| 1 | 1 | | 87R8183 MLH-F |
|---|
| 2 | 2 | | By: Capriglione H.B. No. 3741 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to the personal identifying information collected, |
|---|
| 8 | 8 | | processed, or maintained by certain businesses; imposing a civil |
|---|
| 9 | 9 | | penalty. |
|---|
| 10 | 10 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 11 | 11 | | SECTION 1. Title 11, Business & Commerce Code, is amended by |
|---|
| 12 | 12 | | adding Subtitle C to read as follows: |
|---|
| 13 | 13 | | SUBTITLE C. PERSONAL IDENTIFYING INFORMATION |
|---|
| 14 | 14 | | CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR |
|---|
| 15 | 15 | | COLLECTED BY CERTAIN BUSINESSES |
|---|
| 16 | 16 | | SUBCHAPTER A. GENERAL PROVISIONS |
|---|
| 17 | 17 | | Sec. 541.001. DEFINITIONS. In this chapter: |
|---|
| 18 | 18 | | (1) "Business" means a for-profit entity, including a |
|---|
| 19 | 19 | | sole proprietorship, partnership, limited liability company, |
|---|
| 20 | 20 | | corporation, association, or other legal entity that is organized |
|---|
| 21 | 21 | | or operated for the profit or financial benefit of the entity's |
|---|
| 22 | 22 | | shareholders or other owners. |
|---|
| 23 | 23 | | (2) "Category one information" means personal |
|---|
| 24 | 24 | | identifying information that an individual may use in a personal, |
|---|
| 25 | 25 | | civic, or business setting, and includes: |
|---|
| 26 | 26 | | (A) a social security number; |
|---|
| 27 | 27 | | (B) a driver's license number, passport number, |
|---|
| 28 | 28 | | military identification number, or any other similar number issued |
|---|
| 29 | 29 | | on a government document and used to verify an individual's |
|---|
| 30 | 30 | | identity; |
|---|
| 31 | 31 | | (C) a financial account number, credit or debit |
|---|
| 32 | 32 | | card number, or any security code, access code, or password that is |
|---|
| 33 | 33 | | necessary to permit access to an individual's financial account; |
|---|
| 34 | 34 | | (D) unique biometric information, including a |
|---|
| 35 | 35 | | fingerprint, voice print, retina or iris image, or any other unique |
|---|
| 36 | 36 | | physical representation; |
|---|
| 37 | 37 | | (E) physical or mental health information, |
|---|
| 38 | 38 | | including health care information; and |
|---|
| 39 | 39 | | (F) the private communications or other |
|---|
| 40 | 40 | | user-created content of an individual that is not publicly |
|---|
| 41 | 41 | | available. |
|---|
| 42 | 42 | | (3) "Category two information" means personal |
|---|
| 43 | 43 | | identifying information that may present a privacy risk to an |
|---|
| 44 | 44 | | individual, including members of a constitutionally protected |
|---|
| 45 | 45 | | class, and includes: |
|---|
| 46 | 46 | | (A) racial or ethnic origin information; |
|---|
| 47 | 47 | | (B) religious affiliation or practice |
|---|
| 48 | 48 | | information; |
|---|
| 49 | 49 | | (C) age; |
|---|
| 50 | 50 | | (D) physical or mental impairment; |
|---|
| 51 | 51 | | (E) precise geolocation tracking data; and |
|---|
| 52 | 52 | | (F) unique genetic information. |
|---|
| 53 | 53 | | (4) "Category three information" means specific |
|---|
| 54 | 54 | | facets of personal identifying information and includes: |
|---|
| 55 | 55 | | (A) time of birth; and |
|---|
| 56 | 56 | | (B) political party or association. |
|---|
| 57 | 57 | | (5) "Collect" means: |
|---|
| 58 | 58 | | (A) buying, renting, gathering, obtaining, |
|---|
| 59 | 59 | | receiving, inferring, creating, or accessing any personal |
|---|
| 60 | 60 | | identifying information pertaining to an individual by any means; |
|---|
| 61 | 61 | | or |
|---|
| 62 | 62 | | (B) obtaining personal identifying information |
|---|
| 63 | 63 | | relating to an individual, actively or passively, or by observing |
|---|
| 64 | 64 | | the individual's behavior. |
|---|
| 65 | 65 | | (6) "Device" means any physical object capable of |
|---|
| 66 | 66 | | connecting to the Internet, directly or indirectly, or to another |
|---|
| 67 | 67 | | device and transmitting information. |
|---|
| 68 | 68 | | (7) "Geolocation tracking" means the use of |
|---|
| 69 | 69 | | geolocation technology to determine or record the position of a |
