88R228 YDB/JSC-D
 
  By: Paxton S.B. No. 704
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the capture and use of an individual's biometric
  identifiers, specimen, or genetic information by a governmental
  body or peace officer or by a person for commercial purposes;
  authorizing civil penalties.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  The heading to Title 11, Business & Commerce
  Code, is amended to read as follows:
  TITLE 11. PERSONAL [IDENTITY] INFORMATION
         SECTION 2.  The heading to Subtitle A, Title 11, Business &
  Commerce Code, is amended to read as follows:
         SUBTITLE A. IDENTIFYING AND OTHER PERSONAL INFORMATION
         SECTION 3.  The heading to Chapter 503, Business & Commerce
  Code, is amended to read as follows:
  CHAPTER 503. BIOMETRIC IDENTIFIERS, GENETIC INFORMATION, AND
  SPECIMEN COLLECTION
         SECTION 4.  Chapter 503, Business & Commerce Code, is
  amended by adding Section 503.0005 to read as follows:
         Sec. 503.0005.  DEFINITIONS. In this chapter:
               (1)  "Deidentified data" means data not reasonably
  linked to an identifiable individual.
               (2)  "Direct-to-individual genetic testing company"
  means an entity that:
                     (A)  offers genetic testing products or services
  directly to individuals; or
                     (B)  collects, uses, or analyzes genetic data that
  an individual provides to the entity.
               (3)  "DNA" means deoxyribonucleic acid.
               (4)  "Express consent" means an individual's
  affirmative response to a clear and meaningful notice regarding the
  collection, use, or disclosure of genetic data for a specific
  purpose.
               (5)  "Genetic data" means any data, regardless of
  format, concerning an individual's genetic characteristics. The
  term:
                     (A)  includes:
                           (i)  raw sequence data derived from
  sequencing all or a portion of an individual's extracted DNA;
                           (ii)  genotypic and phenotypic information
  obtained from analyzing an individual's raw sequence data; and
                           (iii)  health information regarding the
  health conditions that an individual self-reports to a company and
  that the company:
                                 (a)  uses for scientific research or
  product development; and
                                 (b)  analyzes in connection with the
  individual's raw sequence data; and
                     (B)  does not include deidentified data.
               (6)  "Genetic testing" means:
                     (A)  a laboratory test of an individual's complete
  DNA, regions of DNA, chromosomes, genes, or gene products to
  determine the presence of the individual's genetic
  characteristics; or
                     (B)  an interpretation of an individual's genetic
  data.
               (7)  "Specimen" means a sample of an individual's
  blood, urine, or other bodily fluid or tissue taken for scientific
  analysis to detect or diagnose a disease.
         SECTION 5.  The heading to Section 503.001, Business &
  Commerce Code, is amended to read as follows:
         Sec. 503.001.  CAPTURE OR USE OF BIOMETRIC IDENTIFIER;
  COLLECTION OR USE OF SPECIMEN.
         SECTION 6.  Section 503.001, Business & Commerce Code, is
  amended by amending Subsections (b) and (c) and adding Subsection
  (c-3) to read as follows:
         (b)  A person may not capture a biometric identifier of or
  collect a specimen from an individual for a commercial purpose
  unless the person:
               (1)  informs the individual before capturing the
  biometric identifier or collecting the specimen of the pending
  capture or collection; [and]
               (2)  receives the individual's consent to capture the
  biometric identifier or collect the specimen; and
               (3)  if capturing a biometric identifier, informs the
  individual before capturing the biometric identifier of the
  purposes for which the person will use the biometric identifier.
