TX
Texas House Bill HB1844

Texas 2023 - 88th Regular

Texas House Bill HB1844 Compare Versions

OldNewDifferences
11 88R10880 TYPED
22 By: Capriglione H.B. No. 1844
33
44
55 A BILL TO BE ENTITLED
66 AN ACT
77 relating to the regulation of the collection, use, processing, and
88 treatment of consumers' personal data by certain business entities;
99 imposing a civil penalty.
1010 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1111 SECTION 1. Title 11, Business & Commerce Code, is amended by
1212 adding Subtitle C to read as follows:
1313 SUBTITLE C. CONSUMER DATA PROTECTION
1414 CHAPTER 541. CONSUMER DATA PROTECTION
1515 SUBCHAPTER A. GENERAL PROVISIONS
1616 Sec. 541.001 SHORT TITLE. This chapter may be cited as the
1717 Texas Data Privacy and Security Act.
1818 Sec. 541.002. DEFINITIONS. In this chapter, unless a
1919 different meaning is required by the context:
2020 (1) "Affiliate" means a legal entity that controls, is
2121 controlled by, or is under common control with another legal entity
2222 or shares common branding with another legal entity. For purposes
2323 of this subdivision, "control" or "controlled" means:
2424 (A) the ownership of, or power to vote, more than
2525 50 percent of the outstanding shares of any class of voting security
2626 of a company;
2727 (B) the control in any manner over the election
2828 of a majority of the directors or of individuals exercising similar
2929 functions; or
3030 (C) the power to exercise controlling influence
3131 over the management of a company.
3232 (2) "Authenticate" means to verify through reasonable
3333 means that the consumer who is entitled to exercise the consumer's
3434 rights under Subchapter B is the same consumer exercising those
3535 consumer rights with respect to the personal data at issue.
3636 (3) "Biometric data" "Biometric data" means data
3737 generated by automatic measurements of an individual's biological
3838 characteristics, such as fingerprint, voiceprint, eye retina or
3939 iris, or other unique biological patterns or characteristics, that
4040 are used to identify a specific individual. The term does not
4141 include physical or digital photograph, a video or audio recording,
4242 or data generated therefrom, or information collected, used, or
4343 stored for health care treatment, payment, or operations under the
4444 Health Insurance Portability and Accountability Act of 1996 (42
4545 U.S.C. Section 1320 et seq.)
4646 (4) "Business associate" has the meaning assigned to
4747 the term by the Health Insurance Portability and Accountability Act
4848 of 1996 (42 U.S.C. Section 1320d et seq.).
4949 (5) "Child" means an individual younger than 13 years
5050 of age.
5151 (6) "Consent," when referring to a consumer, means a
5252 clear affirmative act signifying a consumer's freely given,
5353 specific, informed, and unambiguous agreement to process personal
5454 data relating to the consumer. The term includes a written
5555 statement, including a statement written by electronic means, or
5656 any other unambiguous affirmative action. "Consent" does not
5757 include:
5858 (A) acceptance of a general or broad terms of use
5959 or similar document that contains descriptions of personal data
6060 processing along with other, unrelated information;
6161 (B) hovering over, muting, pausing or closing a
6262 given piece of content; or
6363 (C) agreement obtained through the use of dark
6464 patterns.
6565 (7) "Consumer" means an individual who is a resident
6666 of this state acting only in an individual or household context. The
6767 term does not include an individual acting in a commercial or
6868 employment context.
6969 (8) "Controller" means an individual or other person
7070 that, alone or jointly with others, determines the purpose and
7171 means of processing personal data.
7272 (9) "Covered entity" has the meaning assigned to the
7373 term by the Health Insurance Portability and Accountability Act of
7474 1996 (42 U.S.C. Section 1320d et seq.).
7575 (10) "Dark pattern" means a user interface designed or
7676 manipulated with the substantial effect of subverting or impairing
7777 user autonomy, decision-making or choice, and includes, but is not
7878 limited to, any practice the Federal Trade Commission refers to as a
7979 "dark pattern".
8080 (11) "Decision that produces a legal or similarly
8181 significant effect concerning a consumer" means a decision made by
8282 the controller that results in the provision or denial by the
8383 controller of:
8484 (A) financial and lending services;
8585 (B) housing, insurance, or health care services;
8686 (C) education enrollment;
8787 (D) employment opportunities;
8888 (E) criminal justice; or
8989 (F) access to basic necessities, such as food and
9090 water.
9191 (12) "Deidentified data" means data that cannot
9292 reasonably be linked to an identified or identifiable individual,
9393 or a device linked to that individual.
9494 (13) "Health care provider" has the meaning assigned
9595 to the term by the Health Insurance Portability and Accountability
9696 Act of 1996 (42 U.S.C. Section 1320d et seq.).
9797 (14) "Health record" means any written, printed, or
9898 electronically recorded material maintained by a health care
9999 provider in the course of providing health care services to an
100100 individual that concerns the individual and the services provided.
101101 The term includes:
102102 (A) the substance of any communication made by an
103103 individual to a health care provider in confidence during or in
104104 connection with the provision of health care services; or
105105 (B) information otherwise acquired by the health
106106 care provider about an individual in confidence and in connection
107107 with health care services provided to the individual.
108108 (15) "Identified or identifiable individual" means an
109109 individual who can be readily identified, directly or indirectly.
110110 (16) "Institution of higher education" means:
111111 (A) an institution of higher education as defined
112112 by Section 61.003, Education Code; or
113113 (B) a private or independent institution of
114114 higher education as defined by Section 61.003, Education Code.
