Texas 2019 - 86th Regular

Texas House Bill HB4518 Latest Draft

Bill / Introduced Version Filed 03/08/2019

 86R17033 TSR-D
 By: Martinez Fischer H.B. No. 4518


 A BILL TO BE ENTITLED
 AN ACT
 relating to the privacy of a consumer's personal information
 collected by certain businesses; imposing a civil penalty.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1.  Title 11, Business & Commerce Code, is amended by
 adding Subtitle C to read as follows:
 SUBTITLE C. PRIVACY OF PERSONAL INFORMATION
 CHAPTER 541. PRIVACY OF CONSUMER'S PERSONAL INFORMATION
 SUBCHAPTER A. GENERAL PROVISIONS
 Sec. 541.001.  SHORT TITLE. This chapter may be cited as the
 Texas Consumer Privacy Act.
 Sec. 541.002.  DEFINITIONS. In this chapter:
 (1)  "Aggregate consumer information" means
 information that relates to a group or category of consumers from
 which individual consumer identities have been removed and that is
 not linked or reasonably linkable to a particular consumer or
 household, including through a device. The term does not include
 one or more individual consumer records that have been
 deidentified.
 (2)  "Biometric information" means an individual's
 physiological, biological, or behavioral characteristics that can
 be used, alone or in combination with other characteristics or
 other identifying data, to establish the individual's identity.
 The term includes:
 (A)  deoxyribonucleic acid (DNA);
 (B)  an image of an iris, retina, fingerprint,
 face, hand, palm, or vein pattern or a voice recording from which an
 identifier template can be extracted such as a faceprint, minutiae
 template, or voiceprint;
 (C)  keystroke patterns or rhythms;
 (D)  gait patterns or rhythms; and
 (E)  sleep, health, or exercise data that contains
 identifying information.
 (3)  "Business" means a for-profit entity, including a
 sole proprietorship, partnership, limited liability company,
 corporation, association, or other legal entity that is organized
 or operated for the profit or financial benefit of the entity's
 shareholders or other owners.
 (4)  "Business purpose" means the use of personal
 information for:
 (A)  the following operational purposes of a
 business or service provider, provided that the use of the
 information is reasonably necessary and proportionate to achieve
 the operational purpose for which the information was collected or
 processed or another operational purpose that is compatible with
 the context in which the information was collected:
 (i)  auditing related to a current
 interaction with a consumer and any concurrent transactions,
 including counting ad impressions to unique visitors, verifying the
 positioning and quality of ad impressions, and auditing compliance
 with a specification or other standards for ad impressions;
 (ii)  detecting a security incident,
 protecting against malicious, deceptive, fraudulent, or illegal
 activity, and prosecuting those responsible for any illegal
 activity described by this subparagraph;
 (iii)  identifying and repairing or removing
 errors that impair the intended functionality of computer hardware
 or software;
 (iv)  using personal information in the
 short term or for a transient use, provided that the information is
 not:
 (a)  disclosed to a third party; and
 (b)  used to build a profile about a
 consumer or alter an individual consumer's experience outside of a
 current interaction with the consumer, including the contextual
 customization of an advertisement displayed as part of the same
 interaction;
 (v)  performing a service on behalf of the
 business or service provider, including:
 (a)  maintaining or servicing an
 account, providing customer service, processing or fulfilling an
 order or transaction, verifying customer information, processing a
 payment, providing financing, providing advertising or marketing
 services, or providing analytic services; or
 (b)  performing a service similar to a
 service described by Sub-subparagraph (a) on behalf of the business
 or service provider;
 (vi)  undertaking internal research for
 technological development and demonstration; or
 (vii)  undertaking an activity to:
 (a)  verify or maintain the quality or
 safety of a service or device that is owned by, manufactured by,
 manufactured for, or controlled by the business; or
 (b)  improve, upgrade, or enhance a
 service or device described by Sub-subparagraph (a); or
 (B)  another operational purpose for which notice
 is given under this chapter.
 (5)  "Collect" means to buy, rent, gather, obtain,
 receive, or access the personal information of a consumer by any
 means, including by actively or passively receiving the information
 from the consumer or by observing the consumer's behavior.
 (6)  "Commercial purpose" means a purpose that is
 intended to result in a profit or other tangible benefit or the
 advancement of a person's commercial or economic interests, such as
 by inducing another person to buy, rent, lease, subscribe to,
 provide, or exchange products, goods, property, information, or
 services or by enabling or effecting, directly or indirectly, a
 commercial transaction. The term does not include the purpose of
 engaging in speech recognized by state or federal courts as
 noncommercial speech, including political speech and journalism.
 (7)  "Consumer" means an individual who is a resident
 of this state.
 (8)  "Deidentified information" means information that
 cannot reasonably identify, relate to, describe, be associated
 with, or be linked to, directly or indirectly, a particular
 consumer.
 (9)  "Device" means any physical object capable of
 connecting to the Internet, directly or indirectly, or to another
 device.
 (10)  "Identifier" means data elements or other
 information that alone or in conjunction with other information can
 be used to identify a particular consumer, household, or device
 that is linked to a particular consumer or household.
