87R8183 MLH-F
By: Capriglione H.B. No. 3741
A BILL TO BE ENTITLED
AN ACT
relating to the personal identifying information collected,
processed, or maintained by certain businesses; imposing a civil
penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Title 11, Business & Commerce Code, is amended by
adding Subtitle C to read as follows:
SUBTITLE C. PERSONAL IDENTIFYING INFORMATION
CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR
COLLECTED BY CERTAIN BUSINESSES
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 541.001. DEFINITIONS. In this chapter:
(1) "Business" means a for-profit entity, including a
sole proprietorship, partnership, limited liability company,
corporation, association, or other legal entity that is organized
or operated for the profit or financial benefit of the entity's
shareholders or other owners.
(2) "Category one information" means personal
identifying information that an individual may use in a personal,
civic, or business setting, and includes:
(A) a social security number;
(B) a driver's license number, passport number,
military identification number, or any other similar number issued
on a government document and used to verify an individual's
identity;
(C) a financial account number, credit or debit
card number, or any security code, access code, or password that is
necessary to permit access to an individual's financial account;
(D) unique biometric information, including a
fingerprint, voice print, retina or iris image, or any other unique
physical representation;
(E) physical or mental health information,
including health care information; and
(F) the private communications or other
user-created content of an individual that is not publicly
available.
(3) "Category two information" means personal
identifying information that may present a privacy risk to an
individual, including members of a constitutionally protected
class, and includes:
(A) racial or ethnic origin information;
(B) religious affiliation or practice
information;
(C) age;
(D) physical or mental impairment;
(E) precise geolocation tracking data; and
(F) unique genetic information.
(4) "Category three information" means specific
facets of personal identifying information and includes:
(A) time of birth; and
(B) political party or association.
(5) "Collect" means:
(A) buying, renting, gathering, obtaining,
receiving, inferring, creating, or accessing any personal
identifying information pertaining to an individual by any means;
or
(B) obtaining personal identifying information
relating to an individual, actively or passively, or by observing
the individual's behavior.
(6) "Device" means any physical object capable of
connecting to the Internet, directly or indirectly, or to another
device and transmitting information.
(7) "Geolocation tracking" means the use of
geolocation technology to determine or record the position of a
person, including the use of a global positioning system, web-based
imagery, and cell tower triangulation.
(8) "Personal identifying information" means a
category of information relating to an identified or identifiable
individual. The term does not include a specific category of
personal identifying information that the attorney general exempts
from this definition by rule. The term includes:
(A) a social security number;
(B) a driver's license number, passport number,
military identification number, or any other similar number issued
on a government document and used to verify an individual's
identity;
(C) a financial account number, credit or debit
card number, or any security code, access code, or password that is
necessary to permit access to an individual's financial account;
(D) unique biometric information, including a
fingerprint, voice print, retina or iris image, or any other unique
physical representation;
(E) physical or mental health information,
including health care information;
(F) the private communications or other
user-created content of an individual that is not publicly
available;
(G) religious affiliation or practice
information;
(H) racial or ethnic origin information;
(I) precise geolocation tracking data; and
(J) unique genetic information.
(9) "Privacy risk" means potential adverse
consequences to an individual or society at large arising from the
processing of personal identifying information, including:
(A) direct or indirect financial loss or economic
harm;
(B) physical harm;
(C) psychological harm, including anxiety,
embarrassment, fear, or other demonstrable mental trauma;
(D) significant inconvenience or expenditure of
time;
(E) adverse outcomes or decisions with respect to
an individual's eligibility for a right, benefit, or privilege in
employment, including hiring, firing, promotion, demotion, or
compensation;
(F) credit or insurance harm, including denial of
an application or obtaining less favorable terms related to
housing, education, professional certification, or health care
services;
(G) stigmatization or reputational harm;
(H) disruption and intrusion from unwanted
commercial communications or contacts;
(I) price discrimination; and
(J) any other adverse consequence that affects an
individual's private life, private family matters, actions or
communications within an individual's home or similar physical,
online, or digital location, if an individual has a reasonable
expectation that personal identifying information will not be
processed.
(10) "Processing" means any operation or set of
operations that are performed on personal identifying information
or on sets of personal identifying information, including the
collection, creation, generation, recording, organization,
structuring, storage, adaptation, alteration, retrieval,
consultation, use, disclosure, transfer, or dissemination of the
information or otherwise making the information available.
(11) "Third party" means a person engaged by a
business to process, on behalf of the business, personal
identifying information collected by the business.
Sec. 541.002. APPLICABILITY. (a) This chapter applies
only to a business that:
(1) does business in this state;
(2) has more than 50 employees;
(3) collects the personal identifying information of
more than 5,000 individuals, households, or devices or has that
information collected on the business's behalf; and
(4) satisfies one or more of the following thresholds:
(A) has annual gross revenue in an amount that
exceeds $25 million; or
(B) derives 50 percent or more of the business's
annual revenue by processing personal identifying information.
(b) Except as provided by Subsection (c), this chapter
applies only to personal identifying information that is:
(1) collected over the Internet or any other digital
network or through a computing device that is associated with or
routinely used by an end user; and
(2) linked or reasonably linkable to a specific end
user.
