b) A direct-to-individual genetic testing company may not |
|
|
disclose, without first obtaining an individual's written consent, |
|
|
the individual's genetic data to: |
|
|
(1) an entity that offers health insurance, life |
|
|
insurance, or long-term care insurance; or |
|
|
(2) an employer of the individual. |
|
|
SECTION 8. Section 503.001(d), Business & Commerce Code, is |
|
|
redesignated as Section 503.006, Business & Commerce Code, and |
|
|
amended to read as follows: |
|
|
Sec. 503.006. CIVIL PENALTY. [(d)] A person who violates |
|
|
this chapter [section] is subject to a civil penalty of not more |
|
|
than $25,000 for each violation. The attorney general may bring an |
|
|
action to recover the civil penalty. |
|
|
SECTION 9. Chapter 18, Code of Criminal Procedure, is |
|
|
amended by adding Article 18.25 to read as follows: |
|
|
Art. 18.25. WARRANTS FOR GENETIC INFORMATION FROM CERTAIN |
|
|
BUSINESSES. (a) This article applies to a business that collects |
|
|
and analyzes genetic information to provide information about an |
|
|
individual's genetic traits or biological relationships. |
|
|
(b) A peace officer may require a business described by |
|
|
Subsection (a) to provide the genetic information of a customer of |
|
|
the business by obtaining a warrant under this chapter or by |
|
|
obtaining the consent of the customer. |
|
|
(c) A court may issue a warrant for genetic information held |
|
|
by a business described by Subsection (a) only if the applicant for |
|
|
the warrant shows that reasonable investigative leads have been |
|
|
pursued and have failed to identify the perpetrator of an alleged |
|
|
criminal offense. For purposes of this subsection, reasonable |
|
|
investigative leads are credible, case-specific facts, |
|
|
information, or circumstances that would lead a reasonably cautious |
|
|
investigator to believe that pursuit of the leads would have a fair |
|
|
probability of identifying the perpetrator of the offense. |
|
|
(d) A peace officer who obtains a warrant with respect to |
|
|
genetic information held by a business described by Subsection (a) |
|
|
may apply to the court issuing the warrant for an order commanding |
|
|
the business to whom the warrant is directed not to disclose to any |
|
|
person the existence of the warrant. The order is effective for the |
|
|
period the court considers appropriate. The court shall enter the |
|
|
order under this subsection if the court determines that there is |
|
|
reason to believe that notification of the existence of the warrant |
|
|
will lead to an adverse result, including: |
|
|
(1) endangering the life or physical safety of an |
|
|
individual; |
|
|
(2) flight from prosecution; |
|
|
(3) destruction of or tampering with evidence; |
|
|
(4) intimidation of a potential witness; or |
|
|
(5) otherwise seriously jeopardizing an investigation |
|
|
or unduly delaying a trial. |
|
|
(e) Unless an order is issued under Subsection (d), the |
|
|
peace officer who executes a warrant for the genetic information of |
|
|
a customer shall notify the customer of the existence of the |
|
|
warrant. |
|
|
SECTION 10. The heading to Chapter 560, Government Code, is |
|
|
amended to read as follows: |
|
|
CHAPTER 560. BIOMETRIC IDENTIFIER AND GENETIC INFORMATION |
|
|
SECTION 11. Section 560.001, Government Code, is amended to |
|
|
read as follows: |
|
|
Sec. 560.001. DEFINITIONS. In this chapter: |
|
|
(1) "Biometric identifier" means any measurement of |
|
|
the human body or its movement that is used to attempt to uniquely |
|
|
identify or authenticate the identity of an individual, including a |
|
|
blood sample, hair sample, skin sample, body scan, retina or iris |
|
|
scan, fingerprint, voiceprint, or record of hand or face geometry. |
|
|
(2) "Genetic information" means information that is: |
|
|
(A) obtained from or based on a scientific or |
|
|
medical determination of the presence or absence in an individual |
|
|
of a genetic characteristic; or |
|
|
(B) derived from the results of a genetic test of |
|
|
an individual's genes, gene products, or chromosomes. |
|
|
(3) "Genetic test" has the meaning assigned by Section |
|
|
546.001, Insurance Code. |
|
|
(4) "Governmental body" has the meaning assigned by |
|
|
Section 552.003, except that the term includes each entity within |
|
|
or created by the judicial branch of state government. |
|
|
SECTION 12. Chapter 560, Government Code, is amended by |
|
|
adding Section 560.0015 to read as follows: |
|
|
Sec. 560.0015. STATUTORY AUTHORITY REQUIRED. (a) A |
|
|
governmental body may not capture or possess a biometric identifier |
|
|