 (11)  "Person" means an individual, sole
 proprietorship, firm, partnership, joint venture, syndicate,
 business trust, company, corporation, limited liability company,
 association, committee, and any other organization or group of
 persons acting in concert.
 (12)  "Personal information" means information that
 identifies, relates to, describes, can be associated with, or can
 reasonably be linked to, directly or indirectly, a particular
 consumer or household. The term does not include publicly
 available information. The term includes the following categories
 of information if the information identifies, relates to,
 describes, can be associated with, or can reasonably be linked to,
 directly or indirectly, a particular consumer or household:
 (A)  an identifier, including a real name, alias,
 mailing address, account name, date of birth, driver's license
 number, unique identifier, social security number, passport
 number, signature, telephone number, or other government-issued
 identification number, or other similar identifier;
 (B)  an online identifier, including an
 electronic mail address or Internet Protocol address, or other
 similar identifier;
 (C)  a physical characteristic or description,
 including a characteristic of a protected classification under
 state or federal law;
 (D)  commercial information, including:
 (i)  a record of personal property;
 (ii)  a good or service purchased, obtained,
 or considered;
 (iii)  an insurance policy number; or
 (iv)  other purchasing or consuming
 histories or tendencies;
 (E)  biometric information;
 (F)  Internet or other electronic network
 activity information, including:
 (i)  browsing or search history; and
 (ii)  other information regarding a
 consumer's interaction with an Internet website, application, or
 advertisement;
 (G)  geolocation data;
 (H)  audio, electronic, visual, thermal,
 olfactory, or other similar information;
 (I)  professional or employment-related
 information;
 (J)  education information that is not publicly
 available personally identifiable information under the Family
 Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
 1232g) (34 C.F.R. Part 99);
 (K)  financial information, including a financial
 institution account number, credit or debit card number, or
 password or access code associated with a credit or debit card or
 bank account;
 (L)  medical information;
 (M)  health insurance information; or
 (N)  inferences drawn from any of the information
 listed under this subdivision to create a profile about a consumer
 that reflects the consumer's preferences, characteristics,
 psychological trends, predispositions, behavior, attitudes,
 intelligence, abilities, or aptitudes.
 (13)  "Processing information" means performing any
 operation or set of operations on personal data or on sets of
 personal data, whether or not by automated means.
 (14)  "Publicly available information" means
 information that is lawfully made available to the public from
 federal, state, or local government records if the conditions
 associated with making the information available are met. The term
 does not include:
 (A)  biometric information of a consumer
 collected by a business without the consumer's knowledge;
 (B)  data that is used for a purpose that is not
 compatible with the purpose for which the data is:
 (i)  publicly maintained; or
 (ii)  maintained in and made available from
 government records; or
 (C)  deidentified or aggregate consumer
 information.
 (15)  "Service provider" means a for-profit entity as
 described by Subdivision (3) that processes information on behalf
 of a business and to which the business discloses, for a business
 purpose, a consumer's personal information under a written
 contract, provided that the contract prohibits the entity receiving
 the information from retaining, using, or disclosing the
 information for any purpose other than:
 (A)  providing the services specified in the
 contract with the business; or
 (B)  for a purpose permitted by this chapter,
 including for a commercial purpose other than providing those
 specified services.
 (16)  "Third party" means a person who is not:
 (A)  a business to which this chapter applies that
 collects personal information from consumers; or
 (B)  a person to whom the business discloses, for
 a business purpose, a consumer's personal information under a
 written contract, provided that the contract:
 (i)  prohibits the person receiving the
 information from:
 (a)  selling the information;
 (b)  retaining, using, or disclosing
 the information for any purpose other than providing the services
 specified in the contract, including for a commercial purpose other
 than providing those services; and
 (c)  retaining, using, or disclosing
 the information outside of the direct business relationship between
 the person and the business; and
 (ii)  includes a certification made by the
 person receiving the personal information that the person
 understands and will comply with the prohibitions under
 Subparagraph (i).
 (17)  "Unique identifier" means a persistent
 identifier that can be used over time and across different services
 to recognize a consumer, a custodial parent or guardian, or any
 minor children over which the parent or guardian has custody, or a
 device that is linked to those individuals. The term includes:
 (A)  a device identifier;
 (B)  an Internet Protocol address;
 (C)  a cookie, beacon, pixel tag, mobile ad
 identifier, or similar technology;
 (D)  a customer number, unique pseudonym, or user
 alias;
 (E)  a telephone number; and
 (F)  another form of a persistent or probabilistic
 identifier that can be used to identify a particular consumer or
 device.
 (18)  "Verifiable consumer request" means a request:
 (A)  that is made by a consumer, a consumer on
 behalf of the consumer's minor child, or a natural person or person
 who is authorized by a consumer to act on the consumer's behalf; and
 (B)  that a business can reasonably verify, in
 accordance with rules adopted under Section 541.009, was submitted
 by:
 (i)  the consumer about whom the business
 has collected personal information; or
 (ii)  the consumer on behalf of the
 consumer's minor child about whom the business has collected
 personal information.
