TX
Texas House Bill HB4

Texas 2023 - 88th Regular

Texas House Bill HB4 Compare Versions

OldNewDifferences
11 H.B. No. 4
22
33
44 AN ACT
55 relating to the regulation of the collection, use, processing, and
66 treatment of consumers' personal data by certain business entities;
77 imposing a civil penalty.
88 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
99 SECTION 1. This Act may be cited as the Texas Data Privacy
1010 and Security Act.
1111 SECTION 2. Title 11, Business & Commerce Code, is amended by
1212 adding Subtitle C to read as follows:
1313 SUBTITLE C. CONSUMER DATA PROTECTION
1414 CHAPTER 541. CONSUMER DATA PROTECTION
1515 SUBCHAPTER A. GENERAL PROVISIONS
1616 Sec. 541.001. DEFINITIONS. In this chapter, unless a
1717 different meaning is required by the context:
1818 (1) "Affiliate" means a legal entity that controls, is
1919 controlled by, or is under common control with another legal entity
2020 or shares common branding with another legal entity. For purposes
2121 of this subdivision, "control" or "controlled" means:
2222 (A) the ownership of, or power to vote, more than
2323 50 percent of the outstanding shares of any class of voting security
2424 of a company;
2525 (B) the control in any manner over the election
2626 of a majority of the directors or of individuals exercising similar
2727 functions; or
2828 (C) the power to exercise controlling influence
2929 over the management of a company.
3030 (2) "Authenticate" means to verify through reasonable
3131 means that the consumer who is entitled to exercise the consumer's
3232 rights under Subchapter B is the same consumer exercising those
3333 consumer rights with respect to the personal data at issue.
3434 (3) "Biometric data" means data generated by automatic
3535 measurements of an individual's biological characteristics. The
3636 term includes a fingerprint, voiceprint, eye retina or iris, or
3737 other unique biological pattern or characteristic that is used to
3838 identify a specific individual. The term does not include a
3939 physical or digital photograph or data generated from a physical or
4040 digital photograph, a video or audio recording or data generated
4141 from a video or audio recording, or information collected, used, or
4242 stored for health care treatment, payment, or operations under the
4343 Health Insurance Portability and Accountability Act of 1996 (42
4444 U.S.C. Section 1320d et seq.).
4545 (4) "Business associate" has the meaning assigned to
4646 the term by the Health Insurance Portability and Accountability Act
4747 of 1996 (42 U.S.C. Section 1320d et seq.).
4848 (5) "Child" means an individual younger than 13 years
4949 of age.
5050 (6) "Consent," when referring to a consumer, means a
5151 clear affirmative act signifying a consumer's freely given,
5252 specific, informed, and unambiguous agreement to process personal
5353 data relating to the consumer. The term includes a written
5454 statement, including a statement written by electronic means, or
5555 any other unambiguous affirmative action. The term does not
5656 include:
5757 (A) acceptance of a general or broad terms of use
5858 or similar document that contains descriptions of personal data
5959 processing along with other, unrelated information;
6060 (B) hovering over, muting, pausing, or closing a
6161 given piece of content; or
6262 (C) agreement obtained through the use of dark
6363 patterns.
6464 (7) "Consumer" means an individual who is a resident
6565 of this state acting only in an individual or household context. The
6666 term does not include an individual acting in a commercial or
6767 employment context.
6868 (8) "Controller" means an individual or other person
6969 that, alone or jointly with others, determines the purpose and
7070 means of processing personal data.
7171 (9) "Covered entity" has the meaning assigned to the
7272 term by the Health Insurance Portability and Accountability Act of
7373 1996 (42 U.S.C. Section 1320d et seq.).
7474 (10) "Dark pattern" means a user interface designed or
7575 manipulated with the effect of substantially subverting or
7676 impairing user autonomy, decision-making, or choice, and includes
7777 any practice the Federal Trade Commission refers to as a dark
7878 pattern.
7979 (11) "Decision that produces a legal or similarly
8080 significant effect concerning a consumer" means a decision made by
8181 the controller that results in the provision or denial by the
8282 controller of:
8383 (A) financial and lending services;
8484 (B) housing, insurance, or health care services;
8585 (C) education enrollment;
8686 (D) employment opportunities;
8787 (E) criminal justice; or
8888 (F) access to basic necessities, such as food and
8989 water.
9090 (12) "Deidentified data" means data that cannot
9191 reasonably be linked to an identified or identifiable individual,
9292 or a device linked to that individual.
9393 (13) "Health care provider" has the meaning assigned
9494 to the term by the Health Insurance Portability and Accountability
9595 Act of 1996 (42 U.S.C. Section 1320d et seq.).
9696 (14) "Health record" means any written, printed, or
9797 electronically recorded material maintained by a health care
9898 provider in the course of providing health care services to an
9999 individual that concerns the individual and the services provided.
100100 The term includes:
101101 (A) the substance of any communication made by an
102102 individual to a health care provider in confidence during or in
103103 connection with the provision of health care services; or
104104 (B) information otherwise acquired by the health
105105 care provider about an individual in confidence and in connection
106106 with health care services provided to the individual.
107107 (15) "Identified or identifiable individual" means a
108108 consumer who can be readily identified, directly or indirectly.
109109 (16) "Institution of higher education" means:
110110 (A) an institution of higher education as defined
111111 by Section 61.003, Education Code; or
112112 (B) a private or independent institution of
113113 higher education as defined by Section 61.003, Education Code.
114114 (17) "Known child" means a child under circumstances
115115 where a controller has actual knowledge of, or wilfully disregards,
116116 the child's age.
117117 (18) "Nonprofit organization" means:
118118 (A) a corporation organized under Chapters 20 and
119119 22, Business Organizations Code, and the provisions of Title 1,
120120 Business Organizations Code, to the extent applicable to nonprofit
121121 corporations;
122122 (B) an organization exempt from federal taxation
123123 under Section 501(a), Internal Revenue Code of 1986, by being
124124 listed as an exempt organization under Section 501(c)(3),
125125 501(c)(6), 501(c)(12), or 501(c)(19) of that code;
126126 (C) a political organization; or
127127 (D) an organization that:
128128 (i) is exempt from federal taxation under
129129 Section 501(a), Internal Revenue Code of 1986, by being listed as an
130130 exempt organization under Section 501(c)(4) of that code; and
131131 (ii) is described by Section 701.052(a),
132132 Insurance Code.
133133 (19) "Personal data" means any information, including
134134 sensitive data, that is linked or reasonably linkable to an
135135 identified or identifiable individual. The term includes
136136 pseudonymous data when the data is used by a controller or processor
137137 in conjunction with additional information that reasonably links
138138 the data to an identified or identifiable individual. The term does
139139 not include deidentified data or publicly available information.
