By: Capriglione H.B. No. 1709
A BILL TO BE ENTITLED
AN ACT
relating to the regulation and reporting on the use of artificial
intelligence systems by certain business entities and state
agencies; providing civil penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. This Act may be cited as the Texas Responsible
Artificial Intelligence Governance Act
SECTION 2. Title 11, Business & Commerce Code, is amended by
adding Subtitle D to read as follows:
SUBTITLE D. ARTIFICIAL INTELLIGENCE PROTECTION
CHAPTER 551. ARTIFICIAL INTELLIGENCE PROTECTION
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 551.001. DEFINITIONS. In this chapter:
(1) "Algorithmic discrimination" means any condition
in which an artificial intelligence system when deployed creates an
unlawful discrimination of a protected classification in violation
of the laws of this state or federal law.
(A) "Algorithmic discrimination" does not
include the offer, license, or use of a high-risk artificial
intelligence system by a developer or deployer for the sole purpose
of the developer's or deployer's self-testing, for a non-deployed
purpose, to identify, mitigate, or prevent discrimination or
otherwise ensure compliance with state and federal law.
(2) "Artificial intelligence system" means the use of
machine learning and related technologies that use data to train
statistical models for the purpose of enabling computer systems to
perform tasks normally associated with human intelligence or
perception, such as computer vision, speech or natural language
processing, and content generation.
(3) "Biometric identifier" means a retina or iris
scan, fingerprint, voiceprint, or record of hand or face geometry.
(4) "Council" means the Artificial Intelligence
Council established under Chapter 553.
(5) "Consequential decision" means any decision that
has a material, legal, or similarly significant, effect on a
consumer's access to, cost of, or terms or conditions of:
(A) a criminal case assessment, a sentencing or
plea agreement analysis, or a pardon, parole, probation, or release
decision;
(B) education enrollment or an education
opportunity;
(C) employment or an employment opportunity;
(D) a financial service;
(E) an essential government service;
(F) residential utility services;
(G) a health-care service or treatment;
(H) housing;
(I) insurance;
(J) a legal service;
(K) a transportation service;
(L) constitutionally protected services or
products; or
(M) elections or voting process.
(6) "Consumer" means an individual who is a resident
of this state acting only in an individual or household context.
The term does not include an individual acting in a commercial or
employment context.
(7) "Deploy" means to put into effect or
commercialize.
(8) "Deployer" means a person doing business in this
state that deploys a high-risk artificial intelligence system.
(9) "Developer" means a person doing business in this
state that develops a high-risk artificial intelligence system or
substantially or intentionally modifies an artificial intelligence
system.
(10) "Digital service" means a website, an
application, a program, or software that collects or processes
personal identifying information with Internet connectivity.
(11) "Digital service provider" means a person who:
(A) owns or operates a digital service;
(B) determines the purpose of collecting and
processing the personal identifying information of users of the
digital service; and
(C) determines the means used to collect and
process the personal identifying information of users of the
digital service.
(12) "Distributor" means a person, other than the
Developer, that makes an artificial intelligence system available
in the market for a commercial purpose.
(13) "Generative artificial intelligence" means
artificial intelligence models that can emulate the structure and
characteristics of input data in order to generate derived
synthetic content. This can include images, videos, audio, text,
and other digital content.
(14) "High-risk artificial intelligence system" means
any artificial intelligence system that is a substantial factor to
a consequential decision. The term does not include:
(A) an artificial intelligence system if the
artificial intelligence system is intended to detect
decision-making patterns or deviations from prior decision-making
patterns and is not intended to replace or influence a previously
completed human assessment without sufficient human review;
(B) an artificial intelligence system that
violates a provision of Subchapter B; or
(C) the following technologies, unless the
technologies, when deployed, make, or are a substantial factor in
making, a consequential decision:
(i) anti-malware;
(ii) anti-virus;
(iii) calculators;
(iv) cybersecurity;
(v) databases;
(vi) data storage;
(vii) firewall;
(viii) fraud detection systems;
(ix) internet domain registration;
(x) internet website loading;
(xi) networking;
(xii) operational technology;
(xiii) spam- and robocall-filtering;
(xiv) spell-checking;
(xv) spreadsheets;
(xvi) web caching;
(xvii) web scraping;
(xviii) web hosting or any similar
technology; or
(xviv) any technology that solely
communicates in natural language for the sole purpose of providing
users with information, making referrals or recommendations
relating to customer service, and answering questions and is
subject to an acceptable use policy that prohibits generating
content that is discriminatory or harmful, as long as the system
does not violate any provision listed in Subchapter B.
(15) "Open source artificial intelligence system"
means an artificial intelligence system that:
(A) can be used or modified for any purpose
without securing permission from the owner or creator of such an
artificial intelligence system;
(B) can be shared for any use with or without
modifications; and
(C) includes information about the data used to
train such system that is sufficiently detailed such that a person
skilled in artificial intelligence could create a substantially
equivalent system when the following are made available freely or
through a non-restrictive license:
(i) the same or similar data;
(ii) the source code used to train and run
such system; and
(iii) the model weights and parameters of
such system.
(16) "Operational technology" means hardware and
software that detects or causes a change through the direct
monitoring or control of physical devices, processes, and events in
the enterprise.
(17) "Personal data" has the meaning assigned to it by
Section 541.001, Business and Commerce Code.
(18) "Risk" means the composite measure of an event's
probability of occurring and the magnitude or degree of the
consequences of the corresponding event.
(19) "Sensitive personal attribute" means race,
political opinions, religious or philosophical beliefs, ethnic
orientation, mental health diagnosis, or sex. The term does not
include conduct that would be classified as an offense under
Chapter 21, Penal Code.
(20) "Social media platform" has the meaning assigned
by Section 120.001, Business and Commerce Code.
(21) "Substantial factor" means a factor that is:
(A) considered when making a consequential
decision;
(B) likely to alter the outcome of a
consequential decision; and
(C) weighed more heavily than any other factor
contributing to the consequential decision.
(22) "Intentional and substantial modification" or
"Substantial modification" means a deliberate change made to an
artificial intelligence system that reasonably increases the risk
of algorithmic discrimination.