 Sec. 541.003.  APPLICABILITY OF CHAPTER. (a) This chapter
 applies only to:
 (1)  a business that:
 (A)  does business in this state;
 (B)  collects consumers' personal information or
 has that information collected on the business's behalf;
 (C)  alone or in conjunction with others,
 determines the purpose for and means of processing consumers'
 personal information; and
 (D)  satisfies one or more of the following
 thresholds:
 (i)  has annual gross revenue in an amount
 that exceeds $25 million, as adjusted by the attorney general in
 accordance with the rules adopted under Section 541.009;
 (ii)  alone or in combination with others,
 annually buys, sells, or receives or shares for commercial purposes
 the personal information of 50,000 or more consumers, households,
 or devices; or
 (iii)  derives 50 percent or more of the
 business's annual revenue from selling consumers' personal
 information; and
 (2)  an entity that controls or is controlled by a
 business described by Subdivision (1) and that shares a service
 mark, trademark, or shared name with the business.
 (b)  For purposes of Subsection (a)(2), "control" means the:
 (1)  ownership of, or power to vote, more than 50
 percent of the outstanding shares of any class of voting security of
 a business;
 (2)  control in any manner over the election of a
 majority of the directors or of individuals exercising similar
 functions; or
 (3)  power to exercise a controlling influence over the
 management of a company.
 (c)  For purposes of this chapter, a business sells a
 consumer's personal information to another business or a third
 party if the business sells, rents, discloses, disseminates, makes
 available, transfers, or otherwise communicates, orally, in
 writing, or by electronic or other means, the information to the
 other business or third party for monetary or other valuable
 consideration.
 (d)  For purposes of this chapter, a business does not sell a
 consumer's personal information if:
 (1)  the consumer uses or directs the business to
 intentionally disclose the information or uses the business to
 intentionally interact with a third party, provided that the third
 party does not sell the information, unless that disclosure is
 consistent with this chapter; or
 (2)  the business:
 (A)  uses or shares an identifier of the consumer
 to alert a third party that the consumer has opted out of the sale of
 the information;
 (B)  uses or shares with a service provider a
 consumer's personal information that is necessary to perform a
 business purpose if:
 (i)  the business provided notice that the
 information is being used or shared in the business's terms and
 conditions consistent with Sections 541.054 and 541.102(a)(8); and
 (ii)  the service provider does not further
 collect, sell, or use the information except as necessary to
 perform the business purpose; or
 (C)  transfers to a third party a consumer's
 personal information as an asset that is part of a merger,
 acquisition, bankruptcy, or other transaction in which the third
 party assumes control of all or part of the business, provided that
 information is used or shared consistent with Sections 541.051,
 541.053, and 541.054(e).
 (e)  For purposes of Subsection (d)(1), an intentional
 interaction occurs if the consumer does one or more deliberate acts
 with the intent to interact with a third party. Placing a cursor
 over, muting, pausing, or closing online content does not
 constitute a consumer's intent to interact with a third party.
 Sec. 541.004.  EXEMPTIONS. (a) This chapter does not apply
 to:
 (1)  publicly available information;
 (2)  protected health information governed by Chapter
 181, Health and Safety Code, or collected by a covered entity or a
 business associate of a covered entity, as those terms are defined
 by 45 C.F.R. Section 160.103, that is governed by the privacy,
 security, and breach notification rules in 45 C.F.R. Parts 160 and
 164 adopted by the United States Department of Health and Human
 Services under the Health Insurance Portability and Accountability
 Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American
 Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5);
 (3)  a health care provider governed by Chapter 181,
 Health and Safety Code, or a covered entity described by
 Subdivision (2) to the extent that the provider or entity maintains
 the personal information of a patient in the same manner as
 protected health information described by that subdivision;
 (4)  information collected as part of a clinical trial
 subject to the Federal Policy for the Protection of Human Subjects
 in accordance with the good clinical practice guidelines issued by
 the International Council for Harmonisation or the human subject
 protection requirements of the United States Food and Drug
 Administration;
 (5)  the sale of personal information to or by a
 consumer reporting agency, as defined by Section 20.01, if the
 information is to be:
 (A)  reported in or used to generate a consumer
 report, as defined by Section 1681a(d) of the Fair Credit Reporting
 Act (15 U.S.C. Section 1681 et seq.); and
 (B)  used solely for a purpose authorized under
 that act;
 (6)  personal information collected, processed, sold,
 or disclosed in accordance with:
 (A)  the Gramm-Leach-Bliley Act (Pub. L. No.
 106-102) and its implementing regulations; or
 (B)  the Driver's Privacy Protection Act of 1994
 (18 U.S.C. Section 2721 et seq.);
 (7)  deidentified or aggregate consumer information;
 or
 (8)  a consumer's personal information collected or
 sold by a business, if every aspect of the collection or sale
 occurred wholly outside of this state.
 (b)  For purposes of Subsection (a)(8), the collection or
 sale of a consumer's personal information occurs wholly outside of
 this state if:
 (1)  the business collects that information while the
 consumer is outside of this state;
 (2)  no part of the sale of the information occurs in
 this state; and
 (3)  the business does not sell any personal
 information of the consumer collected while the consumer is in this
 state.
 (c)  For purposes of Subsection (b), the collection or sale
 of a consumer's personal information does not occur wholly outside
 of this state if a business stores a consumer's personal
 information, including on a device, when the consumer is in this
 state and subsequently collects or sells that stored information
 when the consumer and the information are outside of this state.