115115 (17) "Known child" means a child under circumstances
116116 where a controller has actual knowledge of, or willfully
117117 disregards, the child's age.
118118 (18) "Nonprofit organization" means:
119119 (A) a corporation organized under Chapters 20 and
120120 22, Business Organizations Code, and the provisions of Title 1,
121121 Business Organizations Code, to the extent applicable to nonprofit
122122 corporations;
123123 (B) an organization exempt from federal taxation
124124 under Section 501(a), Internal Revenue Code of 1986, by being
125125 listed as an exempt organization under Section 501(c)(3),
126126 501(c)(6), or 501(c)(12) of that code;
127127 (C) a political organization;
128128 (D) an organization that:
129129 (i) is exempt from federal taxation under
130130 Section 501(a), Internal Revenue Code of 1986, by being listed as an
131131 exempt organization under Section 501(c)(4) of that code; and
132132 (ii) is described by Section 701.052(a),
133133 Insurance Code; or
134134 (E) a subsidiary or affiliate of an entity
135135 organized under Chapter 11, Utilities Code.
136136 (19) "Personal data" means any information, including
137137 pseudonymous data and sensitive data, that is linked or reasonably
138138 linkable to an identified or identifiable individual. The term does
139139 not include deidentified data or publicly available information.
140140 (20) "Political organization" means a party,
141141 committee, association, fund, or other organization, regardless of
142142 whether incorporated, that is organized and operated primarily for
143143 the purpose of influencing or attempting to influence:
144144 (A) the selection, nomination, election, or
145145 appointment of an individual to a federal, state, or local public
146146 office or an office in a political organization, regardless of
147147 whether the individual is selected, nominated, elected, or
148148 appointed; or
149149 (B) the election of a
150150 presidential/vice-presidential elector, regardless of whether the
151151 elector is selected, nominated, elected, or appointed.
152152 (21) "Precise geolocation data" means information
153153 derived from technology, including global positioning system level
154154 latitude and longitude coordinates or other mechanisms, that
155155 directly identifies the specific location of an individual with
156156 precision and accuracy within a radius of 1,750 feet. The term does
157157 not include the content of communications, or any data generated by
158158 or connected to an advanced utility metering infrastructure system
159159 or to equipment for use by a utility.
160160 (22) "Process" or "processing" means an operation or
161161 set of operations performed, whether by manual or automated means,
162162 on personal data or on sets of personal data, such as the
163163 collection, use, storage, disclosure, analysis, deletion, or
164164 modification of personal data.
165165 (23) "Processor" means a person that processes
166166 personal data on behalf of a controller.
167167 (24) "Profiling" means any form of automated
168168 processing performed on personal data to evaluate, analyze, or
169169 predict personal aspects related to an identified or identifiable
170170 individual's economic situation, health, personal preferences,
171171 interests, reliability, behavior, location, or movements.
172172 (25) "Protected health information" has the meaning
173173 assigned to the term by the Health Insurance Portability and
174174 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
175175 (26) "Pseudonymous data" means personal data that
176176 cannot be attributed to a specific individual without the use of
177177 additional information, provided that the additional information
178178 is kept separately and is subject to appropriate technical and
179179 organizational measures to ensure that the personal data is not
180180 attributed to an identified or identifiable individual.
181181 (27) "Publicly available information" means
182182 information that is lawfully made available through government
183183 records, or information that a business has a reasonable basis to
184184 believe is lawfully made available to the general public through
185185 widely distributed media, by a consumer, or by a person to whom a
186186 consumer has disclosed the information, unless the consumer has
187187 restricted the information to a specific audience.
188188 (28) "Sale of personal data" means the sharing,
189189 disclosing, or transferring of personal data for monetary or other
190190 valuable consideration by the controller to a third party. The term
191191 does not include:
192192 (A) the disclosure of personal data to a
193193 processor that processes the personal data on the controller's
194194 behalf;
195195 (B) the disclosure of personal data to a third
196196 party for purposes of providing a product or service requested by
197197 the consumer;
198198 (C) the disclosure or transfer of personal data
199199 to an affiliate of the controller;
200200 (D) the disclosure of information that the
201201 consumer:
202202 (i) intentionally made available to the
203203 general public through a mass media channel; and
204204 (ii) did not restrict to a specific
205205 audience; or
206206 (E) the disclosure or transfer of personal data
207207 to a third party as an asset that is part of a merger or acquisition.
208208 (29) "Sensitive data" means a category of personal
209209 data. The term includes:
210210 (A) personal data revealing racial or ethnic
211211 origin, religious beliefs, mental or physical health diagnosis,
212212 sexual orientation, or citizenship or immigration status;
213213 (B) genetic or biometric data that is processed
214214 for the purpose of uniquely identifying an individual;
215215 (C) personal data collected from a known child;
216216 or
217217 (D) precise geolocation data.
218218 (30) "State agency" means a department, commission,
219219 board, office, council, authority, or other agency in the executive
220220 branch of state government that is created by the constitution or a
221221 statute of this state, including a university system or institution
222222 of higher education as defined by Section 61.003, Education Code.
223223 (31) "Targeted advertising" means displaying to a
224224 consumer an advertisement that is selected based on personal data
225225 obtained from that consumer's activities over time and across
226226 nonaffiliated websites or online applications to predict the
227227 consumer's preferences or interests. The term does not include:
228228 (A) an advertisement that:
229229 (i) is based on activities within a
230230 controller's own websites or online applications;
231231 (ii) is based on the context of a consumer's
232232 current search query, visit to a website, or online application; or
233233 (iii) is directed to a consumer in response
234234 to the consumer's request for information or feedback; or
235235 (B) the processing of personal data solely for
236236 measuring or reporting advertising performance, reach, or
237237 frequency.