|---|
| 70 | 70 | | person, including the use of a global positioning system, web-based |
|---|
| 71 | 71 | | imagery, and cell tower triangulation. |
|---|
| 72 | 72 | | (8) "Personal identifying information" means a |
|---|
| 73 | 73 | | category of information relating to an identified or identifiable |
|---|
| 74 | 74 | | individual. The term does not include a specific category of |
|---|
| 75 | 75 | | personal identifying information that the attorney general exempts |
|---|
| 76 | 76 | | from this definition by rule. The term includes: |
|---|
| 77 | 77 | | (A) a social security number; |
|---|
| 78 | 78 | | (B) a driver's license number, passport number, |
|---|
| 79 | 79 | | military identification number, or any other similar number issued |
|---|
| 80 | 80 | | on a government document and used to verify an individual's |
|---|
| 81 | 81 | | identity; |
|---|
| 82 | 82 | | (C) a financial account number, credit or debit |
|---|
| 83 | 83 | | card number, or any security code, access code, or password that is |
|---|
| 84 | 84 | | necessary to permit access to an individual's financial account; |
|---|
| 85 | 85 | | (D) unique biometric information, including a |
|---|
| 86 | 86 | | fingerprint, voice print, retina or iris image, or any other unique |
|---|
| 87 | 87 | | physical representation; |
|---|
| 88 | 88 | | (E) physical or mental health information, |
|---|
| 89 | 89 | | including health care information; |
|---|
| 90 | 90 | | (F) the private communications or other |
|---|
| 91 | 91 | | user-created content of an individual that is not publicly |
|---|
| 92 | 92 | | available; |
|---|
| 93 | 93 | | (G) religious affiliation or practice |
|---|
| 94 | 94 | | information; |
|---|
| 95 | 95 | | (H) racial or ethnic origin information; |
|---|
| 96 | 96 | | (I) precise geolocation tracking data; and |
|---|
| 97 | 97 | | (J) unique genetic information. |
|---|
| 98 | 98 | | (9) "Privacy risk" means potential adverse |
|---|
| 99 | 99 | | consequences to an individual or society at large arising from the |
|---|
| 100 | 100 | | processing of personal identifying information, including: |
|---|
| 101 | 101 | | (A) direct or indirect financial loss or economic |
|---|
| 102 | 102 | | harm; |
|---|
| 103 | 103 | | (B) physical harm; |
|---|
| 104 | 104 | | (C) psychological harm, including anxiety, |
|---|
| 105 | 105 | | embarrassment, fear, or other demonstrable mental trauma; |
|---|
| 106 | 106 | | (D) significant inconvenience or expenditure of |
|---|
| 107 | 107 | | time; |
|---|
| 108 | 108 | | (E) adverse outcomes or decisions with respect to |
|---|
| 109 | 109 | | an individual's eligibility for a right, benefit, or privilege in |
|---|
| 110 | 110 | | employment, including hiring, firing, promotion, demotion, or |
|---|
| 111 | 111 | | compensation; |
|---|
| 112 | 112 | | (F) credit or insurance harm, including denial of |
|---|
| 113 | 113 | | an application or obtaining less favorable terms related to |
|---|
| 114 | 114 | | housing, education, professional certification, or health care |
|---|
| 115 | 115 | | services; |
|---|
| 116 | 116 | | (G) stigmatization or reputational harm; |
|---|
| 117 | 117 | | (H) disruption and intrusion from unwanted |
|---|
| 118 | 118 | | commercial communications or contacts; |
|---|
| 119 | 119 | | (I) price discrimination; and |
|---|
| 120 | 120 | | (J) any other adverse consequence that affects an |
|---|
| 121 | 121 | | individual's private life, private family matters, actions or |
|---|
| 122 | 122 | | communications within an individual's home or similar physical, |
|---|
| 123 | 123 | | online, or digital location, if an individual has a reasonable |
|---|
| 124 | 124 | | expectation that personal identifying information will not be |
|---|
| 125 | 125 | | processed. |
|---|
| 126 | 126 | | (10) "Processing" means any operation or set of |
|---|
| 127 | 127 | | operations that are performed on personal identifying information |
|---|
| 128 | 128 | | or on sets of personal identifying information, including the |
|---|
| 129 | 129 | | collection, creation, generation, recording, organization, |
|---|
| 130 | 130 | | structuring, storage, adaptation, alteration, retrieval, |