Sec. 551.002. APPLICABILITY OF CHAPTER. This chapter
applies only to a person that is not a small business as defined by
the United States Small Business Administration, and:
(1) conducts business, promotes, or advertises in this
state or produces a product or service consumed by residents of this
state; or
(2) engages in the development, distribution, or
deployment of a high-risk artificial intelligence system in this
state.
Sec. 551.003. DEVELOPER DUTIES. (a) A developer of a
high-risk artificial intelligence system shall use reasonable care
to protect consumers from any known or reasonably foreseeable risks
of algorithmic discrimination arising from the intended and
contracted uses of the high-risk artificial intelligence system.
(b) Prior to providing a high-risk artificial intelligence
system to a deployer, a developer shall provide to the deployer, in
writing, a High-Risk Report that consists of:
(1) a statement describing how the high-risk
artificial intelligence system should be used or not be used;
(2) any known limitations of the system that could
lead to algorithmic discrimination, the metrics used to measure the
system's performance, which shall include at a minimum, metrics
related to accuracy, explainability, transparency, reliability,
and security set forth in the most recent version of the "Artificial
Intelligence Risk Management Framework: Generative Artificial
Intelligence Profile" published by the National Institute of
Standards and Technology, and how the system performs under those
metrics in its intended use contexts;
(3) any known or reasonably foreseeable risks of
algorithmic discrimination, arising from its intended or likely
use;
(4) a high-level summary of the type of data used to
program or train the high-risk artificial intelligence system;
(5) the data governance measures used to cover the
training datasets and their collection, and the measures used to
examine the suitability of data sources and prevent unlawful
discriminatory biases; and
(6) appropriate principles, processes, and personnel
for the deployers' risk management policy.
(c) If a high-risk artificial intelligence system is
intentionally or substantially modified after a developer provides
it to a deployer, a developer shall make necessary information in
subsection (b) available to deployers within 30 days of the
modification.
(d) If a developer believes or has reason to believe, that
it deployed a high-risk artificial intelligence system that does
not comply with a requirement of this chapter, the developer shall
immediately take the necessary corrective actions to bring that
system into compliance, including by withdrawing it, disabling it,
and recalling it, as appropriate. Where applicable, the developer
shall inform the distributors or deployers of the high-risk
artificial intelligence system concerned.
(e) Where the high-risk artificial intelligence system
presents risks of algorithmic discrimination, unlawful use or
disclosure of personal data, or deceptive manipulation or coercion
of human behavior and the developer knows or should reasonably know
of that risk, it shall immediately investigate the causes, in
collaboration with the deployer, where applicable, and inform the
attorney general in writing of the nature of the non-compliance and
of any relevant corrective action taken.
(f) Developers shall keep detailed records of any
generative artificial intelligence training data used to develop a
generative artificial intelligence system or service, consistent
with the suggested actions under GV-1.2-007 of the "Artificial
Intelligence Risk Management Framework: Generative Artificial
Intelligence Profile" by the National Institute of Standards and
Technology, or any subsequent versions thereof.
Sec. 551.004. DISTRIBUTOR DUTIES. A distributor of a
high-risk artificial intelligence system shall use reasonable care
to protect consumers from any known or reasonably foreseeable risks
of algorithmic discrimination. If a distributor of a high-risk
artificial intelligence system knows or has reason to know that a
high-risk artificial intelligence system is not in compliance with
any requirement in this chapter, it shall immediately withdraw,
disable, or recall as appropriate, the high-risk artificial
intelligence system from the market until the system has been
brought into compliance with the requirements of this chapter. The
distributor shall inform the developers of the high-risk artificial
intelligence system concerned and, where applicable, the
deployers.
Sec. 551.005. DEPLOYER DUTIES. A deployer of a high-risk
artificial intelligence system shall use reasonable care to protect
consumers from any known or reasonably foreseeable risks of
algorithmic discrimination. If a deployer of a high-risk
artificial intelligence system knows or has reason to know that a
high-risk artificial intelligence system is not in compliance with
any requirement in this chapter, it shall immediately suspend the
use of the high-risk artificial intelligence system from the market
until the system has been brought into compliance with the
requirements of this chapter. The deployer shall inform the
developers of the high-risk artificial intelligence system
concerned and, where applicable, the distributors.
Sec. 551.006. IMPACT ASSESSMENTS. (a) A deployer that
deploys a high-risk artificial intelligence system shall complete
an impact assessment for the high-risk artificial intelligence
system. A deployer, or a third-party contracted by the deployer for
such purposes, shall complete an impact assessment annually and
within ninety days after any intentional and substantial
modification to the high-risk artificial intelligence system is
made available. An impact assessment must include, at a minimum,
and to the extent reasonably known by or available to the deployer:
(1) a statement by the deployer disclosing the
purpose, intended use cases, and deployment context of, and
benefits afforded by, the high-risk artificial intelligence
system;
(2) an analysis of whether the deployment of the
high-risk artificial intelligence system poses any known or
reasonably foreseeable risks of algorithmic discrimination and, if
so, the nature of the algorithmic discrimination and the steps that
have been taken to mitigate the risks;
(3) a description of the categories of data the
high-risk artificial intelligence system processes as inputs and
the outputs the high-risk artificial intelligence system produces;
(4) if the deployer used data to customize the
high-risk artificial intelligence system, an overview of the
categories of data the deployer used to customize the high-risk
artificial intelligence system;
(5) any metrics used to evaluate the performance and
known limitations of the high-risk artificial intelligence system;
(6) a description of any transparency measures taken
concerning the high-risk artificial intelligence system, including
any measures taken to disclose to a consumer that the high-risk
artificial intelligence system will be used;
(7) a description of the post-deployment monitoring
and user safeguards provided concerning the high-risk artificial
intelligence system, including the oversight, use, and learning
process established by the deployer to address issues arising from
the deployment of the high-risk artificial intelligence system; and
(8) a description of cybersecurity measures and threat
modeling conducted on the system.
(b) Following an intentional and substantial modification
to a high-risk artificial intelligence system, a deployer must
disclose the extent to which the high-risk artificial intelligence
system was used in a manner that was consistent with, or varied
from, the developer's intended uses of the high-risk artificial
intelligence system.
