Texas 2019 - 86th Regular

Texas House Bill HB4518 Compare Versions

Only one version of the bill is available at this time.
86R17033 TSR-D
By: Martinez Fischer H.B. No. 4518

A BILL TO BE ENTITLED
AN ACT
relating to the privacy of a consumer's personal information
collected by certain businesses; imposing a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Title 11, Business & Commerce Code, is amended by
adding Subtitle C to read as follows:
SUBTITLE C. PRIVACY OF PERSONAL INFORMATION
CHAPTER 541. PRIVACY OF CONSUMER'S PERSONAL INFORMATION
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 541.001. SHORT TITLE. This chapter may be cited as the
Texas Consumer Privacy Act.
Sec. 541.002. DEFINITIONS. In this chapter:
(1) "Aggregate consumer information" means
information that relates to a group or category of consumers from
which individual consumer identities have been removed and that is
not linked or reasonably linkable to a particular consumer or
household, including through a device. The term does not include
one or more individual consumer records that have been
deidentified.
(2) "Biometric information" means an individual's
physiological, biological, or behavioral characteristics that can
be used, alone or in combination with other characteristics or
other identifying data, to establish the individual's identity.
The term includes:
(A) deoxyribonucleic acid (DNA);
(B) an image of an iris, retina, fingerprint,
face, hand, palm, or vein pattern or a voice recording from which an
identifier template can be extracted such as a faceprint, minutiae
template, or voiceprint;
(C) keystroke patterns or rhythms;
(D) gait patterns or rhythms; and
(E) sleep, health, or exercise data that contains
identifying information.
(3) "Business" means a for-profit entity, including a
sole proprietorship, partnership, limited liability company,
corporation, association, or other legal entity that is organized
or operated for the profit or financial benefit of the entity's
shareholders or other owners.
(4) "Business purpose" means the use of personal
information for:
(A) the following operational purposes of a
business or service provider, provided that the use of the
information is reasonably necessary and proportionate to achieve
the operational purpose for which the information was collected or
processed or another operational purpose that is compatible with
the context in which the information was collected:
(i) auditing related to a current
interaction with a consumer and any concurrent transactions,
including counting ad impressions to unique visitors, verifying the
positioning and quality of ad impressions, and auditing compliance
with a specification or other standards for ad impressions;
(ii) detecting a security incident,
protecting against malicious, deceptive, fraudulent, or illegal
activity, and prosecuting those responsible for any illegal
activity described by this subparagraph;
(iii) identifying and repairing or removing
errors that impair the intended functionality of computer hardware
or software;
(iv) using personal information in the
short term or for a transient use, provided that the information is
not:
(a) disclosed to a third party; and
(b) used to build a profile about a
consumer or alter an individual consumer's experience outside of a
current interaction with the consumer, including the contextual
customization of an advertisement displayed as part of the same
interaction;
(v) performing a service on behalf of the
business or service provider, including:
(a) maintaining or servicing an
account, providing customer service, processing or fulfilling an
order or transaction, verifying customer information, processing a
payment, providing financing, providing advertising or marketing
services, or providing analytic services; or
(b) performing a service similar to a
service described by Sub-subparagraph (a) on behalf of the business
or service provider;
(vi) undertaking internal research for
technological development and demonstration; or
(vii) undertaking an activity to:
(a) verify or maintain the quality or
safety of a service or device that is owned by, manufactured by,
manufactured for, or controlled by the business; or
(b) improve, upgrade, or enhance a
service or device described by Sub-subparagraph (a); or
(B) another operational purpose for which notice
is given under this chapter.
(5) "Collect" means to buy, rent, gather, obtain,
receive, or access the personal information of a consumer by any
means, including by actively or passively receiving the information
from the consumer or by observing the consumer's behavior.
(6) "Commercial purpose" means a purpose that is
intended to result in a profit or other tangible benefit or the
advancement of a person's commercial or economic interests, such as
by inducing another person to buy, rent, lease, subscribe to,
provide, or exchange products, goods, property, information, or
services or by enabling or effecting, directly or indirectly, a
commercial transaction. The term does not include the purpose of
engaging in speech recognized by state or federal courts as
noncommercial speech, including political speech and journalism.
(7) "Consumer" means an individual who is a resident
of this state.
(8) "Deidentified information" means information that
cannot reasonably identify, relate to, describe, be associated
with, or be linked to, directly or indirectly, a particular
consumer.
(9) "Device" means any physical object capable of
connecting to the Internet, directly or indirectly, or to another
device.
(10) "Identifier" means data elements or other
information that alone or in conjunction with other information can
be used to identify a particular consumer, household, or device
that is linked to a particular consumer or household.
(11) "Person" means an individual, sole
proprietorship, firm, partnership, joint venture, syndicate,
business trust, company, corporation, limited liability company,
association, committee, and any other organization or group of
persons acting in concert.
