Bill Text: TX HB4917 | 2023-2024 | 88th Legislature | Introduced
Bill Title: Relating to the regulation of third-party data collection entities; providing a civil penalty and authorizing a fee.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2023-03-23 - Referred to Business & Industry
88R9015 JES-F
By: Holland                                            H.B. No. 4917

A BILL TO BE ENTITLED
AN ACT
relating to the regulation of third-party data collection entities;
providing a civil penalty and authorizing a fee.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subtitle A, Title 11, Business & Commerce Code,
is amended by adding Chapter 509 to read as follows:
CHAPTER 509. THIRD-PARTY DATA COLLECTION
Sec. 509.001. DEFINITIONS. In this chapter:
(1) "Biometric identifier" has the meaning assigned by
Section 503.001.
(2) "Child" means an individual younger than 18 years
of age.
(3) "Collect," in the context of data, means to
obtain, receive, access, or otherwise acquire the data by any
means, including by purchasing or renting the data.
(4) "Covered data" means personal identifying
information to which this chapter applies as provided by Section
509.002.
(5) "Deidentified data" means information that does
not identify and is not linked or cannot reasonably be linked to an
individual or to a device linked to that individual, regardless of
whether the information is aggregated.
(6) "Employee" includes an individual who is a
director, officer, staff member, trainee, volunteer, or intern of
an employer or an individual working as an independent contractor
for an employer, regardless of whether the individual is paid,
unpaid, or employed on a temporary basis. The term does not include
an individual contractor who is a service provider.
(7) "Employee data" means information collected,
processed, or transferred by an employer if the information:
(A) is related to:
(i) a job applicant and was collected
during the course of the hiring and application process;
(ii) an employee who is acting in a
professional capacity for the employer, including the employee's
business contact information such as the employee's name, position,
title, business telephone number, business address, or business
e-mail address;
(iii) an employee's emergency contact
information; or
(iv) an employee or the employee's spouse,
dependent, covered family member, or beneficiary; and
(B) was collected, processed, or transferred
solely for:
(i) a purpose relating to the status of a
person described by Paragraph (A)(i) as a current or former job
applicant of the employer;
(ii) a purpose relating to the professional
activities of an employee described by Paragraph (A)(ii) on behalf
of the employer;
(iii) the purpose of having an emergency
contact on file for an employee described by Paragraph (A)(iii) and
for transferring the information in case of an emergency; and
(iv) the purpose of administering benefits
to which an employee described by Paragraph (A)(iv) is entitled or
to which another person described by that paragraph is entitled on
the basis of the employee's position with the employer.
(8) "Genetic data" means any data, regardless of
format, concerning an individual's genetic characteristics. The
term includes:
(A) raw sequence data derived from sequencing all
or a portion of an individual's extracted DNA; and
(B) genotypic and phenotypic information
obtained from analyzing an individual's raw sequence data.
(9) "Personal identifying information" has the
meaning assigned by Section 521.002.
(10) "Precise geolocation data" means information
accessed on a device or technology that shows the past or present
physical location of an individual or the individual's device with
sufficient precision to identify street-level location information
of the individual or device in a range of not more than 1,850 feet.
The term does not include location information regarding an
individual or device identifiable or derived solely from the visual
content of a legally obtained image, including the location of a
device that captured the image.
(11) "Process," in the context of data, means to
conduct or direct any operation or set of operations performed on
the data, including using, storing, or otherwise handling the data.
(12) "Publicly available information" means
information:
(A) that a business entity or service provider
reasonably believes is lawfully available to the general public:
(i) from a governmental record, unless use
of the information by the business entity violates the governmental
entity's restriction or terms of use for that information;
(ii) from widely distributed media,
including information from:
(a) a telephone book or online
directory;
(b) a television, Internet, or radio
program;
(c) the news media; or
(d) a generally available Internet
website or online service on which the relevant information has not
been restricted to a specific audience;
(iii) from a disclosure as required by law;
or
(iv) by visual observation in a public
place, other than data collected by a device in the individual's
possession; and
(B) that is not:
(i) an obscene visual depiction under 18
U.S.C. Section 1460;
(ii) an inference:
(a) made exclusively from multiple
independent sources of publicly available information; and
(b) that does not disclose an
individual's sensitive information;
(iii) a biometric identifier;
(iv) combined with personal identifying
information;
(v) genetic information not disclosed by
the individual in a manner provided by Paragraph (A); or
(vi) a nonconsensual intimate image, if
known to be nonconsensual.
