Texas 2021 87th Regular

Texas House Bill HB4164 Introduced / Bill

Filed 03/12/2021

 87R7858 MLH-D
 By: Capriglione
 H.B. No. 4164

 A BILL TO BE ENTITLED
 AN ACT
 relating to the authority of individuals over the personal
 identifying information collected, processed, or maintained about
 the individuals and certain others by certain businesses.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1.  Title 11, Business & Commerce Code, is amended by
 adding Subtitle C to read as follows:
 SUBTITLE C. PERSONAL IDENTIFYING INFORMATION
 CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR
 COLLECTED BY CERTAIN BUSINESSES
 SUBCHAPTER A. GENERAL PROVISIONS
 Sec. 541.001.  DEFINITIONS. In this chapter:
 (1)  "Business" means a for-profit entity, including a
 sole proprietorship, partnership, limited liability company,
 corporation, association, or other legal entity that is organized
 or operated for the profit or financial benefit of the entity's
 shareholders or other owners.
 (2)  "Personal identifying information" means a
 category of information relating to an identified or identifiable
 individual. The term does not include a specific category of
 personal identifying information that the attorney general exempts
 from this definition by rule. The term includes:
 (A)  a social security number;
 (B)  a driver's license number, passport number,
 military identification number, or any other similar number issued
 on a government document and used to verify an individual's
 identity;
 (C)  a financial account number, credit or debit
 card number, or any security code, access code, or password that is
 necessary to permit access to an individual's financial account;
 (D)  unique biometric information, including a
 fingerprint, voice print, retina or iris image, or any other unique
 physical representation;
 (E)  physical or mental health information,
 including health care information;
 (F)  the private communications or other
 user-created content of an individual that is not publicly
 available;
 (G)  religious affiliation or practice
 information;
 (H)  racial or ethnic origin information;
 (I)  precise geolocation tracking data; and
 (J)  unique genetic information.
 (3)  "Processing" means any operation or set of
 operations that are performed on personal identifying information
 or on sets of personal identifying information, including the
 collection, creation, generation, recording, organization,
 structuring, storage, adaptation, alteration, retrieval,
 consultation, use, disclosure, transfer, or dissemination of the
 information or otherwise making the information available.
 (4)  "Third party" means a person engaged by a business
 to process, on behalf of the business, personal identifying
 information collected by the business.
 Sec. 541.002.  APPLICABILITY. (a) This chapter applies
 only to a business that:
 (1)  does business in this state;
 (2)  has more than 50 employees;
 (3)  collects the personal identifying information of
 more than 5,000 individuals, households, or devices or has that
 information collected on the business's behalf; and
 (4)  satisfies one or more of the following thresholds:
 (A)  has annual gross revenue in an amount that
 exceeds $25 million; or
 (B)  derives 50 percent or more of the business's
 annual revenue by processing personal identifying information.
 (b)  Except as provided by Subsection (c), this chapter
 applies only to personal identifying information that is:
 (1)  collected over the Internet or any other digital
 network or through a computing device that is associated with or
 routinely used by an end user; and
 (2)  linked or reasonably linkable to a specific end
 user.
 (c)  This chapter does not apply to personal identifying
 information that is:
 (1)  collected solely for facilitating the
 transmission, routing, or connections by which digital personal
 identifying information and other data is transferred between or
 among businesses; or
 (2)  transmitted to and from the individual to whom the
 personal identifying information relates if the collector of the
 information does not access, review, or modify the content of the
 information, or otherwise perform or conduct any analytical,
 algorithmic, or machine learning processes on the information.
 Sec. 541.003.  EXEMPTIONS. This chapter does not apply to:
 (1)  publicly available information;
 (2)  protected health information governed by Chapter
 181, Health and Safety Code, or collected by a covered entity or a
 business associate of a covered entity, as those terms are defined
 by 45 C.F.R. Section 160.103, that is governed by the privacy,
 security, and breach notification rules in 45 C.F.R. Parts 160 and
 164 adopted by the United States Department of Health and Human
 Services under the Health Insurance Portability and Accountability
 Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American
 Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5);
 (3)  personal identifying information collected by a
 consumer reporting agency, as defined by Section 20.01, if the
 information is to be:
 (A)  reported in or used to generate a consumer
 report, as defined by Section 1681a(d) of the Fair Credit Reporting
 Act (15 U.S.C. Section 1681 et seq.); and
 (B)  used solely for a purpose authorized under
 that Act;
 (4)  personal identifying information processed in
 accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102)
 and its implementing regulations; or
 (5)  education information that is not publicly
 available personally identifiable information under the Family
 Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
 1232g) (34 C.F.R. Part 99).
 Sec. 541.004.  RULES. The attorney general shall adopt