238238 (32) "Third party" means a person, other than the
239239 consumer, the controller, the processor, or an affiliate of the
240240 controller or processor.
241241 (33) "Trade secret" means all forms and types of
242242 information, including business, scientific, technical, economic,
243243 or engineering information, and any formula, design, prototype,
244244 pattern, plan, compilation, program device, program, code, device,
245245 method, technique, process, procedure, financial data, or list of
246246 actual or potential customers or suppliers, whether tangible or
247247 intangible and whether or how stored, compiled, or memorialized
248248 physically, electronically, graphically, photographically, or in
249249 writing if:
250250 (A) the owner of the trade secret has taken
251251 reasonable measures under the circumstances to keep the information
252252 secret; and
253253 (B) the information derives independent economic
254254 value, actual or potential, from not being generally known to, and
255255 not being readily ascertainable through proper means by, another
256256 person who can obtain economic value from the disclosure or use of
257257 the information.
258258 Sec. 541.003. APPLICABILITY OF CHAPTER. (a) This chapter
259259 applies only to a person that:
260260 (1) conducts business in this state or produces a
261261 product or service consumed by residents of this state;
262262 (2) processes or engages in the sale of personal data;
263263 and
264264 (3) is not a small business as defined by the United
265265 States Small Business Administration.
266266 (b) This chapter does not apply to:
267267 (1) a state agency or a political subdivision of this
268268 state;
269269 (2) a financial institution or data subject to Title
270270 V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
271271 (3) a covered entity or business associate governed by
272272 the privacy, security, and breach notification rules issued by the
273273 United States Department of Health and Human Services, 45 C.F.R.
274274 Parts 160 and 164, established under the Health Insurance
275275 Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d
276276 et seq.), and the Health Information Technology for Economic and
277277 Clinical Health Act (Division A, Title XIII, and Division B, Title
278278 IV, Pub. L. No. 111-5);
279279 (4) a nonprofit organization; or
280280 (5) an institution of higher education.
281281 Sec. 541.004. CERTAIN INFORMATION EXEMPT FROM CHAPTER. The
282282 following information is exempt from this chapter:
283283 (1) protected health information under the Health
284284 Insurance Portability and Accountability Act of 1996 (42 U.S.C.
285285 Section 1320d et seq.);
286286 (2) health records;
287287 (3) patient identifying information for purposes of 42
288288 U.S.C. Section 290dd-2;
289289 (4) identifiable private information:
290290 (A) for purposes of the federal policy for the
291291 protection of human subjects under 45 C.F.R. Part 46;
292292 (B) collected as part of human subjects research
293293 in accordance with the good clinical practice guidelines issued by
294294 The International Council for Harmonisation of Technical
295295 Requirements for Pharmaceuticals for Human Use (ICH) or of the
296296 protection of human subjects under 21 C.F.R. Parts 6, 50, and 56; or
297297 (C) that is personal data used or shared in
298298 research conducted in accordance with the requirements set forth in
299299 this chapter or other research conducted in accordance with
300300 applicable law;
301301 (5) information and documents created for purposes of
302302 the Health Care Quality Improvement Act of 1986 (42 U.S.C. Section
303303 11101 et seq.);
304304 (6) patient safety work product for purposes of the
305305 Patient Safety and Quality Improvement Act of 2005 (42 U.S.C.
306306 Section 299b-21 et seq.);
307307 (7) information derived from any of the health
308308 care-related information listed in this section that is
309309 deidentified in accordance with the requirements for
310310 deidentification under the Health Insurance Portability and
311311 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);
312312 (8) information originating from, and intermingled to
313313 be indistinguishable with, or information treated in the same
314314 manner as, information exempt under this section that is maintained
315315 by a covered entity or business associate as defined by the Health
316316 Insurance Portability and Accountability Act of 1996 (42 U.S.C.
317317 Section 1320d et seq.) or by a program or a qualified service
318318 organization as defined by 42 U.S.C. Section 290dd-2;
319319 (9) information collected or used only for public
320320 health activities and purposes as authorized by the Health
321321 Insurance Portability and Accountability Act of 1996 (42 U.S.C.
322322 Section 1320d et seq.);
323323 (10) the collection, maintenance, disclosure, sale,
324324 communication, or use of any personal information bearing on a
325325 consumer's creditworthiness, credit standing, credit capacity,
326326 character, general reputation, personal characteristics, or mode
327327 of living by a consumer reporting agency or furnisher that provides
328328 information for use in a consumer report, and by a user of a
329329 consumer report, but only to the extent that the activity is
330330 regulated by and authorized under the Fair Credit Reporting Act (15
331331 U.S.C. Section 1681 et seq.);
332332 (11) personal data collected, processed, sold, or
333333 disclosed in compliance with the Driver's Privacy Protection Act of
334334 1994 (18 U.S.C. Section 2721 et seq.);
335335 (12) personal data regulated by the Family Educational
336336 Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g);
337337 (13) personal data collected, processed, sold, or
338338 disclosed in compliance with the Farm Credit Act of 1971 (12 U.S.C.
339339 Section 2001 et seq.);
340340 (14) data processed or maintained in the course of an
341341 individual applying to, employed by, or acting as an agent or
342342 independent contractor of a controller, processor, or third party,
343343 to the extent that the data is collected and used within the context
344344 of that role;
345345 (15) data processed or maintained as the emergency
346346 contact information of an individual under this chapter that is
347347 used for emergency contact purposes; or
348348 (16) data that is processed or maintained and is
349349 necessary to retain to administer benefits for another individual
350350 that relates to an individual described by Subdivision (14) and
351351 used for the purposes of administering those benefits.