         (c)  A person who possesses a biometric identifier or
  specimen of an individual that is captured or collected for a
  commercial purpose:
               (1)  may not sell, lease, or otherwise disclose the
  biometric identifier or specimen test results to another person
  unless:
                     (A)  the individual consents to the disclosure for
  identification purposes in the event of the individual's
  disappearance or death;
                     (B)  the disclosure of a biometric identifier
  completes a financial transaction that the individual requested or
  authorized;
                     (C)  the disclosure is required or permitted by a
  federal statute or by a state statute other than Chapter 552,
  Government Code; or
                     (D)  the disclosure is made by or to a law
  enforcement agency for a law enforcement purpose in response to a
  warrant;
               (2)  shall store, transmit, and protect from disclosure
  the biometric identifier or specimen test results using reasonable
  care and in a manner that is the same as or more protective than the
  manner in which the person stores, transmits, and protects any
  other confidential information the person possesses; and
               (3)  shall destroy the biometric identifier or specimen
  within a reasonable time, but not later than the first anniversary
  of the date the purpose for capturing [collecting] the identifier
  or collecting the specimen expires, except as provided by
  Subsection (c-1).
         (c-3)  A person who captures a biometric identifier of or
  collects a specimen from an individual for a commercial purpose
  shall provide to the individual information on:
               (1)  the type of technology to be used on the identifier
  or the scientific testing to be used on the specimen;
               (2)  the purpose of and method for capturing the
  identifier or collecting the specimen; and
               (3)  the method for storing data related to the
  captured identifier or collected specimen.
         SECTION 7.  Chapter 503, Business & Commerce Code, is
  amended by adding Sections 503.002, 503.003, 503.004, and 503.005
  to read as follows:
         Sec. 503.002.  REQUIREMENTS FOR CERTAIN USES OF DEIDENTIFIED
  DATA. (a) Except as otherwise provided by this chapter or other
  law, a direct-to-individual genetic testing company that possesses
  an individual's deidentified data shall:
               (1)  implement administrative and technical measures
  to ensure the data is not associated with a specific individual; and
               (2)  publicly commit to maintaining and using data in
  deidentified form and refraining from making any attempt to
  identify an individual using the individual's deidentified data.
         (b)  If a direct-to-individual genetic testing company
  shares an individual's deidentified data with another person, the
  company shall enter into a legally enforceable contractual
  obligation prohibiting the person from attempting to identify an
  individual using the individual's deidentified data.
         Sec. 503.003.  REQUIREMENTS FOR CERTAIN USES OF GENETIC DATA
  AND SPECIMEN. (a) A direct-to-individual genetic testing company
  shall develop, implement, and maintain:
               (1)  a comprehensive security program to protect an
  individual's genetic data against unauthorized access, use, or
  disclosure; and
               (2)  a prominent, publicly available privacy notice
  that includes information about the company's data collection,
  consent, use, access, disclosure, transfer, security, retention,
  and deletion practices.
         (b)  Before collecting, using, or disclosing an individual's
  genetic data, a direct-to-individual genetic testing company shall
  provide to the individual:
               (1)  information about the company's collection, use,
  and disclosure of genetic data the company collects through a
  genetic testing product or service, including information that:
                     (A)  clearly describes the company's use of the
  genetic data;
                     (B)  specifies the persons who have access to test
  results; and
                     (C)  specifies the manner in which the company may
  share the genetic data; and
               (2)  the privacy notice required by Subsection (a)(2).
         (c)  A direct-to-individual genetic testing company shall
  provide a process for an individual to:
               (1)  access the individual's genetic data;
               (2)  delete the individual's account and genetic data;
  and
               (3)  destroy or require the destruction of the
  individual's specimen.
         Sec. 503.004.  REQUIRED CONSENT. A direct-to-individual
  genetic testing company engaging in any of the following activities
  must obtain:
               (1)  an individual's separate express consent for:
                     (A)  the transfer or disclosure of the
  individual's genetic data to any person other than the company's
  vendors and service providers;
                     (B)  the use of genetic data for a purpose other
  than the primary purpose of the company's genetic testing product
  or service; or
                     (C)  the retention of any specimen provided by the
  individual following the company's completion of the initial
  testing service requested by the individual;
               (2)  an individual's informed consent in accordance
  with guidelines for the protection of human subjects issued under
  45 C.F.R. Part 46, for transfer or disclosure of the individual's
  genetic data to a third party for:
                     (A)  research purposes; or
                     (B)  research conducted under the control of the
  company for the purpose of publication or generalizable knowledge;
  and
               (3)  an individual's express consent for:
                     (A)  marketing by the company to the individual
  based on the individual's genetic data; or
                     (B)  marketing by a third party to the individual
  based on the individual's ordering or purchasing of a genetic
  testing product or service.