(12) "Personal information" means information that
identifies, relates to, describes, can be associated with, or can
reasonably be linked to, directly or indirectly, a particular
consumer or household. The term does not include publicly
available information. The term includes the following categories
of information if the information identifies, relates to,
describes, can be associated with, or can reasonably be linked to,
directly or indirectly, a particular consumer or household:
(A) an identifier, including a real name, alias,
mailing address, account name, date of birth, driver's license
number, unique identifier, social security number, passport
number, signature, telephone number, or other government-issued
identification number, or other similar identifier;
(B) an online identifier, including an
electronic mail address or Internet Protocol address, or other
similar identifier;
(C) a physical characteristic or description,
including a characteristic of a protected classification under
state or federal law;
(D) commercial information, including:
(i) a record of personal property;
(ii) a good or service purchased, obtained,
or considered;
(iii) an insurance policy number; or
(iv) other purchasing or consuming
histories or tendencies;
(E) biometric information;
(F) Internet or other electronic network
activity information, including:
(i) browsing or search history; and
(ii) other information regarding a
consumer's interaction with an Internet website, application, or
advertisement;
(G) geolocation data;
(H) audio, electronic, visual, thermal,
olfactory, or other similar information;
(I) professional or employment-related
information;
(J) education information that is not publicly
available personally identifiable information under the Family
Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
1232g) (34 C.F.R. Part 99);
(K) financial information, including a financial
institution account number, credit or debit card number, or
password or access code associated with a credit or debit card or
bank account;
(L) medical information;
(M) health insurance information; or
(N) inferences drawn from any of the information
listed under this subdivision to create a profile about a consumer
that reflects the consumer's preferences, characteristics,
psychological trends, predispositions, behavior, attitudes,
intelligence, abilities, or aptitudes.
(13) "Processing information" means performing any
operation or set of operations on personal data or on sets of
personal data, whether or not by automated means.
(14) "Publicly available information" means
information that is lawfully made available to the public from
federal, state, or local government records if the conditions
associated with making the information available are met. The term
does not include:
(A) biometric information of a consumer
collected by a business without the consumer's knowledge;
(B) data that is used for a purpose that is not
compatible with the purpose for which the data is:
(i) publicly maintained; or
(ii) maintained in and made available from
government records; or
(C) deidentified or aggregate consumer
information.
(15) "Service provider" means a for-profit entity as
described by Subdivision (3) that processes information on behalf
of a business and to which the business discloses, for a business
purpose, a consumer's personal information under a written
contract, provided that the contract prohibits the entity receiving
the information from retaining, using, or disclosing the
information for any purpose other than:
(A) providing the services specified in the
contract with the business; or
(B) for a purpose permitted by this chapter,
including for a commercial purpose other than providing those
specified services.
(16) "Third party" means a person who is not:
(A) a business to which this chapter applies that
collects personal information from consumers; or
(B) a person to whom the business discloses, for
a business purpose, a consumer's personal information under a
written contract, provided that the contract:
(i) prohibits the person receiving the
information from:
(a) selling the information;
(b) retaining, using, or disclosing
the information for any purpose other than providing the services
specified in the contract, including for a commercial purpose other
than providing those services; and
(c) retaining, using, or disclosing
the information outside of the direct business relationship between
the person and the business; and
(ii) includes a certification made by the
person receiving the personal information that the person
understands and will comply with the prohibitions under
Subparagraph (i).
(17) "Unique identifier" means a persistent
identifier that can be used over time and across different services
to recognize a consumer, a custodial parent or guardian, or any
minor children over which the parent or guardian has custody, or a
device that is linked to those individuals. The term includes:
(A) a device identifier;
(B) an Internet Protocol address;
(C) a cookie, beacon, pixel tag, mobile ad
identifier, or similar technology;
(D) a customer number, unique pseudonym, or user
alias;
(E) a telephone number; and
(F) another form of a persistent or probabilistic
identifier that can be used to identify a particular consumer or
device.
(18) "Verifiable consumer request" means a request:
(A) that is made by a consumer, a consumer on
behalf of the consumer's minor child, or a natural person or person
who is authorized by a consumer to act on the consumer's behalf; and
(B) that a business can reasonably verify, in
accordance with rules adopted under Section 541.009, was submitted
by:
(i) the consumer about whom the business
has collected personal information; or
(ii) the consumer on behalf of the
consumer's minor child about whom the business has collected
personal information.