140140 (20) "Political organization" means a party,
141141 committee, association, fund, or other organization, regardless of
142142 whether incorporated, that is organized and operated primarily for
143143 the purpose of influencing or attempting to influence:
144144 (A) the selection, nomination, election, or
145145 appointment of an individual to a federal, state, or local public
146146 office or an office in a political organization, regardless of
147147 whether the individual is selected, nominated, elected, or
148148 appointed; or
149149 (B) the election of a
150150 presidential/vice-presidential elector, regardless of whether the
151151 elector is selected, nominated, elected, or appointed.
152152 (21) "Precise geolocation data" means information
153153 derived from technology, including global positioning system level
154154 latitude and longitude coordinates or other mechanisms, that
155155 directly identifies the specific location of an individual with
156156 precision and accuracy within a radius of 1,750 feet. The term does
157157 not include the content of communications or any data generated by
158158 or connected to an advanced utility metering infrastructure system
159159 or to equipment for use by a utility.
160160 (22) "Process" or "processing" means an operation or
161161 set of operations performed, whether by manual or automated means,
162162 on personal data or on sets of personal data, such as the
163163 collection, use, storage, disclosure, analysis, deletion, or
164164 modification of personal data.
165165 (23) "Processor" means a person that processes
166166 personal data on behalf of a controller.
167167 (24) "Profiling" means any form of solely automated
168168 processing performed on personal data to evaluate, analyze, or
169169 predict personal aspects related to an identified or identifiable
170170 individual's economic situation, health, personal preferences,
171171 interests, reliability, behavior, location, or movements.
172172 (25) "Protected health information" has the meaning
173173 assigned to the term by the Health Insurance Portability and
174174 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
175175 (26) "Pseudonymous data" means any information that
176176 cannot be attributed to a specific individual without the use of
177177 additional information, provided that the additional information
178178 is kept separately and is subject to appropriate technical and
179179 organizational measures to ensure that the personal data is not
180180 attributed to an identified or identifiable individual.
181181 (27) "Publicly available information" means
182182 information that is lawfully made available through government
183183 records, or information that a business has a reasonable basis to
184184 believe is lawfully made available to the general public through
185185 widely distributed media, by a consumer, or by a person to whom a
186186 consumer has disclosed the information, unless the consumer has
187187 restricted the information to a specific audience.
188188 (28) "Sale of personal data" means the sharing,
189189 disclosing, or transferring of personal data for monetary or other
190190 valuable consideration by the controller to a third party. The term
191191 does not include:
192192 (A) the disclosure of personal data to a
193193 processor that processes the personal data on the controller's
194194 behalf;
195195 (B) the disclosure of personal data to a third
196196 party for purposes of providing a product or service requested by
197197 the consumer;
198198 (C) the disclosure or transfer of personal data
199199 to an affiliate of the controller;
200200 (D) the disclosure of information that the
201201 consumer:
202202 (i) intentionally made available to the
203203 general public through a mass media channel; and
204204 (ii) did not restrict to a specific
205205 audience; or
206206 (E) the disclosure or transfer of personal data
207207 to a third party as an asset that is part of a merger or acquisition.
208208 (29) "Sensitive data" means a category of personal
209209 data. The term includes:
210210 (A) personal data revealing racial or ethnic
211211 origin, religious beliefs, mental or physical health diagnosis,
212212 sexuality, or citizenship or immigration status;
213213 (B) genetic or biometric data that is processed
214214 for the purpose of uniquely identifying an individual;
215215 (C) personal data collected from a known child;
216216 or
217217 (D) precise geolocation data.
218218 (30) "State agency" means a department, commission,
219219 board, office, council, authority, or other agency in any branch of
220220 state government that is created by the constitution or a statute of
221221 this state, including a university system or institution of higher
222222 education as defined by Section 61.003, Education Code.
223223 (31) "Targeted advertising" means displaying to a
224224 consumer an advertisement that is selected based on personal data
225225 obtained from that consumer's activities over time and across
226226 nonaffiliated websites or online applications to predict the
227227 consumer's preferences or interests. The term does not include:
228228 (A) an advertisement that:
229229 (i) is based on activities within a
230230 controller's own websites or online applications;
231231 (ii) is based on the context of a consumer's
232232 current search query, visit to a website, or online application; or
233233 (iii) is directed to a consumer in response
234234 to the consumer's request for information or feedback; or
235235 (B) the processing of personal data solely for
236236 measuring or reporting advertising performance, reach, or
237237 frequency.
238238 (32) "Third party" means a person, other than the
239239 consumer, the controller, the processor, or an affiliate of the
240240 controller or processor.
241241 (33) "Trade secret" means all forms and types of
242242 information, including business, scientific, technical, economic,
243243 or engineering information, and any formula, design, prototype,
244244 pattern, plan, compilation, program device, program, code, device,
245245 method, technique, process, procedure, financial data, or list of
246246 actual or potential customers or suppliers, whether tangible or
247247 intangible and whether or how stored, compiled, or memorialized
248248 physically, electronically, graphically, photographically, or in
249249 writing if:
250250 (A) the owner of the trade secret has taken
251251 reasonable measures under the circumstances to keep the information
252252 secret; and
253253 (B) the information derives independent economic
254254 value, actual or potential, from not being generally known to, and
255255 not being readily ascertainable through proper means by, another
256256 person who can obtain economic value from the disclosure or use of
257257 the information.
