88R228 YDB/JSC-D
By: Paxton
S.B. No. 704

A BILL TO BE ENTITLED
AN ACT
relating to the capture and use of an individual's biometric identifiers, specimen, or genetic information by a governmental body or peace officer or by a person for commercial purposes; authorizing civil penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. The heading to Title 11, Business & Commerce Code, is amended to read as follows:
TITLE 11. PERSONAL [IDENTITY] INFORMATION

SECTION 2. The heading to Subtitle A, Title 11, Business & Commerce Code, is amended to read as follows:
SUBTITLE A. IDENTIFYING AND OTHER PERSONAL INFORMATION

SECTION 3. The heading to Chapter 503, Business & Commerce Code, is amended to read as follows:
CHAPTER 503. BIOMETRIC IDENTIFIERS, GENETIC INFORMATION, AND SPECIMEN COLLECTION

SECTION 4. Chapter 503, Business & Commerce Code, is amended by adding Section 503.0005 to read as follows:
Sec. 503.0005. DEFINITIONS. In this chapter:
(1) "Deidentified data" means data not reasonably linked to an identifiable individual.
(2) "Direct-to-individual genetic testing company" means an entity that:
(A) offers genetic testing products or services directly to individuals; or
(B) collects, uses, or analyzes genetic data that an individual provides to the entity.
(3) "DNA" means deoxyribonucleic acid.
(4) "Express consent" means an individual's affirmative response to a clear and meaningful notice regarding the collection, use, or disclosure of genetic data for a specific purpose.
(5) "Genetic data" means any data, regardless of format, concerning an individual's genetic characteristics. The term:
(A) includes:
(i) raw sequence data derived from sequencing all or a portion of an individual's extracted DNA;
(ii) genotypic and phenotypic information obtained from analyzing an individual's raw sequence data; and
(iii) health information regarding the health conditions that an individual self-reports to a company and that the company:
(a) uses for scientific research or product development; and
(b) analyzes in connection with the individual's raw sequence data; and
(B) does not include deidentified data.
(6) "Genetic testing" means:
(A) a laboratory test of an individual's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of the individual's genetic characteristics; or
(B) an interpretation of an individual's genetic data.
(7) "Specimen" means a sample of an individual's blood, urine, or other bodily fluid or tissue taken for scientific analysis to detect or diagnose a disease.

SECTION 5. The heading to Section 503.001, Business & Commerce Code, is amended to read as follows:
Sec. 503.001. CAPTURE OR USE OF BIOMETRIC IDENTIFIER; COLLECTION OR USE OF SPECIMEN.

SECTION 6. Section 503.001, Business & Commerce Code, is amended by amending Subsections (b) and (c) and adding Subsection (c-3) to read as follows:
(b) A person may not capture a biometric identifier of or collect a specimen from an individual for a commercial purpose unless the person:
(1) informs the individual before capturing the biometric identifier or collecting the specimen of the pending capture or collection; [and]
(2) receives the individual's consent to capture the biometric identifier or collect the specimen; and
(3) if capturing a biometric identifier, informs the individual before capturing the biometric identifier of the purposes for which the person will use the biometric identifier.
(c) A person who possesses a biometric identifier or specimen of an individual that is captured or collected for a commercial purpose:
(1) may not sell, lease, or otherwise disclose the biometric identifier or specimen test results to another person unless:
(A) the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death;
(B) the disclosure of a biometric identifier completes a financial transaction that the individual requested or authorized;
(C) the disclosure is required or permitted by a federal statute or by a state statute other than Chapter 552, Government Code; or
(D) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant;
(2) shall store, transmit, and protect from disclosure the biometric identifier or specimen test results using reasonable care and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects any other confidential information the person possesses; and
(3) shall destroy the biometric identifier or specimen within a reasonable time, but not later than the first anniversary of the date the purpose for capturing [collecting] the identifier or collecting the specimen expires, except as provided by Subsection (c-1).
(c-3) A person who captures a biometric identifier of or collects a specimen from an individual for a commercial purpose shall provide to the individual information on:
(1) the type of technology to be used on the identifier or the scientific testing to be used on the specimen;
(2) the purpose of and method for capturing the identifier or collecting the specimen; and
(3) the method for storing data related to the captured identifier or collected specimen.

