| 1 | 1 | | 87R7858 MLH-D |
|---|
| 2 | 2 | | By: Capriglione H.B. No. 4164 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to the authority of individuals over the personal |
|---|
| 8 | 8 | | identifying information collected, processed, or maintained about |
|---|
| 9 | 9 | | the individuals and certain others by certain businesses. |
|---|
| 10 | 10 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 11 | 11 | | SECTION 1. Title 11, Business & Commerce Code, is amended by |
|---|
| 12 | 12 | | adding Subtitle C to read as follows: |
|---|
| 13 | 13 | | SUBTITLE C. PERSONAL IDENTIFYING INFORMATION |
|---|
| 14 | 14 | | CHAPTER 541. PERSONAL IDENTIFYING INFORMATION PROCESSED OR |
|---|
| 15 | 15 | | COLLECTED BY CERTAIN BUSINESSES |
|---|
| 16 | 16 | | SUBCHAPTER A. GENERAL PROVISIONS |
|---|
| 17 | 17 | | Sec. 541.001. DEFINITIONS. In this chapter: |
|---|
| 18 | 18 | | (1) "Business" means a for-profit entity, including a |
|---|
| 19 | 19 | | sole proprietorship, partnership, limited liability company, |
|---|
| 20 | 20 | | corporation, association, or other legal entity that is organized |
|---|
| 21 | 21 | | or operated for the profit or financial benefit of the entity's |
|---|
| 22 | 22 | | shareholders or other owners. |
|---|
| 23 | 23 | | (2) "Personal identifying information" means a |
|---|
| 24 | 24 | | category of information relating to an identified or identifiable |
|---|
| 25 | 25 | | individual. The term does not include a specific category of |
|---|
| 26 | 26 | | personal identifying information that the attorney general exempts |
|---|
| 27 | 27 | | from this definition by rule. The term includes: |
|---|
| 28 | 28 | | (A) a social security number; |
|---|
| 29 | 29 | | (B) a driver's license number, passport number, |
|---|
| 30 | 30 | | military identification number, or any other similar number issued |
|---|
| 31 | 31 | | on a government document and used to verify an individual's |
|---|
| 32 | 32 | | identity; |
|---|
| 33 | 33 | | (C) a financial account number, credit or debit |
|---|
| 34 | 34 | | card number, or any security code, access code, or password that is |
|---|
| 35 | 35 | | necessary to permit access to an individual's financial account; |
|---|
| 36 | 36 | | (D) unique biometric information, including a |
|---|
| 37 | 37 | | fingerprint, voice print, retina or iris image, or any other unique |
|---|
| 38 | 38 | | physical representation; |
|---|
| 39 | 39 | | (E) physical or mental health information, |
|---|
| 40 | 40 | | including health care information; |
|---|
| 41 | 41 | | (F) the private communications or other |
|---|
| 42 | 42 | | user-created content of an individual that is not publicly |
|---|
| 43 | 43 | | available; |
|---|
| 44 | 44 | | (G) religious affiliation or practice |
|---|
| 45 | 45 | | information; |
|---|
| 46 | 46 | | (H) racial or ethnic origin information; |
|---|
| 47 | 47 | | (I) precise geolocation tracking data; and |
|---|
| 48 | 48 | | (J) unique genetic information. |
|---|
| 49 | 49 | | (3) "Processing" means any operation or set of |
|---|
| 50 | 50 | | operations that are performed on personal identifying information |
|---|
| 51 | 51 | | or on sets of personal identifying information, including the |
|---|
| 52 | 52 | | collection, creation, generation, recording, organization, |
|---|
| 53 | 53 | | structuring, storage, adaptation, alteration, retrieval, |
|---|
| 54 | 54 | | consultation, use, disclosure, transfer, or dissemination of the |
|---|
| 55 | 55 | | information or otherwise making the information available. |
|---|
| 56 | 56 | | (4) "Third party" means a person engaged by a business |
|---|
| 57 | 57 | | to process, on behalf of the business, personal identifying |
|---|
| 58 | 58 | | information collected by the business. |
|---|
| 59 | 59 | | Sec. 541.002. APPLICABILITY. (a) This chapter applies |
|---|
| 60 | 60 | | only to a business that: |
|---|
| 61 | 61 | | (1) does business in this state; |
|---|
| 62 | 62 | | (2) has more than 50 employees; |
|---|