258258 Sec. 541.002. APPLICABILITY OF CHAPTER. (a) This chapter
259259 applies only to a person that:
260260 (1) conducts business in this state or produces a
261261 product or service consumed by residents of this state;
262262 (2) processes or engages in the sale of personal data;
263263 and
264264 (3) is not a small business as defined by the United
265265 States Small Business Administration, except to the extent that
266266 Section 541.107 applies to a person described by this subdivision.
267267 (b) This chapter does not apply to:
268268 (1) a state agency or a political subdivision of this
269269 state;
270270 (2) a financial institution or data subject to Title
271271 V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
272272 (3) a covered entity or business associate governed by
273273 the privacy, security, and breach notification rules issued by the
274274 United States Department of Health and Human Services, 45 C.F.R.
275275 Parts 160 and 164, established under the Health Insurance
276276 Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d
277277 et seq.), and the Health Information Technology for Economic and
278278 Clinical Health Act (Division A, Title XIII, and Division B, Title
279279 IV, Pub. L. No. 111-5);
280280 (4) a nonprofit organization;
281281 (5) an institution of higher education; or
282282 (6) an electric utility, a power generation company,
283283 or a retail electric provider, as those terms are defined by Section
284284 31.002, Utilities Code.
285285 Sec. 541.003. CERTAIN INFORMATION EXEMPT FROM CHAPTER. The
286286 following information is exempt from this chapter:
287287 (1) protected health information under the Health
288288 Insurance Portability and Accountability Act of 1996 (42 U.S.C.
289289 Section 1320d et seq.);
290290 (2) health records;
291291 (3) patient identifying information for purposes of 42
292292 U.S.C. Section 290dd-2;
293293 (4) identifiable private information:
294294 (A) for purposes of the federal policy for the
295295 protection of human subjects under 45 C.F.R. Part 46;
296296 (B) collected as part of human subjects research
297297 under the good clinical practice guidelines issued by The
298298 International Council for Harmonisation of Technical Requirements
299299 for Pharmaceuticals for Human Use (ICH) or of the protection of
300300 human subjects under 21 C.F.R. Parts 50 and 56; or
301301 (C) that is personal data used or shared in
302302 research conducted in accordance with the requirements set forth in
303303 this chapter or other research conducted in accordance with
304304 applicable law;
305305 (5) information and documents created for purposes of
306306 the Health Care Quality Improvement Act of 1986 (42 U.S.C. Section
307307 11101 et seq.);
308308 (6) patient safety work product for purposes of the
309309 Patient Safety and Quality Improvement Act of 2005 (42 U.S.C.
310310 Section 299b-21 et seq.);
311311 (7) information derived from any of the health
312312 care-related information listed in this section that is
313313 deidentified in accordance with the requirements for
314314 deidentification under the Health Insurance Portability and
315315 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);
316316 (8) information originating from, and intermingled to
317317 be indistinguishable with, or information treated in the same
318318 manner as, information exempt under this section that is maintained
319319 by a covered entity or business associate as defined by the Health
320320 Insurance Portability and Accountability Act of 1996 (42 U.S.C.
321321 Section 1320d et seq.) or by a program or a qualified service
322322 organization as defined by 42 U.S.C. Section 290dd-2;
323323 (9) information that is included in a limited data set
324324 as described by 45 C.F.R. Section 164.514(e), to the extent that the
325325 information is used, disclosed, and maintained in the manner
326326 specified by 45 C.F.R. Section 164.514(e);
327327 (10) information collected or used only for public
328328 health activities and purposes as authorized by the Health
329329 Insurance Portability and Accountability Act of 1996 (42 U.S.C.
330330 Section 1320d et seq.);
331331 (11) the collection, maintenance, disclosure, sale,
332332 communication, or use of any personal information bearing on a
333333 consumer's creditworthiness, credit standing, credit capacity,
334334 character, general reputation, personal characteristics, or mode
335335 of living by a consumer reporting agency or furnisher that provides
336336 information for use in a consumer report, and by a user of a
337337 consumer report, but only to the extent that the activity is
338338 regulated by and authorized under the Fair Credit Reporting Act (15
339339 U.S.C. Section 1681 et seq.);
340340 (12) personal data collected, processed, sold, or
341341 disclosed in compliance with the Driver's Privacy Protection Act of
342342 1994 (18 U.S.C. Section 2721 et seq.);
343343 (13) personal data regulated by the Family Educational
344344 Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g);
345345 (14) personal data collected, processed, sold, or
346346 disclosed in compliance with the Farm Credit Act of 1971 (12 U.S.C.
347347 Section 2001 et seq.);
348348 (15) data processed or maintained in the course of an
349349 individual applying to, being employed by, or acting as an agent or
350350 independent contractor of a controller, processor, or third party,
351351 to the extent that the data is collected and used within the context
352352 of that role;
353353 (16) data processed or maintained as the emergency
354354 contact information of an individual under this chapter that is
355355 used for emergency contact purposes; or
356356 (17) data that is processed or maintained and is
357357 necessary to retain to administer benefits for another individual
358358 that relates to an individual described by Subdivision (15) and
359359 used for the purposes of administering those benefits.
360360 Sec. 541.004. INAPPLICABILITY OF CHAPTER. This chapter
361361 does not apply to the processing of personal data by a person in the
362362 course of a purely personal or household activity.
363363 Sec. 541.005. EFFECT OF COMPLIANCE WITH PARENTAL CONSENT
364364 REQUIREMENTS UNDER CERTAIN FEDERAL LAW. A controller or processor
365365 that complies with the verifiable parental consent requirements of
366366 the Children's Online Privacy Protection Act of 1998 (15 U.S.C.
367367 Section 6501 et seq.) with respect to data collected online is
368368 considered to be in compliance with any requirement to obtain
369369 parental consent under this chapter.
370370 SUBCHAPTER B. CONSUMER'S RIGHTS
371371 Sec. 541.051. CONSUMER'S PERSONAL DATA RIGHTS; REQUEST TO
372372 EXERCISE RIGHTS. (a) A consumer is entitled to exercise the
373373 consumer rights authorized by this section at any time by
374374 submitting a request to a controller specifying the consumer rights
375375 the consumer wishes to exercise. With respect to the processing of
376376 personal data belonging to a known child, a parent or legal guardian
377377 of the child may exercise the consumer rights on behalf of the
378378 child.