Sec. 541.003. APPLICABILITY OF CHAPTER. (a) This chapter
applies only to:
(1) a business that:
(A) does business in this state;
(B) collects consumers' personal information or
has that information collected on the business's behalf;
(C) alone or in conjunction with others,
determines the purpose for and means of processing consumers'
personal information; and
(D) satisfies one or more of the following
thresholds:
(i) has annual gross revenue in an amount
that exceeds $25 million, as adjusted by the attorney general in
accordance with the rules adopted under Section 541.009;
(ii) alone or in combination with others,
annually buys, sells, or receives or shares for commercial purposes
the personal information of 50,000 or more consumers, households,
or devices; or
(iii) derives 50 percent or more of the
business's annual revenue from selling consumers' personal
information; and
(2) an entity that controls or is controlled by a
business described by Subdivision (1) and that shares a service
mark, trademark, or shared name with the business.
(b) For purposes of Subsection (a)(2), "control" means the:
(1) ownership of, or power to vote, more than 50
percent of the outstanding shares of any class of voting security of
a business;
(2) control in any manner over the election of a
majority of the directors or of individuals exercising similar
functions; or
(3) power to exercise a controlling influence over the
management of a company.
(c) For purposes of this chapter, a business sells a
consumer's personal information to another business or a third
party if the business sells, rents, discloses, disseminates, makes
available, transfers, or otherwise communicates, orally, in
writing, or by electronic or other means, the information to the
other business or third party for monetary or other valuable
consideration.
(d) For purposes of this chapter, a business does not sell a
consumer's personal information if:
(1) the consumer uses or directs the business to
intentionally disclose the information or uses the business to
intentionally interact with a third party, provided that the third
party does not sell the information, unless that disclosure is
consistent with this chapter; or
(2) the business:
(A) uses or shares an identifier of the consumer
to alert a third party that the consumer has opted out of the sale of
the information;
(B) uses or shares with a service provider a
consumer's personal information that is necessary to perform a
business purpose if:
(i) the business provided notice that the
information is being used or shared in the business's terms and
conditions consistent with Sections 541.054 and 541.102(a)(8); and
(ii) the service provider does not further
collect, sell, or use the information except as necessary to
perform the business purpose; or
(C) transfers to a third party a consumer's
personal information as an asset that is part of a merger,
acquisition, bankruptcy, or other transaction in which the third
party assumes control of all or part of the business, provided that
information is used or shared consistent with Sections 541.051,
541.053, and 541.054(e).
(e) For purposes of Subsection (d)(1), an intentional
interaction occurs if the consumer does one or more deliberate acts
with the intent to interact with a third party. Placing a cursor
over, muting, pausing, or closing online content does not
constitute a consumer's intent to interact with a third party.
Sec. 541.004. EXEMPTIONS. (a) This chapter does not apply
to:
(1) publicly available information;
(2) protected health information governed by Chapter
181, Health and Safety Code, or collected by a covered entity or a
business associate of a covered entity, as those terms are defined
by 45 C.F.R. Section 160.103, that is governed by the privacy,
security, and breach notification rules in 45 C.F.R. Parts 160 and
164 adopted by the United States Department of Health and Human
Services under the Health Insurance Portability and Accountability
Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American
Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5);
(3) a health care provider governed by Chapter 181,
Health and Safety Code, or a covered entity described by
Subdivision (2) to the extent that the provider or entity maintains
the personal information of a patient in the same manner as
protected health information described by that subdivision;
(4) information collected as part of a clinical trial
subject to the Federal Policy for the Protection of Human Subjects
in accordance with the good clinical practice guidelines issued by
the International Council for Harmonisation or the human subject
protection requirements of the United States Food and Drug
Administration;
(5) the sale of personal information to or by a
consumer reporting agency, as defined by Section 20.01, if the
information is to be:
(A) reported in or used to generate a consumer
report, as defined by Section 1681a(d) of the Fair Credit Reporting
Act (15 U.S.C. Section 1681 et seq.); and
(B) used solely for a purpose authorized under
that act;
(6) personal information collected, processed, sold,
or disclosed in accordance with:
(A) the Gramm-Leach-Bliley Act (Pub. L. No.
106-102) and its implementing regulations; or
(B) the Driver's Privacy Protection Act of 1994
(18 U.S.C. Section 2721 et seq.);
(7) deidentified or aggregate consumer information;
or
(8) a consumer's personal information collected or
sold by a business, if every aspect of the collection or sale
occurred wholly outside of this state.
(b) For purposes of Subsection (a)(8), the collection or
sale of a consumer's personal information occurs wholly outside of
this state if:
(1) the business collects that information while the
consumer is outside of this state;
(2) no part of the sale of the information occurs in
this state; and
(3) the business does not sell any personal
information of the consumer collected while the consumer is in this
state.
(c) For purposes of Subsection (b), the collection or sale
of a consumer's personal information does not occur wholly outside
of this state if a business stores a consumer's personal
information, including on a device, when the consumer is in this
state and subsequently collects or sells that stored information
when the consumer and the information are outside of this state.
Sec. 541.005. CERTAIN RIGHTS AND OBLIGATIONS NOT AFFECTED.
