Texas 2023 - 88th Regular

Texas House Bill HB4917 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New	Differences
1	1	88R9015 JES-F
2	2	By: Holland H.B. No. 4917
3	3
4	4
5	5	A BILL TO BE ENTITLED
6	6	AN ACT
7	7	relating to the regulation of third-party data collection entities;
8	8	providing a civil penalty and authorizing a fee.
9	9	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
10	10	SECTION 1. Subtitle A, Title 11, Business & Commerce Code,
11	11	is amended by adding Chapter 509 to read as follows:
12	12	CHAPTER 509. THIRD-PARTY DATA COLLECTION
13	13	Sec. 509.001. DEFINITIONS. In this chapter:
14	14	(1) "Biometric identifier" has the meaning assigned by
15	15	Section 503.001.
16	16	(2) "Child" means an individual younger than 18 years
17	17	of age.
18	18	(3) "Collect," in the context of data, means to
19	19	obtain, receive, access, or otherwise acquire the data by any
20	20	means, including by purchasing or renting the data.
21	21	(4) "Covered data" means personal identifying
22	22	information to which this chapter applies as provided by Section
23	23	509.002.
24	24	(5) "Deidentified data" means information that does
25	25	not identify and is not linked or cannot reasonably be linked to an
26	26	individual or to a device linked to that individual, regardless of
27	27	whether the information is aggregated.
28	28	(6) "Employee" includes an individual who is a
29	29	director, officer, staff member, trainee, volunteer, or intern of
30	30	an employer or an individual working as an independent contractor
31	31	for an employer, regardless of whether the individual is paid,
32	32	unpaid, or employed on a temporary basis. The term does not include
33	33	an individual contractor who is a service provider.
34	34	(7) "Employee data" means information collected,
35	35	processed, or transferred by an employer if the information:
36	36	(A) is related to:
37	37	(i) a job applicant and was collected
38	38	during the course of the hiring and application process;
39	39	(ii) an employee who is acting in a
40	40	professional capacity for the employer, including the employee's
41	41	business contact information such as the employee's name, position,
42	42	title, business telephone number, business address, or business
43	43	e-mail address;
44	44	(iii) an employee's emergency contact
45	45	information; or
46	46	(iv) an employee or the employee's spouse,
47	47	dependent, covered family member, or beneficiary; and
48	48	(B) was collected, processed, or transferred
49	49	solely for:
50	50	(i) a purpose relating to the status of a
51	51	person described by Paragraph (A)(i) as a current or former job
52	52	applicant of the employer;
53	53	(ii) a purpose relating to the professional
54	54	activities of an employee described by Paragraph (A)(ii) on behalf
55	55	of the employer;
56	56	(iii) the purpose of having an emergency
57	57	contact on file for an employee described by Paragraph (A)(iii) and
58	58	for transferring the information in case of an emergency; and
59	59	(iv) the purpose of administering benefits
60	60	to which an employee described by Paragraph (A)(iv) is entitled or
61	61	to which another person described by that paragraph is entitled on
62	62	the basis of the employee's position with the employer.
63	63	(8) "Genetic data" means any data, regardless of
64	64	format, concerning an individual's genetic characteristics. The
65	65	term includes:
66	66	(A) raw sequence data derived from sequencing all
67	67	or a portion of an individual's extracted DNA; and
68	68	(B) genotypic and phenotypic information
69	69	obtained from analyzing an individual's raw sequence data.
70	70	(9) "Personal identifying information" has the
71	71	meaning assigned by Section 521.002.
72	72	(10) "Precise geolocation data" means information
73	73	accessed on a device or technology that shows the past or present
74	74	physical location of an individual or the individual's device with
75	75	sufficient precision to identify street-level location information
76	76	of the individual or device in a range of not more than 1,850 feet.
77	77	The term does not include location information regarding an
78	78	individual or device identifiable or derived solely from the visual
79	79	content of a legally obtained image, including the location of a
80	80	device that captured the image.
81	81	(11) "Process," in the context of data, means to
82	82	conduct or direct any operation or set of operations performed on
83	83	the data, including using, storing, or otherwise handling the data.