         Sec. 503.005.  PROHIBITED DISCLOSURES. (a) A
  direct-to-individual genetic testing company may not disclose an
  individual's genetic data to a law enforcement entity or other
  governmental body unless:
               (1)  the company first obtains the individual's express
  written consent; or
               (2)  the entity or body obtains a warrant under Article
  18.25, Code of Criminal Procedure, or complies with another valid
  legal process required by the company.
         (b)  A direct-to-individual genetic testing company may not
  disclose, without first obtaining an individual's written consent,
  the individual's genetic data to:
               (1)  an entity that offers health insurance, life
  insurance, or long-term care insurance; or
               (2)  an employer of the individual.
         SECTION 8.  Section 503.001(d), Business & Commerce Code, is
  redesignated as Section 503.006, Business & Commerce Code, and
  amended to read as follows:
         Sec. 503.006.  CIVIL PENALTY. [(d)] A person who violates
  this chapter [section] is subject to a civil penalty of not more
  than $25,000 for each violation. The attorney general may bring an
  action to recover the civil penalty.
         SECTION 9.  Chapter 18, Code of Criminal Procedure, is
  amended by adding Article 18.25 to read as follows:
         Art. 18.25.  WARRANTS FOR GENETIC INFORMATION FROM CERTAIN
  BUSINESSES. (a) This article applies to a business that collects
  and analyzes genetic information to provide information about an
  individual's genetic traits or biological relationships.
         (b)  A peace officer may require a business described by
  Subsection (a) to provide the genetic information of a customer of
  the business by obtaining a warrant under this chapter or by
  obtaining the consent of the customer.
         (c)  A court may issue a warrant for genetic information held
  by a business described by Subsection (a) only if the applicant for
  the warrant shows that reasonable investigative leads have been
  pursued and have failed to identify the perpetrator of an alleged
  criminal offense. For purposes of this subsection, reasonable
  investigative leads are credible, case-specific facts,
  information, or circumstances that would lead a reasonably cautious
  investigator to believe that pursuit of the leads would have a fair
  probability of identifying the perpetrator of the offense.
         (d)  A peace officer who obtains a warrant with respect to
  genetic information held by a business described by Subsection (a)
  may apply to the court issuing the warrant for an order commanding
  the business to whom the warrant is directed not to disclose to any
  person the existence of the warrant. The order is effective for the
  period the court considers appropriate. The court shall enter the
  order under this subsection if the court determines that there is
  reason to believe that notification of the existence of the warrant
  will lead to an adverse result, including:
               (1)  endangering the life or physical safety of an
  individual;
               (2)  flight from prosecution;
               (3)  destruction of or tampering with evidence;
               (4)  intimidation of a potential witness; or
               (5)  otherwise seriously jeopardizing an investigation
  or unduly delaying a trial.
         (e)  Unless an order is issued under Subsection (d), the
  peace officer who executes a warrant for the genetic information of
  a customer shall notify the customer of the existence of the
  warrant.
         SECTION 10.  The heading to Chapter 560, Government Code, is
  amended to read as follows:
  CHAPTER 560. BIOMETRIC IDENTIFIER AND GENETIC INFORMATION
         SECTION 11.  Section 560.001, Government Code, is amended to
  read as follows:
         Sec. 560.001.  DEFINITIONS.  In this chapter:
               (1)  "Biometric identifier" means any measurement of
  the human body or its movement that is used to attempt to uniquely
  identify or authenticate the identity of an individual, including a
  blood sample, hair sample, skin sample, body scan, retina or iris
  scan, fingerprint, voiceprint, or record of hand or face geometry.
               (2)  "Genetic information" means information that is:
                     (A)  obtained from or based on a scientific or
  medical determination of the presence or absence in an individual
  of a genetic characteristic; or
                     (B)  derived from the results of a genetic test of
  an individual's genes, gene products, or chromosomes.
