Texas 2023 - 88th Regular

Texas Senate Bill SB2105 Compare Versions

S.B. No. 2105

AN ACT
relating to the registration of and certain other requirements relating to data brokers; providing a civil penalty and authorizing a fee.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subtitle A, Title 11, Business & Commerce Code, is amended by adding Chapter 509 to read as follows:

CHAPTER 509. DATA BROKERS

Sec. 509.001. DEFINITIONS. In this chapter:
(1) "Biometric data" means data generated by automatic measurements of an individual's biological patterns or characteristics, including fingerprint, voiceprint, retina or iris scan, information pertaining to an individual's DNA, or another unique biological pattern or characteristic that is used to identify a specific individual.
(2) "Child" means an individual younger than 13 years of age.
(3) "Collect," in the context of data, means to obtain, receive, access, or otherwise acquire the data by any means, including by purchasing or renting the data.
(4) "Data broker" means a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.
(5) "Deidentified data" means data that cannot reasonably be linked to an identified or identifiable individual or to a device linked to that individual.
(6) "Employee" includes an individual who is a director, officer, staff member, trainee, volunteer, or intern of an employer or an individual working as an independent contractor for an employer, regardless of whether the individual is paid, unpaid, or employed on a temporary basis. The term does not include an individual contractor who is a service provider.
(7) "Employee data" means information collected, processed, or transferred by an employer if the information:
(A) is related to:
(i) a job applicant and was collected during the course of the hiring and application process;
(ii) an employee who is acting in a professional capacity for the employer, including the employee's business contact information such as the employee's name, position, title, business telephone number, business address, or business e-mail address;
(iii) an employee's emergency contact information; or
(iv) an employee or the employee's spouse, dependent, covered family member, or beneficiary; and
(B) was collected, processed, or transferred solely for:
(i) a purpose relating to the status of a person described by Paragraph (A)(i) as a current or former job applicant of the employer;
(ii) a purpose relating to the professional activities of an employee described by Paragraph (A)(ii) on behalf of the employer;
(iii) the purpose of having an emergency contact on file for an employee described by Paragraph (A)(iii) and for transferring the information in case of an emergency; and
(iv) the purpose of administering benefits to which an employee described by Paragraph (A)(iv) is entitled or to which another person described by that paragraph is entitled on the basis of the employee's position with the employer.
(8) "Genetic data" means any data, regardless of format, concerning an individual's genetic characteristics. The term includes:
(A) raw sequence data derived from sequencing all or a portion of an individual's extracted DNA; and
(B) genotypic and phenotypic information obtained from analyzing an individual's raw sequence data.
(9) "Individual" means a natural person residing in this state.
(10) "Known child" means a child under circumstances where a data broker has actual knowledge of, or wilfully disregards obtaining actual knowledge of, the child's age.
(11) "Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the information is used by a controller or processor in conjunction with additional information that reasonably links the information to an identified or identifiable individual. The term does not include deidentified data, employee data, or publicly available information.
(12) "Precise geolocation data" means information accessed on a device or technology that shows the past or present physical location of an individual or the individual's device with sufficient precision to identify street-level location information of the individual or device in a range of not more than 1,850 feet. The term does not include location information regarding an individual or device identifiable or derived solely from the visual content of a legally obtained image, including the location of a device that captured the image.
(13) "Process," in the context of data, means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(14) "Publicly available information" means information that:
(A) is lawfully made available through government records;
(B) a business has a reasonable basis to believe is lawfully available to the general public through widely distributed media; or
(C) is lawfully made available by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted access to the information to a specific audience.
(15) "Sensitive data" means:
(A) a government-issued identifier not required by law to be available publicly, including:
(i) a social security number;
(ii) a passport number; or
(iii) a driver's license number;
(B) information that describes or reveals an individual's mental or physical health diagnosis, condition, or treatment;
(C) an individual's financial information, except the last four digits of a debit or credit card number, including:
(i) a financial account number;
(ii) a credit or debit card number; or
(iii) information that describes or reveals the income level or bank account balances of the individual;
(D) biometric data;
(E) genetic data;
(F) precise geolocation data;
(G) an individual's private communication that:
(i) if made using a device, is not made using a device provided by the individual's employer that provides conspicuous notice to the individual that the employer may access communication made using the device; and
(ii) includes, unless the data broker is the sender or an intended recipient of the communication:
(a) the individual's voicemails, e-mails, texts, direct messages, or mail;
(b) information that identifies the parties involved in the communications; and
(c) information that relates to the transmission of the communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call;
(H) a log-in credential, security code, or access code for an account or device;
(I) information identifying the sexual behavior of the individual in a manner inconsistent with the individual's reasonable expectation regarding the collection, processing, or transfer of the information;
(J) calendar information, address book information, phone or text logs, photos, audio recordings, or videos:
(i) maintained for private use by an individual and stored on the individual's device or in another location; and
(ii) not communicated using a device provided by the individual's employer unless the employee was provided conspicuous notice that the employer may access communication made using the device;
(K) a photograph, film, video recording, or other similar medium that shows the individual or a part of the individual nude or wearing undergarments;
(L) information revealing the video content requested or selected by an individual that is not:
(i) collected by a provider of broadcast television service, cable service, satellite service, streaming media service, or other video programming, as that term is defined by 47 U.S.C. Section 613(h)(2); or
(ii) used solely for transfers for independent video measurement;
(M) information regarding a known child;
(N) information revealing an individual's racial or ethnic origin, color, religious beliefs, or union membership;
(O) information identifying an individual's online activities over time accessing multiple Internet websites or online services; or
(P) information collected, processed, or transferred for the purpose of identifying information described by this subdivision.
(16) "Service provider" means a person that receives, collects, processes, or transfers personal data on behalf of, and at the direction of, a business or governmental entity, including a business or governmental entity that is another service provider, in order for the person to perform a service or function with or on behalf of the business or governmental entity.
(17) "Transfer," in the context of data, means to disclose, release, share, disseminate, make available, sell, or license the data by any means or medium.