 Sec. 541.005.  CERTAIN RIGHTS AND OBLIGATIONS NOT AFFECTED.
 A right or obligation under this chapter does not apply to the
 extent that the exercise of the right or performance of the
 obligation:
 (1)  adversely affects a right of another consumer; or
 (2)  infringes on a noncommercial activity of:
 (A)  a publisher, editor, reporter, or other
 person connected with or employed by a newspaper, magazine, or
 other publication of general circulation, including a periodical
 newsletter, pamphlet, or report;
 (B)  a radio or television station that holds a
 license issued by the Federal Communications Commission; or
 (C)  an entity that provides an information
 service, including a press association or wire service.
 Sec. 541.006.  COMPLIANCE WITH OTHER LAWS; LEGAL
 PROCEEDINGS. This chapter does not:
 (1)  restrict a business's ability to:
 (A)  comply with:
 (i)  applicable federal, state, or local
 laws; or
 (ii)  a civil, criminal, or regulatory
 inquiry, investigation, subpoena, or summons by a federal, state,
 or local authority;
 (B)  cooperate with a law enforcement agency
 concerning conduct or activity that the business, a service
 provider of the business, or a third party reasonably and in good
 faith believes may violate other applicable federal, state, or
 local laws; or
 (C)  pursue or defend against a legal claim; or
 (2)  require a business to violate an evidentiary
 privilege under federal or state law or prevent a business from
 disclosing to a person covered by an evidentiary privilege the
 personal information of a consumer as part of a privileged
 communication.
 Sec. 541.007.  CONSTRUCTION; RELATION TO OTHER STATE AND
 FEDERAL LAW. (a) This chapter shall be liberally construed to
 effect its purposes and to harmonize, to the extent possible, with
 other laws of this state relating to the privacy or protection of
 personal information.
 (b)  To the extent of a conflict between a provision of this
 chapter and a provision of federal law, including a regulation or an
 interpretation of federal law, federal law controls and conflicting
 requirements or other provisions of this chapter do not apply.
 (c)  To the extent of a conflict between a provision of this
 chapter and another statute of this state with respect to the
 privacy or protection of consumers' personal information, the
 provision of law that affords the greatest privacy or protection to
 consumers prevails.
 Sec. 541.008.  PREEMPTION OF LOCAL LAW. This chapter
 preempts and supersedes any ordinance, order, or rule adopted by a
 political subdivision of this state relating to the collection or
 sale by a business of a consumer's personal information.
 Sec. 541.009.  RULES. (a) The attorney general shall adopt
 rules necessary to implement, administer, and enforce this chapter.
 (b)  The rules adopted under Subsection (a) must establish:
 (1)  procedures for the adjustment of the monetary
 threshold under Section 541.003(a)(1)(D) in January of every
 odd-numbered year to reflect any increase in the consumer price
 index;
 (2)  procedures governing the determination of,
 submission of, and compliance with a verifiable consumer request
 for information with the goal of minimizing administrative burdens
 on consumers and businesses subject to this chapter by taking into
 account available technology and security concerns, including:
 (A)  treating as a verifiable consumer request a
 request submitted through a password-protected online account
 maintained by the consumer with the business while logged into the
 account; and
 (B)  providing a mechanism for a request submitted
 by a consumer who does not maintain an account with the business;
 (3)  procedures to facilitate and govern the submission
 of and compliance with a request to opt out of the sale of personal
 information under Section 541.054;
 (4)  guidelines for the development of a recognizable
 and uniform opt-out logo or button for use on businesses' Internet
 websites in a manner that promotes consumer awareness of the
 opportunity to opt out of the sale of personal information; and
 (5)  procedures and guidelines, including any
 necessary exceptions, to ensure that the notices and information
 businesses are required to provide under this chapter, including
 information regarding financial incentive offerings, are:
 (A)  provided in a manner that is easily
 understood by the average consumer;
 (B)  accessible by consumers with disabilities;
 and
 (C)  available in the languages primarily used by
 consumers to interact with businesses.
 (c)  The attorney general may adopt other rules necessary to
 further the purposes of this chapter, including rules as necessary
 to:
 (1)  update the categories of personal information
 listed under Section 541.002(12) and the definition of identifier
 under Section 541.002 to account for privacy concerns,
 implementation obstacles, or changes in technology and data
 collection methods;
 (2)  update the designated methods for submitting
 requests to facilitate a consumer's ability to obtain information
 from a business under Section 541.103; and
 (3)  establish any exceptions necessary to comply with
 federal law or other laws of this state, including laws relating to
 trade secrets and intellectual property rights.
 Sec. 541.010.  ATTORNEY GENERAL OPINION. A business or a
 third party may seek an opinion from the attorney general for
 guidance on how to comply with this chapter.