84	84	(12) "Publicly available information" means
85	85	information:
86	86	(A) that a business entity or service provider
87	87	reasonably believes is lawfully available to the general public:
88	88	(i) from a governmental record, unless use
89	89	of the information by the business entity violates the governmental
90	90	entity's restriction or terms of use for that information;
91	91	(ii) from widely distributed media,
92	92	including information from:
93	93	(a) a telephone book or online
94	94	directory;
95	95	(b) a television, Internet, or radio
96	96	program;
97	97	(c) the news media; or
98	98	(d) a generally available Internet
99	99	website or online service on which the relevant information has not
100	100	been restricted to a specific audience;
101	101	(iii) from a disclosure as required by law;
102	102	or
103	103	(iv) by visual observation in a public
104	104	place, other than data collected by a device in the individual's
105	105	possession; and
106	106	(B) that is not:
107	107	(i) an obscene visual depiction under 18
108	108	U.S.C. Section 1460;
109	109	(ii) an inference:
110	110	(a) made exclusively from multiple
111	111	independent sources of publicly available information; and
112	112	(b) that does not disclose an
113	113	individual's sensitive information;
114	114	(iii) a biometric identifier;
115	115	(iv) combined with personal identifying
116	116	information;
117	117	(v) genetic information not disclosed by
118	118	the individual in a manner provided by Paragraph (A); or
119	119	(vi) a nonconsensual intimate image, if
120	120	known to be nonconsensual.
121	121	(13) "Sensitive covered data" means:
122	122	(A) a government-issued identifier not required
123	123	by law to be available publicly, including:
124	124	(i) a social security number;
125	125	(ii) a passport number; or
126	126	(iii) a driver's license number;
127	127	(B) information that describes or reveals an
128	128	individual's mental or physical health diagnosis, condition, or
129	129	treatment;
130	130	(C) an individual's financial information,
131	131	except the last four digits of a debit or credit card number,
132	132	including:
133	133	(i) a financial account number;
134	134	(ii) a credit or debit card number; or
135	135	(iii) information that describes or reveals
136	136	the income level or bank account balances of the individual;
137	137	(D) a biometric identifier;
138	138	(E) genetic data;
139	139	(F) precise geolocation data;
140	140	(G) an individual's private communication that:
141	141	(i) if made using a device, is not made
142	142	using a device provided by the individual's employer that provides
143	143	conspicuous notice to the individual that the employer may access
144	144	communication made using the device; and
145	145	(ii) includes, unless the third-party data
146	146	collection entity is the sender or an intended recipient of the
147	147	communication:
148	148	(a) the individual's voicemails,
149	149	e-mails, texts, direct messages, or mail;
150	150	(b) information that identifies the
151	151	parties involved in the communications; and
152	152	(c) information that relates to the
153	153	transmission of the communications, including telephone numbers
154	154	called, telephone numbers from which calls were placed, the time
155	155	calls were made, call duration, and location information of the
156	156	parties to the call;
157	157	(H) a log-in credential, security code, or access
158	158	code for an account or device;
159	159	(I) information identifying the sexual behavior
160	160	of the individual in a manner inconsistent with the individual's
161	161	reasonable expectation regarding the collection, processing, or
162	162	transfer of the information;
163	163	(J) calendar information, address book
164	164	information, phone or text logs, photos, audio recordings, or
165	165	videos:
166	166	(i) maintained for private use by an
167	167	individual and stored on the individual's device or in another
168	168	location; and
169	169	(ii) not communicated using a device
170	170	provided by the individual's employer unless the employee was
171	171	provided conspicuous notice that the employer may access
172	172	communication made using the device;
173	173	(K) a photograph, film, video recording, or other
174	174	similar medium that shows the individual or a part of the individual
175	175	nude or wearing undergarments;
176	176	(L) information revealing the video content
177	177	requested or selected by an individual that is not:
178	178	(i) collected by a provider of broadcast
179	179	television service, cable service, satellite service, streaming
180	180	media service, or other video programming, as that term is defined
181	181	by 47 U.S.C. Section 613(h)(2); or
182	182	(ii) used solely for transfers for
183	183	independent video measurement;
184	184	(M) information regarding a known child;
185	185	(N) information revealing an individual's racial
186	186	or ethnic origin, color, religious beliefs, or union membership;
187	187	(O) information identifying an individual's
188	188	online activities over time accessing multiple Internet websites or
189	189	online services; or
190	190	(P) information collected, processed, or
191	191	transferred for the purpose of identifying information described by
192	192	this subdivision.