Sec. 509.002. APPLICABILITY TO CERTAIN DATA. (a) Except as provided by Subsection (b), this chapter applies to personal data from an individual that is collected, transferred, or processed by a data broker.
(b) This chapter does not apply to the following data:
(1) deidentified data, if the data broker:
(A) takes reasonable technical measures to ensure that the data is not able to be used to identify an individual with whom the data is associated;
(B) publicly commits in a clear and conspicuous manner:
(i) to process and transfer the data solely in a deidentified form without any reasonable means for reidentification; and
(ii) to not attempt to identify the information to an individual with whom the data is associated; and
(C) contractually obligates a person that receives the information from the provider:
(i) to comply with this subsection with respect to the information; and
(ii) to require that those contractual obligations be included in any subsequent transfer of the data to another person;
(2) employee data;
(3) publicly available information;
(4) inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive data with respect to an individual; or
(5) data subject to Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.).

Sec. 509.003. APPLICABILITY OF CHAPTER TO CERTAIN ENTITIES. (a) Except as provided by Subsection (b), this chapter applies only to a data broker that, in a 12-month period, derives:
(1) more than 50 percent of the data broker's revenue from processing or transferring personal data that the data broker did not collect directly from the individuals to whom the data pertains; or
(2) revenue from processing or transferring the personal data of more than 50,000 individuals that the data broker did not collect directly from the individuals to whom the data pertains.
(b) This chapter does not apply to:
(1) a service provider, including a service provider that engages in the business of processing employee data for a third-party employer for the sole purpose of providing benefits to the third-party employer's employees;
(2) a person or entity that collects personal data from another person or entity to which the person or entity is related by common ownership or corporate control, provided a reasonable consumer would expect the persons or entities to share data;
(3) a federal, state, tribal, territorial, or local governmental entity, including a body, authority, board, bureau, commission, district, agency, or political subdivision of a governmental entity;
(4) an entity that serves as a congressionally designated nonprofit, national resource center, or clearinghouse to provide assistance to victims, families, child-serving professionals, and the general public on missing and exploited children issues;
(5) a consumer reporting agency or other person or entity that furnishes information for inclusion in a consumer credit report or obtains a consumer credit report, but only to the extent the person or entity engages in activity regulated or authorized by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.), including the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; or
(6) a financial institution subject to Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.).

