BUSINESS AND COMMERCE CODE
TITLE 11. PERSONAL IDENTITY INFORMATION
SUBTITLE A. IDENTIFYING INFORMATION
Chapter 509, consisting of Secs. 509.001 to 509.010, was added by Acts 2023, 88th Leg., R.S., Ch. 963 (S.B. 2105), Sec. 1.
For another Chapter 509, consisting of Secs. 509.001 to 509.152, added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, see Sec. 509.001 et seq., post.
CHAPTER 509. DATA BROKERS
Sec. 509.001. DEFINITIONS. In this chapter:
(1) "Biometric data" means data generated by automatic measurements of an individual's biological patterns or characteristics, including fingerprint, voiceprint, retina or iris scan, information pertaining to an individual's DNA, or another unique biological pattern or characteristic that is used to identify a specific individual.
(2) "Child" means an individual younger than 13 years of age.
(3) "Collect," in the context of data, means to obtain, receive, access, or otherwise acquire the data by any means, including by purchasing or renting the data.
(4) "Data broker" means a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.
(5) "Deidentified data" means data that cannot reasonably be linked to an identified or identifiable individual or to a device linked to that individual.
(6) "Employee" includes an individual who is a director, officer, staff member, trainee, volunteer, or intern of an employer or an individual working as an independent contractor for an employer, regardless of whether the individual is paid, unpaid, or employed on a temporary basis. The term does not include an individual contractor who is a service provider.
(7) "Employee data" means information collected, processed, or transferred by an employer if the information:
(A) is related to:
(i) a job applicant and was collected during the course of the hiring and application process;
(ii) an employee who is acting in a professional capacity for the employer, including the employee's business contact information such as the employee's name, position, title, business telephone number, business address, or business e-mail address;
(iii) an employee's emergency contact information; or
(iv) an employee or the employee's spouse, dependent, covered family member, or beneficiary; and
(B) was collected, processed, or transferred solely for:
(i) a purpose relating to the status of a person described by Paragraph (A)(i) as a current or former job applicant of the employer;
(ii) a purpose relating to the professional activities of an employee described by Paragraph (A)(ii) on behalf of the employer;
(iii) the purpose of having an emergency contact on file for an employee described by Paragraph (A)(iii) and for transferring the information in case of an emergency; and
(iv) the purpose of administering benefits to which an employee described by Paragraph (A)(iv) is entitled or to which another person described by that paragraph is entitled on the basis of the employee's position with the employer.
(8) "Genetic data" means any data, regardless of format, concerning an individual's genetic characteristics. The term includes:
(A) raw sequence data derived from sequencing all or a portion of an individual's extracted DNA; and
(B) genotypic and phenotypic information obtained from analyzing an individual's raw sequence data.
(9) "Individual" means a natural person residing in this state.
(10) "Known child" means a child under circumstances where a data broker has actual knowledge of, or wilfully disregards obtaining actual knowledge of, the child's age.
(11) "Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the information is used by a controller or processor in conjunction with additional information that reasonably links the information to an identified or identifiable individual. The term does not include deidentified data, employee data, or publicly available information.
(12) "Precise geolocation data" means information accessed on a device or technology that shows the past or present physical location of an individual or the individual's device with sufficient precision to identify street-level location information of the individual or device in a range of not more than 1,850 feet. The term does not include location information regarding an individual or device identifiable or derived solely from the visual content of a legally obtained image, including the location of a device that captured the image.
(13) "Process," in the context of data, means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(14) "Publicly available information" means information that:
(A) is lawfully made available through government records;
(B) a business has a reasonable basis to believe is lawfully available to the general public through widely distributed media; or
(C) is lawfully made available by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted access to the information to a specific audience.
(15) "Sensitive data" means:
(A) a government-issued identifier not required by law to be available publicly, including:
(i) a social security number;
(ii) a passport number; or
(iii) a driver's license number;
(B) information that describes or reveals an individual's mental or physical health diagnosis, condition, or treatment;
(C) an individual's financial information, except the last four digits of a debit or credit card number, including:
(i) a financial account number;
(ii) a credit or debit card number; or
(iii) information that describes or reveals the income level or bank account balances of the individual;
(D) biometric data;
(E) genetic data;
(F) precise geolocation data;
(G) an individual's private communication that:
(i) if made using a device, is not made using a device provided by the individual's employer that provides conspicuous notice to the individual that the employer may access communication made using the device; and
(ii) includes, unless the data broker is the sender or an intended recipient of the communication:
(a) the individual's voicemails, e-mails, texts, direct messages, or mail;
(b) information that identifies the parties involved in the communications; and
(c) information that relates to the transmission of the communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call;
(H) a log-in credential, security code, or access code for an account or device;
(I) information identifying the sexual behavior of the individual in a manner inconsistent with the individual's reasonable expectation regarding the collection, processing, or transfer of the information;
(J) calendar information, address book information, phone or text logs, photos, audio recordings, or videos:
(i) maintained for private use by an individual and stored on the individual's device or in another location; and
(ii) not communicated using a device provided by the individual's employer unless the employee was provided conspicuous notice that the employer may access communication made using the device;
(K) a photograph, film, video recording, or other similar medium that shows the individual or a part of the individual nude or wearing undergarments;
(L) information revealing the video content requested or selected by an individual that is not:
(i) collected by a provider of broadcast television service, cable service, satellite service, streaming media service, or other video programming, as that term is defined by 47 U.S.C. Section 613(h)(2); or
(ii) used solely for transfers for independent video measurement;
(M) information regarding a known child;
(N) information revealing an individual's racial or ethnic origin, color, religious beliefs, or union membership;
(O) information identifying an individual's online activities over time accessing multiple Internet websites or online services; or
(P) information collected, processed, or transferred for the purpose of identifying information described by this subdivision.
(16) "Service provider" means a person that receives, collects, processes, or transfers personal data on behalf of, and at the direction of, a business or governmental entity, including a business or governmental entity that is another service provider, in order for the person to perform a service or function with or on behalf of the business or governmental entity.
(17) "Transfer," in the context of data, means to disclose, release, share, disseminate, make available, sell, or license the data by any means or medium.
Added by Acts 2023, 88th Leg., R.S., Ch. 963 (S.B. 2105), Sec. 1, eff. September 1, 2023.