193	193	(14) "Service provider" means a person that receives,
194	194	collects, processes, or transfers personal identifying information
195	195	on behalf of, and at the direction of, a business or governmental
196	196	entity, including a business or governmental entity that is another
197	197	service provider, in order for the person to perform a service or
198	198	function with or on behalf of the business or governmental entity.
199	199	(15) "Third-party data collection entity" means a
200	200	business entity that collects, processes, or transfers covered data
201	201	that the entity did not collect directly from the individual linked
202	202	or linkable to the data.
203	203	(16) "Transfer," in the context of data, means to
204	204	disclose, release, share, disseminate, make available, or license
205	205	the data by any means or medium.
206	206	Sec. 509.002. APPLICABILITY TO CERTAIN DATA. (a) Except as
207	207	provided by Subsection (b), this chapter applies to personal
208	208	identifying information from an individual who resides in this
209	209	state that is collected, transferred, or processed by a third-party
210	210	data collection entity.
211	211	(b) This chapter does not apply to the following data:
212	212	(1) deidentified data, if the third-party data
213	213	collection entity:
214	214	(A) takes reasonable technical measures to
215	215	ensure that the data is not able to be used to identify an
216	216	individual with whom the data is associated;
217	217	(B) publicly commits in a clear and conspicuous
218	218	manner:
219	219	(i) to process and transfer the data solely
220	220	in a deidentified form without any reasonable means for
221	221	reidentification; and
222	222	(ii) to not attempt to identify the
223	223	information to an individual with whom the data is associated; and
224	224	(C) contractually obligates a person that
225	225	receives the information from the provider:
226	226	(i) to comply with this subsection with
227	227	respect to the information; and
228	228	(ii) to require that those contractual
229	229	obligations be included in any subsequent transfer of the data to
230	230	another person;
231	231	(2) employee data;
232	232	(3) publicly available information; or
233	233	(4) inferences made exclusively from multiple
234	234	independent sources of publicly available information that do not
235	235	reveal sensitive covered data with respect to an individual.
236	236	Sec. 509.003. APPLICABILITY OF CHAPTER TO CERTAIN BUSINESS
237	237	ENTITIES. (a) Except as provided by Subsection (b), this chapter
238	238	applies to a third-party data collection entity, which is a
239	239	business entity that, in a 12-month period, derives:
240	240	(1) more than 50 percent of the entity's revenue from
241	241	processing or transferring covered data that the entity did not
242	242	collect directly from the individuals to whom the data pertains; or
243	243	(2) revenue from processing or transferring the
244	244	covered data of more than 50,000 individuals that the entity did not
245	245	collect directly from the individuals to whom the data pertains.
246	246	(b) This chapter does not apply to:
247	247	(1) a business entity that:
248	248	(A) is engaging in the business of processing
249	249	employee data for a third party for the sole purpose of providing
250	250	benefits to the third party's employees; or
251	251	(B) is collecting covered data from another
252	252	entity to which the entity is related by common ownership or
253	253	corporate control if a reasonable consumer would expect the
254	254	entities to share the relevant data;
255	255	(2) a business entity that is a service provider with
256	256	respect to the entity's use of covered data;
257	257	(3) a governmental entity or an entity that is
258	258	collecting, processing, or transferring covered data as a service
259	259	provider for a governmental entity; or
260	260	(4) an entity that serves as a congressionally
261	261	designated nonprofit, national resource center, or clearinghouse
262	262	to provide assistance to victims, families, child-serving
263	263	professionals, and the general public on missing and exploited
264	264	children issues.
265	265	Sec. 509.004. NOTICE ON WEBSITE OR MOBILE APPLICATION. A
266	266	third-party data collection entity that maintains an Internet
267	267	website or mobile application shall post a conspicuous notice on
268	268	the website or application that:
269	269	(1) states that the entity maintaining the website or
270	270	application is a third-party data collection entity;
271	271	(2) must be clear, not misleading, and be readily
272	272	accessible by the general public, including individuals with a
273	273	disability;
274	274	(3) contains language provided by rule of the
275	275	secretary of state for inclusion in the notice; and
276	276	(4) provides a link to the "do not collect" online
277	277	registry established under Section 509.006.