352352 Sec. 541.005. INAPPLICABILITY OF CHAPTER. This chapter
353353 does not apply to the processing of personal data by a person in the
354354 course of a purely personal or household activity.
355355 Sec. 541.006. EFFECT OF COMPLIANCE WITH PARENTAL CONSENT
356356 REQUIREMENTS UNDER CERTAIN FEDERAL LAW. A controller or processor
357357 that complies with the verifiable parental consent requirements of
358358 the Children's Online Privacy Protection Act (15 U.S.C. Section
359359 6501 et seq.) with respect to data collected online is considered to
360360 be in compliance with any requirement to obtain parental consent
361361 under this chapter.
362362 SUBCHAPTER B. CONSUMER'S RIGHTS
363363 Sec. 541.051. CONSUMER'S PERSONAL DATA RIGHTS; REQUEST TO
364364 EXERCISE RIGHTS. (a) A consumer is entitled to exercise the
365365 consumer rights authorized by this section at any time by
366366 submitting a request to a controller specifying the consumer rights
367367 the consumer wishes to exercise. With respect to the processing of
368368 personal data belonging to a known child, a parent or legal guardian
369369 of the child may exercise the consumer rights on behalf of the
370370 child.
371371 (b) A controller shall comply with an authenticated
372372 consumer request to exercise the right to:
373373 (1) confirm whether a controller is processing the
374374 consumer's personal data and to access the personal data;
375375 (2) correct inaccuracies in the consumer's personal
376376 data, taking into account the nature of the personal data and the
377377 purposes of the processing of the consumer's personal data;
378378 (3) delete personal data provided by or obtained about
379379 the consumer;
380380 (4) if the data is available in a digital format,
381381 obtain a copy of the consumer's personal data that the consumer
382382 previously provided to the controller in a portable and, to the
383383 extent technically feasible, readily usable format that allows the
384384 consumer to transmit the data to another controller without
385385 hindrance; or
386386 (5) opt out of the processing of the personal data for
387387 purposes of:
388388 (A) targeted advertising;
389389 (B) the sale of personal data; or
390390 (C) profiling in furtherance of a decision that
391391 produces a legal or similarly significant effect concerning the
392392 consumer.
393393 Sec. 541.052. CONTROLLER RESPONSE TO CONSUMER REQUEST. (a)
394394 Except as otherwise provided by this chapter, a controller shall
395395 comply with a request submitted by a consumer to exercise the
396396 consumer's rights pursuant to Section 541.051 as provided by this
397397 section.
398398 (b) A controller shall respond to the consumer request
399399 without undue delay, which may not be later than the 45th day after
400400 the date of receipt of the request. The controller may extend the
401401 response period once by an additional 45 days when reasonably
402402 necessary, taking into account the complexity and number of the
403403 consumer's requests, so long as the controller informs the consumer
404404 of the extension within the initial 45-day response period,
405405 together with the reason for the extension.
406406 (c) If a controller declines to take action regarding the
407407 consumer's request, the controller shall inform the consumer
408408 without undue delay, which may not be later than the 45th day after
409409 the date of receipt of the request, of the justification for
410410 declining to take action and provide instructions on how to appeal
411411 the decision in accordance with Section 541.053.
412412 (d) A controller shall provide information in response to a
413413 consumer request free of charge, up to twice annually per consumer.
414414 If a request from a consumer is manifestly unfounded, excessive, or
415415 repetitive, the controller may charge the consumer a reasonable fee
416416 to cover the administrative costs of complying with the request or
417417 may decline to act on the request. The controller bears the burden
418418 of demonstrating for purposes of this subsection that a request is
419419 manifestly unfounded, excessive, or repetitive.
420420 (e) If a controller is unable to authenticate the request
421421 using commercially reasonable efforts, the controller is not
422422 required to comply with a consumer request submitted under Section
423423 541.051 and may request that the consumer provide additional
424424 information reasonably necessary to authenticate the consumer and
425425 the consumer's request.
426426 (f) A controller that has obtained personal data about a
427427 consumer from a source other than the consumer is considered in
428428 compliance with a consumer's request to delete that personal data
429429 pursuant to Section 541.051(b)(3) by:
430430 (1) retaining a record of the deletion request and the
431431 minimum data necessary for the purpose of ensuring the consumer's
432432 personal data remains deleted from the business's records and not
433433 using the retained data for any other purpose under this chapter; or
434434 (2) opting the consumer out of the processing of that
435435 personal data for any purpose other than a purpose that is exempt
436436 under the provisions of this chapter.
437437 Sec. 541.053. APPEAL. (a) A controller shall establish a
438438 process for a consumer to appeal the controller's refusal to take
439439 action on a request within a reasonable period of time after the
440440 consumer's receipt of the decision under Section 541.052(c).
441441 (b) The appeal process must be conspicuously available and
442442 similar to the process for initiating action to exercise consumer
443443 rights by submitting a request under Section 541.051.
444444 (c) A controller shall inform the consumer in writing of any
445445 action taken or not taken in response to an appeal under this
446446 section not later than the 60th day after the date of receipt of the
447447 appeal, including a written explanation of the reason or reasons
448448 for the decision.
449449 (d) If the controller denies an appeal, the controller shall
450450 provide the consumer with an online mechanism, if available, or
451451 another method through which the consumer may contact the attorney
452452 general to submit a complaint.