(c) A single impact assessment may address a comparable set
of high-risk artificial intelligence systems deployed by a
deployer.
(d) A deployer shall maintain the most recently completed
impact assessment for a high-risk artificial intelligence system,
all records concerning each impact assessment, and all prior impact
assessments, if any, for at least three years following the final
deployment of the high-risk artificial intelligence system.
(e) If a deployer, or a third party contracted by the
deployer, completes an impact assessment for the purpose of
complying with another applicable law or regulation, such impact
assessment shall be deemed to satisfy the requirements established
in this subsection if such impact assessment is reasonably similar
in scope and effect to the impact assessment that would otherwise be
completed pursuant to this subsection.
(f) A deployer may redact any trade secrets as defined by
Section 541.001(33), Business & Commerce Code or information
protected from disclosure by state or federal law.
(g) Except as provided in subsection (e) of this section, a
developer that makes a high-risk artificial intelligence system
available to a deployer shall make available to the deployer the
documentation and information necessary for a deployer to complete
an impact assessment pursuant to this section.
(h) A developer that also serves as a deployer for a
high-risk artificial intelligence system is not required to
generate and store an impact assessment unless the high-risk
artificial intelligence system is provided to an unaffiliated
deployer.
Sec. 551.007. DISCLOSURE OF A HIGH-RISK ARTIFICIAL
INTELLIGENCE SYSTEM TO CONSUMERS. (a) A deployer or developer that
deploys, offers, sells, leases, licenses, gives, or otherwise makes
available a high-risk artificial intelligence system that is
intended to interact with consumers shall disclose to each
consumer, before or at the time of interaction:
(1) that the consumer is interacting with an
artificial intelligence system;
(2) the purpose of the system;
(3) that the system may or will make a consequential
decision affecting the consumer;
(4) the nature of any consequential decision in which
the system is or may be a substantial factor;
(5) the factors to be used in making any consequential
decisions;
(6) contact information of the deployer;
(7) a description of:
(A) any human components of the system;
(B) any automated components of the system; and
(C) how human and automated components are used
to inform a consequential decision; and
(8) a declaration of the consumer's rights under
Section 551.108.
(b) Disclosure is required under subsection (a) of this
section regardless of whether it would be obvious to a reasonable
person that the person is interacting with an artificial
intelligence system.
(c) All disclosures under subsection (a) shall be clear and
conspicuous and written in plain language, and avoid the use of a
dark pattern as defined by 541.001, Business & Commerce Code.
(d) All disclosures under subsection (a) may be linked to a
separate webpage of the developer or deployer.
(e) Any requirement in this section that may conflict with
state or federal law may be exempt.
Sec. 551.008. RISK IDENTIFICATION AND MANAGEMENT POLICY.
(a) A developer or deployer of a high-risk artificial intelligence
system shall, prior to deployment, assess potential risks of
algorithmic discrimination and implement a risk management policy
to govern the development or deployment of the high-risk artificial
intelligence system. The risk management policy shall:
(1) specify and incorporate the principles and
processes that the developer or deployer uses to identify,
document, and mitigate, in the development or deployment of a
high-risk artificial intelligence system:
(A) known or reasonably foreseeable risks of
algorithmic discrimination; and
(B) prohibited uses and unacceptable risks under
Subchapter B; and
(2) be reasonable in size, scope, and breadth,
considering:
(A) guidance and standards set forth in the most
recent version of the "Artificial Intelligence Risk Management
Framework: Generative Artificial Intelligence Profile" published
by the National Institute of Standards and Technology;
(B) any existing risk management guidance,
standards or framework applicable to artificial intelligence
systems designated by the Banking Commissioner or Insurance
Commissioner, if the developer or deployer is regulated by the
Department of Banking or Department of Insurance;
(C) the size and complexity of the developer or
deployer;
(D) the nature, scope, and intended use of the
high-risk artificial intelligence systems developed or deployed;
and
(E) the sensitivity and volume of personal data
processed in connection with the high-risk artificial intelligence
systems.
(b) A risk management policy implemented pursuant to this
section may apply to more than one high-risk artificial
intelligence system developed or deployed, so long as the developer
or deployer complies with all of the forgoing requirements and
considerations in adopting and implementing the risk management
policy with respect to each high-risk artificial intelligence
system covered by the policy.
(c) A developer or deployer may redact or omit any trade
secrets as defined by Section 541.001(33), Business & Commerce Code
or information protected from disclosure by state or federal law.
Sec. 551.009. RELATIONSHIPS BETWEEN ARTIFICIAL
INTELLIGENCE PARTIES. Any distributor or deployer, shall be
considered to be a developer of a high-risk artificial intelligence
system for the purposes of this chapter and shall be subject to the
obligations and duties of a developer under this chapter in any of
the following circumstances:
(1) they put their name or trademark on a high-risk
artificial intelligence system already placed in the market or put
into service;
(2) they intentionally and substantially modify a
high-risk artificial intelligence system that has already been
placed in the market or has already been put into service in such a
way that it remains a high-risk artificial intelligence system
under this chapter; or
(3) they modify the intended purpose of an artificial
intelligence system which has not previously been classified as
high-risk and has already been placed in the market or put into
service in such a way that the artificial intelligence system
concerned becomes a high-risk artificial intelligence system in
accordance with this chapter of a high-risk artificial intelligence
system.
Sec. 551.010. DIGITAL SERVICE PROVIDER AND SOCIAL MEDIA
PLATFORM DUTIES REGARDING ARTIFICIAL INTELLIGENCE SYSTEMS. A
digital service provider as defined by Section 509.001(2), Business &
Commerce Code or a social media platform as defined by Section
120.001(1), Business & Commerce Code, shall require advertisers on
the service or platform to agree to terms preventing the deployment
of a high-risk artificial intelligence system on the service or
platform that could expose the users of the service or platform to
algorithmic discrimination or prohibited uses under Subchapter B.