|---|
| 131 | 131 | | consultation, use, disclosure, transfer, or dissemination of the |
|---|
| 132 | 132 | | information or otherwise making the information available. |
|---|
| 133 | 133 | | (11) "Third party" means a person engaged by a |
|---|
| 134 | 134 | | business to process, on behalf of the business, personal |
|---|
| 135 | 135 | | identifying information collected by the business. |
|---|
| 136 | 136 | | Sec. 541.002. APPLICABILITY. (a) This chapter applies |
|---|
| 137 | 137 | | only to a business that: |
|---|
| 138 | 138 | | (1) does business in this state; |
|---|
| 139 | 139 | | (2) has more than 50 employees; |
|---|
| 140 | 140 | | (3) collects the personal identifying information of |
|---|
| 141 | 141 | | more than 5,000 individuals, households, or devices or has that |
|---|
| 142 | 142 | | information collected on the business's behalf; and |
|---|
| 143 | 143 | | (4) satisfies one or more of the following thresholds: |
|---|
| 144 | 144 | | (A) has annual gross revenue in an amount that |
|---|
| 145 | 145 | | exceeds $25 million; or |
|---|
| 146 | 146 | | (B) derives 50 percent or more of the business's |
|---|
| 147 | 147 | | annual revenue by processing personal identifying information. |
|---|
| 148 | 148 | | (b) Except as provided by Subsection (c), this chapter |
|---|
| 149 | 149 | | applies only to personal identifying information that is: |
|---|
| 150 | 150 | | (1) collected over the Internet or any other digital |
|---|
| 151 | 151 | | network or through a computing device that is associated with or |
|---|
| 152 | 152 | | routinely used by an end user; and |
|---|
| 153 | 153 | | (2) linked or reasonably linkable to a specific end |
|---|
| 154 | 154 | | user. |
|---|
| 155 | 155 | | (c) This chapter does not apply to personal identifying |
|---|
| 156 | 156 | | information that is: |
|---|
| 157 | 157 | | (1) collected solely for facilitating the |
|---|
| 158 | 158 | | transmission, routing, or connections by which digital personal |
|---|
| 159 | 159 | | identifying information and other data is transferred between or |
|---|
| 160 | 160 | | among businesses; or |
|---|
| 161 | 161 | | (2) transmitted to and from the individual to whom the |
|---|
| 162 | 162 | | personal identifying information relates if the collector of the |
|---|
| 163 | 163 | | information does not access, review, or modify the content of the |
|---|
| 164 | 164 | | information, or otherwise perform or conduct any analytical, |
|---|
| 165 | 165 | | algorithmic, or machine learning processes on the information. |
|---|
| 166 | 166 | | Sec. 541.003. EXEMPTIONS. This chapter does not apply to: |
|---|
| 167 | 167 | | (1) publicly available information; |
|---|
| 168 | 168 | | (2) protected health information governed by Chapter |
|---|
| 169 | 169 | | 181, Health and Safety Code, or collected by a covered entity or a |
|---|
| 170 | 170 | | business associate of a covered entity, as those terms are defined |
|---|
| 171 | 171 | | by 45 C.F.R. Section 160.103, that is governed by the privacy, |
|---|
| 172 | 172 | | security, and breach notification rules in 45 C.F.R. Parts 160 and |
|---|
| 173 | 173 | | 164 adopted by the United States Department of Health and Human |
|---|
| 174 | 174 | | Services under the Health Insurance Portability and Accountability |
|---|
| 175 | 175 | | Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American |
|---|
| 176 | 176 | | Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5); |
|---|
| 177 | 177 | | (3) personal identifying information collected by a |
|---|
| 178 | 178 | | consumer reporting agency, as defined by Section 20.01, if the |
|---|
| 179 | 179 | | information is to be: |
|---|
| 180 | 180 | | (A) reported in or used to generate a consumer |
|---|
| 181 | 181 | | report, as defined by Section 1681a(d) of the Fair Credit Reporting |
|---|
| 182 | 182 | | Act (15 U.S.C. Section 1681 et seq.); and |
|---|
| 183 | 183 | | (B) used solely for a purpose authorized under |
|---|
| 184 | 184 | | that Act; |
|---|
| 185 | 185 | | (4) personal identifying information processed in |
|---|
| 186 | 186 | | accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) |
|---|