 Sec. 541.011.  USE OF PERSONAL INFORMATION IN RESEARCH. For
 purposes of this chapter, "research" means scientific, systematic
 study and observation, including basic research or applied research
 that is in the public interest and that adheres to all other
 applicable ethics and privacy laws or studies conducted in the
 public interest in the area of public health. Research with
 personal information that may have been collected from a consumer
 in the course of the consumer's interactions with a business's
 service or device for other purposes must be:
 (1)  compatible with the business purpose for which the
 personal information was collected;
 (2)  subsequently pseudonymized and deidentified, or
 deidentified and in the aggregate, such that the information cannot
 reasonably identify, relate to, describe, be capable of being
 associated with, or be linked, directly or indirectly, to a
 particular consumer;
 (3)  made subject to technical safeguards that prohibit
 reidentification of the consumer to whom the information may
 pertain;
 (4)  subject to business processes that specifically
 prohibit reidentification of the information;
 (5)  made subject to business processes to prevent
 inadvertent release of deidentified information;
 (6)  protected from any reidentification attempts;
 (7)  used solely for research purposes that are
 compatible with the context in which the personal information was
 collected;
 (8)  not used for any commercial purpose; and
 (9)  subjected by the business conducting the research
 to additional security controls that limit access to the research
 data to only those individuals in a business as are necessary to
 carry out the research purpose.
 SUBCHAPTER B. CONSUMER'S RIGHTS
 Sec. 541.051.  RIGHT TO DISCLOSURE OF PERSONAL INFORMATION
 COLLECTED. (a) A consumer is entitled to request that a business
 that collects the consumer's personal information disclose to the
 consumer the categories and specific items of personal information
 the business has collected.
 (b)  To receive the disclosure of information under
 Subsection (a), a consumer must submit to the business a verifiable
 consumer request using a method designated by the business under
 Section 541.103.
 (c)  On receipt of a verifiable consumer request under this
 section, a business shall disclose to the consumer in the time and
 manner provided by Section 541.105:
 (1)  each enumerated category and item within each
 category of personal information under Section 541.002(12) that the
 business collected about the consumer during the 12 months
 preceding the date of the request;
 (2)  each category of sources from which the
 information was collected;
 (3)  the business or commercial purpose for collecting
 or selling the personal information; and
 (4)  each category of third parties with whom the
 business shares the personal information.
 (d)  This section does not require a business to:
 (1)  retain a consumer's personal information that was
 collected for a one-time transaction if the information is not sold
 or retained in the ordinary course of business; or
 (2)  reidentify or otherwise link any data that, in the
 ordinary course of business, is not maintained in a manner that
 would be considered personal information.
 Sec. 541.052.  RIGHT TO DELETION OF PERSONAL INFORMATION
 COLLECTED. (a) A consumer is entitled to request that a business
 that collects the consumer's personal information delete any
 personal information the business has collected from the consumer
 by submitting a verifiable consumer request using a method
 designated by the business under Section 541.103.
 (b)  Except as provided by Subsection (c), on receipt of a
 verifiable consumer request under this section, a business shall
 delete from the business's records any personal information
 collected from the consumer and direct a service provider of the
 business to delete the information from the provider's records.
 (c)  A business or service provider of the business is not
 required to comply with a verifiable consumer request received
 under this section if the business or service provider needs to
 retain the consumer's personal information to:
 (1)  complete the transaction for which the information
 was collected;
 (2)  provide a good or service requested by the
 consumer or reasonably anticipated to be requested by the consumer
 in the context of the ongoing business relationship between the
 business and consumer;
 (3)  perform under a contract between the business and
 the consumer;
 (4)  detect a security incident, protect against
 malicious, deceptive, fraudulent, or illegal activity, or
 prosecute those responsible for any illegal activity described by
 this subdivision;
 (5)  identify and repair or remove errors from computer
 hardware or software that impair its intended functionality;
 (6)  exercise free speech or ensure the right of
 another consumer to exercise the right of free speech or another
 right afforded by law;
 (7)  comply with Chapter 1289 (H.B. 2268), Acts of the
 83rd Legislature, Regular Session, 2013, or a legal obligation;
 (8)  engage in public or peer-reviewed scientific,
 historical, or statistical research that is in the public interest
 and that adheres to all other applicable ethics and privacy laws
 provided that:
 (A)  the business's deletion of the information is
 likely to render impossible or seriously impair the achievement of
 that research; and
 (B)  the consumer has provided to the business
 informed consent to retain the information; or
 (9)  use the information internally:
 (A)  so long as the use is reasonably aligned with
 the expectations of the consumer based on the consumer's
 relationship with the business; or
 (B)  in a manner that is lawful and compatible
 with the context in which the consumer provided the information.
 Sec. 541.053.  RIGHT TO DISCLOSURE OF PERSONAL INFORMATION
 SOLD OR DISCLOSED. (a) A consumer is entitled to request that a
 business that sells, or discloses for a business purpose, the
 consumer's personal information disclose to the consumer:
 (1)  the categories of personal information the
 business collected about the consumer;
 (2)  the categories of personal information about the
 consumer the business sold, or disclosed for a business purpose;
 and
 (3)  the categories of third parties to whom the
 personal information was sold or disclosed.
 (b)  To receive the disclosure of information under
 Subsection (a), a consumer must submit to the business a verifiable
 consumer request using a method designated by the business under
 Section 541.103.
