88R7062 SHH-D
	By: Hughes	S.B. No. 1691

	A BILL TO BE ENTITLED
	AN ACT
	relating to requiring operators of smart devices to provide
	information to users about the collection of personal data.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1.  Title 12, Business & Commerce Code, is amended by
	adding Chapter 610 to read as follows:
	CHAPTER 610. SMART DEVICE DATA COLLECTION TRANSPARENCY
	Sec. 610.001.  DEFINITIONS. In this chapter:
	(1)  "Personal data" means information relating to a
	user's active or passive usage of a smart device.
	(2)  "Smart device" means a home appliance, consumer
	electronic device, or wearable device that:
	(A)  connects to the Internet;
	(B)  collects and stores biometrics, data,
	images, sound, video, or voice recordings in the course of its
	operation; and
	(C)  has the ability to transmit data to the
	device's manufacturer or retailer or to a third party, regardless
	of whether this feature is enabled.
	(3)  "Smart device operator" means:
	(A)  the manufacturer of a smart device; or
	(B)  another person who:
	(i)  remotely operates, monitors, or updates
	the smart device;
	(ii)  provides physical or digital services
	to a user of a smart device; or
	(iii)  receives, or has the capacity to
	receive, the personal data of the user of a smart device.
	(4)  "User" means an individual who:
	(A)  purchases a smart device;
	(B)  actively or passively uses a smart device;
	(C)  lives in a dwelling to which a smart device is
	fixed, or where a smart device is regularly used; or
	(D)  wears a smart device.
	Sec. 610.002.  APPLICABILITY. (a)  This chapter applies to a
	smart device operator who:
	(1)  does business in this state;
	(2)  manufactures, sells, or operates a smart device in
	this state; or
	(3)  processes or engages in the sale of personal data
	captured by a smart device used in this state.
	(b)  This chapter does not apply to a state agency, a
	political subdivision of this state, or a utility provider doing
	business in this state.
	Sec. 610.003.  REQUIREMENT TO SUMMARIZE PERSONAL DATA
	COLLECTION. (a)  A smart device operator shall develop and offer to
	users a mobile application that provides a user with information
	regarding:
	(1)  the nature of the personal data collected by the
	smart device;
	(2)  the purposes for which the personal data is
	collected and stored;
	(3)  the methods by which a user's personal data is
	captured, including the use of any audio, biometric, or video
	recording devices;
	(4)  the personal data stored by the smart device
	operator;
	(5)  whether the personal data is stored locally on the
	smart device or transmitted to another location;
	(6)  the security and privacy policies governing the
	storage of the personal data;
	(7)  the identity of all persons with the ability to
	access the personal data; and
	(8)  the identity of all third parties with which a
	user's personal data is shared, including whether the personal data
	is anonymized before being shared with the third party.
	(b)  The mobile application must provide the user with
	information updated at least once a month.
	(c)  The mobile application must allow a user to:
	(1)  view the information described by Subsection (a);
	(2)  stop the acquisition of personal data through the
	smart device; and
	(3)  stop the use of any audio, biometric, or video
	recording features on the smart device.
	Sec. 610.004.  USER NOTIFICATION. (a)  On at least a
	quarterly basis, a smart device operator shall notify each user for
	which the operator has contact information of the availability of
	the mobile application and the methods by which the application may
	be used to customize personal data collection and sharing.
	(b)  The notification under Subsection (a) must:
	(1)  be sent to the user by text message, e-mail, or
	regular mail; and
	(2)  be sent in a communication containing only the
	notification required under Subsection (a).
	SECTION 2.  This Act takes effect September 1, 2023.