| 63 | 63 | | (3) collects the personal identifying information of |
|---|
| 64 | 64 | | more than 5,000 individuals, households, or devices or has that |
|---|
| 65 | 65 | | information collected on the business's behalf; and |
|---|
| 66 | 66 | | (4) satisfies one or more of the following thresholds: |
|---|
| 67 | 67 | | (A) has annual gross revenue in an amount that |
|---|
| 68 | 68 | | exceeds $25 million; or |
|---|
| 69 | 69 | | (B) derives 50 percent or more of the business's |
|---|
| 70 | 70 | | annual revenue by processing personal identifying information. |
|---|
| 71 | 71 | | (b) Except as provided by Subsection (c), this chapter |
|---|
| 72 | 72 | | applies only to personal identifying information that is: |
|---|
| 73 | 73 | | (1) collected over the Internet or any other digital |
|---|
| 74 | 74 | | network or through a computing device that is associated with or |
|---|
| 75 | 75 | | routinely used by an end user; and |
|---|
| 76 | 76 | | (2) linked or reasonably linkable to a specific end |
|---|
| 77 | 77 | | user. |
|---|
| 78 | 78 | | (c) This chapter does not apply to personal identifying |
|---|
| 79 | 79 | | information that is: |
|---|
| 80 | 80 | | (1) collected solely for facilitating the |
|---|
| 81 | 81 | | transmission, routing, or connections by which digital personal |
|---|
| 82 | 82 | | identifying information and other data is transferred between or |
|---|
| 83 | 83 | | among businesses; or |
|---|
| 84 | 84 | | (2) transmitted to and from the individual to whom the |
|---|
| 85 | 85 | | personal identifying information relates if the collector of the |
|---|
| 86 | 86 | | information does not access, review, or modify the content of the |
|---|
| 87 | 87 | | information, or otherwise perform or conduct any analytical, |
|---|
| 88 | 88 | | algorithmic, or machine learning processes on the information. |
|---|
| 89 | 89 | | Sec. 541.003. EXEMPTIONS. This chapter does not apply to: |
|---|
| 90 | 90 | | (1) publicly available information; |
|---|
| 91 | 91 | | (2) protected health information governed by Chapter |
|---|
| 92 | 92 | | 181, Health and Safety Code, or collected by a covered entity or a |
|---|
| 93 | 93 | | business associate of a covered entity, as those terms are defined |
|---|
| 94 | 94 | | by 45 C.F.R. Section 160.103, that is governed by the privacy, |
|---|
| 95 | 95 | | security, and breach notification rules in 45 C.F.R. Parts 160 and |
|---|
| 96 | 96 | | 164 adopted by the United States Department of Health and Human |
|---|
| 97 | 97 | | Services under the Health Insurance Portability and Accountability |
|---|
| 98 | 98 | | Act of 1996 (Pub. L. No. 104-191) and Title XIII of the American |
|---|
| 99 | 99 | | Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5); |
|---|
| 100 | 100 | | (3) personal identifying information collected by a |
|---|
| 101 | 101 | | consumer reporting agency, as defined by Section 20.01, if the |
|---|
| 102 | 102 | | information is to be: |
|---|
| 103 | 103 | | (A) reported in or used to generate a consumer |
|---|
| 104 | 104 | | report, as defined by Section 1681a(d) of the Fair Credit Reporting |
|---|
| 105 | 105 | | Act (15 U.S.C. Section 1681 et seq.); and |
|---|
| 106 | 106 | | (B) used solely for a purpose authorized under |
|---|
| 107 | 107 | | that Act; |
|---|
| 108 | 108 | | (4) personal identifying information processed in |
|---|
| 109 | 109 | | accordance with the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) |
|---|
| 110 | 110 | | and its implementing regulations; or |
|---|
| 111 | 111 | | (5) education information that is not publicly |
|---|
| 112 | 112 | | available personally identifiable information under the Family |
|---|
| 113 | 113 | | Educational Rights and Privacy Act of 1974 (20 U.S.C. Section |
|---|
| 114 | 114 | | 1232g) (34 C.F.R. Part 99). |
|---|
| 115 | 115 | | Sec. 541.004. RULES. The attorney general shall adopt |
|---|
| 116 | 116 | | rules necessary to implement, administer, and enforce this chapter. |
|---|
| 117 | 117 | | SUBCHAPTER B. AUTHORITY OF INDIVIDUALS TO ACCESS AND DELETE CERTAIN |