Sec. 551.011. REPORTING REQUIREMENTS. (a) A deployer must
notify, in writing, the council, the attorney general, or the
director of the appropriate state agency that regulates the
deployer's industry, and affected consumers as soon as practicable
after the date on which the deployer discovers or is made aware that
a deployed high-risk artificial intelligence system has caused
algorithmic discrimination of an individual or group of
individuals.
(b) If a developer discovers or is made aware that a
deployed high-risk artificial intelligence system is using inputs
or providing outputs that constitute a violation of Subchapter B,
the deployer must cease operation of the offending system as soon as
technically feasible and provide notice to the council and the
attorney general as soon as practicable and not later than the 10th
day after the date on which the developer discovers or is made aware
of the unacceptable risk.
Sec. 551.012. SANDBOX PROGRAM EXCEPTION. (a) Excluding
violations of Subchapter B, this chapter does not apply to the
development of an artificial intelligence system that is used
exclusively for research, training, testing, or other
pre-deployment activities performed by active participants of the
sandbox program in compliance with Chapter 552.
SUBCHAPTER B. PROHIBITED USES AND UNACCEPTABLE RISK
Sec. 551.051. MANIPULATION OF HUMAN BEHAVIOR TO CIRCUMVENT
INFORMED DECISION-MAKING. An artificial intelligence system shall
not be developed or deployed that uses subliminal techniques beyond
a person's consciousness, or purposefully manipulative or
deceptive techniques, with the objective or the effect of
materially distorting the behavior of a person or a group of persons
by appreciably impairing their ability to make an informed
decision, thereby causing a person to make a decision that the
person would not have otherwise made, in a manner that causes or is
likely to cause significant harm to that person or another person or
group of persons.
Sec. 551.052. SOCIAL SCORING. An artificial intelligence
system shall not be developed or deployed for the evaluation or
classification of natural persons or groups of natural persons
based on their social behavior or known, inferred, or predicted
personal characteristics with the intent to determine a social
score or similar categorical estimation or valuation of a person or
groups of persons.
Sec. 551.053. CAPTURE OF BIOMETRIC IDENTIFIERS USING
ARTIFICIAL INTELLIGENCE. An artificial intelligence system
developed with biometric identifiers of individuals and the
targeted or untargeted gathering of images or other media from the
internet or any other publicly available source shall not be
deployed for the purpose of uniquely identifying a specific
individual. An individual is not considered to be informed nor to
have provided consent for such purpose pursuant to Section 503.001,
Business and Commerce Code, based solely upon the existence on the
internet, or other publicly available source, of an image or other
media containing one or more biometric identifiers.
Sec. 551.054. CATEGORIZATION BASED ON SENSITIVE
ATTRIBUTES. An artificial intelligence system shall not be
developed or deployed with the specific purpose of inferring or
interpreting, sensitive personal attributes of a person or group of
persons using biometric identifiers, except for the labeling or
filtering of lawfully acquired biometric identifier data.
Sec. 551.055. UTILIZATION OF PERSONAL ATTRIBUTES FOR HARM.
An artificial intelligence system shall not utilize
characteristics of a person or a specific group of persons based on
their race, color, disability, religion, sex, national origin, age,
or a specific social or economic situation, with the objective, or
the effect, of materially distorting the behavior of that person or
a person belonging to that group in a manner that causes or is
reasonably likely to cause that person or another person harm.
Sec. 551.056. CERTAIN SEXUALLY EXPLICIT VIDEOS, IMAGES, AND
CHILD PORNOGRAPHY. An artificial intelligence system shall not be
developed or deployed that produces, assists, or aids in producing,
or is capable of producing unlawful visual material in violation of
Section 43.26, Penal Code or an unlawful deep fake video or image in
violation of Section 21.165, Penal Code.
SUBCHAPTER C. ENFORCEMENT AND CONSUMER PROTECTIONS
Sec. 551.101. CONSTRUCTION AND APPLICATION. (a) This
chapter shall be broadly construed and applied to promote its
underlying purposes, which are:
(1) to facilitate and advance the responsible
development and use of artificial intelligence systems;
(2) to protect individuals and groups of individuals
from known, and unknown but reasonably foreseeable, risks,
including unlawful algorithmic discrimination;
(3) to provide transparency regarding those risks in
the development, deployment, or use of artificial intelligence
systems; and
(4) to provide reasonable notice regarding the use or
considered use of artificial intelligence systems by state
agencies.
(b) this chapter does not apply to the developer of an open
source artificial intelligence system, provided that:
(1) the system is not deployed as a high-risk
artificial intelligence system and the developer has taken
reasonable steps to ensure that the system cannot be used as a
high-risk artificial intelligence system without substantial
modifications; and
(2) the weights and technical architecture of the
system are made publicly available.
Sec. 551.102. ENFORCEMENT AUTHORITY. The attorney general
has authority to enforce this chapter. Excluding violations of
Subchapter B, researching, training, testing, or the conducting of
other pre-deployment activities by active participants of the
sandbox program, in compliance with Chapter 552, does not subject a
developer or deployer to penalties or actions.
Sec. 551.103. INTERNET WEBSITE AND COMPLAINT MECHANISM.
The attorney general shall post on the attorney general's Internet
website:
(1) information relating to:
(A) the responsibilities of a developer,
distributor, and deployer under Subchapter A; and
(B) an online mechanism through which a consumer
may submit a complaint under this chapter to the attorney general.
Sec. 551.104. INVESTIGATIVE AUTHORITY. (a) If the
attorney general has reasonable cause to believe that a person has
engaged in or is engaging in a violation of this chapter, the
attorney general may issue a civil investigative demand. The
attorney general shall issue such demands in accordance with and
under the procedures established under Section 15.10.
(b) The attorney general may request, pursuant to a civil
investigative demand issued under Subsection (a), that a developer
or deployer of a high-risk artificial intelligence system disclose
their risk management policy and impact assessments required under
Subchapter A. The attorney general may evaluate the risk
management policy and impact assessments for compliance with the
requirements set forth in Subchapter A.
(c) The attorney general may not institute an action for a
civil penalty against a developer or deployer for artificial
intelligence systems that remain isolated from customer
interaction in a pre-deployment environment.