A right or obligation under this chapter does not apply to the
extent that the exercise of the right or performance of the
obligation:
(1) adversely affects a right of another consumer; or
(2) infringes on a noncommercial activity of:
(A) a publisher, editor, reporter, or other
person connected with or employed by a newspaper, magazine, or
other publication of general circulation, including a periodical
newsletter, pamphlet, or report;
(B) a radio or television station that holds a
license issued by the Federal Communications Commission; or
(C) an entity that provides an information
service, including a press association or wire service.
Sec. 541.006. COMPLIANCE WITH OTHER LAWS; LEGAL
PROCEEDINGS. This chapter does not:
(1) restrict a business's ability to:
(A) comply with:
(i) applicable federal, state, or local
laws; or
(ii) a civil, criminal, or regulatory
inquiry, investigation, subpoena, or summons by a federal, state,
or local authority;
(B) cooperate with a law enforcement agency
concerning conduct or activity that the business, a service
provider of the business, or a third party reasonably and in good
faith believes may violate other applicable federal, state, or
local laws; or
(C) pursue or defend against a legal claim; or
(2) require a business to violate an evidentiary
privilege under federal or state law or prevent a business from
disclosing to a person covered by an evidentiary privilege the
personal information of a consumer as part of a privileged
communication.
Sec. 541.007. CONSTRUCTION; RELATION TO OTHER STATE AND
FEDERAL LAW. (a) This chapter shall be liberally construed to
effect its purposes and to harmonize, to the extent possible, with
other laws of this state relating to the privacy or protection of
personal information.
(b) To the extent of a conflict between a provision of this
chapter and a provision of federal law, including a regulation or an
interpretation of federal law, federal law controls and conflicting
requirements or other provisions of this chapter do not apply.
(c) To the extent of a conflict between a provision of this
chapter and another statute of this state with respect to the
privacy or protection of consumers' personal information, the
provision of law that affords the greatest privacy or protection to
consumers prevails.
Sec. 541.008. PREEMPTION OF LOCAL LAW. This chapter
preempts and supersedes any ordinance, order, or rule adopted by a
political subdivision of this state relating to the collection or
sale by a business of a consumer's personal information.
Sec. 541.009. RULES. (a) The attorney general shall adopt
rules necessary to implement, administer, and enforce this chapter.
(b) The rules adopted under Subsection (a) must establish:
(1) procedures for the adjustment of the monetary
threshold under Section 541.003(a)(1)(D) in January of every
odd-numbered year to reflect any increase in the consumer price
index;
(2) procedures governing the determination of,
submission of, and compliance with a verifiable consumer request
for information with the goal of minimizing administrative burdens
on consumers and businesses subject to this chapter by taking into
account available technology and security concerns, including:
(A) treating as a verifiable consumer request a
request submitted through a password-protected online account
maintained by the consumer with the business while logged into the
account; and
(B) providing a mechanism for a request submitted
by a consumer who does not maintain an account with the business;
(3) procedures to facilitate and govern the submission
of and compliance with a request to opt out of the sale of personal
information under Section 541.054;
(4) guidelines for the development of a recognizable
and uniform opt-out logo or button for use on businesses' Internet
websites in a manner that promotes consumer awareness of the
opportunity to opt out of the sale of personal information; and
(5) procedures and guidelines, including any
necessary exceptions, to ensure that the notices and information
businesses are required to provide under this chapter, including
information regarding financial incentive offerings, are:
(A) provided in a manner that is easily
understood by the average consumer;
(B) accessible by consumers with disabilities;
and
(C) available in the languages primarily used by
consumers to interact with businesses.
(c) The attorney general may adopt other rules necessary to
further the purposes of this chapter, including rules as necessary
to:
(1) update the categories of personal information
listed under Section 541.002(12) and the definition of identifier
under Section 541.002 to account for privacy concerns,
implementation obstacles, or changes in technology and data
collection methods;
(2) update the designated methods for submitting
requests to facilitate a consumer's ability to obtain information
from a business under Section 541.103; and
(3) establish any exceptions necessary to comply with
federal law or other laws of this state, including laws relating to
trade secrets and intellectual property rights.
Sec. 541.010. ATTORNEY GENERAL OPINION. A business or a
third party may seek an opinion from the attorney general for
guidance on how to comply with this chapter.