Sec. 509.004. NOTICE ON WEBSITE OR MOBILE APPLICATION. A data broker that maintains an Internet website or mobile application shall post a conspicuous notice on the website or application that:
(1) states that the entity maintaining the website or application is a data broker;
(2) is clear, not misleading, and readily accessible by the general public, including individuals with a disability; and
(3) contains language provided by rule of the secretary of state for inclusion in the notice.

Sec. 509.005. REGISTRATION. (a) To conduct business in this state, a data broker to which this chapter applies shall register with the secretary of state by filing a registration statement and paying a registration fee of $300.
(b) The registration statement must include:
(1) the legal name of the data broker;
(2) a contact person and the primary physical address, e-mail address, telephone number, and Internet website address for the data broker;
(3) a description of the categories of data the data broker processes and transfers;
(4) a statement of whether or not the data broker implements a purchaser credentialing process;
(5) if the data broker has actual knowledge that the data broker possesses personal data of a known child:
(A) a statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the personal data of a known child; and
(B) a statement on how the data broker complies with applicable federal and state law regarding the collection, use, or disclosure of personal data from and about a child on the Internet; and
(6) the number of security breaches the data broker has experienced during the year immediately preceding the year in which the registration is filed, and if known, the total number of consumers affected by each breach.
(c) A registration of a data broker may include any additional information or explanation the data broker chooses to provide to the secretary of state concerning the data broker's data collection practices.
(d) A registration certificate expires on the first anniversary of its date of issuance. A data broker may renew a registration certificate by filing a renewal application, in the form prescribed by the secretary of state, and paying a renewal fee in the amount of $300.

Sec. 509.006. REGISTRY OF DATA BROKERS. (a) The secretary of state shall establish and maintain, on its Internet website, a searchable, central registry of data brokers registered under Section 509.005.
(b) The registry must include:
(1) a search feature that allows a person searching the registry to identify a specific data broker; and
(2) for each data broker, the information filed under Section 509.005(b).