379379 (b) A controller shall comply with an authenticated
380380 consumer request to exercise the right to:
381381 (1) confirm whether a controller is processing the
382382 consumer's personal data and to access the personal data;
383383 (2) correct inaccuracies in the consumer's personal
384384 data, taking into account the nature of the personal data and the
385385 purposes of the processing of the consumer's personal data;
386386 (3) delete personal data provided by or obtained about
387387 the consumer;
388388 (4) if the data is available in a digital format,
389389 obtain a copy of the consumer's personal data that the consumer
390390 previously provided to the controller in a portable and, to the
391391 extent technically feasible, readily usable format that allows the
392392 consumer to transmit the data to another controller without
393393 hindrance; or
394394 (5) opt out of the processing of the personal data for
395395 purposes of:
396396 (A) targeted advertising;
397397 (B) the sale of personal data; or
398398 (C) profiling in furtherance of a decision that
399399 produces a legal or similarly significant effect concerning the
400400 consumer.
401401 Sec. 541.052. CONTROLLER RESPONSE TO CONSUMER REQUEST. (a)
402402 Except as otherwise provided by this chapter, a controller shall
403403 comply with a request submitted by a consumer to exercise the
404404 consumer's rights pursuant to Section 541.051 as provided by this
405405 section.
406406 (b) A controller shall respond to the consumer request
407407 without undue delay, which may not be later than the 45th day after
408408 the date of receipt of the request. The controller may extend the
409409 response period once by an additional 45 days when reasonably
410410 necessary, taking into account the complexity and number of the
411411 consumer's requests, so long as the controller informs the consumer
412412 of the extension within the initial 45-day response period,
413413 together with the reason for the extension.
414414 (c) If a controller declines to take action regarding the
415415 consumer's request, the controller shall inform the consumer
416416 without undue delay, which may not be later than the 45th day after
417417 the date of receipt of the request, of the justification for
418418 declining to take action and provide instructions on how to appeal
419419 the decision in accordance with Section 541.053.
420420 (d) A controller shall provide information in response to a
421421 consumer request free of charge, at least twice annually per
422422 consumer. If a request from a consumer is manifestly unfounded,
423423 excessive, or repetitive, the controller may charge the consumer a
424424 reasonable fee to cover the administrative costs of complying with
425425 the request or may decline to act on the request. The controller
426426 bears the burden of demonstrating for purposes of this subsection
427427 that a request is manifestly unfounded, excessive, or repetitive.
428428 (e) If a controller is unable to authenticate the request
429429 using commercially reasonable efforts, the controller is not
430430 required to comply with a consumer request submitted under Section
431431 541.051 and may request that the consumer provide additional
432432 information reasonably necessary to authenticate the consumer and
433433 the consumer's request.
434434 (f) A controller that has obtained personal data about a
435435 consumer from a source other than the consumer is considered in
436436 compliance with a consumer's request to delete that personal data
437437 pursuant to Section 541.051(b)(3) by:
438438 (1) retaining a record of the deletion request and the
439439 minimum data necessary for the purpose of ensuring the consumer's
440440 personal data remains deleted from the business's records and not
441441 using the retained data for any other purpose under this chapter; or
442442 (2) opting the consumer out of the processing of that
443443 personal data for any purpose other than a purpose that is exempt
444444 under the provisions of this chapter.
445445 Sec. 541.053. APPEAL. (a) A controller shall establish a
446446 process for a consumer to appeal the controller's refusal to take
447447 action on a request within a reasonable period of time after the
448448 consumer's receipt of the decision under Section 541.052(c).
449449 (b) The appeal process must be conspicuously available and
450450 similar to the process for initiating action to exercise consumer
451451 rights by submitting a request under Section 541.051.
452452 (c) A controller shall inform the consumer in writing of any
453453 action taken or not taken in response to an appeal under this
454454 section not later than the 60th day after the date of receipt of the
455455 appeal, including a written explanation of the reason or reasons
456456 for the decision.
457457 (d) If the controller denies an appeal, the controller shall
458458 provide the consumer with the online mechanism described by Section
459459 541.152 through which the consumer may contact the attorney general
460460 to submit a complaint.
461461 Sec. 541.054. WAIVER OR LIMITATION OF CONSUMER RIGHTS
462462 PROHIBITED. Any provision of a contract or agreement that waives or
463463 limits in any way a consumer right described by Sections 541.051,
464464 541.052, and 541.053 is contrary to public policy and is void and
465465 unenforceable.
466466 Sec. 541.055. METHODS FOR SUBMITTING CONSUMER REQUESTS.
467467 (a) A controller shall establish two or more secure and reliable
468468 methods to enable consumers to submit a request to exercise their
469469 consumer rights under this chapter. The methods must take into
470470 account:
471471 (1) the ways in which consumers normally interact with
472472 the controller;
473473 (2) the necessity for secure and reliable
474474 communications of those requests; and
475475 (3) the ability of the controller to authenticate the
476476 identity of the consumer making the request.
477477 (b) A controller may not require a consumer to create a new
478478 account to exercise the consumer's rights under this subchapter but
479479 may require a consumer to use an existing account.
480480 (c) Except as provided by Subsection (d), if the controller
481481 maintains an Internet website, the controller must provide a
482482 mechanism on the website for consumers to submit requests for
483483 information required to be disclosed under this chapter.
484484 (d) A controller that operates exclusively online and has a
485485 direct relationship with a consumer from whom the controller
486486 collects personal information is only required to provide an e-mail
487487 address for the submission of requests described by Subsection (c).
488488 (e) A consumer may designate another person to serve as the
489489 consumer's authorized agent and act on the consumer's behalf to opt
490490 out of the processing of the consumer's personal data under
491491 Sections 541.051(b)(5)(A) and (B). A consumer may designate an
492492 authorized agent using a technology, including a link to an
493493 Internet website, an Internet browser setting or extension, or a
494494 global setting on an electronic device, that allows the consumer to
495495 indicate the consumer's intent to opt out of the processing. A
496496 controller shall comply with an opt-out request received from an
497497 authorized agent under this subsection if the controller is able to
498498 verify, with commercially reasonable effort, the identity of the
499499 consumer and the authorized agent's authority to act on the
500500 consumer's behalf. A controller is not required to comply with an
501501 opt-out request received from an authorized agent under this
502502 subsection if:
503503 (1) the authorized agent does not communicate the
504504 request to the controller in a clear and unambiguous manner;
505505 (2) the controller is not able to verify, with
506506 commercially reasonable effort, that the consumer is a resident of
507507 this state;
508508 (3) the controller does not possess the ability to
509509 process the request; or
510510 (4) the controller does not process similar or
511511 identical requests the controller receives from consumers for the
512512 purpose of complying with similar or identical laws or regulations
513513 of another state.