(13) "Sensitive covered data" means:
(A) a government-issued identifier not required
by law to be available publicly, including:
(i) a social security number;
(ii) a passport number; or
(iii) a driver's license number;
(B) information that describes or reveals an
individual's mental or physical health diagnosis, condition, or
treatment;
(C) an individual's financial information,
except the last four digits of a debit or credit card number,
including:
(i) a financial account number;
(ii) a credit or debit card number; or
(iii) information that describes or reveals
the income level or bank account balances of the individual;
(D) a biometric identifier;
(E) genetic data;
(F) precise geolocation data;
(G) an individual's private communication that:
(i) if made using a device, is not made
using a device provided by the individual's employer that provides
conspicuous notice to the individual that the employer may access
communication made using the device; and
(ii) includes, unless the third-party data
collection entity is the sender or an intended recipient of the
communication:
(a) the individual's voicemails,
e-mails, texts, direct messages, or mail;
(b) information that identifies the
parties involved in the communications; and
(c) information that relates to the
transmission of the communications, including telephone numbers
called, telephone numbers from which calls were placed, the time
calls were made, call duration, and location information of the
parties to the call;
(H) a log-in credential, security code, or access
code for an account or device;
(I) information identifying the sexual behavior
of the individual in a manner inconsistent with the individual's
reasonable expectation regarding the collection, processing, or
transfer of the information;
(J) calendar information, address book
information, phone or text logs, photos, audio recordings, or
videos:
(i) maintained for private use by an
individual and stored on the individual's device or in another
location; and
(ii) not communicated using a device
provided by the individual's employer unless the employee was
provided conspicuous notice that the employer may access
communication made using the device;
(K) a photograph, film, video recording, or other
similar medium that shows the individual or a part of the individual
nude or wearing undergarments;
(L) information revealing the video content
requested or selected by an individual that is not:
(i) collected by a provider of broadcast
television service, cable service, satellite service, streaming
media service, or other video programming, as that term is defined
by 47 U.S.C. Section 613(h)(2); or
(ii) used solely for transfers for
independent video measurement;
(M) information regarding a known child;
(N) information revealing an individual's racial
or ethnic origin, color, religious beliefs, or union membership;
(O) information identifying an individual's
online activities over time accessing multiple Internet websites or
online services; or
(P) information collected, processed, or
transferred for the purpose of identifying information described by
this subdivision.
(14) "Service provider" means a person that receives,
collects, processes, or transfers personal identifying information
on behalf of, and at the direction of, a business or governmental
entity, including a business or governmental entity that is another
service provider, in order for the person to perform a service or
function with or on behalf of the business or governmental entity.
(15) "Third-party data collection entity" means a
business entity that collects, processes, or transfers covered data
that the entity did not collect directly from the individual linked
or linkable to the data.
(16) "Transfer," in the context of data, means to
disclose, release, share, disseminate, make available, or license
the data by any means or medium.
Sec. 509.002. APPLICABILITY TO CERTAIN DATA. (a) Except as
provided by Subsection (b), this chapter applies to personal
identifying information from an individual who resides in this
state that is collected, transferred, or processed by a third-party
data collection entity.
(b) This chapter does not apply to the following data:
(1) deidentified data, if the third-party data
collection entity:
(A) takes reasonable technical measures to
ensure that the data is not able to be used to identify an
individual with whom the data is associated;
(B) publicly commits in a clear and conspicuous
manner:
(i) to process and transfer the data solely
in a deidentified form without any reasonable means for
reidentification; and
(ii) to not attempt to identify the
information to an individual with whom the data is associated; and
(C) contractually obligates a person that
receives the information from the provider:
(i) to comply with this subsection with
respect to the information; and
(ii) to require that those contractual
obligations be included in any subsequent transfer of the data to
another person;
(2) employee data;
(3) publicly available information; or
(4) inferences made exclusively from multiple
independent sources of publicly available information that do not
reveal sensitive covered data with respect to an individual.