Sec. 551.105. NOTICE OF VIOLATION OF CHAPTER; OPPORTUNITY
TO CURE. Before bringing an action under Section 551.106, the
attorney general shall notify a developer, distributor, or deployer
in writing, not later than the 30th day before bringing the action,
identifying the specific provisions of this chapter the attorney
general alleges have been or are being violated. The attorney
general may not bring an action against the developer or deployer
if:
(1) within the 30-day period, the developer or
deployer cures the identified violation; and
(2) the developer or deployer provides the attorney
general a written statement that the developer or deployer:
(A) cured the alleged violation;
(B) notified the consumer, if technically
feasible, and the council that the developer or deployer's
violation was addressed, if the consumer's contact information has
been made available to the developer or deployer and the attorney
general;
(C) provided supportive documentation to show
how the violation was cured; and
(D) made changes to internal policies, if
necessary, to reasonably ensure that no such further violations are
likely to occur.
Sec. 551.106. CIVIL PENALTY; INJUNCTION. (a) The attorney
general may bring an action in the name of this state to restrain or
enjoin the person from violating this chapter and seek injunctive
relief.
(b) The attorney general may recover reasonable attorney's
fees and other reasonable expenses incurred in investigating and
bringing an action under this section.
(c) The attorney general may assess and collect an
administrative fine against a developer or deployer who fails to
timely cure a violation or who breaches a written statement
provided to the attorney general, other than those for a prohibited
use, of not less than $50,000 and not more than $100,000 per uncured
violation.
(d) The attorney general may assess and collect an
administrative fine against a developer or deployer who fails to
timely cure a violation of a prohibited use, or whose violation is
determined to be uncurable, of not less than $80,000 and not more
than $200,000 per violation.
(e) A developer or deployer who was found in violation of
and continues to operate with the provisions of this chapter shall
be assessed an administrative fine of not less than $2,000 and not
more than $40,000 per day.
(f) There is a rebuttable presumption that a developer,
distributor, or deployer used reasonable care as required under
this chapter if the developer, distributor, or deployer complied
with their duties under Subchapter A.
Sec. 551.107. ENFORCEMENT ACTIONS BY STATE AGENCIES. A
state agency may sanction an individual licensed, registered, or
certified by that agency for violations of Subchapter B, including:
(1) the suspension, probation, or revocation of a
license, registration, certificate, or other form of permission to
engage in an activity; and
(2) monetary penalties up to $100,000.
Sec. 551.108. CONSUMER RIGHTS AND REMEDIES. A consumer may
appeal a consequential decision made by a high-risk artificial
intelligence system which has an adverse impact on their health,
safety, or fundamental rights, and shall have the right to obtain
from the deployer clear and meaningful explanations of the role of
the high-risk artificial intelligence system in the
decision-making procedure and the main elements of the decision
taken.
SUBCHAPTER D. CONSTRUCTION OF CHAPTER; LOCAL PREEMPTION
Sec. 551.151. CONSTRUCTION OF CHAPTER. This chapter may
not be construed as imposing a requirement on a developer, a
deployer, or other person that adversely affects the rights or
freedoms of any person, including the right of free speech.
Sec. 551.152. LOCAL PREEMPTION. This chapter supersedes
and preempts any ordinance, resolution, rule, or other regulation
adopted by a political subdivision regarding the use of high-risk
artificial intelligence systems.
CHAPTER 552. ARTIFICIAL INTELLIGENCE REGULATORY SANDBOX PROGRAM
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 552.001. DEFINITIONS. In this chapter:
(1) "Applicable agency" means a state agency
responsible for regulating a specific sector impacted by an
artificial intelligence system.
(2) "Consumer" means a person who engages in
transactions involving an artificial intelligence system or is
directly affected by the use of such a system.
(3) "Council" means the Artificial Intelligence
Council established by Chapter 553.
(4) "Department" means the Texas Department of
Information Resources.
(5) "Program participant" means a person or business
entity approved to participate in the sandbox program.
(6) "Sandbox program" means the regulatory framework
established under this chapter that allows temporary testing of
artificial intelligence systems in a controlled, limited manner
without full regulatory compliance.
SUBCHAPTER B. SANDBOX PROGRAM FRAMEWORK
Sec. 552.051. ESTABLISHMENT OF SANDBOX PROGRAM. (a) The
department, in coordination with the council, shall administer the
Artificial Intelligence Regulatory Sandbox Program to facilitate
the development, testing, and deployment of innovative artificial
intelligence systems in Texas.
(b) The sandbox program is designed to:
(1) promote the safe and innovative use of artificial
intelligence across various sectors including healthcare, finance,
education, and public services;
(2) encourage the responsible deployment of
artificial intelligence systems while balancing the need for
consumer protection, privacy, and public safety; and
(3) provide clear guidelines for artificial
intelligence developers to test systems while temporarily exempt
from certain regulatory requirements.
Sec. 552.052. APPLICATION PROCESS. (a) A person or
business entity seeking to participate in the sandbox program must
submit an application to the council.
(b) The application must include:
(1) a detailed description of the artificial
intelligence system and its intended use;
(2) a risk assessment that addresses potential impacts
on consumers, privacy, and public safety;
(3) a plan for mitigating any adverse consequences
during the testing phase; and
(4) proof of compliance with federal artificial
intelligence laws and regulations, where applicable.
Sec. 552.053. DURATION AND SCOPE OF PARTICIPATION. A
participant may test an artificial intelligence system under the
sandbox program for a period of up to 36 months, unless extended by
the department for good cause.
SUBCHAPTER C. OVERSIGHT AND COMPLIANCE
Sec. 552.101. AGENCY COORDINATION. (a) The department
shall coordinate with all relevant state regulatory agencies to
oversee the operations of the sandbox participants.
(b) A relevant agency may recommend to the department that a
participant's sandbox privileges be revoked if the artificial
intelligence system:
(1) poses undue risk to public safety or welfare;
(2) violates any federal or state laws that the
sandbox program cannot override.