of an individual or require a biometric identifier as a |
|
|
prerequisite for providing a governmental service to the individual |
|
|
unless the governmental body: |
|
|
(1) has specific, explicit statutory authority that: |
|
|
(A) allows the governmental body to: |
|
|
(i) capture or possess the individual's |
|
|
biometric identifier; or |
|
|
(ii) require the individual's biometric |
|
|
identifier as a prerequisite for providing a governmental service |
|
|
to the individual; or |
|
|
(B) allows the governmental body to require and |
|
|
obtain the written consent of the individual or the individual's |
|
|
legal guardian before: |
|
|
(i) capturing or possessing the |
|
|
individual's biometric identifier; or |
|
|
(ii) requiring the individual's biometric |
|
|
identifier as a prerequisite for providing a governmental service |
|
|
to the individual; |
|
|
(2) obtains the voluntary, written consent of the |
|
|
individual or the individual's legal guardian; |
|
|
(3) is a health care provider or health care facility |
|
|
that captures, possesses, or requires the individual's biometric |
|
|
identifier in the provision of health care services to the |
|
|
individual; or |
|
|
(4) is a criminal justice agency, as defined by |
|
|
Article 66.001, Code of Criminal Procedure, that captures, |
|
|
possesses, or requires the individual's biometric identifier while |
|
|
engaged in the administration of criminal justice, as defined by |
|
|
that article. |
|
|
(b) For purposes of Subsection (a), Subchapter B, Chapter |
|
|
33, Health and Safety Code, is specific, explicit statutory |
|
|
authority under Subsection (a)(1)(A)(i) to capture or possess an |
|
|
individual's biometric identifier in the conduct of newborn |
|
|
screening as provided by that subchapter. |
|
|
SECTION 13. Chapter 560, Government Code, is amended by |
|
|
adding Sections 560.004, 560.005, 560.006, and 560.007 to read as |
|
|
follows: |
|
|
Sec. 560.004. DESTRUCTION OF SAMPLE GENETIC MATERIAL; |
|
|
EXCEPTIONS. A governmental body shall promptly destroy a sample of |
|
|
genetic material obtained from an individual for a genetic test |
|
|
after the purpose for which the sample was obtained is accomplished |
|
|
unless: |
|
|
(1) the sample is retained under a court order; |
|
|
(2) the individual authorizes retention of the sample |
|
|
for medical treatment or scientific research; |
|
|
(3) the sample was obtained for research authorized by |
|
|
an institutional review board and retention of the sample is: |
|
|
(A) under a requirement the institutional review |
|
|
board imposes on a specific research project; or |
|
|
(B) authorized by the research participant with |
|
|
institutional review board approval in accordance with federal law; |
|
|
or |
|
|
(4) the sample was obtained for a screening test |
|
|
prescribed by the Department of State Health Services under Section |
|
|
33.011, Health and Safety Code, and performed by that department or |
|
|
a laboratory approved by that department. |
|
|
Sec. 560.005. CONFIDENTIALITY OF GENETIC INFORMATION. (a) |
|
|
Except as provided by Sections 560.006(a) and (b), genetic |
|
|
information is confidential and privileged regardless of the source |
|
|
of the information. |
|
|
(b) A governmental body that holds an individual's genetic |
|
|
information may not disclose or be compelled to disclose, by |
|
|
subpoena or otherwise, that information unless the disclosure is |
|
|
specifically authorized by the individual as provided by Section |
|
|
560.007. |
|
|
(c) This section applies to a redisclosure of genetic |
|
|
information by a secondary recipient of the information after |
|
|
disclosure of the information by an initial recipient. Except as |
|
|
provided by Section 560.006(b), a governmental body may not |
|
|
redisclose genetic information unless the redisclosure is |
|
|
consistent with the disclosures authorized by the tested individual |
|
|
under an authorization executed under Section 560.007. |
|
|
Sec. 560.006. EXCEPTIONS TO CONFIDENTIALITY. (a) Subject |
|
|
to Subchapter G, Chapter 411, genetic information may be disclosed |
|
|
without an authorization under Section 560.007 if the disclosure |
|
|
is: |
|
|
(1) authorized under a state or federal criminal law |
|
|
relating to: |
|
|
(A) the identification of individuals; or |
|
|
(B) a criminal or juvenile proceeding, an |
|
|
inquest, or a child fatality review by a multidisciplinary |
|
|
child-abuse team; |
|
|
(2) required under a specific order of a state or |
|
|
federal court; |
|
|
(3) needed to establish paternity as authorized under |
|
|
a state or federal law; |
|
|
(4) needed to provide genetic information of a |
|
|