| 187 | 187 | | and its implementing regulations; or |
|---|
| 188 | 188 | | (5) education information that is not publicly |
|---|
| 189 | 189 | | available personally identifiable information under the Family |
|---|
| 190 | 190 | | Educational Rights and Privacy Act of 1974 (20 U.S.C. Section |
|---|
| 191 | 191 | | 1232g) (34 C.F.R. Part 99). |
|---|
| 192 | 192 | | Sec. 541.004. RULES. The attorney general shall adopt |
|---|
| 193 | 193 | | rules necessary to implement, administer, and enforce this chapter. |
|---|
| 194 | 194 | | SUBCHAPTER B. CONSUMER RIGHTS |
|---|
| 195 | 195 | | Sec. 541.051. RIGHT TO KNOW: DISCLOSURE AND USE OF |
|---|
| 196 | 196 | | COLLECTED PERSONAL INFORMATION. An individual is entitled to |
|---|
| 197 | 197 | | request that a business that collects personal identifying |
|---|
| 198 | 198 | | information relating to the individual or someone for whom the |
|---|
| 199 | 199 | | individual is a legal representative or guardian disclose to the |
|---|
| 200 | 200 | | individual: |
|---|
| 201 | 201 | | (1) the personal identifying information that is being |
|---|
| 202 | 202 | | collected by the business, including the categories and specific |
|---|
| 203 | 203 | | items of information the business collects; |
|---|
| 204 | 204 | | (2) the sources from which the business collects the |
|---|
| 205 | 205 | | information; |
|---|
| 206 | 206 | | (3) the business's purpose in collecting the |
|---|
| 207 | 207 | | information; and |
|---|
| 208 | 208 | | (4) the names of third parties to which the |
|---|
| 209 | 209 | | information has been distributed or transferred by the business, |
|---|
| 210 | 210 | | including to names of any third parties that have purchased the |
|---|
| 211 | 211 | | information from the business. |
|---|
| 212 | 212 | | Sec. 541.052. RIGHT TO HAVE INACCURATE INFORMATION |
|---|
| 213 | 213 | | CORRECTED. Subject to Section 541.153, an individual is entitled |
|---|
| 214 | 214 | | to request that a business that collects personal identifying |
|---|
| 215 | 215 | | information related to the individual or someone for whom the |
|---|
| 216 | 216 | | individual is a legal representative or guardian correct any |
|---|
| 217 | 217 | | inaccurate information collected or maintained by the business that |
|---|
| 218 | 218 | | relates to the individual or the person for whom the individual is a |
|---|
| 219 | 219 | | legal representative or guardian. |
|---|
| 220 | 220 | | Sec. 541.053. RIGHT TO ACCESS AND OBTAIN INFORMATION. |
|---|
| 221 | 221 | | Subject to Section 541.154, an individual is entitled to: |
|---|
| 222 | 222 | | (1) access and obtain personal identifying |
|---|
| 223 | 223 | | information related to the individual or someone for whom the |
|---|
| 224 | 224 | | individual is a legal representative or guardian that is collected |
|---|
| 225 | 225 | | by a business; and |
|---|
| 226 | 226 | | (2) at the option of the individual, transfer personal |
|---|
| 227 | 227 | | identifying information from one business to another business, |
|---|
| 228 | 228 | | including in connection with the sale of that information under a |
|---|
| 229 | 229 | | contract described by Subchapter C. |
|---|
| 230 | 230 | | Sec. 541.054. RIGHT TO DELETION OF SENSITIVE PERSONAL |
|---|
| 231 | 231 | | INFORMATION. Subject to Section 541.155, an individual is entitled |
|---|
| 232 | 232 | | to request that a business delete sensitive personal information |
|---|
| 233 | 233 | | collected by the business that relates to that individual or |
|---|
| 234 | 234 | | someone for whom the individual is a legal representative or |
|---|
| 235 | 235 | | guardian. |
|---|
| 236 | 236 | | SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS |
|---|
| 237 | 237 | | Sec. 541.101. DEFINITION. In this subchapter, "data |
|---|
| 238 | 238 | | stream" means the continuous transmission of an individual's |
|---|
| 239 | 239 | | personal identifying information through online activity or with a |
|---|
| 240 | 240 | | device connected to the Internet that can be used by the business to |
|---|
| 241 | 241 | | provide for the monetization of the information, customer |
|---|
| 242 | 242 | | relationship management, or continuous identification of an |