 (c)  On receipt of a verifiable consumer request under this
 section, a business shall disclose to the consumer in the time and
 manner provided by Section 541.105:
 (1)  each enumerated category of personal information
 under Section 541.002(12) that the business collected about the
 consumer during the 12 months preceding the date of the request;
 (2)  the categories of third parties to whom the
 business sold the consumer's personal information during the 12
 months preceding the date of the request, by reference to each
 enumerated category of information under Section 541.002(12) sold
 to each third party; and
 (3)  the categories of third parties to whom the
 business disclosed for a business purpose the consumer's personal
 information during the 12 months preceding the date of the request,
 by reference to each enumerated category of information under
 Section 541.002(12) disclosed to each third party.
 (d)  A business shall provide the information described by
 Subsections (c)(2) and (3) in two separate lists.
 (e)  A business that did not sell, or disclose for a business
 purpose, the consumer's personal information during the 12 months
 preceding the date of receiving the consumer's verifiable consumer
 request under this section shall disclose that fact to the
 consumer.
 Sec. 541.054.  RIGHT TO OPT OUT OF SALE OF PERSONAL
 INFORMATION. (a) A consumer is entitled at any time to opt out of
 the sale of the consumer's personal information by a business to
 third parties by directing the business not to sell the
 information. A consumer may authorize another person solely to opt
 out of the sale of the consumer's personal information on the
 consumer's behalf. Except as provided by Subsection (c), a
 business shall comply with a direction not to sell that is received
 under this subsection.
 (b)  A business that sells to a third party consumers'
 personal information shall provide on the business's Internet
 website's home page:
 (1)  notice to consumers that:
 (A)  the information may be sold; and
 (B)  consumers have the right to opt out of the
 sale; and
 (2)  a clear and conspicuous link that:
 (A)  enables a consumer, or a person authorized by
 the consumer, to opt out of the sale of the consumer's personal
 information; and
 (B)  is titled "DO NOT SELL MY PERSONAL
 INFORMATION."
 (c)  A business may not sell to a third party the personal
 information of a consumer who opts out of the sale of that
 information under this section before the first anniversary of the
 date the consumer opted out, unless the consumer provides express
 authorization for the business to sell the consumer's personal
 information. After the period prescribed by this subsection
 expires, a business may request that the consumer consent to the
 sale of the consumer's personal information by the business.
 (d)  A business may use any personal information collected
 from the consumer in connection with the consumer's opting out
 under this section solely to comply with this section.
 (e)  A third party to whom a business has sold the personal
 information of a consumer may not sell the information unless the
 consumer receives explicit notice of the potential sale and is
 provided the opportunity to exercise the right to opt out of the
 sale as provided by this section.
 (f)  Notwithstanding Subsection (b), a business is not
 required to provide the link required by that subsection on the
 Internet website the business makes available to the public if the
 business:
 (1)  provides the required link on a separate and
 additional Internet website that is maintained by the business and
 dedicated to consumers; and
 (2)  takes reasonable steps to ensure that consumers
 are directed to the website described by Subdivision (1) instead of
 the website the business makes available to the public.
 (g)  A business may not require a consumer to create an
 account with the business to opt out of the sale of the consumer's
 personal information.
 Sec. 541.055.  RIGHT TO OPT IN FOR SALE OF PERSONAL
 INFORMATION OF CERTAIN MINORS. (a) The requirement for consent to
 sell a consumer's personal information under this section may be
 referred to as the consumer's "right to opt in."
 (b)  A business may not sell a consumer's personal
 information if the business has actual knowledge that the consumer
 is younger than 16 years of age unless:
 (1)  for a consumer who is at least 13 years of age but
 younger than 16 years of age, the business receives express
 authorization to sell the consumer's personal information from the
 consumer; or
 (2)  for a consumer who is younger than 13 years of age,
 the business receives express authorization to sell the consumer's
 personal information from the consumer's parent or legal guardian.
 (c)  A business that wilfully disregards the age of a
 consumer whose personal information the business sells to a third
 party is considered to have actual knowledge of the consumer's age.
 Sec. 541.056.  WAIVER OR LIMITATION PROVISION VOID. (a) A
 provision of a contract or other agreement that purports to waive or
 limit a right, remedy, or means of enforcement under this chapter is
 contrary to public policy and is void.
 (b)  This section does not prevent a consumer from:
 (1)  declining to request information from a business;
 (2)  declining to opt out of a business's sale of the
 consumer's personal information; or
 (3)  authorizing a business to sell the consumer's
 personal information after previously opting out.
 SUBCHAPTER C. BUSINESS RIGHTS AND OBLIGATIONS
 Sec. 541.101.  NOTIFICATION OF COLLECTION REQUIRED. (a) A
 business that collects a consumer's personal information shall, at
 or before the point of collection, notify the consumer of each
 category of personal information to be collected and the purposes
 for which the category of information will be used.
 (b)  A business may not collect an additional category of
 personal information or use personal information collected for an
 additional purpose unless the business provides notice to the
 consumer of the additional category or purpose in accordance with
 Subsection (a).
 (c)  If a third party that assumes control of all or part of a
 business as described by Section 541.003(d)(2)(C) materially
 alters the practices of the business in how personal information is
 used or shared, and the practices are materially inconsistent with
 a notice provided to a consumer under Subsection (a) or (b), the
 third party must notify the consumer of the third party's new or
 changed practices before the third party uses or shares the
 personal information in a conspicuous manner that allows the
 consumer to easily exercise a right provided under this chapter.
