88R7062 SHH-D
 
  By: Hughes S.B. No. 1691
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to requiring operators of smart devices to provide
  information to users about the collection of personal data.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Title 12, Business & Commerce Code, is amended by
  adding Chapter 610 to read as follows:
  CHAPTER 610. SMART DEVICE DATA COLLECTION TRANSPARENCY
         Sec. 610.001.  DEFINITIONS. In this chapter:
               (1)  "Personal data" means information relating to a
  user's active or passive usage of a smart device.
               (2)  "Smart device" means a home appliance, consumer
  electronic device, or wearable device that:
                     (A)  connects to the Internet;
                     (B)  collects and stores biometrics, data,
  images, sound, video, or voice recordings in the course of its
  operation; and
                     (C)  has the ability to transmit data to the
  device's manufacturer or retailer or to a third party, regardless
  of whether this feature is enabled.
               (3)  "Smart device operator" means:
                     (A)  the manufacturer of a smart device; or 
                     (B)  another person who:
                           (i)  remotely operates, monitors, or updates
  the smart device;
                           (ii)  provides physical or digital services
  to a user of a smart device; or
                           (iii)  receives, or has the capacity to
  receive, the personal data of the user of a smart device.
               (4)  "User" means an individual who:
                     (A)  purchases a smart device;
                     (B)  actively or passively uses a smart device;
                     (C)  lives in a dwelling to which a smart device is
  fixed, or where a smart device is regularly used; or
                     (D)  wears a smart device.
         Sec. 610.002.  APPLICABILITY. (a)  This chapter applies to a
  smart device operator who:
               (1)  does business in this state;
               (2)  manufactures, sells, or operates a smart device in
  this state; or
               (3)  processes or engages in the sale of personal data
  captured by a smart device used in this state.
         (b)  This chapter does not apply to a state agency, a
  political subdivision of this state, or a utility provider doing
  business in this state.
         Sec. 610.003.  REQUIREMENT TO SUMMARIZE PERSONAL DATA
  COLLECTION. (a)  A smart device operator shall develop and offer to
  users a mobile application that provides a user with information
  regarding:
               (1)  the nature of the personal data collected by the
  smart device;
               (2)  the purposes for which the personal data is
  collected and stored;
               (3)  the methods by which a user's personal data is
  captured, including the use of any audio, biometric, or video
  recording devices;
               (4)  the personal data stored by the smart device
  operator;
               (5)  whether the personal data is stored locally on the
  smart device or transmitted to another location;
               (6)  the security and privacy policies governing the
  storage of the personal data;
               (7)  the identity of all persons with the ability to
  access the personal data; and
               (8)  the identity of all third parties with which a
  user's personal data is shared, including whether the personal data
  is anonymized before being shared with the third party.
         (b)  The mobile application must provide the user with
  information updated at least once a month.
         (c)  The mobile application must allow a user to:
               (1)  view the information described by Subsection (a);
               (2)  stop the acquisition of personal data through the
  smart device; and
               (3)  stop the use of any audio, biometric, or video
  recording features on the smart device.
         Sec. 610.004.  USER NOTIFICATION. (a)  On at least a
  quarterly basis, a smart device operator shall notify each user for
  which the operator has contact information of the availability of
  the mobile application and the methods by which the application may
  be used to customize personal data collection and sharing.
         (b)  The notification under Subsection (a) must:
               (1)  be sent to the user by text message, e-mail, or
  regular mail; and
               (2)  be sent in a communication containing only the
  notification required under Subsection (a).
         SECTION 2.  This Act takes effect September 1, 2023.