|---|
| 118 | 118 | | INFORMATION |
|---|
| 119 | 119 | | Sec. 541.051. ACCESS TO INFORMATION; DATA PORTABILITY. (a) |
|---|
| 120 | 120 | | An individual is entitled to: |
|---|
| 121 | 121 | | (1) access and obtain personal identifying |
|---|
| 122 | 122 | | information related to the individual or someone for whom the |
|---|
| 123 | 123 | | individual is a legal representative or guardian that is collected |
|---|
| 124 | 124 | | by a business; and |
|---|
| 125 | 125 | | (2) at the option of the individual, transfer personal |
|---|
| 126 | 126 | | identifying information from one business to another business, |
|---|
| 127 | 127 | | including in connection with the sale of that information under a |
|---|
| 128 | 128 | | contract described by Subchapter C. |
|---|
| 129 | 129 | | (b) A business shall allow an individual to promptly and |
|---|
| 130 | 130 | | reasonably obtain: |
|---|
| 131 | 131 | | (1) confirmation of whether personal identifying |
|---|
| 132 | 132 | | information concerning the individual or someone for whom the |
|---|
| 133 | 133 | | individual is a legal representative or guardian is processed by |
|---|
| 134 | 134 | | the business; |
|---|
| 135 | 135 | | (2) a description of the categories of personal |
|---|
| 136 | 136 | | identifying information processed by the business; |
|---|
| 137 | 137 | | (3) an explanation in plain language of the specific |
|---|
| 138 | 138 | | types of personal identifying information collected by the |
|---|
| 139 | 139 | | business; |
|---|
| 140 | 140 | | (4) a description of the inferences the business has |
|---|
| 141 | 141 | | drawn about the individual or someone for whom the individual is a |
|---|
| 142 | 142 | | personal representative or guardian from the information collected |
|---|
| 143 | 143 | | by the business; and |
|---|
| 144 | 144 | | (5) access to the individual's personal identifying |
|---|
| 145 | 145 | | information, including in accordance with Subsection (c), a copy of |
|---|
| 146 | 146 | | the individual's personal identifying information in a portable and |
|---|
| 147 | 147 | | transferable format. |
|---|
| 148 | 148 | | (c) On request of an individual, a business shall without |
|---|
| 149 | 149 | | undue delay provide the individual with all personal identifying |
|---|
| 150 | 150 | | information collected by the business that relates to the |
|---|
| 151 | 151 | | individual or someone for whom the individual is a legal |
|---|
| 152 | 152 | | representative or guardian. The business shall provide the |
|---|
| 153 | 153 | | requested information to an individual under this section in a |
|---|
| 154 | 154 | | portable, readily usable format that may be transferred, including |
|---|
| 155 | 155 | | in connection with the sale of the information, by the individual to |
|---|
| 156 | 156 | | another business. |
|---|
| 157 | 157 | | Sec. 541.052. DELETION OF PERSONAL IDENTIFYING |
|---|
| 158 | 158 | | INFORMATION. (a) An individual is entitled to request that a |
|---|
| 159 | 159 | | business delete personal identifying information collected by the |
|---|
| 160 | 160 | | business that relates to that individual or someone for whom the |
|---|
| 161 | 161 | | individual is a legal representative or guardian. |
|---|
| 162 | 162 | | (b) If an individual who maintains an account with a |
|---|
| 163 | 163 | | business closes the account, the business shall: |
|---|
| 164 | 164 | | (1) stop processing the individual's personal |
|---|
| 165 | 165 | | identifying information on the date the individual closes the |
|---|
| 166 | 166 | | account; and |
|---|
| 167 | 167 | | (2) not later than the one-year anniversary of the |
|---|
| 168 | 168 | | date the account is closed, permanently delete the individual's |
|---|
| 169 | 169 | | personal identifying information unless retention of the |
|---|
| 170 | 170 | | information is required by other law or is necessary to comply with |
|---|
| 171 | 171 | | other law. |
|---|
| 172 | 172 | | (c) If an individual makes a request for a business to |