514514 (f) A technology described by Subsection (e):
515515 (1) may not unfairly disadvantage another controller;
516516 (2) may not make use of a default setting, but must
517517 require the consumer to make an affirmative, freely given, and
518518 unambiguous choice to indicate the consumer's intent to opt out of
519519 any processing of a consumer's personal data; and
520520 (3) must be consumer-friendly and easy to use by the
521521 average consumer.
522522 SUBCHAPTER C. CONTROLLER AND PROCESSOR DATA-RELATED DUTIES AND
523523 PROHIBITIONS
524524 Sec. 541.101. CONTROLLER DUTIES; TRANSPARENCY. (a) A
525525 controller:
526526 (1) shall limit the collection of personal data to
527527 what is adequate, relevant, and reasonably necessary in relation to
528528 the purposes for which that personal data is processed, as
529529 disclosed to the consumer; and
530530 (2) for purposes of protecting the confidentiality,
531531 integrity, and accessibility of personal data, shall establish,
532532 implement, and maintain reasonable administrative, technical, and
533533 physical data security practices that are appropriate to the volume
534534 and nature of the personal data at issue.
535535 (b) A controller may not:
536536 (1) except as otherwise provided by this chapter,
537537 process personal data for a purpose that is neither reasonably
538538 necessary to nor compatible with the disclosed purpose for which
539539 the personal data is processed, as disclosed to the consumer,
540540 unless the controller obtains the consumer's consent;
541541 (2) process personal data in violation of state and
542542 federal laws that prohibit unlawful discrimination against
543543 consumers;
544544 (3) discriminate against a consumer for exercising any
545545 of the consumer rights contained in this chapter, including by
546546 denying goods or services, charging different prices or rates for
547547 goods or services, or providing a different level of quality of
548548 goods or services to the consumer; or
549549 (4) process the sensitive data of a consumer without
550550 obtaining the consumer's consent, or, in the case of processing the
551551 sensitive data of a known child, without processing that data in
552552 accordance with the Children's Online Privacy Protection Act of
553553 1998 (15 U.S.C. Section 6501 et seq.).
554554 (c) Subsection (b)(3) may not be construed to require a
555555 controller to provide a product or service that requires the
556556 personal data of a consumer that the controller does not collect or
557557 maintain or to prohibit a controller from offering a different
558558 price, rate, level, quality, or selection of goods or services to a
559559 consumer, including offering goods or services for no fee, if the
560560 consumer has exercised the consumer's right to opt out under
561561 Section 541.051 or the offer is related to a consumer's voluntary
562562 participation in a bona fide loyalty, rewards, premium features,
563563 discounts, or club card program.
564564 Sec. 541.102. PRIVACY NOTICE. (a) A controller shall
565565 provide consumers with a reasonably accessible and clear privacy
566566 notice that includes:
567567 (1) the categories of personal data processed by the
568568 controller, including, if applicable, any sensitive data processed
569569 by the controller;
570570 (2) the purpose for processing personal data;
571571 (3) how consumers may exercise their consumer rights
572572 under Subchapter B, including the process by which a consumer may
573573 appeal a controller's decision with regard to the consumer's
574574 request;
575575 (4) if applicable, the categories of personal data
576576 that the controller shares with third parties;
577577 (5) if applicable, the categories of third parties
578578 with whom the controller shares personal data; and
579579 (6) a description of the methods required under
580580 Section 541.055 through which consumers can submit requests to
581581 exercise their consumer rights under this chapter.
582582 (b) If a controller engages in the sale of personal data
583583 that is sensitive data, the controller shall include the following
584584 notice:
585585 "NOTICE: We may sell your sensitive personal data." The
586586 notice must be posted in the same location and in the same manner as
587587 the privacy notice described by Subsection (a).
588588 (c) If a controller engages in the sale of personal data
589589 that is biometric data, the controller shall include the following
590590 notice:
591591 "NOTICE: We may sell your biometric personal data." The
592592 notice must be posted in the same location and in the same manner as
593593 the privacy notice described by Subsection (a).
594594 Sec. 541.103. SALE OF DATA TO THIRD PARTIES AND PROCESSING
595595 DATA FOR TARGETED ADVERTISING; DISCLOSURE. If a controller sells
596596 personal data to third parties or processes personal data for
597597 targeted advertising, the controller shall clearly and
598598 conspicuously disclose that process and the manner in which a
599599 consumer may exercise the right to opt out of that process.
600600 Sec. 541.104. DUTIES OF PROCESSOR. (a) A processor shall
601601 adhere to the instructions of a controller and shall assist the
602602 controller in meeting or complying with the controller's duties or
603603 requirements under this chapter, including:
604604 (1) assisting the controller in responding to consumer
605605 rights requests submitted under Section 541.051 by using
606606 appropriate technical and organizational measures, as reasonably
607607 practicable, taking into account the nature of processing and the
608608 information available to the processor;
609609 (2) assisting the controller with regard to complying
610610 with the requirement relating to the security of processing
611611 personal data and to the notification of a breach of security of the
612612 processor's system under Chapter 521, taking into account the
613613 nature of processing and the information available to the
614614 processor; and
615615 (3) providing necessary information to enable the
616616 controller to conduct and document data protection assessments
617617 under Section 541.105.
618618 (b) A contract between a controller and a processor shall
619619 govern the processor's data processing procedures with respect to
620620 processing performed on behalf of the controller. The contract must
621621 include:
622622 (1) clear instructions for processing data;
623623 (2) the nature and purpose of processing;
624624 (3) the type of data subject to processing;
625625 (4) the duration of processing;
626626 (5) the rights and obligations of both parties; and
627627 (6) a requirement that the processor shall:
628628 (A) ensure that each person processing personal
629629 data is subject to a duty of confidentiality with respect to the
630630 data;
631631 (B) at the controller's direction, delete or
632632 return all personal data to the controller as requested after the
633633 provision of the service is completed, unless retention of the
634634 personal data is required by law;
635635 (C) make available to the controller, on
636636 reasonable request, all information in the processor's possession
637637 necessary to demonstrate the processor's compliance with the
638638 requirements of this chapter;
639639 (D) allow, and cooperate with, reasonable
640640 assessments by the controller or the controller's designated
641641 assessor; and
642642 (E) engage any subcontractor pursuant to a
643643 written contract that requires the subcontractor to meet the
644644 requirements of the processor with respect to the personal data.