               (3)  "Genetic test" has the meaning assigned by Section
  546.001, Insurance Code.
               (4)  "Governmental body" has the meaning assigned by
  Section 552.003, except that the term includes each entity within
  or created by the judicial branch of state government.
         SECTION 12.  Chapter 560, Government Code, is amended by
  adding Section 560.0015 to read as follows:
         Sec. 560.0015.  STATUTORY AUTHORITY REQUIRED. (a) A
  governmental body may not capture or possess a biometric identifier
  of an individual or require a biometric identifier as a
  prerequisite for providing a governmental service to the individual
  unless the governmental body:
               (1)  has specific, explicit statutory authority that:
                     (A)  allows the governmental body to:
                           (i)  capture or possess the individual's
  biometric identifier; or
                           (ii)  require the individual's biometric
  identifier as a prerequisite for providing a governmental service
  to the individual; or
                     (B)  allows the governmental body to require and
  obtain the written consent of the individual or the individual's
  legal guardian before:
                           (i)  capturing or possessing the
  individual's biometric identifier; or
                           (ii)  requiring the individual's biometric
  identifier as a prerequisite for providing a governmental service
  to the individual;
               (2)  obtains the voluntary, written consent of the
  individual or the individual's legal guardian;
               (3)  is a health care provider or health care facility
  that captures, possesses, or requires the individual's biometric
  identifier in the provision of health care services to the
  individual; or
               (4)  is a criminal justice agency, as defined by
  Article 66.001, Code of Criminal Procedure, that captures,
  possesses, or requires the individual's biometric identifier while
  engaged in the administration of criminal justice, as defined by
  that article.
         (b)  For purposes of Subsection (a), Subchapter B, Chapter
  33, Health and Safety Code, is specific, explicit statutory
  authority under Subsection (a)(1)(A)(i) to capture or possess an
  individual's biometric identifier in the conduct of newborn
  screening as provided by that subchapter.
         SECTION 13.  Chapter 560, Government Code, is amended by
  adding Sections 560.004, 560.005, 560.006, and 560.007 to read as
  follows:
         Sec. 560.004.  DESTRUCTION OF SAMPLE GENETIC MATERIAL;
  EXCEPTIONS. A governmental body shall promptly destroy a sample of
  genetic material obtained from an individual for a genetic test
  after the purpose for which the sample was obtained is accomplished
  unless:
               (1)  the sample is retained under a court order;
               (2)  the individual authorizes retention of the sample
  for medical treatment or scientific research;
               (3)  the sample was obtained for research authorized by
  an institutional review board and retention of the sample is:
                     (A)  under a requirement the institutional review
  board imposes on a specific research project; or
                     (B)  authorized by the research participant with
  institutional review board approval in accordance with federal law;
  or
               (4)  the sample was obtained for a screening test
  prescribed by the Department of State Health Services under Section
  33.011, Health and Safety Code, and performed by that department or
  a laboratory approved by that department.
         Sec. 560.005.  CONFIDENTIALITY OF GENETIC INFORMATION. (a)
  Except as provided by Sections 560.006(a) and (b), genetic
  information is confidential and privileged regardless of the source
  of the information.
         (b)  A governmental body that holds an individual's genetic
  information may not disclose or be compelled to disclose, by
  subpoena or otherwise, that information unless the disclosure is
  specifically authorized by the individual as provided by Section
  560.007.
         (c)  This section applies to a redisclosure of genetic
  information by a secondary recipient of the information after
  disclosure of the information by an initial recipient.  Except as
  provided by Section 560.006(b), a governmental body may not
  redisclose genetic information unless the redisclosure is
  consistent with the disclosures authorized by the tested individual
  under an authorization executed under Section 560.007.
         Sec. 560.006.  EXCEPTIONS TO CONFIDENTIALITY. (a) Subject
  to Subchapter G, Chapter 411, genetic information may be disclosed
  without an authorization under Section 560.007 if the disclosure
  is:
               (1)  authorized under a state or federal criminal law
  relating to:
                     (A)  the identification of individuals; or
                     (B)  a criminal or juvenile proceeding, an
  inquest, or a child fatality review by a multidisciplinary
  child-abuse team;
               (2)  required under a specific order of a state or
  federal court;
               (3)  needed to establish paternity as authorized under
  a state or federal law;
               (4)  needed to provide genetic information of a
  decedent and the information is disclosed to the blood relatives of
  the decedent for medical diagnosis; or
               (5)  needed to identify a decedent.