Sec. 541.011. USE OF PERSONAL INFORMATION IN RESEARCH. For
purposes of this chapter, "research" means scientific, systematic
study and observation, including basic research or applied research
that is in the public interest and that adheres to all other
applicable ethics and privacy laws or studies conducted in the
public interest in the area of public health. Research with
personal information that may have been collected from a consumer
in the course of the consumer's interactions with a business's
service or device for other purposes must be:
(1) compatible with the business purpose for which the
personal information was collected;
(2) subsequently pseudonymized and deidentified, or
deidentified and in the aggregate, such that the information cannot
reasonably identify, relate to, describe, be capable of being
associated with, or be linked, directly or indirectly, to a
particular consumer;
(3) made subject to technical safeguards that prohibit
reidentification of the consumer to whom the information may
pertain;
(4) subject to business processes that specifically
prohibit reidentification of the information;
(5) made subject to business processes to prevent
inadvertent release of deidentified information;
(6) protected from any reidentification attempts;
(7) used solely for research purposes that are
compatible with the context in which the personal information was
collected;
(8) not used for any commercial purpose; and
(9) subjected by the business conducting the research
to additional security controls that limit access to the research
data to only those individuals in a business as are necessary to
carry out the research purpose.
SUBCHAPTER B. CONSUMER'S RIGHTS
Sec. 541.051. RIGHT TO DISCLOSURE OF PERSONAL INFORMATION
COLLECTED. (a) A consumer is entitled to request that a business
that collects the consumer's personal information disclose to the
consumer the categories and specific items of personal information
the business has collected.
(b) To receive the disclosure of information under
Subsection (a), a consumer must submit to the business a verifiable
consumer request using a method designated by the business under
Section 541.103.
(c) On receipt of a verifiable consumer request under this
section, a business shall disclose to the consumer in the time and
manner provided by Section 541.105:
(1) each enumerated category and item within each
category of personal information under Section 541.002(12) that the
business collected about the consumer during the 12 months
preceding the date of the request;
(2) each category of sources from which the
information was collected;
(3) the business or commercial purpose for collecting
or selling the personal information; and
(4) each category of third parties with whom the
business shares the personal information.
(d) This section does not require a business to:
(1) retain a consumer's personal information that was
collected for a one-time transaction if the information is not sold
or retained in the ordinary course of business; or
(2) reidentify or otherwise link any data that, in the
ordinary course of business, is not maintained in a manner that
would be considered personal information.
Sec. 541.052. RIGHT TO DELETION OF PERSONAL INFORMATION
COLLECTED. (a) A consumer is entitled to request that a business
that collects the consumer's personal information delete any
personal information the business has collected from the consumer
by submitting a verifiable consumer request using a method
designated by the business under Section 541.103.
(b) Except as provided by Subsection (c), on receipt of a
verifiable consumer request under this section, a business shall
delete from the business's records any personal information
collected from the consumer and direct a service provider of the
business to delete the information from the provider's records.
(c) A business or service provider of the business is not
required to comply with a verifiable consumer request received
under this section if the business or service provider needs to
retain the consumer's personal information to:
(1) complete the transaction for which the information
was collected;
(2) provide a good or service requested by the
consumer or reasonably anticipated to be requested by the consumer
in the context of the ongoing business relationship between the
business and consumer;
(3) perform under a contract between the business and
the consumer;
(4) detect a security incident, protect against
malicious, deceptive, fraudulent, or illegal activity, or
prosecute those responsible for any illegal activity described by
this subdivision;
(5) identify and repair or remove errors from computer
hardware or software that impair its intended functionality;
(6) exercise free speech or ensure the right of
another consumer to exercise the right of free speech or another
right afforded by law;
(7) comply with Chapter 1289 (H.B. 2268), Acts of the
83rd Legislature, Regular Session, 2013, or a legal obligation;
(8) engage in public or peer-reviewed scientific,
historical, or statistical research that is in the public interest
and that adheres to all other applicable ethics and privacy laws
provided that:
(A) the business's deletion of the information is
likely to render impossible or seriously impair the achievement of
that research; and
(B) the consumer has provided to the business
informed consent to retain the information; or
(9) use the information internally:
(A) so long as the use is reasonably aligned with
the expectations of the consumer based on the consumer's
relationship with the business; or
(B) in a manner that is lawful and compatible
with the context in which the consumer provided the information.
Sec. 541.053. RIGHT TO DISCLOSURE OF PERSONAL INFORMATION
SOLD OR DISCLOSED. (a) A consumer is entitled to request that a
business that sells, or discloses for a business purpose, the
consumer's personal information disclose to the consumer:
(1) the categories of personal information the
business collected about the consumer;
(2) the categories of personal information about the
consumer the business sold, or disclosed for a business purpose;
and
(3) the categories of third parties to whom the
personal information was sold or disclosed.
(b) To receive the disclosure of information under
Subsection (a), a consumer must submit to the business a verifiable
consumer request using a method designated by the business under
Section 541.103.