645645 (c) Notwithstanding the requirement described by Subsection
646646 (b)(6)(D), a processor, in the alternative, may arrange for a
647647 qualified and independent assessor to conduct an assessment of the
648648 processor's policies and technical and organizational measures in
649649 support of the requirements under this chapter using an appropriate
650650 and accepted control standard or framework and assessment
651651 procedure. The processor shall provide a report of the assessment
652652 to the controller on request.
653653 (d) This section may not be construed to relieve a
654654 controller or a processor from the liabilities imposed on the
655655 controller or processor by virtue of its role in the processing
656656 relationship as described by this chapter.
657657 (e) A determination of whether a person is acting as a
658658 controller or processor with respect to a specific processing of
659659 data is a fact-based determination that depends on the context in
660660 which personal data is to be processed. A processor that continues
661661 to adhere to a controller's instructions with respect to a specific
662662 processing of personal data remains in the role of a processor.
663663 Sec. 541.105. DATA PROTECTION ASSESSMENTS. (a) A
664664 controller shall conduct and document a data protection assessment
665665 of each of the following processing activities involving personal
666666 data:
667667 (1) the processing of personal data for purposes of
668668 targeted advertising;
669669 (2) the sale of personal data;
670670 (3) the processing of personal data for purposes of
671671 profiling, if the profiling presents a reasonably foreseeable risk
672672 of:
673673 (A) unfair or deceptive treatment of or unlawful
674674 disparate impact on consumers;
675675 (B) financial, physical, or reputational injury
676676 to consumers;
677677 (C) a physical or other intrusion on the solitude
678678 or seclusion, or the private affairs or concerns, of consumers, if
679679 the intrusion would be offensive to a reasonable person; or
680680 (D) other substantial injury to consumers;
681681 (4) the processing of sensitive data; and
682682 (5) any processing activities involving personal data
683683 that present a heightened risk of harm to consumers.
684684 (b) A data protection assessment conducted under Subsection
685685 (a) must:
686686 (1) identify and weigh the direct or indirect benefits
687687 that may flow from the processing to the controller, the consumer,
688688 other stakeholders, and the public, against the potential risks to
689689 the rights of the consumer associated with that processing, as
690690 mitigated by safeguards that can be employed by the controller to
691691 reduce the risks; and
692692 (2) factor into the assessment:
693693 (A) the use of deidentified data;
694694 (B) the reasonable expectations of consumers;
695695 (C) the context of the processing; and
696696 (D) the relationship between the controller and
697697 the consumer whose personal data will be processed.
698698 (c) A controller shall make a data protection assessment
699699 requested under Section 541.153(b) available to the attorney
700700 general pursuant to a civil investigative demand under Section
701701 541.153.
702702 (d) A data protection assessment is confidential and exempt
703703 from public inspection and copying under Chapter 552, Government
704704 Code. Disclosure of a data protection assessment in compliance with
705705 a request from the attorney general does not constitute a waiver of
706706 attorney-client privilege or work product protection with respect
707707 to the assessment and any information contained in the assessment.
708708 (e) A single data protection assessment may address a
709709 comparable set of processing operations that include similar
710710 activities.
711711 (f) A data protection assessment conducted by a controller
712712 for the purpose of compliance with other laws or regulations may
713713 constitute compliance with the requirements of this section if the
714714 assessment has a reasonably comparable scope and effect.
715715 Sec. 541.106. DEIDENTIFIED OR PSEUDONYMOUS DATA. (a) A
716716 controller in possession of deidentified data shall:
717717 (1) take reasonable measures to ensure that the data
718718 cannot be associated with an individual;
719719 (2) publicly commit to maintaining and using
720720 deidentified data without attempting to reidentify the data; and
721721 (3) contractually obligate any recipient of the
722722 deidentified data to comply with the provisions of this chapter.
723723 (b) This chapter may not be construed to require a
724724 controller or processor to:
725725 (1) reidentify deidentified data or pseudonymous
726726 data;
727727 (2) maintain data in identifiable form or obtain,
728728 retain, or access any data or technology for the purpose of allowing
729729 the controller or processor to associate a consumer request with
730730 personal data; or
731731 (3) comply with an authenticated consumer rights
732732 request under Section 541.051, if the controller:
733733 (A) is not reasonably capable of associating the
734734 request with the personal data or it would be unreasonably
735735 burdensome for the controller to associate the request with the
736736 personal data;
737737 (B) does not use the personal data to recognize
738738 or respond to the specific consumer who is the subject of the
739739 personal data or associate the personal data with other personal
740740 data about the same specific consumer; and
741741 (C) does not sell the personal data to any third
742742 party or otherwise voluntarily disclose the personal data to any
743743 third party other than a processor, except as otherwise permitted
744744 by this section.
745745 (c) The consumer rights under Sections 541.051(b)(1)-(4)
746746 and controller duties under Section 541.101 do not apply to
747747 pseudonymous data in cases in which the controller is able to
748748 demonstrate any information necessary to identify the consumer is
749749 kept separately and is subject to effective technical and
750750 organizational controls that prevent the controller from accessing
751751 the information.
752752 (d) A controller that discloses pseudonymous data or
753753 deidentified data shall exercise reasonable oversight to monitor
754754 compliance with any contractual commitments to which the
755755 pseudonymous data or deidentified data is subject and shall take
756756 appropriate steps to address any breach of the contractual
757757 commitments.
758758 Sec. 541.107. REQUIREMENTS FOR SMALL BUSINESSES. (a) A
759759 person described by Section 541.002(a)(3) may not engage in the
760760 sale of personal data that is sensitive data without receiving
761761 prior consent from the consumer.
762762 (b) A person who violates this section is subject to the
763763 penalty under Section 541.155.
764764 SUBCHAPTER D. ENFORCEMENT
765765 Sec. 541.151. ENFORCEMENT AUTHORITY EXCLUSIVE. The
766766 attorney general has exclusive authority to enforce this chapter.