Sec. 552.102. REPORTING REQUIREMENTS. (a) Each sandbox
participant must submit quarterly reports to the department, which
shall include:
(1) system performance metrics;
(2) updates on how the system mitigates any risks
associated with its operation; and
(3) feedback from consumers and affected stakeholders
that are using a product that has been deployed from this section.
(b) The department must submit an annual report to the
legislature detailing:
(1) the number of participants in the sandbox program;
(2) the overall performance and impact of artificial
intelligence systems tested within the program; and
(3) recommendations for future legislative or
regulatory reforms.
CHAPTER 553. TEXAS ARTIFICIAL INTELLIGENCE COUNCIL
SUBCHAPTER A. CREATION AND ORGANIZATION OF COUNCIL
Sec. 553.001. CREATION OF COUNCIL. (a) The Artificial
Intelligence Council is administratively attached to the office of
the governor, and the office of the governor shall provide
administrative support to the council as provided by this section.
(b) The office of the governor and the council shall enter
into a memorandum of understanding detailing:
(1) the administrative support the council requires
from the office of the governor to fulfill the purposes of this
chapter;
(2) the reimbursement of administrative expenses to
the office of the governor; and
(3) any other provisions available by law to ensure
the efficient operation of the council as attached to the office of
the governor.
(c) The purpose of the council is to:
(1) ensure artificial intelligence systems are
ethical and in the public's best interest and do not harm public
safety or undermine individual freedoms by finding gaps in the
Penal Code and Chapter 82, Civil Practice and Remedies Code and
making recommendations to the Legislature.
(2) identify existing laws and regulations that impede
innovation in artificial intelligence development and recommend
appropriate reforms;
(3) analyze opportunities to improve the efficiency
and effectiveness of state government operations through the use of
artificial intelligence systems;
(4) investigate and evaluate potential instances of
regulatory capture, including undue influence by technology
companies or disproportionate burdens on smaller innovators;
(5) investigate and evaluate the influence of
technology companies on other companies and determine the existence
or use of tools or processes designed to censor competitors or
users; and
(6) offer guidance and recommendations to state
agencies including advisory opinions on the ethical and legal use
of artificial intelligence;
Sec. 553.002. COUNCIL MEMBERSHIP. (a) The council is
composed of 10 members as follows:
(1) four members of the public appointed by the
governor;
(2) two members of the public appointed by the
lieutenant governor;
(3) two members of the public appointed by the speaker
of the house of representatives;
(4) one senator appointed by the lieutenant governor
as a nonvoting member; and
(5) one member of the house of representatives
appointed by the speaker of the house of representatives as a
nonvoting member.
(b) Voting members of the council serve staggered four-year
terms, with the terms of four members expiring every two years.
(c) The governor shall appoint a chair from among the
members, and the council shall elect a vice chair from its
membership.
(d) The council may establish an advisory board composed of
individuals from the public who possess expertise directly related
to the council's functions, including technical, ethical,
regulatory, and other relevant areas.
Sec. 553.003. QUALIFICATIONS. (a) Members of the council
must be Texas residents and have knowledge or expertise in one or
more of the following areas:
(1) artificial intelligence technologies;
(2) data privacy and security;
(3) ethics in technology or law;
(4) public policy and regulation; or
(5) risk management or safety related to artificial
intelligence systems.
(b) Members must not hold an office or profit under the
state or federal government at the time of appointment.
Sec. 553.004. STAFF AND ADMINISTRATION. The council may
employ an executive director and other personnel as necessary to
perform its duties.
SUBCHAPTER B. POWERS AND DUTIES OF THE COUNCIL
Sec. 553.101. ISSUANCE OF ADVISORY OPINIONS. (a) A state
agency may request a written advisory opinion from the council
regarding the use of artificial intelligence systems in the state.
(b) The council may issue advisory opinions on state use of
artificial intelligence systems regarding:
(1) the compliance of artificial intelligence systems
with Texas law;
(2) the ethical implications of artificial
intelligence deployments in the state;
(3) data privacy and security concerns related to
artificial intelligence systems; or
(4) potential liability or legal risks associated with
the use of AI.
Sec. 553.102. RULEMAKING AUTHORITY. (a) The council may
adopt rules necessary to administer its duties under this chapter,
including:
(1) procedures for requesting advisory opinions;
(2) standards for ethical artificial intelligence
development and deployment;
(3) guidelines for evaluating the safety, privacy, and
fairness of artificial intelligence systems.
(b) The council's rules shall align with state laws on
artificial intelligence, technology, data security, and consumer
protection.
Sec. 553.103. TRAINING AND EDUCATIONAL OUTREACH. The
council shall conduct training programs for state agencies and
local governments on the ethical use of artificial intelligence
systems.
SECTION 3. Section 503.001, Business & Commerce Code is
amended by adding Subsection (c-3) to read as follows:
(c-3) This section does not apply to the training,
processing, or storage of biometric identifiers involved in machine
learning or artificial intelligence systems, unless performed for
the purpose of uniquely identifying a specific individual. If a
biometric identifier captured for the purpose of training an
artificial intelligence system is subsequently used for a
commercial purpose, the person possessing the biometric identifier
is subject to this section's provisions for the possession and
destruction of a biometric identifier and the associated penalties.
SECTION 4. Sections 541.051(b), 541.101(a), 541.102(a),
and Sec.541.104(a), Business & Commerce Code, are amended to read
as follows:
Sec. 541.051. CONSUMER'S PERSONAL DATA RIGHTS; REQUEST TO
EXERCISE RIGHTS. (a) A consumer is entitled to exercise the
consumer rights authorized by this section at any time by
submitting a request to a controller specifying the consumer rights
the consumer wishes to exercise. With respect to the processing of
personal data belonging to a known child, a parent or legal guardian
of the child may exercise the consumer rights on behalf of the
child.