SECTION 7. Chapter 503, Business & Commerce Code, is amended by adding Sections 503.002, 503.003, 503.004, and 503.005 to read as follows:

Sec. 503.002. REQUIREMENTS FOR CERTAIN USES OF DEIDENTIFIED DATA.
(a) Except as otherwise provided by this chapter or other law, a direct-to-individual genetic testing company that possesses an individual's deidentified data shall:
(1) implement administrative and technical measures to ensure the data is not associated with a specific individual; and
(2) publicly commit to maintaining and using data in deidentified form and refraining from making any attempt to identify an individual using the individual's deidentified data.
(b) If a direct-to-individual genetic testing company shares an individual's deidentified data with another person, the company shall enter into a legally enforceable contractual obligation prohibiting the person from attempting to identify an individual using the individual's deidentified data.

Sec. 503.003. REQUIREMENTS FOR CERTAIN USES OF GENETIC DATA AND SPECIMEN.
(a) A direct-to-individual genetic testing company shall develop, implement, and maintain:
(1) a comprehensive security program to protect an individual's genetic data against unauthorized access, use, or disclosure; and
(2) a prominent, publicly available privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.
(b) Before collecting, using, or disclosing an individual's genetic data, a direct-to-individual genetic testing company shall provide to the individual:
(1) information about the company's collection, use, and disclosure of genetic data the company collects through a genetic testing product or service, including information that:
(A) clearly describes the company's use of the genetic data;
(B) specifies the persons who have access to test results; and
(C) specifies the manner in which the company may share the genetic data; and
(2) the privacy notice required by Subsection (a)(2).
(c) A direct-to-individual genetic testing company shall provide a process for an individual to:
(1) access the individual's genetic data;
(2) delete the individual's account and genetic data; and
(3) destroy or require the destruction of the individual's specimen.

Sec. 503.004. REQUIRED CONSENT. A direct-to-individual genetic testing company engaging in any of the following activities must obtain:
(1) an individual's separate express consent for:
(A) the transfer or disclosure of the individual's genetic data to any person other than the company's vendors and service providers;
(B) the use of genetic data for a purpose other than the primary purpose of the company's genetic testing product or service; or
(C) the retention of any specimen provided by the individual following the company's completion of the initial testing service requested by the individual;
(2) an individual's informed consent in accordance with guidelines for the protection of human subjects issued under 45 C.F.R. Part 46, for transfer or disclosure of the individual's genetic data to a third party for:
(A) research purposes; or
(B) research conducted under the control of the company for the purpose of publication or generalizable knowledge; and
(3) an individual's express consent for:
(A) marketing by the company to the individual based on the individual's genetic data; or
(B) marketing by a third party to the individual based on the individual's ordering or purchasing of a genetic testing product or service.

Sec. 503.005. PROHIBITED DISCLOSURES.
(a) A direct-to-individual genetic testing company may not disclose an individual's genetic data to a law enforcement entity or other governmental body unless:
(1) the company first obtains the individual's express written consent; or
(2) the entity or body obtains a warrant under Article 18.25, Code of Criminal Procedure, or complies with another valid legal process required by the company.
(b) A direct-to-individual genetic testing company may not disclose, without first obtaining an individual's written consent, the individual's genetic data to:
(1) an entity that offers health insurance, life insurance, or long-term care insurance; or
(2) an employer of the individual.

SECTION 8. Section 503.001(d), Business & Commerce Code, is redesignated as Section 503.006, Business & Commerce Code, and amended to read as follows:
Sec. 503.006. CIVIL PENALTY. [(d)] A person who violates this chapter [section] is subject to a civil penalty of not more than $25,000 for each violation. The attorney general may bring an action to recover the civil penalty.

SECTION 9. Chapter 18, Code of Criminal Procedure, is amended by adding Article 18.25 to read as follows:
Art. 18.25. WARRANTS FOR GENETIC INFORMATION FROM CERTAIN BUSINESSES.
(a) This article applies to a business that collects and analyzes genetic information to provide information about an individual's genetic traits or biological relationships.
(b) A peace officer may require a business described by Subsection (a) to provide the genetic information of a customer of the business by obtaining a warrant under this chapter or by obtaining the consent of the customer.
(c) A court may issue a warrant for genetic information held by a business described by Subsection (a) only if the applicant for the warrant shows that reasonable investigative leads have been pursued and have failed to identify the perpetrator of an alleged criminal offense. For purposes of this subsection, reasonable investigative leads are credible, case-specific facts, information, or circumstances that would lead a reasonably cautious investigator to believe that pursuit of the leads would have a fair probability of identifying the perpetrator of the offense.
(d) A peace officer who obtains a warrant with respect to genetic information held by a business described by Subsection (a) may apply to the court issuing the warrant for an order commanding the business to whom the warrant is directed not to disclose to any person the existence of the warrant. The order is effective for the period the court considers appropriate. The court shall enter the order under this subsection if the court determines that there is reason to believe that notification of the existence of the warrant will lead to an adverse result, including:
(1) endangering the life or physical safety of an individual;
(2) flight from prosecution;
(3) destruction of or tampering with evidence;
(4) intimidation of a potential witness; or
(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
(e) Unless an order is issued under Subsection (d), the peace officer who executes a warrant for the genetic information of a customer shall notify the customer of the existence of the warrant.