 rules necessary to implement, administer, and enforce this chapter.
 SUBCHAPTER B. AUTHORITY OF INDIVIDUALS TO ACCESS AND DELETE CERTAIN
 INFORMATION
 Sec. 541.051.  ACCESS TO INFORMATION; DATA PORTABILITY. (a)
 An individual is entitled to:
 (1)  access and obtain personal identifying
 information related to the individual or someone for whom the
 individual is a legal representative or guardian that is collected
 by a business; and
 (2)  at the option of the individual, transfer personal
 identifying information from one business to another business,
 including in connection with the sale of that information under a
 contract described by Subchapter C.
 (b)  A business shall allow an individual to promptly and
 reasonably obtain:
 (1)  confirmation of whether personal identifying
 information concerning the individual or someone for whom the
 individual is a legal representative or guardian is processed by
 the business;
 (2)  a description of the categories of personal
 identifying information processed by the business;
 (3)  an explanation in plain language of the specific
 types of personal identifying information collected by the
 business;
 (4)  a description of the inferences the business has
 drawn about the individual or someone for whom the individual is a
 personal representative or guardian from the information collected
 by the business; and
 (5)  access to the individual's personal identifying
 information, including in accordance with Subsection (c), a copy of
 the individual's personal identifying information in a portable and
 transferable format.
 (c)  On request of an individual, a business shall without
 undue delay provide the individual with all personal identifying
 information collected by the business that relates to the
 individual or someone for whom the individual is a legal
 representative or guardian. The business shall provide the
 requested information to an individual under this section in a
 portable, readily usable format that may be transferred, including
 in connection with the sale of the information, by the individual to
 another business.
 Sec. 541.052.  DELETION OF PERSONAL IDENTIFYING
 INFORMATION. (a) An individual is entitled to request that a
 business delete personal identifying information collected by the
 business that relates to that individual or someone for whom the
 individual is a legal representative or guardian.
 (b)  If an individual who maintains an account with a
 business closes the account, the business shall:
 (1)  stop processing the individual's personal
 identifying information on the date the individual closes the
 account; and
 (2)  not later than the one-year anniversary of the
 date the account is closed, permanently delete the individual's
 personal identifying information unless retention of the
 information is required by other law or is necessary to comply with
 other law.
 (c)  If an individual makes a request for a business to
 delete personal identifying information under this section, and
 that business has provided the personal identifying information to
 a third party, the business shall notify the third party of the
 individual's request. The third party shall delete the individual's
 personal identifying information not later than the one-year
 anniversary of the date the third party received the notification
 under this subsection.
 SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS
 Sec. 541.101.  DEFINITION. In this subchapter, "data
 stream" means the continuous transmission of an individual's
 personal identifying information through online activity or with a
 device connected to the Internet that can be used by the business to
 provide for the monetization of the information, customer
 relationship management, or continuous identification of an
 individual for commercial purposes.
 Sec. 541.102.  APPLICABILITY. This subchapter applies only
 to a contract between a business and an individual under which, as a
 term of the contract, the individual allows the business to
 collect, store, or use the individual's personal identifying
 information.
 Sec. 541.103.  CONSIDERATION UNDER CONTRACT. (a)  An
 individual may provide the individual's data stream or information
 obtained by the individual under Section 541.051 as consideration
 under a contract.
 (b)  A business may provide consideration in the form of
 money or other incentive, including as an incentive to purchase
 goods or services, under a contract that is reasonably related to
 the value of the information or access offered by the individual
 under the contract. This subsection does not prohibit a business
 from differentiating the consideration offered to individuals
 based on information or access offered by individuals, including
 offering different individuals different prices or rates for goods
 or services or providing different levels of quality for goods or
 services based on the information and access offered by
 individuals.
 Sec. 541.104.  CONTRACT REQUIREMENTS. (a)  A contract
 subject to this subchapter:
 (1)  must clearly state the terms, including the
 duration, of the contract; and
 (2)  may not:
 (A)  require that the individual exclusively
 contract with the business or otherwise restrict the individual's
 ability to sell the individual's personal identifying information;
 and
 (B)  prevent the individual from receiving or
 considering alternative offers to purchase the individual's
 personal identifying information.
 (b)  A contract provision that violates Subsection (a)(2) is
 void and unenforceable.
 SECTION 2.  (a) Except as provided by Subsection (b) of this
 section, this Act takes effect September 1, 2021.
 (b)  Section 541.052, Business & Commerce Code, as added by
 this Act, takes effect January 1, 2022.