(b) A controller shall comply with an authenticated
consumer request to exercise the right to:
(1) confirm whether a controller is processing the
consumer's personal data and to access the personal data;
(2) correct inaccuracies in the consumer's personal
data, taking into account the nature of the personal data and the
purposes of the processing of the consumer's personal data;
(3) delete personal data provided by or obtained about
the consumer;
(4) if the data is available in a digital format,
obtain a copy of the consumer's personal data that the consumer
previously provided to the controller in a portable and, to the
extent technically feasible, readily usable format that allows the
consumer to transmit the data to another controller without
hindrance; [or]
(5) know if the consumer's personal data is or will be
used in any artificial intelligence system and for what purposes;
or
([5]6) opt out of the processing of the personal data
for purposes of:
(A) targeted advertising;
(B) the sale of personal data; [or]
(C) the sale of personal data for use in
artificial intelligence systems prior to being collected; or
([C]D) profiling in furtherance of a decision
that produces a legal or similarly significant effect concerning
the consumer.
Sec. 541.101. CONTROLLER DUTIES; TRANSPARENCY. (a) A
controller:
(1) shall limit the collection of personal data to
what is adequate, relevant, and reasonably necessary in relation to
the purposes for which that personal data is processed, as
disclosed to the consumer; [and]
(2) for purposes of protecting the confidentiality,
integrity, and accessibility of personal data, shall establish,
implement, and maintain reasonable administrative, technical, and
physical data security practices that are appropriate to the volume
and nature of the personal data at issue.; and
(3) for purposes of protecting the unauthorized
access, disclosure, alteration, or destruction of data collected,
stored, and processed by artificial intelligence systems, shall
establish, implement, and maintain, reasonable administrative,
technical, and physical data security practices that are
appropriate to the volume and nature of the data collected, stored,
and processed by artificial intelligence systems.
Sec.541.102. PRIVACY NOTICE. (a) A controller shall
provide consumers with a reasonably accessible and clear privacy
notice that includes:
(1) the categories of personal data processed by the
controller, including, if applicable, any sensitive data processed
by the controller;
(2) the purpose for processing personal data;
(3) how consumers may exercise their consumer rights
under Subchapter B, including the process by which a consumer may
appeal a controller's decision with regard to the consumer's
request;
(4) if applicable, the categories of personal data
that the controller shares with third parties;
(5) if applicable, the categories of third parties
with whom the controller shares personal data; [and]
(6) if applicable, an acknowledgement of the
collection, use, and sharing of personal data for artificial
intelligence purposes; and
([6]7) a description of the methods required under
Section 541.055 through which consumers can submit requests to
exercise their consumer rights under this chapter.
Sec. 541.104. DUTIES OF PROCESSOR. (a) A processor shall
adhere to the instructions of a controller and shall assist the
controller in meeting or complying with the controller's duties or
requirements under this chapter, including:
(1) assisting the controller in responding to consumer
rights requests submitted under Section 541.051 by using
appropriate technical and organizational measures, as reasonably
practicable, taking into account the nature of processing and the
information available to the processor;
(2) assisting the controller with regard to complying
with the [requirement]requirements relating to the security of
processing personal data, and if applicable, the data collected,
stored, and processed by artificial intelligence systems and to the
notification of a breach of security of the processor's system
under Chapter 521, taking into account the nature of processing and
the information available to the processor; and
(3) providing necessary information to enable the
controller to conduct and document data protection assessments
under Section 541.105.
SECTION 5. Subtitle E, Title 4, Labor Code, is amended by
adding Chapter 319 to read as follows:
CHAPTER 319. TEXAS ARTIFICIAL INTELLIGENCE WORKFORCE DEVELOPMENT
GRANT PROGRAM
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 319.001. DEFINITIONS. In this chapter:
(1) "Artificial intelligence industry" means
businesses, research organizations, governmental entities, and
educational institutions engaged in the development, deployment,
or use of artificial intelligence technologies in Texas.
(2) "Commission" means the Texas Workforce
Commission.
(3) "Eligible entity" means Texas-based businesses in
the artificial intelligence industry, public school districts,
community colleges, public technical institutes, and workforce
development organizations.
(4) "Program" means the Texas Artificial Intelligence
Workforce Development Grant Program established under this
chapter.
SUBCHAPTER B. ARTIFICIAL INTELLIGENCE WORKFORCE DEVELOPMENT GRANT
PROGRAM
Sec. 319.051. ESTABLISHMENT OF GRANT PROGRAM. (a) The
commission shall establish the Texas Artificial Intelligence
Workforce Development Grant Program to:
(1) support and assist Texas-based artificial
intelligence companies in developing a skilled workforce;
(2) provide grants to local community colleges and
public high schools to implement or expand career and technical
education programs focused on artificial intelligence readiness
and skill development; and
(3) offer opportunities to retrain and reskill workers
through partnerships with the artificial intelligence industry and
workforce development programs.
(b) The program is intended to:
(1) prepare Texas workers and students for employment
in the rapidly growing artificial intelligence industry;
(2) support the creation of postsecondary programs and
certifications relevant to current artificial intelligence
opportunities;
(3) ensure that Texas maintains a competitive edge in
artificial intelligence innovation and workforce development; and
(4) address workforce gaps in artificial
intelligence-related fields, including data science,
cybersecurity, machine learning, robotics, and automation.
(c) The commission shall adopt rules necessary to implement
this subchapter.
Sec. 319.052. FEDERAL FUNDS AND GIFTS, GRANTS, AND
DONATIONS.
In addition to other money appropriated by the legislature,
for the purpose of providing artificial intelligence workforce
opportunities under the program established under this subchapter
the commission may:
(1) seek and apply for any available federal funds;
and
(2) solicit and accept gifts, grants, and donations
from any other source, public or private, as necessary to ensure
effective implementation of the program.
Sec. 319.053. ELIGIBILITY FOR GRANTS. (a) The following
entities are eligible to apply for grants under this program:
(1) Texas-based businesses engaged in the development
or deployment of artificial intelligence technologies;
(2) public school districts and charter schools
offering or seeking to offer career and technical education
programs in artificial intelligence-related fields or to update
existing curricula to address these fields;
(3) public community colleges and technical
institutes that develop artificial intelligence-related curricula
or training programs or update existing curricula or training
programs to incorporate artificial intelligence training; and
(4) workforce development organizations in
partnership with artificial intelligence companies to reskill and
retrain workers in artificial intelligence competencies.