SECTION 10. The heading to Chapter 560, Government Code, is amended to read as follows:
CHAPTER 560. BIOMETRIC IDENTIFIER AND GENETIC INFORMATION

SECTION 11. Section 560.001, Government Code, is amended to read as follows:
Sec. 560.001. DEFINITIONS. In this chapter:
(1) "Biometric identifier" means any measurement of the human body or its movement that is used to attempt to uniquely identify or authenticate the identity of an individual, including a blood sample, hair sample, skin sample, body scan, retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.
(2) "Genetic information" means information that is:
(A) obtained from or based on a scientific or medical determination of the presence or absence in an individual of a genetic characteristic; or
(B) derived from the results of a genetic test of an individual's genes, gene products, or chromosomes.
(3) "Genetic test" has the meaning assigned by Section 546.001, Insurance Code.
(4) "Governmental body" has the meaning assigned by Section 552.003, except that the term includes each entity within or created by the judicial branch of state government.

SECTION 12. Chapter 560, Government Code, is amended by adding Section 560.0015 to read as follows:
Sec. 560.0015. STATUTORY AUTHORITY REQUIRED.
(a) A governmental body may not capture or possess a biometric identifier of an individual or require a biometric identifier as a prerequisite for providing a governmental service to the individual unless the governmental body:
(1) has specific, explicit statutory authority that:
(A) allows the governmental body to:
(i) capture or possess the individual's biometric identifier; or
(ii) require the individual's biometric identifier as a prerequisite for providing a governmental service to the individual; or
(B) allows the governmental body to require and obtain the written consent of the individual or the individual's legal guardian before:
(i) capturing or possessing the individual's biometric identifier; or
(ii) requiring the individual's biometric identifier as a prerequisite for providing a governmental service to the individual;
(2) obtains the voluntary, written consent of the individual or the individual's legal guardian;
(3) is a health care provider or health care facility that captures, possesses, or requires the individual's biometric identifier in the provision of health care services to the individual; or
(4) is a criminal justice agency, as defined by Article 66.001, Code of Criminal Procedure, that captures, possesses, or requires the individual's biometric identifier while engaged in the administration of criminal justice, as defined by that article.
(b) For purposes of Subsection (a), Subchapter B, Chapter 33, Health and Safety Code, is specific, explicit statutory authority under Subsection (a)(1)(A)(i) to capture or possess an individual's biometric identifier in the conduct of newborn screening as provided by that subchapter.
SECTION 13. Chapter 560, Government Code, is amended by adding Sections 560.004, 560.005, 560.006, and 560.007 to read as follows:

Sec. 560.004. DESTRUCTION OF SAMPLE GENETIC MATERIAL; EXCEPTIONS. A governmental body shall promptly destroy a sample of genetic material obtained from an individual for a genetic test after the purpose for which the sample was obtained is accomplished unless:
(1) the sample is retained under a court order;
(2) the individual authorizes retention of the sample for medical treatment or scientific research;
(3) the sample was obtained for research authorized by an institutional review board and retention of the sample is:
(A) under a requirement the institutional review board imposes on a specific research project; or
(B) authorized by the research participant with institutional review board approval in accordance with federal law; or
(4) the sample was obtained for a screening test prescribed by the Department of State Health Services under Section 33.011, Health and Safety Code, and performed by that department or a laboratory approved by that department.