|---|
| 243 | 243 | | individual for commercial purposes. |
|---|
| 244 | 244 | | Sec. 541.102. APPLICABILITY. This subchapter applies only |
|---|
| 245 | 245 | | to a contract between a business and an individual under which, as a |
|---|
| 246 | 246 | | term of the contract, the individual allows the business to |
|---|
| 247 | 247 | | collect, store, or use the individual's personal identifying |
|---|
| 248 | 248 | | information. |
|---|
| 249 | 249 | | Sec. 541.103. CONSIDERATION UNDER CONTRACT. (a) An |
|---|
| 250 | 250 | | individual may provide the individual's data stream or information |
|---|
| 251 | 251 | | obtained by the individual under Section 541.154 as consideration |
|---|
| 252 | 252 | | under a contract. |
|---|
| 253 | 253 | | (b) A business may provide consideration in the form of |
|---|
| 254 | 254 | | money or other incentive, including as an incentive to purchase |
|---|
| 255 | 255 | | goods or services, under a contract that is reasonably related to |
|---|
| 256 | 256 | | the value of the information or access offered by the individual |
|---|
| 257 | 257 | | under the contract. This subsection does not prohibit a business |
|---|
| 258 | 258 | | from differentiating the consideration offered to individuals |
|---|
| 259 | 259 | | based on information or access offered by individuals, including |
|---|
| 260 | 260 | | offering different individuals different prices or rates for goods |
|---|
| 261 | 261 | | or services or providing different levels of quality for goods or |
|---|
| 262 | 262 | | services based on the information and access offered by |
|---|
| 263 | 263 | | individuals. |
|---|
| 264 | 264 | | Sec. 541.104. CONTRACT REQUIREMENTS. (a) A contract |
|---|
| 265 | 265 | | subject to this subchapter: |
|---|
| 266 | 266 | | (1) must clearly state the terms, including the |
|---|
| 267 | 267 | | duration, of the contract; and |
|---|
| 268 | 268 | | (2) may not: |
|---|
| 269 | 269 | | (A) require that the individual exclusively |
|---|
| 270 | 270 | | contract with the business or otherwise restrict the individual's |
|---|
| 271 | 271 | | ability to sell the individual's personal identifying information; |
|---|
| 272 | 272 | | and |
|---|
| 273 | 273 | | (B) prevent the individual from receiving or |
|---|
| 274 | 274 | | considering alternative offers to purchase the individual's |
|---|
| 275 | 275 | | personal identifying information. |
|---|
| 276 | 276 | | (b) A contract provision that violates Subsection (a)(2) is |
|---|
| 277 | 277 | | void and unenforceable. |
|---|
| 278 | 278 | | SUBCHAPTER D. BUSINESS DUTIES |
|---|
| 279 | 279 | | Sec. 541.151. RESTRICTIONS ON USE OF PERSONAL IDENTIFYING |
|---|
| 280 | 280 | | INFORMATION. (a) Subject to the requirements of this section, a |
|---|
| 281 | 281 | | business may collect and process category one and category two |
|---|
| 282 | 282 | | information. |
|---|
| 283 | 283 | | (b) A business may not: |
|---|
| 284 | 284 | | (1) sell, transfer, or communicate category two |
|---|
| 285 | 285 | | information to any third party; or |
|---|
| 286 | 286 | | (2) collect or process category three information. |
|---|
| 287 | 287 | | (c) Without the express written consent of the individual, a |
|---|
| 288 | 288 | | business may not: |
|---|
| 289 | 289 | | (1) perform geolocation tracking of an individual, |
|---|
| 290 | 290 | | including for purposes of contact tracing; or |
|---|
| 291 | 291 | | (2) sell data relating to an individual that is |
|---|
| 292 | 292 | | collected from geolocation tracking. |
|---|
| 293 | 293 | | (d) A business shall protect and properly secure all |
|---|
| 294 | 294 | | personal identifying information collected by or in the possession |
|---|
| 295 | 295 | | of the business. |
|---|
| 296 | 296 | | Sec. 541.152. NOTICE REQUIRED. (a) A business in a |
|---|
| 297 | 297 | | conspicuous manner shall provide a notice that includes a |
|---|
| 298 | 298 | | reasonably full and complete description of the business's |
|---|
| 299 | 299 | | practices governing the processing of personal identifying |
|---|
| 300 | 300 | | information before collecting personal identifying information. |
|---|
| 301 | 301 | | The notice must include: |