         (b)  A governmental body may redisclose genetic information
  without an authorization under Section 560.007 for actuarial or
  research studies if:
               (1)  a tested individual could not be identified in any
  actuarial or research report; and
               (2)  any materials that identify a tested individual
  are returned or destroyed as soon as reasonably practicable.
         (c)  A redisclosure authorized under Subsection (b) may
  contain only genetic information reasonably necessary to
  accomplish the purpose for which the information is disclosed.
         Sec. 560.007.  AUTHORIZED DISCLOSURE. An individual or an
  individual's legal representative may authorize disclosure of the
  individual's genetic information by submitting a statement that:
               (1)  is written in plain language and is signed by the
  individual or legal representative;
               (2)  is dated;
               (3)  contains a specific description of the information
  to be disclosed;
               (4)  identifies or describes each person authorized to
  disclose the genetic information;
               (5)  identifies or describes the individuals or
  entities to whom the genetic information may be disclosed or
  subsequently redisclosed;
               (6)  describes the specific purpose of the disclosure;
  and
               (7)  advises the individual or legal representative
  that the individual's authorized representative is entitled to
  receive a copy of the authorization.
         SECTION 14.  Section 33.012(a), Health and Safety Code, is
  amended to read as follows:
         (a)  Screening tests may not be administered to a newborn
  child whose parents, managing conservator, or guardian objects to
  [on the ground that] the tests [conflict with the religious tenets
  or practices of an organized church of which they are adherents].
         SECTION 15.  Subchapter C, Chapter 81, Health and Safety
  Code, is amended by adding Section 81.0465 to read as follows:
         Sec. 81.0465.  EXPRESS CONSENT FOR SPECIMEN COLLECTION, USE,
  AND DISCLOSURE; CONFIDENTIALITY; CIVIL PENALTY. (a) In this
  section:
               (1)  "COVID-19" means the 2019 novel coronavirus
  disease.
               (2)  "Express consent" means an individual's
  affirmative response to a clear and meaningful notice regarding the
  collection, use, or disclosure of a specimen for a specific
  purpose.
               (3)  "Specimen" means a sample of an individual's
  blood, urine, or other bodily fluid or tissue taken for scientific
  analysis to detect or diagnose a disease.
         (b)  A person who collects a specimen from an individual to
  test for a specific disease may not use or analyze the specimen for
  a purpose unrelated to the test without the individual's express
  consent to the use or analysis for another purpose.
         (c)  A person who possesses an individual's specimen that is
  collected for a commercial purpose shall destroy the specimen
  within a reasonable time, but not later than the first anniversary
  of the date the purpose for collecting the specimen expires.
         (d)  A person who obtains an individual's specimen or other
  personal information in relation to the collection of COVID-19 data
  may not disclose that information without the express consent of
  the individual.
         (e)  A person who violates this section is subject to a civil
  penalty of not more than $1,000 for each violation. The attorney
  general may bring an action to recover the civil penalty.
         (f)  This section does not apply to a specimen collected by a
  direct-to-individual genetic testing company as defined by Section
  503.0005, Business & Commerce Code.
         SECTION 16.  Article 18.25, Code of Criminal Procedure, as
  added by this Act, applies only to a warrant issued on or after the
  effective date of this Act.
         SECTION 17.  The changes in law made by this Act apply only
  to a biometric identifier captured, a specimen collected, or
  genetic information obtained or to a biometric identifier, a
  specimen, or genetic information requested on or after the
  effective date of this Act. A biometric identifier, a specimen, or
  genetic information captured, collected, obtained, or requested
  before that date is governed by the law in effect immediately before
  the effective date of this Act, and that law is continued in effect
  for that purpose.
         SECTION 18.  This Act takes effect September 1, 2023.