Current with legislation from the 2023 Regular and Special Sessions signed by the Governor as of November 21, 2023.
Section 541.001 - Definitions
In this chapter, unless a different meaning is required by the context:
(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For purposes of this subdivision, "control" or "controlled" means: (A) the ownership of, or power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; (B) the control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or (C) the power to exercise controlling influence over the management of a company.
(2) "Authenticate" means to verify through reasonable means that the consumer who is entitled to exercise the consumer's rights under Subchapter B is the same consumer exercising those consumer rights with respect to the personal data at issue.
(3) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics. The term includes a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic that is used to identify a specific individual. The term does not include a physical or digital photograph or data generated from a physical or digital photograph, a video or audio recording or data generated from a video or audio recording, or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
(4) "Business associate" has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
(5) "Child" means an individual younger than 13 years of age.
(6) "Consent," when referring to a consumer, means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.
The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action. The term does not include: (A) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; (B) hovering over, muting, pausing, or closing a given piece of content; or (C) agreement obtained through the use of dark patterns.
(7) "Consumer" means an individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
(8) "Controller" means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.
(9) "Covered entity" has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
(10) "Dark pattern" means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice the Federal Trade Commission refers to as a dark pattern.
(11) "Decision that produces a legal or similarly significant effect concerning a consumer" means a decision made by the controller that results in the provision or denial by the controller of: (A) financial and lending services; (B) housing, insurance, or health care services; (C) education enrollment; (D) employment opportunities; (F) access to basic necessities, such as food and water.
(12) "Deidentified data" means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual.
(13) "Health care provider" has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
(14) "Health record" means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health care services to an individual that concerns the individual and the services provided. The term includes: (A) the substance of any communication made by an individual to a health care provider in confidence during or in connection with the provision of health care services; or (B) information otherwise acquired by the health care provider about an individual in confidence and in connection with health care services provided to the individual.
(15) "Identified or identifiable individual" means a consumer who can be readily identified, directly or indirectly.
(16) "Institution of higher education" means: (A) an institution of higher education as defined by Section 61.003, Education Code; or (B) a private or independent institution of higher education as defined by Section 61.003, Education Code.
(17) "Known child" means a child under circumstances where a controller has actual knowledge of, or wilfully disregards, the child's age.
(18) "Nonprofit organization" means: (A) a corporation organized under Chapters 20 and 22, Business Organizations Code, and the provisions of Title 1, Business Organizations Code, to the extent applicable to nonprofit corporations; (B) an organization exempt from federal taxation under Section 501(a), Internal Revenue Code of 1986, by being listed as an exempt organization under Section 501(c)(3), 501(c)(6), 501(c)(12), or 501(c)(19) of that code; (C) a political organization; or (D) an organization that: (i) is exempt from federal taxation under Section 501(a), Internal Revenue Code of 1986, by being listed as an exempt organization under Section 501(c)(4) of that code; and (ii) is described by Section 701.052(a), Insurance Code.
(19) "Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.
The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.
(20) "Political organization" means a party, committee, association, fund, or other organization, regardless of whether incorporated, that is organized and operated primarily for the purpose of influencing or attempting to influence: (A) the selection, nomination, election, or appointment of an individual to a federal, state, or local public office or an office in a political organization, regardless of whether the individual is selected, nominated, elected, or appointed; or (B) the election of a presidential/vice-presidential elector, regardless of whether the elector is selected, nominated, elected, or appointed.
(21) "Precise geolocation data" means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. The term does not include the content of communications or any data generated by or connected to an advanced utility metering infrastructure system or to equipment for use by a utility.
(22) "Process" or "processing" means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(23) "Processor" means a person that processes personal data on behalf of a controller.
(24) "Profiling" means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(25) "Protected health information" has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
(26) "Pseudonymous data" means any information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
(27) "Publicly available information" means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
(28) "Sale of personal data" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.
The term does not include: (A) the disclosure of personal data to a processor that processes the personal data on the controller's behalf; (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; (C) the disclosure or transfer of personal data to an affiliate of the controller; (D) the disclosure of information that the consumer: (i) intentionally made available to the general public through a mass media channel; and (ii) did not restrict to a specific audience; or (E) the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.
(29) "Sensitive data" means a category of personal data. The term includes: (A) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; (B) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (C) personal data collected from a known child; or (D) precise geolocation data.
(30) "State agency" means a department, commission, board, office, council, authority, or other agency in any branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by Section 61.003, Education Code.
(31) "Targeted advertising" means displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.
The term does not include: (A) an advertisement that: (i) is based on activities within a controller's own websites or online applications; (ii) is based on the context of a consumer's current search query, visit to a website, or online application; or (iii) is directed to a consumer in response to the consumer's request for information or feedback; or (B) the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency.
(32) "Third party" means a person, other than the consumer, the controller, the processor, or an affiliate of the controller or processor.
(33) "Trade secret" means all forms and types of information, including business, scientific, technical, economic, or engineering information, and any formula, design, prototype, pattern, plan, compilation, program device, program, code, device, method, technique, process, procedure, financial data, or list of actual or potential customers or suppliers, whether tangible or intangible and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if: (A) the owner of the trade secret has taken reasonable measures under the circumstances to keep the information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.
Tex. Bus. and Comm. Code § 541.001
Added by Acts 2023, Texas Acts of the 88th Leg. - Regular Session, ch. 995, Sec. 2, eff. 7/1/2024.