Sec. 509.007. PROTECTION OF PERSONAL DATA: COMPREHENSIVE INFORMATION SECURITY PROGRAM. (a) A data broker conducting business in this state has a duty to protect personal data held by that data broker as provided by this section.
(b) A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for:
(1) the data broker's size, scope, and type of business;
(2) the amount of resources available to the data broker;
(3) the amount of data stored by the data broker; and
(4) the need for security and confidentiality of personal data stored by the data broker.
(c) The comprehensive information security program required by this section must:
(1) incorporate safeguards that are consistent with the safeguards for protection of personal data and information of a similar character under state or federal laws and regulations applicable to the data broker;
(2) include the designation of one or more employees of the data broker to maintain the program;
(3) require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal data, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by:
(A) requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the data broker, on the proper use of security procedures and protocols and the importance of personal data security;
(B) mandating employee compliance with policies and procedures established under the program; and
(C) providing a means for detecting and preventing security system failures;
(4) include security policies for the data broker's employees relating to the storage, access, and transportation of records containing personal data outside of the broker's physical business premises;
(5) provide disciplinary measures for violations of a policy or procedure established under the program;
(6) include measures for preventing a terminated employee from accessing records containing personal data;
(7) provide policies for the supervision of third-party service providers that include:
(A) taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal data consistent with applicable law; and
(B) requiring third-party service providers by contract to implement and maintain appropriate security measures for personal data;
(8) provide reasonable restrictions on physical access to records containing personal data, including by requiring the records containing the data to be stored in a locked facility, storage area, or container;
(9) include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal data and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal data;
(10) require the regular review of the scope of the program's security measures that must occur:
(A) at least annually; and
(B) whenever there is a material change in the data broker's business practices that may reasonably affect the security or integrity of records containing personal data;
(11) require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory post-incident review of each event and the actions taken, if any, to make changes in business practices relating to protection of personal data in response to that event; and
(12) to the extent technically feasible, include the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal data:
(A) the use of secure user authentication protocols that include each of the following features:
(i) controlling user log-in credentials and other identifiers;
(ii) using a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices;
(iii) controlling data security passwords to ensure that the passwords are kept in a location and format that do not compromise the security of the data the passwords protect;
(iv) restricting access to only active users and active user accounts; and
(v) blocking access to user credentials or identification after multiple unsuccessful attempts to gain access;
(B) the use of secure access control measures that include:
(i) restricting access to records and files containing personal data to only employees or contractors who need access to that personal data to perform the job duties of the employees or contractors; and
(ii) assigning to each employee or contractor with access to a computer containing personal data unique identification and a password, which may not be a vendor-supplied default password, or using another protocol reasonably designed to maintain the integrity of the security of the access controls to personal data;
(C) encryption of:
(i) transmitted records and files containing personal data that will travel across public networks; and
(ii) data containing personal data that is transmitted wirelessly;
(D) reasonable monitoring of systems for unauthorized use of or access to personal data;
(E) encryption of all personal data stored on laptop computers or other portable devices;
(F) for files containing personal data on a system that is connected to the Internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal data; and
(G) the use of:
(i) a reasonably current version of system security agent software that must include malware protection and reasonably current patches and virus definitions; or
(ii) a version of system security agent software that is supportable with current patches and virus definitions and is set to receive the most current security updates on a regular basis.

Sec. 509.008. CIVIL PENALTY. (a) A data broker that violates Section 509.004 or 509.005 is liable to this state for a civil penalty as prescribed by this section.
(b) A civil penalty imposed against a data broker under this section:
(1) subject to Subdivision (2), may not be in an amount less than the total of:
(A) $100 for each day the entity is in violation of Section 509.004 or 509.005; and
(B) the amount of unpaid registration fees for each year the entity failed to register in violation of Section 509.005; and
(2) may not exceed $10,000 assessed against the same data broker in a 12-month period.
(c) The attorney general may bring an action to recover a civil penalty imposed under this section. The attorney general may recover reasonable attorney's fees and court costs incurred in bringing the action.

Sec. 509.009. DECEPTIVE TRADE PRACTICE. A violation of Section 509.007 by a data broker constitutes a deceptive trade practice in addition to the practices described by Subchapter E, Chapter 17, and is actionable under that subchapter.

Sec. 509.010. RULES. The secretary of state shall adopt rules as necessary to implement this chapter.

SECTION 2. Not later than December 1, 2023, the secretary of state shall adopt rules necessary to facilitate registration by a data broker under Section 509.005, Business & Commerce Code, as added by this Act, including by incorporating into the rules adequate time for a data broker to comply with Chapter 509, Business & Commerce Code, as added by this Act, following the adoption of the rules.

SECTION 3. Chapter 509, Business & Commerce Code, as added by this Act, applies only to the collection, processing, or transfer of personal data by a data broker on or after December 1, 2023.

SECTION 4. This Act takes effect September 1, 2023.

President of the Senate / Speaker of the House

I hereby certify that S.B. No. 2105 passed the Senate on May 3, 2023, by the following vote: Yeas 29, Nays 2.
Secretary of the Senate

I hereby certify that S.B. No. 2105 passed the House on May 24, 2023, by the following vote: Yeas 117, Nays 21, one present not voting.
Chief Clerk of the House

Approved:
Date
Governor