453453 Sec. 541.054. WAIVER OR LIMITATION OF CONSUMER RIGHTS
454454 PROHIBITED. Any provision of a contract or agreement that waives or
455455 limits in any way a consumer right described by Sections 541.051,
456456 541.052, and 541.053 is contrary to public policy and is void and
457457 unenforceable.
458458 Sec. 541.055. METHODS FOR SUBMITTING CONSUMER REQUESTS.
459459 (a) A controller shall establish two or more secure and reliable
460460 methods to enable consumers to submit a request to exercise their
461461 consumer rights under this chapter. The methods must take into
462462 account:
463463 (1) the ways in which consumers normally interact with
464464 the controller;
465465 (2) the necessity for secure and reliable
466466 communications of those requests; and
467467 (3) the ability of the controller to authenticate the
468468 identity of the consumer making the request.
469469 (b) A controller may not require a consumer to create a new
470470 account to exercise the consumer's rights under this subchapter but
471471 may require a consumer to use an existing account.
472472 (c) Except as provided by Subsection (d), if the controller
473473 maintains an Internet website, the controller must make the website
474474 available to consumers to submit requests for information required
475475 to be disclosed under this chapter.
476476 (d) A controller that operates exclusively online and has a
477477 direct relationship with a consumer from whom the controller
478478 collects personal information is only required to provide an e-mail
479479 address for the submission of requests described by Subsection (c).
480480 SUBCHAPTER C. CONTROLLER AND PROCESSOR DATA-RELATED DUTIES AND
481481 PROHIBITIONS
482482 Sec. 541.101. CONTROLLER DUTIES; TRANSPARENCY. (a) A
483483 controller:
484484 (1) shall limit the collection of personal data to
485485 what is adequate, relevant, and reasonably necessary in relation to
486486 the purposes for which that personal data is processed, as
487487 disclosed to the consumer; and
488488 (2) for purposes of protecting the confidentiality,
489489 integrity, and accessibility of personal data, shall establish,
490490 implement, and maintain reasonable administrative, technical, and
491491 physical data security practices that are appropriate to the volume
492492 and nature of the personal data at issue.
493493 (b) A controller may not:
494494 (1) except as otherwise provided by this chapter,
495495 process personal data for a purpose that is neither reasonably
496496 necessary to nor compatible with the disclosed purpose for which
497497 the personal data is processed, as disclosed to the consumer,
498498 unless the controller obtains the consumer's consent;
499499 (2) process personal data in violation of state and
500500 federal laws that prohibit unlawful discrimination against
501501 consumers;
502502 (3) discriminate against a consumer for exercising any
503503 of the consumer rights contained in this chapter, including by
504504 denying goods or services, charging different prices or rates for
505505 goods or services, or providing a different level of quality of
506506 goods or services to the consumer; or
507507 (4) process the sensitive data of a consumer without
508508 obtaining the consumer's consent, or, in the case of processing the
509509 sensitive data of a known child, without processing that data in
510510 accordance with the Children's Online Privacy Protection Act (15
511511 U.S.C. Section 6501 et seq.).
512512 (c) Subsection (b)(3) may not be construed to require a
513513 controller to provide a product or service that requires the
514514 personal data of a consumer that the controller does not collect or
515515 maintain or to prohibit a controller from offering a different
516516 price, rate, level, quality, or selection of goods or services to a
517517 consumer, including offering goods or services for no fee, if the
518518 consumer has exercised the consumer's right to opt out under
519519 Section 541.051 or the offer is related to a consumer's voluntary
520520 participation in a bona fide loyalty, rewards, premium features,
521521 discounts, or club card program.
522522 Sec. 541.102. PRIVACY NOTICE. A controller shall provide
523523 consumers with a reasonably accessible and clear privacy notice
524524 that includes:
525525 (1) the categories of personal data processed by the
526526 controller;
527527 (a) if applicable, the categories must include
528528 any sensitive data processed by the controller;
529529 (2) the purpose for processing personal data;
530530 (3) how consumers may exercise their consumer rights
531531 under Subchapter B, including the process by which a consumer may
532532 appeal a controller's decision with regard to the consumer's
533533 request;
534534 (4) if applicable, the categories of personal data
535535 that the controller shares with third parties;
536536 (5) if applicable, the categories of third parties
537537 with whom the controller shares personal data; and
538538 (6) a description of the methods required under
539539 Section 541.055 through which consumers can submit requests to
540540 exercise their consumer rights under this chapter.
541541 Sec. 541.103. SALE OF DATA TO THIRD PARTIES AND PROCESSING
542542 DATA FOR TARGETED ADVERTISING; DISCLOSURE. If a controller sells
543543 personal data to third parties or processes personal data for
544544 targeted advertising, the controller shall clearly and
545545 conspicuously disclose such processing and the manner in which a
546546 consumer may exercise the right to opt out of such processing.
547547 Sec. 541.104. DUTIES OF PROCESSOR. (a) A processor shall
548548 adhere to the instructions of a controller and shall assist the
549549 controller in meeting or complying with the controller's duties or
550550 requirements under this chapter, including:
551551 (1) assisting the controller in responding to consumer
552552 rights requests submitted under Section 541.051 by using
553553 appropriate technical and organizational measures, as reasonably
554554 practicable, taking into account the nature of processing and the
555555 information available to the processor;
556556 (2) assisting the controller with regard to complying
557557 with the requirement relating to the security of processing
558558 personal data and to the notification of a breach of security of the
559559 processor's system under Chapter 521, taking into account the
560560 nature of processing and the information available to the
561561 processor; and
562562 (3) providing necessary information to enable the
563563 controller to conduct and document data protection assessments
564564 under Section 541.105.
