Page 354 - GDPR and US States General Privacy Laws Deskbook

354 | Texas Data Privacy and Security Act
AN ACT
relating to the regulation of the collection, use, processing, and treatment of
consumers’ personal data by certain business entities; imposing a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. This Act may be cited as the Texas Data Privacy and Security Act.
SECTION 2. Title 11, Business & Commerce Code, is amended by adding Subtitle C to read as follows:
SUBTITLE C. CONSUMER DATA PROTECTION
CHAPTER 541. CONSUMER DATA PROTECTION
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 541.001. DEFINITIONS.
In this chapter, unless a different meaning is required by the context:
(1)  “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares
common branding with another legal entity. For purposes of this subdivision, “control” or “controlled” means:
(A)  the ownership of, or power to vote, more than 50 percent of the outstanding shares of any class of voting security of
a company;
(B) the control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(C)  the power to exercise controlling influence over the management of a company.
(2)  “Authenticate” means to verify through reasonable means that the consumer who is entitled to exercise the consumer’s
rights under Subchapter B is the same consumer exercising those consumer rights with respect to the personal data at
issue.
(3)  “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics. The
term includes a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic that is used
to identify a specific individual. The term does not include a physical or digital photograph or data generated from a
physical or digital photograph, a video or audio recording or data generated from a video or audio recording, or information
collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and
Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
(4)  “Business associate” has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of
1996 (42 U.S.C. Section 1320d et seq.).
(5) “Child” means an individual younger than 13 years of age.
(6)  “Consent,” when referring to a consumer, means a clear affirmative act signifying a consumer’s freely given, specific,
informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written
statement, including a statement written by electronic means, or any other unambiguous affirmative action. The term does
not include:
(A)  acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing
along with other, unrelated information;
(B) hovering over, muting, pausing, or closing a given piece of content; or
(C) agreement obtained through the use of dark patterns.




























