278	278	Sec. 509.005. REGISTRATION. (a) To conduct business in
279	279	this state, a third-party data collection entity to which this
280	280	chapter applies that collects, processes, or transfers the covered
281	281	date of individuals residing in this state shall register with the
282	282	secretary of state by filing a registration statement and paying a
283	283	registration fee of $300.
284	284	(b) The registration statement must include:
285	285	(1) the legal name of the third-party data collection
286	286	entity;
287	287	(2) a contact person and the primary physical address,
288	288	e-mail address, telephone number, and Internet website address for
289	289	the entity;
290	290	(3) a description of the categories of data the entity
291	291	processes and transfers;
292	292	(4) a statement of whether or not the entity
293	293	implements a purchaser credentialing process that includes taking
294	294	reasonable steps to confirm that:
295	295	(A) the actual identity of the entity's customer
296	296	and the customer's use of the data matches the identity and intended
297	297	use provided to the entity by the customer; and
298	298	(B) the entity's customers will not use the data
299	299	for a nefarious purpose;
300	300	(5) if the entity has actual knowledge that the entity
301	301	possesses personal identifying information of a child:
302	302	(A) a statement detailing the data collection
303	303	practices, databases, sales activities, and opt-out policies that
304	304	are applicable to the personal identifying information of a child;
305	305	and
306	306	(B) a statement on how the entity complies with
307	307	applicable federal and state law regarding the collection, use, or
308	308	disclosure of personal identifying information from and about a
309	309	child on the Internet;
310	310	(6) the number of security breaches the entity has
311	311	experienced during the year immediately preceding the year in which
312	312	the registration is filed, and if known, the total number of
313	313	consumers affected by each breach;
314	314	(7) any litigation or unresolved complaints related to
315	315	the operation of the entity; and
316	316	(8) any Internet website link the entity provides to
317	317	allow individuals to easily access the "do not collect" online
318	318	registry established under Section 509.006.
319	319	(c) A registration of a third-party data collection entity
320	320	may include any additional information or explanation the
321	321	third-party data collection entity chooses to provide to the
322	322	secretary of state concerning the entity's data collection
323	323	practices.
324	324	(d) A registration certificate expires on the first
325	325	anniversary of its date of issuance. A third-party data collection
326	326	entity may renew a registration certificate by filing a renewal
327	327	application, in the form prescribed by the secretary of state, and
328	328	paying a renewal fee in the amount of $300.
329	329	Sec. 509.006. REGISTRY OF THIRD-PARTY COLLECTING ENTITIES;
330	330	DO NOT COLLECT REQUESTS. (a) The secretary of state shall
331	331	establish and maintain, on its Internet website, a searchable,
332	332	central registry of third-party data collection entities
333	333	registered under Section 509.005.
334	334	(b) The registry must include:
335	335	(1) a search feature that allows a person searching
336	336	the registry to identify a specific third-party data collection
337	337	entity;
338	338	(2) for each third-party data collection entity, the
339	339	information filed under Section 509.005(b); and
340	340	(3) a link and mechanism by which individuals may
341	341	submit do not collect requests to third-party collection entities,
342	342	other than consumer reporting agencies, as provided by Subsection
343	343	(c).
344	344	(c) The secretary of state shall ensure that under the
345	345	mechanism described by Subsection (b) an individual has the
346	346	capability to easily submit a single request requiring all
347	347	registered third-party data collection entities to:
348	348	(1) delete, not later than the 30th day after
349	349	receiving the request, all covered data related to the requesting
350	350	individual that is in their possession and was not collected from
351	351	the individual directly; and
352	352	(2) cease collecting, processing, or transferring
353	353	covered data related to the requesting individual, unless the
354	354	entity receives the individual's affirmative express consent to
355	355	continue to collect, process, or transfer data, as applicable, in
356	356	accordance with Subsection (e).
357	357	(d) Notwithstanding Subsection (c), a third-party data
358	358	collection entity may decline to comply with a request under that
359	359	subsection if the entity:
360	360	(1) knows that the individual has been convicted of a
361	361	crime related to the abduction or sexual exploitation of a child,
362	362	and that the data the entity is collecting is necessary to
363	363	effectuate the purposes of a federal or state sex offender registry
364	364	or of an entity described by Section 509.003(b)(4); or
365	365	(2) is a consumer reporting agency governed by the
366	366	Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.).