Sec. 509.003. APPLICABILITY OF CHAPTER TO CERTAIN BUSINESS
ENTITIES. (a) Except as provided by Subsection (b), this chapter
applies to a third-party data collection entity, which is a
business entity that, in a 12-month period, derives:
(1) more than 50 percent of the entity's revenue from
processing or transferring covered data that the entity did not
collect directly from the individuals to whom the data pertains; or
(2) revenue from processing or transferring the
covered data of more than 50,000 individuals that the entity did not
collect directly from the individuals to whom the data pertains.
(b) This chapter does not apply to:
(1) a business entity that:
(A) is engaging in the business of processing
employee data for a third party for the sole purpose of providing
benefits to the third party's employees; or
(B) is collecting covered data from another
entity to which the entity is related by common ownership or
corporate control if a reasonable consumer would expect the
entities to share the relevant data;
(2) a business entity that is a service provider with
respect to the entity's use of covered data;
(3) a governmental entity or an entity that is
collecting, processing, or transferring covered data as a service
provider for a governmental entity; or
(4) an entity that serves as a congressionally
designated nonprofit, national resource center, or clearinghouse
to provide assistance to victims, families, child-serving
professionals, and the general public on missing and exploited
children issues.
Sec. 509.004. NOTICE ON WEBSITE OR MOBILE APPLICATION. A
third-party data collection entity that maintains an Internet
website or mobile application shall post a conspicuous notice on
the website or application that:
(1) states that the entity maintaining the website or
application is a third-party data collection entity;
(2) must be clear, not misleading, and be readily
accessible by the general public, including individuals with a
disability;
(3) contains language provided by rule of the
secretary of state for inclusion in the notice; and
(4) provides a link to the "do not collect" online
registry established under Section 509.006.
Sec. 509.005. REGISTRATION. (a) To conduct business in
this state, a third-party data collection entity to which this
chapter applies that collects, processes, or transfers the covered
data of individuals residing in this state shall register with the
secretary of state by filing a registration statement and paying a
registration fee of $300.
(b) The registration statement must include:
(1) the legal name of the third-party data collection
entity;
(2) a contact person and the primary physical address,
e-mail address, telephone number, and Internet website address for
the entity;
(3) a description of the categories of data the entity
processes and transfers;
(4) a statement of whether or not the entity
implements a purchaser credentialing process that includes taking
reasonable steps to confirm that:
(A) the actual identity of the entity's customer
and the customer's use of the data matches the identity and intended
use provided to the entity by the customer; and
(B) the entity's customers will not use the data
for a nefarious purpose;
(5) if the entity has actual knowledge that the entity
possesses personal identifying information of a child:
(A) a statement detailing the data collection
practices, databases, sales activities, and opt-out policies that
are applicable to the personal identifying information of a child;
and
(B) a statement on how the entity complies with
applicable federal and state law regarding the collection, use, or
disclosure of personal identifying information from and about a
child on the Internet;
(6) the number of security breaches the entity has
experienced during the year immediately preceding the year in which
the registration is filed, and if known, the total number of
consumers affected by each breach;
(7) any litigation or unresolved complaints related to
the operation of the entity; and
(8) any Internet website link the entity provides to
allow individuals to easily access the "do not collect" online
registry established under Section 509.006.
(c) A registration of a third-party data collection entity
may include any additional information or explanation the
third-party data collection entity chooses to provide to the
secretary of state concerning the entity's data collection
practices.
(d) A registration certificate expires on the first
anniversary of its date of issuance. A third-party data collection
entity may renew a registration certificate by filing a renewal
application, in the form prescribed by the secretary of state, and
paying a renewal fee in the amount of $300.
Sec. 509.006. REGISTRY OF THIRD-PARTY COLLECTING ENTITIES;
DO NOT COLLECT REQUESTS. (a) The secretary of state shall
establish and maintain, on its Internet website, a searchable,
central registry of third-party data collection entities
registered under Section 509.005.
(b) The registry must include:
(1) a search feature that allows a person searching
the registry to identify a specific third-party data collection
entity;
(2) for each third-party data collection entity, the
information filed under Section 509.005(b); and
(3) a link and mechanism by which individuals may
submit do not collect requests to third-party collection entities,
other than consumer reporting agencies, as provided by Subsection
(c).