decedent and the information is disclosed to the blood relatives of |
|
|
the decedent for medical diagnosis; or |
|
|
(5) needed to identify a decedent. |
|
|
(b) A governmental body may redisclose genetic information |
|
|
without an authorization under Section 560.007 for actuarial or |
|
|
research studies if: |
|
|
(1) a tested individual could not be identified in any |
|
|
actuarial or research report; and |
|
|
(2) any materials that identify a tested individual |
|
|
are returned or destroyed as soon as reasonably practicable. |
|
|
(c) A redisclosure authorized under Subsection (b) may |
|
|
contain only genetic information reasonably necessary to |
|
|
accomplish the purpose for which the information is disclosed. |
|
|
Sec. 560.007. AUTHORIZED DISCLOSURE. An individual or an |
|
|
individual's legal representative may authorize disclosure of the |
|
|
individual's genetic information by submitting a statement that: |
|
|
(1) is written in plain language and is signed by the |
|
|
individual or legal representative; |
|
|
(2) is dated; |
|
|
(3) contains a specific description of the information |
|
|
to be disclosed; |
|
|
(4) identifies or describes each person authorized to |
|
|
disclose the genetic information; |
|
|
(5) identifies or describes the individuals or |
|
|
entities to whom the genetic information may be disclosed or |
|
|
subsequently redisclosed; |
|
|
(6) describes the specific purpose of the disclosure; |
|
|
and |
|
|
(7) advises the individual or legal representative |
|
|
that the individual's authorized representative is entitled to |
|
|
receive a copy of the authorization. |
|
|
SECTION 14. Section 33.012(a), Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
(a) Screening tests may not be administered to a newborn |
|
|
child whose parents, managing conservator, or guardian objects to |
|
|
[on the ground that] the tests [conflict with the religious tenets |
|
|
or practices of an organized church of which they are adherents]. |
|
|
SECTION 15. Subchapter C, Chapter 81, Health and Safety |
|
|
Code, is amended by adding Section 81.0465 to read as follows: |
|
|
Sec. 81.0465. EXPRESS CONSENT FOR SPECIMEN COLLECTION, USE, |
|
|
AND DISCLOSURE; CONFIDENTIALITY; CIVIL PENALTY. (a) In this |
|
|
section: |
|
|
(1) "COVID-19" means the 2019 novel coronavirus |
|
|
disease. |
|
|
(2) "Express consent" means an individual's |
|
|
affirmative response to a clear and meaningful notice regarding the |
|
|
collection, use, or disclosure of a specimen for a specific |
|
|
purpose. |
|
|
(3) "Specimen" means a sample of an individual's |
|
|
blood, urine, or other bodily fluid or tissue taken for scientific |
|
|
analysis to detect or diagnose a disease. |
|
|
(b) A person who collects a specimen from an individual to |
|
|
test for a specific disease may not use or analyze the specimen for |
|
|
a purpose unrelated to the test without the individual's express |
|
|
consent to the use or analysis for another purpose. |
|
|
(c) A person who possesses an individual's specimen that is |
|
|
collected for a commercial purpose shall destroy the specimen |
|
|
within a reasonable time, but not later than the first anniversary |
|
|
of the date the purpose for collecting the specimen expires. |
|
|
(d) A person who obtains an individual's specimen or other |
|
|
personal information in relation to the collection of COVID-19 data |
|
|
may not disclose that information without the express consent of |
|
|
the individual. |
|
|
(e) A person who violates this section is subject to a civil |
|
|
penalty of not more than $1,000 for each violation. The attorney |
|
|
general may bring an action to recover the civil penalty. |
|
|
(f) This section does not apply to a specimen collected by a |
|
|
direct-to-individual genetic testing company as defined by Section |
|
|
503.0005, Business & Commerce Code. |
|
|
SECTION 16. Article 18.25, Code of Criminal Procedure, as |
|
|
added by this Act, applies only to a warrant issued on or after the |
|
|
effective date of this Act. |
|
|
SECTION 17. The changes in law made by this Act apply only |
|
|
to a biometric identifier captured, a specimen collected, or |
|
|
genetic information obtained or to a biometric identifier, a |
|
|
specimen, or genetic information requested on or after the |
|
|
effective date of this Act. A biometric identifier, a specimen, or |
|
|
genetic information captured, collected, obtained, or requested |
|
|
before that date is governed by the law in effect immediately before |
|
|
the effective date of this Act, and that law is continued in effect |
|
|
for that purpose. |
|
|
SECTION 18. This Act takes effect September 1, 2023. |