|---|
| 302 | 302 | | (1) the categories of personal identifying |
|---|
| 303 | 303 | | information processed by the business; |
|---|
| 304 | 304 | | (2) details on the type of processing used by the |
|---|
| 305 | 305 | | business; |
|---|
| 306 | 306 | | (3) the purposes for which the business processes |
|---|
| 307 | 307 | | personal identifying information; and |
|---|
| 308 | 308 | | (4) the involvement of any third party in processing |
|---|
| 309 | 309 | | personal identifying information on behalf of the business. |
|---|
| 310 | 310 | | (b) The notice required by Subsection (a) must be: |
|---|
| 311 | 311 | | (1) clear, drafted in plain language, and easy to |
|---|
| 312 | 312 | | understand; and |
|---|
| 313 | 313 | | (2) located in a prominent location at the business |
|---|
| 314 | 314 | | and on the business's Internet website if the business has an |
|---|
| 315 | 315 | | Internet website. |
|---|
| 316 | 316 | | Sec. 541.153. DUTY TO MAINTAIN ACCURATE INFORMATION. (a) A |
|---|
| 317 | 317 | | business must ensure that the personal identifying information the |
|---|
| 318 | 318 | | business maintains is accurate. |
|---|
| 319 | 319 | | (b) A business shall clearly and conspicuously publish an |
|---|
| 320 | 320 | | e-mail address, fax number, or mailing address to enable an |
|---|
| 321 | 321 | | individual to dispute the accuracy of the personal identifying |
|---|
| 322 | 322 | | information collected or maintained by the business. |
|---|
| 323 | 323 | | (c) If a business receives a dispute regarding the accuracy |
|---|
| 324 | 324 | | of personal identifying information that relates to the individual |
|---|
| 325 | 325 | | or someone for whom the individual is a legal representative or |
|---|
| 326 | 326 | | guardian from the individual, the business shall, unless the |
|---|
| 327 | 327 | | business conducts an investigation and determines the information |
|---|
| 328 | 328 | | is accurate, promptly correct the inaccurate information. The |
|---|
| 329 | 329 | | individual making the dispute may provide supplementary |
|---|
| 330 | 330 | | information when necessary to correct inaccurate personal |
|---|
| 331 | 331 | | identifying information. |
|---|
| 332 | 332 | | (d) The business may not charge a fee to remove, correct, or |
|---|
| 333 | 333 | | modify inaccurate personal identifying information under this |
|---|
| 334 | 334 | | section. |
|---|
| 335 | 335 | | (e) A business shall provide written notice to the |
|---|
| 336 | 336 | | individual who disputed the accuracy of the personal identifying |
|---|
| 337 | 337 | | information of the actions it has taken in response to the dispute |
|---|
| 338 | 338 | | not later than the fifth business day after the date on which the |
|---|
| 339 | 339 | | dispute was received. |
|---|
| 340 | 340 | | Sec. 541.154. ACCESS TO INFORMATION; DATA PORTABILITY. (a) |
|---|
| 341 | 341 | | A business shall allow an individual to promptly and reasonably |
|---|
| 342 | 342 | | obtain: |
|---|
| 343 | 343 | | (1) confirmation of whether personal identifying |
|---|
| 344 | 344 | | information concerning the individual or someone for whom the |
|---|
| 345 | 345 | | individual is a legal representative or guardian is processed by |
|---|
| 346 | 346 | | the business; |
|---|
| 347 | 347 | | (2) a description of the categories of personal |
|---|
| 348 | 348 | | identifying information processed by the business; |
|---|
| 349 | 349 | | (3) an explanation in plain language of the specific |
|---|
| 350 | 350 | | types of personal identifying information collected by the |
|---|
| 351 | 351 | | business; |
|---|
| 352 | 352 | | (4) a description of the inferences the business has |
|---|
| 353 | 353 | | drawn about the individual or someone for whom the individual is a |
|---|
| 354 | 354 | | personal representative or guardian from the information collected |
|---|
| 355 | 355 | | by the business; and |
|---|
| 356 | 356 | | (5) access to the individual's personal identifying |
|---|
| 357 | 357 | | information, including in accordance with Subsection (b), a copy of |
|---|
| 358 | 358 | | the individual's personal identifying information in a portable and |
|---|