565565 (b) A contract between a controller and a processor shall
566566 govern the processor's data processing procedures with respect to
567567 processing performed on behalf of the controller. The contract must
568568 include:
569569 (1) clear instructions for processing data;
570570 (2) the nature and purpose of processing;
571571 (3) the type of data subject to processing;
572572 (4) the duration of processing;
573573 (5) the rights and obligations of both parties; and
574574 (6) a requirement that the processor shall:
575575 (A) ensure that each person processing personal
576576 data is subject to a duty of confidentiality with respect to the
577577 data;
578578 (B) at the controller's direction, delete or
579579 return all personal data to the controller as requested after the
580580 provision of the service is completed, unless retention of the
581581 personal data is required by law;
582582 (C) make available to the controller, on
583583 reasonable request, all information in the processor's possession
584584 necessary to demonstrate the processor's compliance with the
585585 requirements of this chapter;
586586 (D) allow, and cooperate with, reasonable
587587 assessments by the controller or the controller's designated
588588 assessor; and
589589 (E) engage any subcontractor pursuant to a
590590 written contract that requires the subcontractor to meet the
591591 requirements of the processor with respect to the personal data.
592592 (c) Notwithstanding the requirement described by Subsection
593593 (b)(6)(D), a processor, in the alternative, may arrange for a
594594 qualified and independent assessor to conduct an assessment of the
595595 processor's policies and technical and organizational measures in
596596 support of the requirements under this chapter using an appropriate
597597 and accepted control standard or framework and assessment
598598 procedure. The processor shall provide a report of the assessment
599599 to the controller on request.
600600 (d) This section may not be construed to relieve a
601601 controller or a processor from the liabilities imposed on the
602602 controller or processor by virtue of its role in the processing
603603 relationship as described by this chapter.
604604 (e) A determination of whether a person is acting as a
605605 controller or processor with respect to a specific processing of
606606 data is a fact-based determination that depends on the context in
607607 which personal data is to be processed. A processor that continues
608608 to adhere to a controller's instructions with respect to a specific
609609 processing of personal data remains in the role of a processor.
610610 Sec. 541.105. DATA PROTECTION ASSESSMENTS. (a) A
611611 controller shall conduct and document a data protection assessment
612612 of each of the following processing activities involving personal
613613 data:
614614 (1) the processing of personal data for purposes of
615615 targeted advertising;
616616 (2) the sale of personal data;
617617 (3) the processing of personal data for purposes of
618618 profiling, if the profiling presents a reasonably foreseeable risk
619619 of:
620620 (A) unfair or deceptive treatment of or unlawful
621621 disparate impact on consumers;
622622 (B) financial, physical, or reputational injury
623623 to consumers;
624624 (C) a physical or other intrusion on the solitude
625625 or seclusion, or the private affairs or concerns, of consumers, if
626626 the intrusion would be offensive to a reasonable person; or
627627 (D) other substantial injury to consumers;
628628 (4) the processing of sensitive data; and
629629 (5) any processing activities involving personal data
630630 that present a heightened risk of harm to consumers.
631631 (b) A data protection assessment conducted under Subsection
632632 (a) must:
633633 (1) identify and weigh the direct or indirect benefits
634634 that may flow from the processing to the controller, the consumer,
635635 other stakeholders, and the public, against the potential risks to
636636 the rights of the consumer associated with that processing, as
637637 mitigated by safeguards that can be employed by the controller to
638638 reduce the risks; and
639639 (2) factor into the assessment:
640640 (A) the use of deidentified data;
641641 (B) the reasonable expectations of consumers;
642642 (C) the context of the processing; and
643643 (D) the relationship between the controller and
644644 the consumer whose personal data will be processed.
645645 (c) A controller shall make a data protection assessment
646646 requested under Section 541.152(b) available to the attorney
647647 general.
648648 (d) A data protection assessment is confidential and exempt
649649 from public inspection and copying under Chapter 552, Government
650650 Code. Disclosure of a data protection assessment in compliance with
651651 a request from the attorney general does not constitute a waiver of
652652 attorney-client privilege or work product protection with respect
653653 to the assessment and any information contained in the assessment.
654654 (e) A single data protection assessment may address a
655655 comparable set of processing operations that include similar
656656 activities.
657657 (f) A data protection assessment conducted by a controller
658658 for the purpose of compliance with other laws or regulations may
659659 constitute compliance with the requirements of this section if the
660660 assessment has a reasonably comparable scope and effect.
661661 Sec. 541.106. DEIDENTIFIED OR PSEUDONYMOUS DATA. (a) A
662662 controller in possession of deidentified data shall:
663663 (1) take reasonable measures to ensure that the data
664664 cannot be associated with an individual;
665665 (2) publicly commit to maintaining and using
666666 deidentified data without attempting to reidentify the data; and
667667 (3) contractually obligate any recipient of the
668668 deidentified data to comply with the provisions of this chapter.
669669 (b) This chapter may not be construed to require a
670670 controller or processor to:
671671 (1) reidentify deidentified data or pseudonymous
672672 data;
673673 (2) maintain data in identifiable form or obtain,
674674 retain, or access any data or technology for the purpose of allowing
675675 the controller or processor to associate a consumer request with
676676 personal data; or
677677 (3) comply with an authenticated consumer rights
678678 request under Section 541.051, if the controller:
679679 (A) is not reasonably capable of associating the
680680 request with the personal data or it would be unreasonably
681681 burdensome for the controller to associate the request with the
682682 personal data;
683683 (B) does not use the personal data to recognize
684684 or respond to the specific consumer who is the subject of the
685685 personal data or associate the personal data with other personal
686686 data about the same specific consumer; and
687687 (C) does not sell the personal data to any third
688688 party or otherwise voluntarily disclose the personal data to any
689689 third party other than a processor, except as otherwise permitted
690690 by this section.