 (d)  Subsection (c) does not authorize a business to make a
 material, retroactive change or other change to a business's
 privacy policy in a manner that would be a deceptive trade practice
 actionable under Subchapter E, Chapter 17.
 Sec. 541.102.  ONLINE PRIVACY POLICY OR POLICY NOTICE. (a)
 A business that collects, sells, or for a business purpose
 discloses a consumer's personal information shall disclose the
 following information in the business's online privacy policy or
 other notice of the business's policies:
 (1)  a description of a consumer's rights under
 Sections 541.051, 541.053, and 541.107 and designated methods for
 submitting a verifiable consumer request for information under this
 chapter;
 (2)  for a business that collects personal information
 about consumers, a description of the consumer's right to request
 the deletion of the consumer's personal information;
 (3)  separate lists containing the categories of
 consumers' personal information described by Section 541.002(12)
 that, during the 12 months preceding the date the business updated
 the information as required by Subsection (b), the business:
 (A)  collected;
 (B)  sold, if applicable; or
 (C)  disclosed for a business purpose, if
 applicable;
 (4)  the categories of sources from which the
 information under Subdivision (3) is collected;
 (5)  the business or commercial purposes for collecting
 personal information;
 (6)  if the business does not sell consumers' personal
 information or disclose the information for a business or
 commercial purpose, a statement of that fact;
 (7)  the categories of third parties to whom the
 business sells or discloses personal information;
 (8)  if the business sells consumers' personal
 information, the Internet link required by Section 541.054(b); and
 (9)  if applicable, the financial incentives offered to
 consumers under Section 541.108.
 (b)  If a business described by Subsection (a) does not have
 an online privacy policy or other notice of the business's
 policies, the business shall make the information required under
 Subsection (a) available to consumers on the business's Internet
 website or another website the business maintains that is dedicated
 to consumers in this state.
 (c)  A business must update the information required by
 Subsection (a) at least once each year.
 Sec. 541.103.  METHODS TO SUBMIT VERIFIABLE CONSUMER
 REQUEST. (a) A business shall designate and make available to
 consumers, in a form that is reasonably accessible, at least two
 methods for submitting a verifiable consumer request for
 information required to be disclosed or deleted under Subchapter B.
 The methods must include, at a minimum:
 (1)  a toll-free telephone number that a consumer may
 call to submit the request; and
 (2)  the business's Internet website at which the
 consumer may submit the request, if the business maintains an
 Internet website.
 (b)  The methods designated under Subsection (a) may also
 include:
 (1)  a mailing address;
 (2)  an electronic mail address;
 (3)  another Internet web page or portal;
 (4)  other contact information; or
 (5)  any consumer-friendly method approved by the
 attorney general under Section 541.009.
 (c)  A business may not require a consumer to create an
 account with the business to submit a verifiable consumer request.
 Sec. 541.104.  VERIFICATION OF CONSUMER REQUEST. (a) A
 business that receives a consumer request under Section 541.051 or
 541.053 shall promptly take steps to reasonably verify, in
 accordance with rules adopted under Section 541.009, that:
 (1)  the consumer who is the subject of the request is a
 consumer about whom the business has collected, sold, or for a
 business purpose disclosed personal information; and
 (2)  the request is made by:
 (A)  the consumer;
 (B)  a consumer on behalf of the consumer's minor
 child; or
 (C)  a person authorized to act on the consumer's
 behalf.
 (b)  A business may use any personal information collected
 from the consumer in connection with the business's verification of
 a request under this section solely to verify the request.
 (c)  A business that is unable to verify a consumer request
 under this section is not required to comply with the request.
 Sec. 541.105.  DISCLOSURE REQUIREMENTS. (a) Not later than
 the 45th day after the date a business receives a verifiable
 consumer request under Section 541.051 or 541.053, the business
 shall disclose free of charge to the consumer the information
 required to be disclosed under those sections.
 (b)  A business may extend the time in which to comply with
 Subsection (a) once by an additional 45 days if reasonably
 necessary or by an additional 90 days after taking into account the
 number and complexity of verifiable consumer requests received by
 the business. A business that extends the time in which to comply
 with Subsection (a) shall notify the consumer of the extension and
 reason for the delay within the period prescribed by that
 subsection.
 (c)  The disclosure required by Subsection (a) must:
 (1)  cover personal information collected, sold, or
 disclosed for a business purpose, as applicable, during the 12
 months preceding the date the business receives the request; and
 (2)  be made in writing and delivered to the consumer:
 (A)  by mail or electronically, at the consumer's
 option, if the consumer does not have an account with the business;
 or
 (B)  through the consumer's account with the
 business.
 (d)  An electronic disclosure under Subsection (c) must be in
 a readily accessible format that allows the consumer to
 electronically transmit the information to another person or
 entity.
 (e)  A business is not required to make the disclosure
 required by Subsection (a) to the same consumer more than twice in a
 12-month period.
 (f)  Notwithstanding Subsection (a), if a consumer's
 verifiable consumer request is manifestly baseless or excessive, in
 particular because of repetitiveness, a business may charge a
 reasonable fee after taking into account the administrative costs
 of compliance or refusal to comply with the request. The business
 has the burden of demonstrating that a request is manifestly
 baseless or excessive.