(c) The secretary of state shall ensure that under the
mechanism described by Subsection (b) an individual has the
capability to easily submit a single request requiring all
registered third-party data collection entities to:
(1) delete, not later than the 30th day after
receiving the request, all covered data related to the requesting
individual that is in their possession and was not collected from
the individual directly; and
(2) cease collecting, processing, or transferring
covered data related to the requesting individual, unless the
entity receives the individual's affirmative express consent to
continue to collect, process, or transfer data, as applicable, in
accordance with Subsection (e).
(d) Notwithstanding Subsection (c), a third-party data
collection entity may decline to comply with a request under that
subsection if the entity:
(1) knows that the individual has been convicted of a
crime related to the abduction or sexual exploitation of a child,
and that the data the entity is collecting is necessary to
effectuate the purposes of a federal or state sex offender registry
or of an entity described by Section 509.003(b)(4); or
(2) is a consumer reporting agency governed by the
Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.).
(e) For purposes of Subsection (c)(2), an individual is
considered to have given the individual's affirmative express
consent if the individual, by an affirmative act, clearly
communicates the individual's specific and unambiguous
authorization for the act or practice in response to a specific
request by a third-party data collection entity that:
(1) is provided to the individual in a clear,
conspicuous, and separate disclosure presented through:
(A) the primary medium by which the entity offers
its products or services; or
(B) another medium regularly used in conjunction
with the entity's products or services;
(2) includes a description of the processing purpose
for which the individual's consent is sought, that:
(A) clearly states the specific categories of
personal identifying information the business will collect,
process, or transfer for that purpose;
(B) includes a prominent heading; and
(C) is written in easily understood language
intended to enable a reasonable individual to identify and
understand the processing purpose for which consent is sought;
(3) explains the individual's right to give and revoke
consent under this section;
(4) is made in a manner reasonably accessible to and
usable by an individual with a disability;
(5) is made available in each language in which the
business provides a product or service for which consent is sought;
(6) presents the option to refuse consent at least as
prominently as the option to accept; and
(7) ensures that refusing to consent takes not more
than the same amount of steps to complete as the option to accept
consent.
(f) If the processing purpose disclosed to an individual in
a request made under Subsection (e) changes, a third-party data
collection entity must request and receive a new consent that meets
the requirements of that subsection before the entity is able to
collect, transfer, or process any further information pursuant to
that consent.
(g) An individual's inaction or continued use of a service
or product provided by a third-party data collection entity does
not constitute an individual's affirmative express consent for
purposes of Subsection (e).
(h) A third-party data collection entity may not obtain or
attempt to obtain an individual's affirmative express consent under
Subsection (b) through:
(1) the use of a false, fraudulent, or materially
misleading statement or representation; or
(2) the design, modification, or manipulation of a
user interface to impair a reasonable individual's autonomy to
consent or to withhold certain personal identifying information.
Sec. 509.007. CIVIL PENALTY. (a) A third-party data
collection entity that violates Section 509.004, 509.005, or
509.006 is liable to this state for a civil penalty as prescribed by
this section.
(b) A civil penalty imposed against a third-party data
collection entity under this section:
(1) subject to Subdivision (2), may not be in an amount
less than the total of:
(A) $100 for each day the entity is in violation
of Section 509.004 or 509.005; and
(B) the amount of unpaid registration fees for
each year the entity failed to register in violation of Section
509.005; and
(2) may not exceed $10,000 assessed against the same
entity in a 12-month period.
(c) The attorney general may bring an action to recover a
civil penalty imposed under this section. The attorney general may
recover reasonable attorney's fees and court costs incurred in
bringing the action.
Sec. 509.008. DECEPTIVE TRADE PRACTICE. A violation of
this chapter constitutes a deceptive trade practice in addition to
the practices described by Subchapter E, Chapter 17, and is
actionable under that subchapter.
Sec. 509.009. RULES. The secretary of state shall adopt
rules as necessary to implement this chapter.
SECTION 2. Not later than December 1, 2023, the secretary of
state shall adopt rules necessary to facilitate registration by a
third-party data collection entity under Section 509.005, Business &
Commerce Code, as added by this Act.
SECTION 3. Chapter 509, Business & Commerce Code, as added
by this Act, applies only to the collection, processing, or
transfer of personal identifying information by a third-party data
collection entity on or after the effective date of this Act.
SECTION 4. This Act takes effect September 1, 2023.