691691 (c) The consumer rights under Sections 541.051(b)(1)-(4)
692692 and controller duties under Section 541.101 do not apply to
693693 pseudonymous data in cases in which the controller is able to
694694 demonstrate any information necessary to identify the consumer is
695695 kept separately and is subject to effective technical and
696696 organizational controls that prevent the controller from accessing
697697 the information.
698698 (d) A controller that discloses pseudonymous data or
699699 deidentified data shall exercise reasonable oversight to monitor
700700 compliance with any contractual commitments to which the
701701 pseudonymous data or deidentified data is subject and shall take
702702 appropriate steps to address any breach of the contractual
703703 commitments.
704704 SUBCHAPTER D. ENFORCEMENT
705705 Sec. 541.151. ENFORCEMENT AUTHORITY EXCLUSIVE. The
706706 attorney general has exclusive authority to enforce this chapter.
707707 Sec. 541.152. INVESTIGATIVE AUTHORITY. (a) If the
708708 attorney general has reasonable cause to believe that a person has
709709 engaged in, is engaging in, or is about to engage in a violation of
710710 this chapter, the attorney general may issue a civil investigative
711711 demand. The procedures established for the issuance of a civil
712712 investigative demand under Section 15.10 apply to the same extent
713713 and manner to the issuance of a civil investigative demand under
714714 this section.
715715 (b) The attorney general may request, pursuant to a civil
716716 investigative demand issued under Subsection (a), that a controller
717717 disclose any data protection assessment that is relevant to an
718718 investigation conducted by the attorney general. The attorney
719719 general may evaluate the data protection assessment for compliance
720720 with the requirements set forth in Sections 541.101, 541.102, and
721721 541.103.
722722 Sec. 541.153. NOTICE OF VIOLATION OF CHAPTER; OPPORTUNITY
723723 TO CURE. Before bringing an action under Section 541.154, the
724724 attorney general shall notify a person in writing, not later than
725725 the 30th day before bringing the action, identifying the specific
726726 provisions of this chapter the attorney general alleges have been
727727 or are being violated. The attorney general may not bring an action
728728 against the person if:
729729 (1) within the 30-day period, the person cures the
730730 identified violation; and
731731 (2) the person provides the attorney general a written
732732 statement that the alleged violation has been cured and that no
733733 further violations will occur.
734734 Sec. 541.154. CIVIL PENALTY; INJUNCTION. (a) A person who
735735 violates this chapter following the cure period described by
736736 Section 541.153 or who breaches a written statement provided to the
737737 attorney general under that section is liable for a civil penalty in
738738 an amount not to exceed $7,500 for each violation.
739739 (b) The attorney general may bring an action in the name of
740740 this state to:
741741 (1) recover a civil penalty under this section;
742742 (2) restrain or enjoin the person from violating this
743743 chapter; or
744744 (3) recover the civil penalty and seek injunctive
745745 relief.
746746 (c) The attorney general may recover reasonable attorney's
747747 fees and other reasonable expenses incurred in investigating and
748748 bringing an action under this section.
749749 (d) The attorney general shall deposit a civil penalty
750750 collected under this section in the state treasury to the credit of
751751 the general revenue fund.
752752 Sec. 541.155. NO PRIVATE RIGHT OF ACTION. This chapter may
753753 not be construed to create a private right of action for a violation
754754 of this chapter or any other chapter.
755755 SUBCHAPTER E. CONSTRUCTION Of CHAPTER; EXEMPTIONS FOR CERTAIN USES
756756 OF CONSUMER PERSONAL DATA
757757 Sec. 541.201. CONSTRUCTION OF CHAPTER. (a) This chapter
758758 may not be construed to restrict a controller's or processor's
759759 ability to:
760760 (1) comply with federal, state, or local laws, rules,
761761 or regulations;
762762 (2) comply with a civil, criminal, or regulatory
763763 inquiry, investigation, subpoena, or summons by federal, state,
764764 local, or other governmental authorities;
765765 (3) investigate, establish, exercise, prepare for, or
766766 defend legal claims;
767767 (4) provide a product or service specifically
768768 requested by a consumer or the parent or guardian of a child,
769769 perform a contract to which the consumer is a party, including
770770 fulfilling the terms of a written warranty, or take steps at the
771771 request of the consumer before entering into a contract;
772772 (5) take immediate steps to protect an interest that
773773 is essential for the life or physical safety of the consumer or of
774774 another individual and in which the processing cannot be manifestly
775775 based on another legal basis;
776776 (6) prevent, detect, protect against, or respond to
777777 security incidents, identity theft, fraud, harassment, malicious
778778 or deceptive activities, or any illegal activity;
779779 (7) preserve the integrity or security of systems or
780780 investigate, report, or prosecute those responsible for breaches of
781781 system security;
782782 (8) engage in public or peer-reviewed scientific or
783783 statistical research in the public interest that adheres to all
784784 other applicable ethics and privacy laws and is approved,
785785 monitored, and governed by an institutional review board or similar
786786 independent oversight entity that determines:
787787 (A) if the deletion of the information is likely
788788 to provide substantial benefits that do not exclusively accrue to
789789 the controller;
790790 (B) whether the expected benefits of the research
791791 outweigh the privacy risks; and
792792 (C) if the controller has implemented reasonable
793793 safeguards to mitigate privacy risks associated with research,
794794 including any risks associated with reidentification; or
795795 (9) assist another controller, processor, or third
796796 party with any of the requirements under this subsection.