(c) This chapter does not apply to personal identifying
information that is:
(1) collected solely for facilitating the
transmission, routing, or connections by which digital personal
identifying information and other data is transferred between or
among businesses; or
(2) transmitted to and from the individual to whom the
personal identifying information relates if the collector of the
information does not access, review, or modify the content of the
information, or otherwise perform or conduct any analytical,
algorithmic, or machine learning processes on the information.
Sec. 541.003. EXEMPTIONS. This chapter does not apply to:
(1) publicly available information;
(2) protected health information governed by Chapter
181, Health and Safety Code, or collected by a covered entity or a
business associate of a covered entity, as those terms are defined
by 45 C.F.R. Section 160.103, that is governed by the privacy,
security, and breach notification rules in 45 C.F.R. Parts 160 and
164 adopted by the United States Department of Health and Human
Services under the Health Insurance Portability and Accountability
Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American
Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5);
(3) personal identifying information collected by a
consumer reporting agency, as defined by Section 20.01, if the
information is to be:
(A) reported in or used to generate a consumer
report, as defined by Section 1681a(d) of the Fair Credit Reporting
Act (15 U.S.C. Section 1681 et seq.); and
(B) used solely for a purpose authorized under
that Act;
(4) personal identifying information processed in
accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102)
and its implementing regulations; or
(5) education information that is not publicly
available personally identifiable information under the Family
Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
1232g) (34 C.F.R. Part 99).
Sec. 541.004. RULES. The attorney general shall adopt
rules necessary to implement, administer, and enforce this chapter.
SUBCHAPTER B. CONSUMER RIGHTS
Sec. 541.051. RIGHT TO KNOW: DISCLOSURE AND USE OF
COLLECTED PERSONAL INFORMATION. An individual is entitled to
request that a business that collects personal identifying
information relating to the individual or someone for whom the
individual is a legal representative or guardian disclose to the
individual:
(1) the personal identifying information that is being
collected by the business, including the categories and specific
items of information the business collects;
(2) the sources from which the business collects the
information;
(3) the business's purpose in collecting the
information; and
(4) the names of third parties to which the
information has been distributed or transferred by the business,
including to names of any third parties that have purchased the
information from the business.
Sec. 541.052. RIGHT TO HAVE INACCURATE INFORMATION
CORRECTED. Subject to Section 541.153, an individual is entitled
to request that a business that collects personal identifying
information related to the individual or someone for whom the
individual is a legal representative or guardian correct any
inaccurate information collected or maintained by the business that
relates to the individual or the person for whom the individual is a
legal representative or guardian.
Sec. 541.053. RIGHT TO ACCESS AND OBTAIN INFORMATION.
Subject to Section 541.154, an individual is entitled to:
(1) access and obtain personal identifying
information related to the individual or someone for whom the
individual is a legal representative or guardian that is collected
by a business; and
(2) at the option of the individual, transfer personal
identifying information from one business to another business,
including in connection with the sale of that information under a
contract described by Subchapter C.
Sec. 541.054. RIGHT TO DELETION OF SENSITIVE PERSONAL
INFORMATION. Subject to Section 541.155, an individual is entitled
to request that a business delete sensitive personal information
collected by the business that relates to that individual or
someone for whom the individual is a legal representative or
guardian.
SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS
Sec. 541.101. DEFINITION. In this subchapter, "data
stream" means the continuous transmission of an individual's
personal identifying information through online activity or with a
device connected to the Internet that can be used by the business to
provide for the monetization of the information, customer
relationship management, or continuous identification of an
individual for commercial purposes.
Sec. 541.102. APPLICABILITY. This subchapter applies only
to a contract between a business and an individual under which, as a
term of the contract, the individual allows the business to
collect, store, or use the individual's personal identifying
information.
Sec. 541.103. CONSIDERATION UNDER CONTRACT. (a) An
individual may provide the individual's data stream or information
obtained by the individual under Section 541.154 as consideration
under a contract.
(b) A business may provide consideration in the form of
money or other incentive, including as an incentive to purchase
goods or services, under a contract that is reasonably related to
the value of the information or access offered by the individual
under the contract. This subsection does not prohibit a business
from differentiating the consideration offered to individuals
based on information or access offered by individuals, including
offering different individuals different prices or rates for goods
or services or providing different levels of quality for goods or
services based on the information and access offered by
individuals.
Sec. 541.104. CONTRACT REQUIREMENTS. (a) A contract
subject to this subchapter:
(1) must clearly state the terms, including the
duration, of the contract; and
(2) may not:
(A) require that the individual exclusively
contract with the business or otherwise restrict the individual's
ability to sell the individual's personal identifying information;
and
(B) prevent the individual from receiving or
considering alternative offers to purchase the individual's
personal identifying information.
(b) A contract provision that violates Subsection (a)(2) is
void and unenforceable.
SUBCHAPTER D. BUSINESS DUTIES
Sec. 541.151. RESTRICTIONS ON USE OF PERSONAL IDENTIFYING
INFORMATION. (a) Subject to the requirements of this section, a
business may collect and process category one and category two
information.