367	367	(e) For purposes of Subsection (c)(2), an individual is
368	368	considered to have given the individual's affirmative express
369	369	consent if the individual, by an affirmative act, clearly
370	370	communicates the individual's specific and unambiguous
371	371	authorization for the act or practice in response to a specific
372	372	request by a third-party data collection entity that:
373	373	(1) is provided to the individual in a clear,
374	374	conspicuous, and separate disclosure presented through:
375	375	(A) the primary medium by which the entity offers
376	376	its products or services; or
377	377	(B) another medium regularly used in conjunction
378	378	with the entity's products or services;
379	379	(2) includes a description of the processing purpose
380	380	for which the individual's consent is sought, that:
381	381	(A) clearly states the specific categories of
382	382	personal identifying information the business will collect,
383	383	process, or transfer for that purpose;
384	384	(B) includes a prominent heading; and
385	385	(C) is written in easily understood language
386	386	intended to enable a reasonable individual to identify and
387	387	understand the processing purpose for which consent is sought;
388	388	(3) explains the individual's right to give and revoke
389	389	consent under this section;
390	390	(4) is made in a manner reasonably accessible to and
391	391	usable by an individual with a disability;
392	392	(5) is made available in each language in which the
393	393	business provides a product or service for which consent is sought;
394	394	(6) presents the option to refuse consent at least as
395	395	prominently as the option to accept; and
396	396	(7) ensures that refusing to consent takes not more
397	397	than the same amount of steps to complete as the option to accept
398	398	consent.
399	399	(f) If the processing purpose disclosed to an individual in
400	400	a request made under Subsection (e) changes, a third-party data
401	401	collection entity must request and receive a new consent that meets
402	402	the requirements of that subsection before the entity is able to
403	403	collect, transfer, or process any further information pursuant to
404	404	that consent.
405	405	(g) An individual's inaction or continued use of a service
406	406	or product provided by a third-party data collection entity does
407	407	not constitute an individual's affirmative express consent for
408	408	purposes of Subsection (e).
409	409	(h) A third-party data collection entity may not obtain or
410	410	attempt to obtain an individual's affirmative express consent under
411	411	Subsection (b) through:
412	412	(1) the use of a false, fraudulent, or materially
413	413	misleading statement or representation; or
414	414	(2) the design, modification, or manipulation of a
415	415	user interface to impair a reasonable individual's autonomy to
416	416	consent or to withhold certain personal identifying information.
417	417	Sec. 509.007. CIVIL PENALTY. (a) A third-party data
418	418	collection entity that violates Section 509.004, 509.005, or
419	419	509.006 is liable to this state for a civil penalty as prescribed by
420	420	this section.
421	421	(b) A civil penalty imposed against a third-party data
422	422	collection entity under this section:
423	423	(1) subject to Subdivision (2), may not be in an amount
424	424	less than the total of:
425	425	(A) $100 for each day the entity is in violation
426	426	of Section 509.004 or 509.005; and
427	427	(B) the amount of unpaid registration fees for
428	428	each year the entity failed to register in violation of Section
429	429	509.005; and
430	430	(2) may not exceed $10,000 assessed against the same
431	431	entity in a 12-month period.
432	432	(c) The attorney general may bring an action to recover a
433	433	civil penalty imposed under this section. The attorney general may
434	434	recover reasonable attorney's fees and court costs incurred in
435	435	bringing the action.
436	436	Sec. 509.008. DECEPTIVE TRADE PRACTICE. A violation of
437	437	this chapter constitutes a deceptive trade practice in addition to
438	438	the practices described by Subchapter E, Chapter 17, and is
439	439	actionable under that subchapter.
440	440	Sec. 509.009. RULES. The secretary of state shall adopt
441	441	rules as necessary to implement this chapter.
442	442	SECTION 2. Not later than December 1, 2023, the secretary of
443	443	state shall adopt rules necessary to facilitate registration by a
444	444	third-party data collection entity under Section 509.005, Business &
445	445	Commerce Code, as added by this Act.
446	446	SECTION 3. Chapter 509, Business & Commerce Code, as added
447	447	by this Act, applies only to the collection, processing, or
448	448	transfer of personal identifying information by a third-party data
449	449	collection entity on or after the effective date of this Act.
450	450	SECTION 4. This Act takes effect September 1, 2023.