Sec. 560.005. CONFIDENTIALITY OF GENETIC INFORMATION.
(a) Except as provided by Sections 560.006(a) and (b), genetic information is confidential and privileged regardless of the source of the information.
(b) A governmental body that holds an individual's genetic information may not disclose or be compelled to disclose, by subpoena or otherwise, that information unless the disclosure is specifically authorized by the individual as provided by Section 560.007.
(c) This section applies to a redisclosure of genetic information by a secondary recipient of the information after disclosure of the information by an initial recipient. Except as provided by Section 560.006(b), a governmental body may not redisclose genetic information unless the redisclosure is consistent with the disclosures authorized by the tested individual under an authorization executed under Section 560.007.

Sec. 560.006. EXCEPTIONS TO CONFIDENTIALITY.
(a) Subject to Subchapter G, Chapter 411, genetic information may be disclosed without an authorization under Section 560.007 if the disclosure is:
(1) authorized under a state or federal criminal law relating to:
(A) the identification of individuals; or
(B) a criminal or juvenile proceeding, an inquest, or a child fatality review by a multidisciplinary child-abuse team;
(2) required under a specific order of a state or federal court;
(3) needed to establish paternity as authorized under a state or federal law;
(4) needed to provide genetic information of a decedent and the information is disclosed to the blood relatives of the decedent for medical diagnosis; or
(5) needed to identify a decedent.
(b) A governmental body may redisclose genetic information without an authorization under Section 560.007 for actuarial or research studies if:
(1) a tested individual could not be identified in any actuarial or research report; and
(2) any materials that identify a tested individual are returned or destroyed as soon as reasonably practicable.
(c) A redisclosure authorized under Subsection (b) may contain only genetic information reasonably necessary to accomplish the purpose for which the information is disclosed.

Sec. 560.007. AUTHORIZED DISCLOSURE. An individual or an individual's legal representative may authorize disclosure of the individual's genetic information by submitting a statement that:
(1) is written in plain language and is signed by the individual or legal representative;
(2) is dated;
(3) contains a specific description of the information to be disclosed;
(4) identifies or describes each person authorized to disclose the genetic information;
(5) identifies or describes the individuals or entities to whom the genetic information may be disclosed or subsequently redisclosed;
(6) describes the specific purpose of the disclosure; and
(7) advises the individual or legal representative that the individual's authorized representative is entitled to receive a copy of the authorization.

SECTION 14. Section 33.012(a), Health and Safety Code, is amended to read as follows:
(a) Screening tests may not be administered to a newborn child whose parents, managing conservator, or guardian objects to [on the ground that] the tests [conflict with the religious tenets or practices of an organized church of which they are adherents].

SECTION 15. Subchapter C, Chapter 81, Health and Safety Code, is amended by adding Section 81.0465 to read as follows:
Sec. 81.0465. EXPRESS CONSENT FOR SPECIMEN COLLECTION, USE, AND DISCLOSURE; CONFIDENTIALITY; CIVIL PENALTY.
(a) In this section:
(1) "COVID-19" means the 2019 novel coronavirus disease.
(2) "Express consent" means an individual's affirmative response to a clear and meaningful notice regarding the collection, use, or disclosure of a specimen for a specific purpose.
(3) "Specimen" means a sample of an individual's blood, urine, or other bodily fluid or tissue taken for scientific analysis to detect or diagnose a disease.
(b) A person who collects a specimen from an individual to test for a specific disease may not use or analyze the specimen for a purpose unrelated to the test without the individual's express consent to the use or analysis for another purpose.
(c) A person who possesses an individual's specimen that is collected for a commercial purpose shall destroy the specimen within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the specimen expires.
(d) A person who obtains an individual's specimen or other personal information in relation to the collection of COVID-19 data may not disclose that information without the express consent of the individual.
(e) A person who violates this section is subject to a civil penalty of not more than $1,000 for each violation. The attorney general may bring an action to recover the civil penalty.
(f) This section does not apply to a specimen collected by a direct-to-individual genetic testing company as defined by Section 503.0005, Business & Commerce Code.

SECTION 16. Article 18.25, Code of Criminal Procedure, as added by this Act, applies only to a warrant issued on or after the effective date of this Act.

SECTION 17. The changes in law made by this Act apply only to a biometric identifier captured, a specimen collected, or genetic information obtained or to a biometric identifier, a specimen, or genetic information requested on or after the effective date of this Act. A biometric identifier, a specimen, or genetic information captured, collected, obtained, or requested before that date is governed by the law in effect immediately before the effective date of this Act, and that law is continued in effect for that purpose.

SECTION 18. This Act takes effect September 1, 2023.