(b) A business may not:
(1) sell, transfer, or communicate category two
information to any third party; or
(2) collect or process category three information.
(c) Without the express written consent of the individual, a
business may not:
(1) perform geolocation tracking of an individual,
including for purposes of contact tracing; or
(2) sell data relating to an individual that is
collected from geolocation tracking.
(d) A business shall protect and properly secure all
personal identifying information collected by or in the possession
of the business.
Sec. 541.152. NOTICE REQUIRED. (a) A business in a
conspicuous manner shall provide a notice that includes a
reasonably full and complete description of the business's
practices governing the processing of personal identifying
information before collecting personal identifying information.
The notice must include:
(1) the categories of personal identifying
information processed by the business;
(2) details on the type of processing used by the
business;
(3) the purposes for which the business processes
personal identifying information; and
(4) the involvement of any third party in processing
personal identifying information on behalf of the business.
(b) The notice required by Subsection (a) must be:
(1) clear, drafted in plain language, and easy to
understand; and
(2) located in a prominent location at the business
and on the business's Internet website if the business has an
Internet website.
Sec. 541.153. DUTY TO MAINTAIN ACCURATE INFORMATION. (a) A
business must ensure that the personal identifying information the
business maintains is accurate.
(b) A business shall clearly and conspicuously publish an
e-mail address, fax number, or mailing address to enable an
individual to dispute the accuracy of the personal identifying
information collected or maintained by the business.
(c) If a business receives a dispute regarding the accuracy
of personal identifying information that relates to the individual
or someone for whom the individual is a legal representative or
guardian from the individual, the business shall, unless the
business conducts an investigation and determines the information
is accurate, promptly correct the inaccurate information. The
individual making the dispute may provide supplementary
information when necessary to correct inaccurate personal
identifying information.
(d) The business may not charge a fee to remove, correct, or
modify inaccurate personal identifying information under this
section.
(e) A business shall provide written notice to the
individual who disputed the accuracy of the personal identifying
information of the actions it has taken in response to the dispute
not later than the fifth business day after the date on which the
dispute was received.
Sec. 541.154. ACCESS TO INFORMATION; DATA PORTABILITY. (a)
A business shall allow an individual to promptly and reasonably
obtain:
(1) confirmation of whether personal identifying
information concerning the individual or someone for whom the
individual is a legal representative or guardian is processed by
the business;
(2) a description of the categories of personal
identifying information processed by the business;
(3) an explanation in plain language of the specific
types of personal identifying information collected by the
business;
(4) a description of the inferences the business has
drawn about the individual or someone for whom the individual is a
personal representative or guardian from the information collected
by the business; and
(5) access to the individual's personal identifying
information, including in accordance with Subsection (b), a copy of
the individual's personal identifying information in a portable and
transferable format.
(b) On request of an individual, a business shall without
undue delay provide the individual with all personal identifying
information collected by the business that relates to the
individual or someone for whom the individual is a legal
representative or guardian. The business shall provide the
requested information to an individual under this section in a
portable, readily usable format that may be transferred, including
in connection with the sale of the information, by the individual to
another business.
Sec. 541.155. DELETION OF PERSONAL IDENTIFYING
INFORMATION. (a) If an individual who maintains an account with a
business closes the account, the business shall:
(1) stop processing the individual's personal
identifying information on the date the individual closes the
account; and
(2) not later than the one-year anniversary of the
date the account is closed, permanently delete the individual's
personal identifying information unless retention of the
information is required by other law or is necessary to comply with
other law.
(b) If an individual makes a request for a business to
delete personal identifying information under this section, and
that business has provided the personal identifying information to
a third party, the business shall notify the third party of the
individual's request. The third party shall delete the individual's
personal identifying information not later than the one-year
anniversary of the date the third party received the notification
under this subsection.
SUBCHAPTER E. ENFORCEMENT
Sec. 541.201. CIVIL PENALTY. (a) A business that violates
this chapter or a third party that violates Section 541.155(b) is
liable to this state for a civil penalty in an amount of not more
than $10,000 for each violation, not to exceed a total amount of $1
million.
(b) The attorney general may bring an action in the name of
the state against the business or third party to recover the civil
penalty imposed under this section.
(c) The attorney general is entitled to recover reasonable
expenses, including reasonable attorney's fees, court costs, and
investigatory costs, incurred in bringing an action under this
section.
Sec. 541.202. BUSINESS IMMUNITY FROM LIABILITY. A business
that is in compliance with this chapter and engages a third party to
process on behalf of the business personal identifying information
collected by the business may not be held liable for a violation of
Section 541.155(b) by the third party if the business does not have
actual knowledge or a reasonable belief that the third party
intends to violate that section.
Sec. 541.203. NO PRIVATE CAUSE OF ACTION. This chapter does
not create a private cause of action.
SECTION 2. (a) Except as provided by Subsection (b) of this
section, this Act takes effect September 1, 2021.
(b) Sections 541.054 and 541.155, Business & Commerce Code,
as added by this Act, take effect January 1, 2022.