 (g)  A business that does not comply with a consumer's
 verifiable consumer request under Subsection (a) shall notify the
 consumer, within the time the business is required to respond to a
 request under this section, of the reasons for the refusal and the
 rights the consumer may have to appeal that decision.
 Sec. 541.106.  DEIDENTIFIED INFORMATION. (a) A business
 that uses deidentified information may not reidentify or attempt to
 reidentify a consumer who is the subject of deidentified
 information without obtaining the consumer's consent or
 authorization.
 (b)  A business that uses deidentified information shall
 implement:
 (1)  technical safeguards and business processes to
 prohibit reidentification of the consumer to whom the information
 may pertain; and
 (2)  business processes to prevent inadvertent release
 of deidentified information.
 (c)  This chapter may not be construed to require a business
 to reidentify or otherwise link information that is not maintained
 in a manner that would be considered personal information.
 Sec. 541.107.  DISCRIMINATION PROHIBITED. (a) A business may
 not discriminate against a consumer because the consumer exercised
 a right under this chapter, including by:
 (1)  denying a good or service to the consumer;
 (2)  charging the consumer a different price or rate
 for a good or service, including denying the use of a discount or
 other benefit or imposing a penalty;
 (3)  providing a different level or quality of a good or
 service to the consumer; or
 (4)  suggesting that the consumer will be charged a
 different price or rate for, or provided a different level or
 quality of, a good or service.
 (b)  This section does not prohibit a business from offering
 or charging a consumer a different price or rate for a good or
 service, or offering or providing to the consumer a different level
 or quality of a good or service, if the difference is reasonably
 related to the value provided to the consumer by the consumer's
 data.
 Sec. 541.108.  FINANCIAL INCENTIVES. (a) Subject to
 Subsection (b), a business may offer a financial incentive to a
 consumer, including a payment as compensation, for the collection,
 sale, or disclosure of the consumer's personal information.
 (b)  A business may enroll a customer in a financial
 incentive program only if the business provides to the consumer a
 clear description of the material terms of the program and obtains
 the consumer's prior opt-in consent, which:
 (1)  contains a clear description of those material
 terms; and
 (2)  may be revoked by the consumer at any time.
 (c)  A business may not use financial incentive practices
 that are unjust, unreasonable, coercive, or usurious in nature.
 Sec. 541.109.  CERTAIN ACTIONS TO AVOID REQUIREMENTS
 PROHIBITED. (a) A business may not divide a single transaction into
 more than one transaction with the intent to avoid the requirements
 of this chapter.
 (b)  For purposes of this chapter, two or more substantially
 similar or related transactions are considered a single transaction
 if the transactions:
 (1)  are entered into contemporaneously; and
 (2)  have at least one common party.
 (c)  A court shall disregard any intermediate transactions
 conducted by a business with the intent to avoid the requirements of
 this chapter, including the disclosure of information by a business
 to a third party to avoid complying with the requirements under this
 chapter applicable to a sale of the information.
 Sec. 541.110.  INFORMATION REQUIRED. A business shall
 ensure that each person responsible for handling consumer inquiries
 about the business's privacy practices or compliance with this
 chapter is informed of the requirements of this chapter and of how
 to direct a consumer in exercising any of the rights to which a
 consumer is entitled under this chapter.
 SUBCHAPTER D. REMEDIES
 Sec. 541.151.  CIVIL PENALTY; INJUNCTION. (a) A person who
 violates this chapter is liable to this state for a civil penalty in
 an amount not to exceed:
 (1)  $2,500 for each violation; or
 (2)  $7,500 for each violation, if the violation is
 intentional.
 (b)  If it appears to the attorney general that a person is
 engaging in, has engaged in, or is about to engage in conduct that
 violates this chapter, the attorney general may give notice to the
 person of the alleged violation. If the person fails to cure the
 alleged violation before the 30th day after the date notice is
 given, the attorney general may bring an action in the name of the
 state against the person to restrain the violation by a temporary
 restraining order or by a permanent or temporary injunction or to
 recover the civil penalty imposed under this section, or both.
 (c)  The attorney general is entitled to recover reasonable
 expenses, including reasonable attorney's fees, court costs, and
 investigatory costs, incurred in obtaining injunctive relief or
 civil penalties, or both, under this section. Amounts collected
 under this section shall be deposited in a dedicated account in the
 general revenue fund and may be appropriated only for the purposes
 of the administration and enforcement of this chapter.
 Sec. 541.152.  BUSINESS IMMUNITY FROM LIABILITY. A business
 that discloses to a third party, or discloses for a business purpose
 to a service provider, a consumer's personal information in
 compliance with this chapter may not be held liable for a violation
 of this chapter by the third party or service provider if the
 business does not have actual knowledge or a reasonable belief that
 the third party or service provider intends to violate this
 chapter.
 Sec. 541.153.  SERVICE PROVIDER IMMUNITY FROM LIABILITY. A
 business's service provider may not be held liable for a violation
 of this chapter by the business.
 SECTION 2.  This Act takes effect September 1, 2020.