767767 Sec. 541.152. INTERNET WEBSITE AND COMPLAINT MECHANISM.
768768 The attorney general shall post on the attorney general's Internet
769769 website:
770770 (1) information relating to:
771771 (A) the responsibilities of a controller under
772772 Subchapters B and C;
773773 (B) the responsibilities of a processor under
774774 Subchapter C; and
775775 (C) a consumer's rights under Subchapter B; and
776776 (2) an online mechanism through which a consumer may
777777 submit a complaint under this chapter to the attorney general.
778778 Sec. 541.153. INVESTIGATIVE AUTHORITY. (a) If the
779779 attorney general has reasonable cause to believe that a person has
780780 engaged in or is engaging in a violation of this chapter, the
781781 attorney general may issue a civil investigative demand. The
782782 procedures established for the issuance of a civil investigative
783783 demand under Section 15.10 apply to the same extent and manner to
784784 the issuance of a civil investigative demand under this section.
785785 (b) The attorney general may request, pursuant to a civil
786786 investigative demand issued under Subsection (a), that a controller
787787 disclose any data protection assessment that is relevant to an
788788 investigation conducted by the attorney general. The attorney
789789 general may evaluate the data protection assessment for compliance
790790 with the requirements set forth in Sections 541.101, 541.102, and
791791 541.103.
792792 Sec. 541.154. NOTICE OF VIOLATION OF CHAPTER; OPPORTUNITY
793793 TO CURE. Before bringing an action under Section 541.155, the
794794 attorney general shall notify a person in writing, not later than
795795 the 30th day before bringing the action, identifying the specific
796796 provisions of this chapter the attorney general alleges have been
797797 or are being violated. The attorney general may not bring an action
798798 against the person if:
799799 (1) within the 30-day period, the person cures the
800800 identified violation; and
801801 (2) the person provides the attorney general a written
802802 statement that the person:
803803 (A) cured the alleged violation;
804804 (B) notified the consumer that the consumer's
805805 privacy violation was addressed, if the consumer's contact
806806 information has been made available to the person;
807807 (C) provided supportive documentation to show
808808 how the privacy violation was cured; and
809809 (D) made changes to internal policies, if
810810 necessary, to ensure that no such further violations will occur.
811811 Sec. 541.155. CIVIL PENALTY; INJUNCTION. (a) A person who
812812 violates this chapter following the cure period described by
813813 Section 541.154 or who breaches a written statement provided to the
814814 attorney general under that section is liable for a civil penalty in
815815 an amount not to exceed $7,500 for each violation.
816816 (b) The attorney general may bring an action in the name of
817817 this state to:
818818 (1) recover a civil penalty under this section;
819819 (2) restrain or enjoin the person from violating this
820820 chapter; or
821821 (3) recover the civil penalty and seek injunctive
822822 relief.
823823 (c) The attorney general may recover reasonable attorney's
824824 fees and other reasonable expenses incurred in investigating and
825825 bringing an action under this section.
826826 (d) The attorney general shall deposit a civil penalty
827827 collected under this section in accordance with Section 402.007,
828828 Government Code.
829829 Sec. 541.156. NO PRIVATE RIGHT OF ACTION. This chapter may
830830 not be construed as providing a basis for, or being subject to, a
831831 private right of action for a violation of this chapter or any other
832832 law.
833833 SUBCHAPTER E. CONSTRUCTION OF CHAPTER; EXEMPTIONS FOR CERTAIN USES
834834 OF CONSUMER PERSONAL DATA
835835 Sec. 541.201. CONSTRUCTION OF CHAPTER. (a) This chapter
836836 may not be construed to restrict a controller's or processor's
837837 ability to:
838838 (1) comply with federal, state, or local laws, rules,
839839 or regulations;
840840 (2) comply with a civil, criminal, or regulatory
841841 inquiry, investigation, subpoena, or summons by federal, state,
842842 local, or other governmental authorities;
843843 (3) investigate, establish, exercise, prepare for, or
844844 defend legal claims;
845845 (4) provide a product or service specifically
846846 requested by a consumer or the parent or guardian of a child,
847847 perform a contract to which the consumer is a party, including
848848 fulfilling the terms of a written warranty, or take steps at the
849849 request of the consumer before entering into a contract;
850850 (5) take immediate steps to protect an interest that
851851 is essential for the life or physical safety of the consumer or of
852852 another individual and in which the processing cannot be manifestly
853853 based on another legal basis;
854854 (6) prevent, detect, protect against, or respond to
855855 security incidents, identity theft, fraud, harassment, malicious
856856 or deceptive activities, or any illegal activity;
857857 (7) preserve the integrity or security of systems or
858858 investigate, report, or prosecute those responsible for breaches of
859859 system security;
860860 (8) engage in public or peer-reviewed scientific or
861861 statistical research in the public interest that adheres to all
862862 other applicable ethics and privacy laws and is approved,
863863 monitored, and governed by an institutional review board or similar
864864 independent oversight entity that determines:
865865 (A) if the deletion of the information is likely
866866 to provide substantial benefits that do not exclusively accrue to
867867 the controller;
868868 (B) whether the expected benefits of the research
869869 outweigh the privacy risks; and
870870 (C) if the controller has implemented reasonable
871871 safeguards to mitigate privacy risks associated with research,
872872 including any risks associated with reidentification; or
873873 (9) assist another controller, processor, or third
874874 party with any of the requirements under this subsection.
875875 (b) This chapter may not be construed to prevent a
876876 controller or processor from providing personal data concerning a
877877 consumer to a person covered by an evidentiary privilege under the
878878 laws of this state as part of a privileged communication.
879879 (c) This chapter may not be construed as imposing a
880880 requirement on controllers and processors that adversely affects
881881 the rights or freedoms of any person, including the right of free
882882 speech.
883883 (d) This chapter may not be construed as requiring a
884884 controller, processor, third party, or consumer to disclose a trade
885885 secret.