797797 (b) This chapter may not be construed to prevent a
798798 controller or processor from providing personal data concerning a
799799 consumer to a person covered by an evidentiary privilege under the
800800 laws of this state as part of a privileged communication.
801801 (c) This chapter may not be construed as imposing a
802802 requirement on controllers and processors that adversely affects
803803 the rights or freedoms of any person, including the right of free
804804 speech.
805805 (d) This chapter may not be construed as requiring a
806806 controller, processor, third party, or consumer to disclose a trade
807807 secret.
808808 Sec. 541.202. COLLECTION, USE, OR RETENTION OF DATA FOR
809809 CERTAIN PURPOSES. (a) The requirements imposed on controllers and
810810 processors under this chapter may not restrict a controller's or
811811 processor's ability to collect, use, or retain data to:
812812 (1) conduct internal research to develop, improve, or
813813 repair products, services, or technology;
814814 (2) effect a product recall;
815815 (3) identify and repair technical errors that impair
816816 existing or intended functionality; or
817817 (4) perform internal operations that:
818818 (A) are reasonably aligned with the expectations
819819 of the consumer;
820820 (B) are reasonably anticipated based on the
821821 consumer's existing relationship with the controller; or
822822 (C) are otherwise compatible with processing
823823 data in furtherance of the provision of a product or service
824824 specifically requested by a consumer or the performance of a
825825 contract to which the consumer is a party.
826826 (b) A requirement imposed on a controller or processor under
827827 this chapter does not apply if compliance with the requirement by
828828 the controller or processor, as applicable, would violate an
829829 evidentiary privilege under the laws of this state.
830830 Sec. 541.203. DISCLOSURE OF PERSONAL DATA TO THIRD-PARTY
831831 CONTROLLER OR PROCESSOR. (a) A controller or processor that
832832 discloses personal data to a third-party controller or processor,
833833 in compliance with the requirements of this chapter, does not
834834 violate this chapter if the third-party controller or processor
835835 that receives and processes that personal data is in violation of
836836 this chapter, provided that, at the time of the data's disclosure,
837837 the disclosing controller or processor did not have actual
838838 knowledge that the recipient intended to commit a violation.
839839 (b) A third-party controller or processor receiving
840840 personal data from a controller or processor in compliance with the
841841 requirements of this chapter does not violate this chapter for the
842842 transgressions of the controller or processor from which the
843843 third-party controller or processor receives the personal data.
844844 Sec. 541.204. PROCESSING OF CERTAIN PERSONAL DATA BY
845845 CONTROLLER OR OTHER PERSON. (a) Personal data processed by a
846846 controller under this subchapter may not be processed for any
847847 purpose other than a purpose listed in this subchapter unless
848848 otherwise allowed by this chapter. Personal data processed by a
849849 controller under this subchapter may be processed to the extent
850850 that the processing of the data is:
851851 (1) reasonably necessary and proportionate to the
852852 purposes listed in this subchapter; and
853853 (2) adequate, relevant, and limited to what is
854854 necessary in relation to the specific purposes listed in this
855855 subchapter.
856856 (b) Personal data collected, used, or retained under
857857 Section 541.202(a) must, where applicable, take into account the
858858 nature and purpose of such collection, use, or retention. The
859859 personal data described by this subsection is subject to reasonable
860860 administrative, technical, and physical measures to protect the
861861 confidentiality, integrity, and accessibility of the personal data
862862 and to reduce reasonably foreseeable risks of harm to consumers
863863 relating to the collection, use, or retention of personal data.
864864 (c) A controller that processes personal data under an
865865 exemption in this subchapter bears the burden of demonstrating that
866866 the processing of the personal data qualifies for the exemption and
867867 complies with the requirements of Subsections (a) and (b).
868868 (d) The processing of personal data by an entity for the
869869 purposes described by Section 541.201 does not solely make the
870870 entity a controller with respect to the processing of the data.
871871 Sec. 541.205. LOCAL PREEMPTION. This chapter supersedes
872872 and preempts any ordinance, resolution, rule, or other regulation
873873 adopted by a local political subdivision regarding the processing
874874 of personal data by a controller or processor.
875875 SECTION 2. (a) The Department of Information Resources,
876876 under the management of the chief privacy officer, shall review the
877877 implementation of the requirements of Chapter 541, Business &
878878 Commerce Code, as added by this Act.
879879 (b) Not later than March 1, 2024, the Department of
880880 Information Resources shall create an online portal available on
881881 the department's Internet website for members of the public to
882882 provide feedback and recommend changes to Chapter 541, Business &
883883 Commerce Code, as added by this Act. The online portal must remain
884884 open for receiving feedback from the public for at least 90 days.
885885 (c) Not later than January 1, 2025, the Department of
886886 Information Resources shall make available to the public a report
887887 detailing the status of the implementation of the requirements of
888888 Chapter 541, Business & Commerce Code, as added by this Act, and any
889889 recommendations to the legislature regarding changes to that law.
890890 (d) This section expires September 1, 2025.
891891 SECTION 3. The provisions of this Act are hereby declared
892892 severable, and if any provision of this Act or the application of
893893 such provision to any person or circumstance is declared invalid
894894 for any reason, such declaration shall not affect the validity of
895895 the remaining portions of this Act.
896896 SECTION 4. This Act takes effect September 1, 2023.