(b) To be eligible, the entity must:
(1) submit an application to the commission in the
form and manner prescribed by the commission; and
(2) demonstrate the capacity to develop and implement
training, educational, or workforce development programs that
align with the needs of the artificial intelligence industry in
Texas and lead to knowledge, skills, and work-based experiences
that are transferable to similar employment opportunities in the
artificial intelligence industry.
Sec. 319.054. USE OF GRANTS. (a) Grants awarded under the
program may be used for:
(1) developing or expanding workforce training
programs for artificial intelligence-related skills, including but
not limited to machine learning, data analysis, software
development, and robotics;
(2) creating or enhancing career and technical
education programs in artificial intelligence for high school
students, with a focus on preparing them for careers in artificial
intelligence or related fields;
(3) providing financial support for instructors,
equipment, and technology necessary for artificial
intelligence-related workforce training;
(4) partnering with local businesses to develop
internship programs, on-the-job training opportunities, instructor
externships, and apprenticeships in the artificial intelligence
industry;
(5) funding scholarships or stipends for students,
instructors, and workers participating in artificial intelligence
training programs, particularly for individuals from underserved
or underrepresented communities; or
(6) reskilling and retraining workers displaced by
technological changes or job automation, with an emphasis on
artificial intelligence-related job roles.
(b) The commission shall prioritize funding for:
(1) initiatives that partner with rural and
underserved communities to promote artificial intelligence
education and career pathways;
(2) programs that lead to credentials of value in
artificial intelligence or related fields; and
(3) proposals that include partnerships between the
artificial intelligence industry, a public or private institution
of higher education in this state, and workforce development
organizations.
SECTION 6. Section 325.011, Government Code, is amended to
read as follows:
Sec. 325.011. CRITERIA FOR REVIEW. The commission and its
staff shall consider the following criteria in determining whether
a public need exists for the continuation of a state agency or its
advisory committees or for the performance of the functions of the
agency or its advisory committees:
(1) the efficiency and effectiveness with which the
agency or the advisory committee operates;
(2)(A) an identification of the mission, goals, and
objectives intended for the agency or advisory committee and of the
problem or need that the agency or advisory committee was intended
to address; and
(B) the extent to which the mission, goals, and
objectives have been achieved and the problem or need has been
addressed;
(3)(A) an identification of any activities of the
agency in addition to those granted by statute and of the authority
for those activities; and
(B) the extent to which those activities are
needed;
(4) an assessment of authority of the agency relating
to fees, inspections, enforcement, and penalties;
(5) whether less restrictive or alternative methods of
performing any function that the agency performs could adequately
protect or provide service to the public;
(6) the extent to which the jurisdiction of the agency
and the programs administered by the agency overlap or duplicate
those of other agencies, the extent to which the agency coordinates
with those agencies, and the extent to which the programs
administered by the agency can be consolidated with the programs of
other state agencies;
(7) the promptness and effectiveness with which the
agency addresses complaints concerning entities or other persons
affected by the agency, including an assessment of the agency's
administrative hearings process;
(8) an assessment of the agency's rulemaking process
and the extent to which the agency has encouraged participation by
the public in making its rules and decisions and the extent to which
the public participation has resulted in rules that benefit the
public;
(9) the extent to which the agency has complied with:
(A) federal and state laws and applicable rules
regarding equality of employment opportunity and the rights and
privacy of individuals; and
(B) state law and applicable rules of any state
agency regarding purchasing guidelines and programs for
historically underutilized businesses;
(10) the extent to which the agency issues and
enforces rules relating to potential conflicts of interest of its
employees;
(11) the extent to which the agency complies with
Chapters 551 and 552 and follows records management practices that
enable the agency to respond efficiently to requests for public
information;
(12) the effect of federal intervention or loss of
federal funds if the agency is abolished;
(13) the extent to which the purpose and effectiveness
of reporting requirements imposed on the agency justifies the
continuation of the requirement; [and]
(14) an assessment of the agency's cybersecurity
practices using confidential information available from the
Department of Information Resources or any other appropriate state
agency; and
(15) an assessment, using information available from
the Department of Information Resources, the Attorney General, or
any other appropriate state agency, of the agency's use of
artificial intelligence systems, high-risk artificial intelligence
systems, in its operations and its oversight of the use of
artificial intelligence systems by entities or persons under the
agency's jurisdiction, and any related impact on the agency's
ability to achieve its mission, goals, and objectives.
SECTION 7. Section 2054.068(b), Government Code, is amended
to read as follows:
(b) The department shall collect from each state agency
information on the status and condition of the agency's information
technology infrastructure, including information regarding:
(1) the agency's information security program;
(2) an inventory of the agency's servers, mainframes,
cloud services, and other information technology equipment;
(3) identification of vendors that operate and manage
the agency's information technology infrastructure; [and]
(4) any additional related information requested by
the department; and
(5) an evaluation of the use, or considered use, of
artificial intelligence systems and high-risk artificial
intelligence systems by each state agency.
SECTION 8. Section 2054.0965(b), Government Code, is
amended to read as follows:
Sec. 2054.0965. INFORMATION RESOURCES DEPLOYMENT REVIEW.
(b) Except as otherwise modified by rules adopted by the
department, the review must include:
(1) an inventory of the agency's major information
systems, as defined by Section 2054.008, and other operational or
logistical components related to deployment of information
resources as prescribed by the department;
(2) an inventory of the agency's major databases,
artificial intelligence systems, and applications;
(3) a description of the agency's existing and planned
telecommunications network configuration;
(4) an analysis of how information systems,
components, databases, applications, and other information
resources have been deployed by the agency in support of:
(A) applicable achievement goals established
under Section 2056.006 and the state strategic plan adopted under
Section 2056.009;
(B) the state strategic plan for information
resources; and
(C) the agency's business objectives, mission,
and goals;
(5) agency information necessary to support the state
goals for interoperability and reuse; and
(6) confirmation by the agency of compliance with
state statutes, rules, and standards relating to information
resources.
SECTION 9. Not later than September 1, 2025, the attorney
general shall post on the attorney general's Internet website the
information and online mechanism required by Section 551.041,
Business & Commerce Code, as added by this Act.
SECTION 10. This Act takes effect September 1, 2025.