(c) On receipt of a verifiable consumer request under this
section, a business shall disclose to the consumer in the time and
manner provided by Section 541.105:
(1) each enumerated category of personal information
under Section 541.002(12) that the business collected about the
consumer during the 12 months preceding the date of the request;
(2) the categories of third parties to whom the
business sold the consumer's personal information during the 12
months preceding the date of the request, by reference to each
enumerated category of information under Section 541.002(12) sold
to each third party; and
(3) the categories of third parties to whom the
business disclosed for a business purpose the consumer's personal
information during the 12 months preceding the date of the request,
by reference to each enumerated category of information under
Section 541.002(12) disclosed to each third party.
(d) A business shall provide the information described by
Subsections (c)(2) and (3) in two separate lists.
(e) A business that did not sell, or disclose for a business
purpose, the consumer's personal information during the 12 months
preceding the date of receiving the consumer's verifiable consumer
request under this section shall disclose that fact to the
consumer.
Sec. 541.054. RIGHT TO OPT OUT OF SALE OF PERSONAL
INFORMATION. (a) A consumer is entitled at any time to opt out of
the sale of the consumer's personal information by a business to
third parties by directing the business not to sell the
information. A consumer may authorize another person solely to opt
out of the sale of the consumer's personal information on the
consumer's behalf. Except as provided by Subsection (c), a
business shall comply with a direction not to sell that is received
under this subsection.
(b) A business that sells to a third party consumers'
personal information shall provide on the business's Internet
website's home page:
(1) notice to consumers that:
(A) the information may be sold; and
(B) consumers have the right to opt out of the
sale; and
(2) a clear and conspicuous link that:
(A) enables a consumer, or a person authorized by
the consumer, to opt out of the sale of the consumer's personal
information; and
(B) is titled "DO NOT SELL MY PERSONAL
INFORMATION."
(c) A business may not sell to a third party the personal
information of a consumer who opts out of the sale of that
information under this section before the first anniversary of the
date the consumer opted out, unless the consumer provides express
authorization for the business to sell the consumer's personal
information. After the period prescribed by this subsection
expires, a business may request that the consumer consent to the
sale of the consumer's personal information by the business.
(d) A business may use any personal information collected
from the consumer in connection with the consumer's opting out
under this section solely to comply with this section.
(e) A third party to whom a business has sold the personal
information of a consumer may not sell the information unless the
consumer receives explicit notice of the potential sale and is
provided the opportunity to exercise the right to opt out of the
sale as provided by this section.
(f) Notwithstanding Subsection (b), a business is not
required to provide the link required by that subsection on the
Internet website the business makes available to the public if the
business:
(1) provides the required link on a separate and
additional Internet website that is maintained by the business and
dedicated to consumers; and
(2) takes reasonable steps to ensure that consumers
are directed to the website described by Subdivision (1) instead of
the website the business makes available to the public.
(g) A business may not require a consumer to create an
account with the business to opt out of the sale of the consumer's
personal information.
Sec. 541.055. RIGHT TO OPT IN FOR SALE OF PERSONAL
INFORMATION OF CERTAIN MINORS. (a) The requirement for consent to
sell a consumer's personal information under this section may be
referred to as the consumer's "right to opt in."
(b) A business may not sell a consumer's personal
information if the business has actual knowledge that the consumer
is younger than 16 years of age unless:
(1) for a consumer who is at least 13 years of age but
younger than 16 years of age, the business receives express
authorization to sell the consumer's personal information from the
consumer; or
(2) for a consumer who is younger than 13 years of age,
the business receives express authorization to sell the consumer's
personal information from the consumer's parent or legal guardian.
(c) A business that wilfully disregards the age of a
consumer whose personal information the business sells to a third
party is considered to have actual knowledge of the consumer's age.
Sec. 541.056. WAIVER OR LIMITATION PROVISION VOID. (a) A
provision of a contract or other agreement that purports to waive or
limit a right, remedy, or means of enforcement under this chapter is
contrary to public policy and is void.
(b) This section does not prevent a consumer from:
(1) declining to request information from a business;
(2) declining to opt out of a business's sale of the
consumer's personal information; or
(3) authorizing a business to sell the consumer's
personal information after previously opting out.
SUBCHAPTER C. BUSINESS RIGHTS AND OBLIGATIONS
Sec. 541.101. NOTIFICATION OF COLLECTION REQUIRED. (a) A
business that collects a consumer's personal information shall, at
or before the point of collection, notify the consumer of each
category of personal information to be collected and the purposes
for which the category of information will be used.
(b) A business may not collect an additional category of
personal information or use personal information collected for an
additional purpose unless the business provides notice to the
consumer of the additional category or purpose in accordance with
Subsection (a).
(c) If a third party that assumes control of all or part of a
business as described by Section 541.003(d)(2)(C) materially
alters the practices of the business in how personal information is
used or shared, and the practices are materially inconsistent with
a notice provided to a consumer under Subsection (a) or (b), the
third party must notify the consumer of the third party's new or
changed practices before the third party uses or shares the
personal information in a conspicuous manner that allows the
consumer to easily exercise a right provided under this chapter.