| 359 | 359 | | transferable format. |
|---|
| 360 | 360 | | (b) On request of an individual, a business shall without |
|---|
| 361 | 361 | | undue delay provide the individual with all personal identifying |
|---|
| 362 | 362 | | information collected by the business that relates to the |
|---|
| 363 | 363 | | individual or someone for whom the individual is a legal |
|---|
| 364 | 364 | | representative or guardian. The business shall provide the |
|---|
| 365 | 365 | | requested information to an individual under this section in a |
|---|
| 366 | 366 | | portable, readily usable format that may be transferred, including |
|---|
| 367 | 367 | | in connection with the sale of the information, by the individual to |
|---|
| 368 | 368 | | another business. |
|---|
| 369 | 369 | | Sec. 541.155. DELETION OF PERSONAL IDENTIFYING |
|---|
| 370 | 370 | | INFORMATION. (a) If an individual who maintains an account with a |
|---|
| 371 | 371 | | business closes the account, the business shall: |
|---|
| 372 | 372 | | (1) stop processing the individual's personal |
|---|
| 373 | 373 | | identifying information on the date the individual closes the |
|---|
| 374 | 374 | | account; and |
|---|
| 375 | 375 | | (2) not later than the one-year anniversary of the |
|---|
| 376 | 376 | | date the account is closed, permanently delete the individual's |
|---|
| 377 | 377 | | personal identifying information unless retention of the |
|---|
| 378 | 378 | | information is required by other law or is necessary to comply with |
|---|
| 379 | 379 | | other law. |
|---|
| 380 | 380 | | (b) If an individual makes a request for a business to |
|---|
| 381 | 381 | | delete personal identifying information under this section, and |
|---|
| 382 | 382 | | that business has provided the personal identifying information to |
|---|
| 383 | 383 | | a third party, the business shall notify the third party of the |
|---|
| 384 | 384 | | individual's request. The third party shall delete the individual's |
|---|
| 385 | 385 | | personal identifying information not later than the one-year |
|---|
| 386 | 386 | | anniversary of the date the third party received the notification |
|---|
| 387 | 387 | | under this subsection. |
|---|
| 388 | 388 | | SUBCHAPTER E. ENFORCEMENT |
|---|
| 389 | 389 | | Sec. 541.201. CIVIL PENALTY. (a) A business that violates |
|---|
| 390 | 390 | | this chapter or a third party that violates Section 541.155(b) is |
|---|
| 391 | 391 | | liable to this state for a civil penalty in an amount of not more |
|---|
| 392 | 392 | | than $10,000 for each violation, not to exceed a total amount of $1 |
|---|
| 393 | 393 | | million. |
|---|
| 394 | 394 | | (b) The attorney general may bring an action in the name of |
|---|
| 395 | 395 | | the state against the business or third party to recover the civil |
|---|
| 396 | 396 | | penalty imposed under this section. |
|---|
| 397 | 397 | | (c) The attorney general is entitled to recover reasonable |
|---|
| 398 | 398 | | expenses, including reasonable attorney's fees, court costs, and |
|---|
| 399 | 399 | | investigatory costs, incurred in bringing an action under this |
|---|
| 400 | 400 | | section. |
|---|
| 401 | 401 | | Sec. 541.202. BUSINESS IMMUNITY FROM LIABILITY. A business |
|---|
| 402 | 402 | | that is in compliance with this chapter and engages a third party to |
|---|
| 403 | 403 | | process on behalf of the business personal identifying information |
|---|
| 404 | 404 | | collected by the business may not be held liable for a violation of |
|---|
| 405 | 405 | | Section 541.155(b) by the third party if the business does not have |
|---|
| 406 | 406 | | actual knowledge or a reasonable belief that the third party |
|---|
| 407 | 407 | | intends to violate that section. |
|---|
| 408 | 408 | | Sec. 541.203. NO PRIVATE CAUSE OF ACTION. This chapter does |
|---|
| 409 | 409 | | not create a private cause of action. |
|---|
| 410 | 410 | | SECTION 2. (a) Except as provided by Subsection (b) of this |
|---|
| 411 | 411 | | section, this Act takes effect September 1, 2021. |
|---|
| 412 | 412 | | (b) Sections 541.054 and 541.155, Business & Commerce Code, |
|---|
| 413 | 413 | | as added by this Act, take effect January 1, 2022. |
|---|