886886 Sec. 541.202. COLLECTION, USE, OR RETENTION OF DATA FOR
887887 CERTAIN PURPOSES. (a) The requirements imposed on controllers and
888888 processors under this chapter may not restrict a controller's or
889889 processor's ability to collect, use, or retain data to:
890890 (1) conduct internal research to develop, improve, or
891891 repair products, services, or technology;
892892 (2) effect a product recall;
893893 (3) identify and repair technical errors that impair
894894 existing or intended functionality; or
895895 (4) perform internal operations that:
896896 (A) are reasonably aligned with the expectations
897897 of the consumer;
898898 (B) are reasonably anticipated based on the
899899 consumer's existing relationship with the controller; or
900900 (C) are otherwise compatible with processing
901901 data in furtherance of the provision of a product or service
902902 specifically requested by a consumer or the performance of a
903903 contract to which the consumer is a party.
904904 (b) A requirement imposed on a controller or processor under
905905 this chapter does not apply if compliance with the requirement by
906906 the controller or processor, as applicable, would violate an
907907 evidentiary privilege under the laws of this state.
908908 Sec. 541.203. DISCLOSURE OF PERSONAL DATA TO THIRD-PARTY
909909 CONTROLLER OR PROCESSOR. (a) A controller or processor that
910910 discloses personal data to a third-party controller or processor,
911911 in compliance with the requirements of this chapter, does not
912912 violate this chapter if the third-party controller or processor
913913 that receives and processes that personal data is in violation of
914914 this chapter, provided that, at the time of the data's disclosure,
915915 the disclosing controller or processor did not have actual
916916 knowledge that the recipient intended to commit a violation.
917917 (b) A third-party controller or processor receiving
918918 personal data from a controller or processor in compliance with the
919919 requirements of this chapter does not violate this chapter for the
920920 transgressions of the controller or processor from which the
921921 third-party controller or processor receives the personal data.
922922 Sec. 541.204. PROCESSING OF CERTAIN PERSONAL DATA BY
923923 CONTROLLER OR OTHER PERSON. (a) Personal data processed by a
924924 controller under this subchapter may not be processed for any
925925 purpose other than a purpose listed in this subchapter unless
926926 otherwise allowed by this chapter. Personal data processed by a
927927 controller under this subchapter may be processed to the extent
928928 that the processing of the data is:
929929 (1) reasonably necessary and proportionate to the
930930 purposes listed in this subchapter; and
931931 (2) adequate, relevant, and limited to what is
932932 necessary in relation to the specific purposes listed in this
933933 subchapter.
934934 (b) Personal data collected, used, or retained under
935935 Section 541.202(a) must, where applicable, take into account the
936936 nature and purpose of such collection, use, or retention. The
937937 personal data described by this subsection is subject to reasonable
938938 administrative, technical, and physical measures to protect the
939939 confidentiality, integrity, and accessibility of the personal data
940940 and to reduce reasonably foreseeable risks of harm to consumers
941941 relating to the collection, use, or retention of personal data.
942942 (c) A controller that processes personal data under an
943943 exemption in this subchapter bears the burden of demonstrating that
944944 the processing of the personal data qualifies for the exemption and
945945 complies with the requirements of Subsections (a) and (b).
946946 (d) The processing of personal data by an entity for the
947947 purposes described by Section 541.201 does not solely make the
948948 entity a controller with respect to the processing of the data.
949949 Sec. 541.205. LOCAL PREEMPTION. This chapter supersedes
950950 and preempts any ordinance, resolution, rule, or other regulation
951951 adopted by a political subdivision regarding the processing of
952952 personal data by a controller or processor.
953953 SECTION 3. (a) The Department of Information Resources,
954954 under the management of the chief privacy officer, shall review the
955955 implementation of the requirements of Chapter 541, Business &
956956 Commerce Code, as added by this Act.
957957 (b) Not later than September 1, 2024, the Department of
958958 Information Resources shall create an online portal available on
959959 the department's Internet website for members of the public to
960960 provide feedback and recommend changes to Chapter 541, Business &
961961 Commerce Code, as added by this Act. The online portal must remain
962962 open for receiving feedback from the public for at least 90 days.
963963 (c) Not later than January 1, 2025, the Department of
964964 Information Resources shall make available to the public a report
965965 detailing the status of the implementation of the requirements of
966966 Chapter 541, Business & Commerce Code, as added by this Act, and any
967967 recommendations to the legislature regarding changes to that law.
968968 (d) This section expires September 1, 2025.
969969 SECTION 4. Data protection assessments required to be
970970 conducted under Section 541.105, Business & Commerce Code, as added
971971 by this Act, apply only to processing activities generated after
972972 the effective date of this Act and are not retroactive.
973973 SECTION 5. Not later than July 1, 2024, the attorney general
974974 shall post the information and online mechanism required by Section
975975 541.152, Business & Commerce Code, as added by this Act.
976976 SECTION 6. The provisions of this Act are hereby declared
977977 severable, and if any provision of this Act or the application of
978978 such provision to any person or circumstance is declared invalid
979979 for any reason, such declaration shall not affect the validity of
980980 the remaining portions of this Act.
981981 SECTION 7. (a) Except as provided by Subsection (b) of this
982982 section, this Act takes effect July 1, 2024.
983983 (b) Section 541.055(e), Business & Commerce Code, as added
984984 by this Act, takes effect January 1, 2025.
985985 ______________________________ ______________________________
986986 President of the Senate Speaker of the House
987987 I certify that H.B. No. 4 was passed by the House on April 5,
988988 2023, by the following vote: Yeas 146, Nays 0, 1 present, not
989989 voting; that the House refused to concur in Senate amendments to
990990 H.B. No. 4 on May 15, 2023, and requested the appointment of a
991991 conference committee to consider the differences between the two
992992 houses; and that the House adopted the conference committee report
993993 on H.B. No. 4 on May 28, 2023, by the following vote: Yeas 144,
994994 Nays 0, 1 present, not voting.
995995 ______________________________
996996 Chief Clerk of the House
997997 I certify that H.B. No. 4 was passed by the Senate, with
998998 amendments, on May 10, 2023, by the following vote: Yeas 30, Nays
999999 0; at the request of the House, the Senate appointed a conference
10001000 committee to consider the differences between the two houses; and
10011001 that the Senate adopted the conference committee report on H.B. No.
10021002 4 on May 27, 2023, by the following vote: Yeas 31, Nays 0.
10031003 ______________________________
10041004 Secretary of the Senate
10051005 APPROVED: __________________
10061006 Date
10071007 __________________
10081008 Governor