(d) Subsection (c) does not authorize a business to make a
material, retroactive change or other change to a business's
privacy policy in a manner that would be a deceptive trade practice
actionable under Subchapter E, Chapter 17.
Sec. 541.102. ONLINE PRIVACY POLICY OR POLICY NOTICE. (a)
A business that collects, sells, or for a business purpose
discloses a consumer's personal information shall disclose the
following information in the business's online privacy policy or
other notice of the business's policies:
(1) a description of a consumer's rights under
Sections 541.051, 541.053, and 541.107 and designated methods for
submitting a verifiable consumer request for information under this
chapter;
(2) for a business that collects personal information
about consumers, a description of the consumer's right to request
the deletion of the consumer's personal information;
(3) separate lists containing the categories of
consumers' personal information described by Section 541.002(12)
that, during the 12 months preceding the date the business updated
the information as required by Subsection (b), the business:
(A) collected;
(B) sold, if applicable; or
(C) disclosed for a business purpose, if
applicable;
(4) the categories of sources from which the
information under Subdivision (3) is collected;
(5) the business or commercial purposes for collecting
personal information;
(6) if the business does not sell consumers' personal
information or disclose the information for a business or
commercial purpose, a statement of that fact;
(7) the categories of third parties to whom the
business sells or discloses personal information;
(8) if the business sells consumers' personal
information, the Internet link required by Section 541.054(b); and
(9) if applicable, the financial incentives offered to
consumers under Section 541.108.
(b) If a business described by Subsection (a) does not have
an online privacy policy or other notice of the business's
policies, the business shall make the information required under
Subsection (a) available to consumers on the business's Internet
website or another website the business maintains that is dedicated
to consumers in this state.
(c) A business must update the information required by
Subsection (a) at least once each year.
Sec. 541.103. METHODS TO SUBMIT VERIFIABLE CONSUMER
REQUEST. (a) A business shall designate and make available to
consumers, in a form that is reasonably accessible, at least two
methods for submitting a verifiable consumer request for
information required to be disclosed or deleted under Subchapter B.
The methods must include, at a minimum:
(1) a toll-free telephone number that a consumer may
call to submit the request; and
(2) the business's Internet website at which the
consumer may submit the request, if the business maintains an
Internet website.
(b) The methods designated under Subsection (a) may also
include:
(1) a mailing address;
(2) an electronic mail address;
(3) another Internet web page or portal;
(4) other contact information; or
(5) any consumer-friendly method approved by the
attorney general under Section 541.009.
(c) A business may not require a consumer to create an
account with the business to submit a verifiable consumer request.
Sec. 541.104. VERIFICATION OF CONSUMER REQUEST. (a) A
business that receives a consumer request under Section 541.051 or
541.053 shall promptly take steps to reasonably verify, in
accordance with rules adopted under Section 541.009, that:
(1) the consumer who is the subject of the request is a
consumer about whom the business has collected, sold, or for a
business purpose disclosed personal information; and
(2) the request is made by:
(A) the consumer;
(B) a consumer on behalf of the consumer's minor
child; or
(C) a person authorized to act on the consumer's
behalf.
(b) A business may use any personal information collected
from the consumer in connection with the business's verification of
a request under this section solely to verify the request.
(c) A business that is unable to verify a consumer request
under this section is not required to comply with the request.
Sec. 541.105. DISCLOSURE REQUIREMENTS. (a) Not later than
the 45th day after the date a business receives a verifiable
consumer request under Section 541.051 or 541.053, the business
shall disclose free of charge to the consumer the information
required to be disclosed under those sections.
(b) A business may extend the time in which to comply with
Subsection (a) once by an additional 45 days if reasonably
necessary or by an additional 90 days after taking into account the
number and complexity of verifiable consumer requests received by
the business. A business that extends the time in which to comply
with Subsection (a) shall notify the consumer of the extension and
reason for the delay within the period prescribed by that
subsection.
(c) The disclosure required by Subsection (a) must:
(1) cover personal information collected, sold, or
disclosed for a business purpose, as applicable, during the 12
months preceding the date the business receives the request; and
(2) be made in writing and delivered to the consumer:
(A) by mail or electronically, at the consumer's
option, if the consumer does not have an account with the business;
or
(B) through the consumer's account with the
business.
(d) An electronic disclosure under Subsection (c) must be in
a readily accessible format that allows the consumer to
electronically transmit the information to another person or
entity.
(e) A business is not required to make the disclosure
required by Subsection (a) to the same consumer more than twice in a
12-month period.
(f) Notwithstanding Subsection (a), if a consumer's
verifiable consumer request is manifestly baseless or excessive, in
particular because of repetitiveness, a business may charge a
reasonable fee after taking into account the administrative costs
of compliance or refusal to comply with the request. The business
has the burden of demonstrating that a request is manifestly
baseless or excessive.