|---|
| 173 | 173 | | delete personal identifying information under this section, and |
|---|
| 174 | 174 | | that business has provided the personal identifying information to |
|---|
| 175 | 175 | | a third party, the business shall notify the third party of the |
|---|
| 176 | 176 | | individual's request. The third party shall delete the individual's |
|---|
| 177 | 177 | | personal identifying information not later than the one-year |
|---|
| 178 | 178 | | anniversary of the date the third party received the notification |
|---|
| 179 | 179 | | under this subsection. |
|---|
| 180 | 180 | | SUBCHAPTER C. CONTRACTS WITH INDIVIDUALS |
|---|
| 181 | 181 | | Sec. 541.101. DEFINITION. In this subchapter, "data |
|---|
| 182 | 182 | | stream" means the continuous transmission of an individual's |
|---|
| 183 | 183 | | personal identifying information through online activity or with a |
|---|
| 184 | 184 | | device connected to the Internet that can be used by the business to |
|---|
| 185 | 185 | | provide for the monetization of the information, customer |
|---|
| 186 | 186 | | relationship management, or continuous identification of an |
|---|
| 187 | 187 | | individual for commercial purposes. |
|---|
| 188 | 188 | | Sec. 541.102. APPLICABILITY. This subchapter applies only |
|---|
| 189 | 189 | | to a contract between a business and an individual under which, as a |
|---|
| 190 | 190 | | term of the contract, the individual allows the business to |
|---|
| 191 | 191 | | collect, store, or use the individual's personal identifying |
|---|
| 192 | 192 | | information. |
|---|
| 193 | 193 | | Sec. 541.103. CONSIDERATION UNDER CONTRACT. (a) An |
|---|
| 194 | 194 | | individual may provide the individual's data stream or information |
|---|
| 195 | 195 | | obtained by the individual under Section 541.051 as consideration |
|---|
| 196 | 196 | | under a contract. |
|---|
| 197 | 197 | | (b) A business may provide consideration in the form of |
|---|
| 198 | 198 | | money or other incentive, including as an incentive to purchase |
|---|
| 199 | 199 | | goods or services, under a contract that is reasonably related to |
|---|
| 200 | 200 | | the value of the information or access offered by the individual |
|---|
| 201 | 201 | | under the contract. This subsection does not prohibit a business |
|---|
| 202 | 202 | | from differentiating the consideration offered to individuals |
|---|
| 203 | 203 | | based on information or access offered by individuals, including |
|---|
| 204 | 204 | | offering different individuals different prices or rates for goods |
|---|
| 205 | 205 | | or services or providing different levels of quality for goods or |
|---|
| 206 | 206 | | services based on the information and access offered by |
|---|
| 207 | 207 | | individuals. |
|---|
| 208 | 208 | | Sec. 541.104. CONTRACT REQUIREMENTS. (a) A contract |
|---|
| 209 | 209 | | subject to this subchapter: |
|---|
| 210 | 210 | | (1) must clearly state the terms, including the |
|---|
| 211 | 211 | | duration, of the contract; and |
|---|
| 212 | 212 | | (2) may not: |
|---|
| 213 | 213 | | (A) require that the individual exclusively |
|---|
| 214 | 214 | | contract with the business or otherwise restrict the individual's |
|---|
| 215 | 215 | | ability to sell the individual's personal identifying information; |
|---|
| 216 | 216 | | and |
|---|
| 217 | 217 | | (B) prevent the individual from receiving or |
|---|
| 218 | 218 | | considering alternative offers to purchase the individual's |
|---|
| 219 | 219 | | personal identifying information. |
|---|
| 220 | 220 | | (b) A contract provision that violates Subsection (a)(2) is |
|---|
| 221 | 221 | | void and unenforceable. |
|---|
| 222 | 222 | | SECTION 2. (a) Except as provided by Subsection (b) of this |
|---|
| 223 | 223 | | section, this Act takes effect September 1, 2021. |
|---|
| 224 | 224 | | (b) Section 541.052, Business & Commerce Code, as added by |
|---|
| 225 | 225 | | this Act, takes effect January 1, 2022. |
|---|