(g) A business that does not comply with a consumer's
verifiable consumer request under Subsection (a) shall notify the
consumer, within the time the business is required to respond to a
request under this section, of the reasons for the refusal and the
rights the consumer may have to appeal that decision.
Sec. 541.106. DEIDENTIFIED INFORMATION. (a) A business
that uses deidentified information may not reidentify or attempt to
reidentify a consumer who is the subject of deidentified
information without obtaining the consumer's consent or
authorization.
(b) A business that uses deidentified information shall
implement:
(1) technical safeguards and business processes to
prohibit reidentification of the consumer to whom the information
may pertain; and
(2) business processes to prevent inadvertent release
of deidentified information.
(c) This chapter may not be construed to require a business
to reidentify or otherwise link information that is not maintained
in a manner that would be considered personal information.
Sec. 541.107. DISCRIMINATION PROHIBITED. (a) A business may
not discriminate against a consumer because the consumer exercised
a right under this chapter, including by:
(1) denying a good or service to the consumer;
(2) charging the consumer a different price or rate
for a good or service, including denying the use of a discount or
other benefit or imposing a penalty;
(3) providing a different level or quality of a good or
service to the consumer; or
(4) suggesting that the consumer will be charged a
different price or rate for, or provided a different level or
quality of, a good or service.
(b) This section does not prohibit a business from offering
or charging a consumer a different price or rate for a good or
service, or offering or providing to the consumer a different level
or quality of a good or service, if the difference is reasonably
related to the value provided to the consumer by the consumer's
data.
Sec. 541.108. FINANCIAL INCENTIVES. (a) Subject to
Subsection (b), a business may offer a financial incentive to a
consumer, including a payment as compensation, for the collection,
sale, or disclosure of the consumer's personal information.
(b) A business may enroll a customer in a financial
incentive program only if the business provides to the consumer a
clear description of the material terms of the program and obtains
the consumer's prior opt-in consent, which:
(1) contains a clear description of those material
terms; and
(2) may be revoked by the consumer at any time.
(c) A business may not use financial incentive practices
that are unjust, unreasonable, coercive, or usurious in nature.
Sec. 541.109. CERTAIN ACTIONS TO AVOID REQUIREMENTS
PROHIBITED. (a) A business may not divide a single transaction into
more than one transaction with the intent to avoid the requirements
of this chapter.
(b) For purposes of this chapter, two or more substantially
similar or related transactions are considered a single transaction
if the transactions:
(1) are entered into contemporaneously; and
(2) have at least one common party.
(c) A court shall disregard any intermediate transactions
conducted by a business with the intent to avoid the requirements of
this chapter, including the disclosure of information by a business
to a third party to avoid complying with the requirements under this
chapter applicable to a sale of the information.
Sec. 541.110. INFORMATION REQUIRED. A business shall
ensure that each person responsible for handling consumer inquiries
about the business's privacy practices or compliance with this
chapter is informed of the requirements of this chapter and of how
to direct a consumer in exercising any of the rights to which a
consumer is entitled under this chapter.
SUBCHAPTER D. REMEDIES
Sec. 541.151. CIVIL PENALTY; INJUNCTION. (a) A person who
violates this chapter is liable to this state for a civil penalty in
an amount not to exceed:
(1) $2,500 for each violation; or
(2) $7,500 for each violation, if the violation is
intentional.
(b) If it appears to the attorney general that a person is
engaging in, has engaged in, or is about to engage in conduct that
violates this chapter, the attorney general may give notice to the
person of the alleged violation. If the person fails to cure the
alleged violation before the 30th day after the date notice is
given, the attorney general may bring an action in the name of the
state against the person to restrain the violation by a temporary
restraining order or by a permanent or temporary injunction or to
recover the civil penalty imposed under this section, or both.
(c) The attorney general is entitled to recover reasonable
expenses, including reasonable attorney's fees, court costs, and
investigatory costs, incurred in obtaining injunctive relief or
civil penalties, or both, under this section. Amounts collected
under this section shall be deposited in a dedicated account in the
general revenue fund and may be appropriated only for the purposes
of the administration and enforcement of this chapter.
Sec. 541.152. BUSINESS IMMUNITY FROM LIABILITY. A business
that discloses to a third party, or discloses for a business purpose
to a service provider, a consumer's personal information in
compliance with this chapter may not be held liable for a violation
of this chapter by the third party or service provider if the
business does not have actual knowledge or a reasonable belief that
the third party or service provider intends to violate this
chapter.
Sec. 541.153. SERVICE PROVIDER IMMUNITY FROM LIABILITY. A
business's service provider may not be held liable for a violation
of this chapter by the business.
SECTION 2. This Act takes effect September 1, 2020.