By: Capriglione H.B. No. 1709       A BILL TO BE ENTITLED   AN ACT   relating to the regulation and reporting on the use of artificial   intelligence systems by certain business entities and state   agencies; providing civil penalties.          BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:          SECTION 1.  This Act may be cited as the Texas Responsible   Artificial Intelligence Governance Act          SECTION 2.  Title 11, Business & Commerce Code, is amended by   adding Subtitle D to read as follows:   SUBTITLE D. ARTIFICIAL INTELLIGENCE PROTECTION   CHAPTER 551. ARTIFICIAL INTELLIGENCE PROTECTION   SUBCHAPTER A. GENERAL PROVISIONS          Sec. 551.001.  DEFINITIONS. In this chapter:                (1)  "Algorithmic discrimination" means any condition   in which an artificial intelligence system when deployed creates an   unlawful discrimination of a protected classification in violation   of the laws of this state or federal law.                      (A)  "Algorithmic discrimination" does not   include the offer, license, or use of a high-risk artificial   intelligence system by a developer or deployer for the sole purpose   of the developer's or deployer's self-testing, for a non-deployed   purpose, to identify, mitigate, or prevent discrimination or   otherwise ensure compliance with state and federal law.                (2)  "Artificial intelligence system" means the use of   machine learning and related technologies that use data to train   statistical models for the purpose of enabling computer systems to   perform tasks normally associated with human intelligence or   perception, such as computer vision, speech or natural language   processing, and content generation.                (3)  "Biometric identifier" means a retina or iris   scan, fingerprint, voiceprint, or record of hand or face geometry.                (4)  "Council" means the Artificial Intelligence   Council established under Chapter 553.                (5)  "Consequential decision" means any decision that   has a material, legal, or similarly significant, effect on a   consumer's access to, cost of, or terms or conditions of:                      (A)  a criminal case assessment, a sentencing or   plea agreement analysis, or a pardon, parole, probation, or release   decision;                      (B)  education enrollment or an education   opportunity;                      (C)  employment or an employment opportunity;                      (D)  a financial service;                      (E)  an essential government service;                      (F)  residential utility services;                      (G)  a health-care service or treatment;                      (H)  housing;                      (I)  insurance;                      (J)  a legal service;                      (K)  a transportation service;                      (L)  constitutionally protected services or   products; or                      (M)  elections or voting process.                (6)  "Consumer" means an individual who is a resident   of this state acting only in an individual or household context.   The term does not include an individual acting in a commercial or   employment context.                (7)  "Deploy" means to put into effect or   commercialize.                (8)  "Deployer" means a person doing business in this   state that deploys a high-risk artificial intelligence system.                (9)  "Developer" means a person doing business in this   state that develops a high-risk artificial intelligence system or   substantially or intentionally modifies an artificial intelligence   system.                (10)  "Digital service" means a website, an   application, a program, or software that collects or processes   personal identifying information with Internet connectivity.                (11)  "Digital service provider" means a person who:                      (A)  owns or operates a digital service;                      (B)  determines the purpose of collecting and   processing the personal identifying information of users of the   digital service; and                      (C)  determines the means used to collect and   process the personal identifying information of users of the   digital service.                (12)  "Distributor" means a person, other than the   Developer, that makes an artificial intelligence system available   in the market for a commercial purpose.                (13)  "Generative artificial intelligence" means   artificial intelligence models that can emulate the structure and   characteristics of input data in order to generate derived   synthetic content. This can include images, videos, audio, text,   and other digital content.                (14)  "High-risk artificial intelligence system" means   any artificial intelligence system that is a substantial factor to   a consequential decision. The term does not include:                      (A)  an artificial intelligence system if the   artificial intelligence system is intended to detect   decision-making patterns or deviations from prior decision-making   patterns and is not intended to replace or influence a previously   completed human assessment without sufficient human review;                      (B)  an artificial intelligence system that   violates a provision of Subchapter B; or                      (C)  the following technologies, unless the   technologies, when deployed, make, or are a substantial factor in   making, a consequential decision:                            (i)  anti-malware;                            (ii)  anti-virus;                            (iii)  calculators;                            (iv)  cybersecurity;                            (v)  databases;                            (vi)  data storage;                            (vii)  firewall;                            (viii)  fraud detection systems;                            (ix)  internet domain registration;                            (x)  internet website loading;                            (xi)  networking;                            (xii)  operational technology;                            (xiii)  spam- and robocall-filtering;                            (xiv)  spell-checking;                            (xv)  spreadsheets;                            (xvi)  web caching;                            (xvii)  web scraping;                            (xviii)  web hosting or any similar   technology; or                            (xviv)  any technology that solely   communicates in natural language for the sole purpose of providing   users with information, making referrals or recommendations   relating to customer service, and answering questions and is   subject to an acceptable use policy that prohibits generating   content that is discriminatory or harmful, as long as the system   does not violate any provision listed in Subchapter B.                (15)  "Open source artificial intelligence system"   means an artificial intelligence system that:                      (A)  can be used or modified for any purpose   without securing permission from the owner or creator of such an   artificial intelligence system;                      (B)  can be shared for any use with or without   modifications; and                      (C)  includes information about the data used to   train such system that is sufficiently detailed such that a person   skilled in artificial intelligence could create a substantially   equivalent system when the following are made available freely or   through a non-restrictive license:                            (i)  the same or similar data;                            (ii)  the source code used to train and run   such system; and                            (iii)  the model weights and parameters of   such system.                (16)  "Operational technology" means hardware and   software that detects or causes a change through the direct   monitoring or control of physical devices, processes, and events in   the enterprise.                (17)  "Personal data" has the meaning assigned to it by   Section 541.001, Business and Commerce Code.                (18)  "Risk" means the composite measure of an event's   probability of occurring and the magnitude or degree of the   consequences of the corresponding event.                (19)  "Sensitive personal attribute" means race,   political opinions, religious or philosophical beliefs, ethnic   orientation, mental health diagnosis, or sex. The term does not   include conduct that would be classified as an offense under   Chapter 21, Penal Code.                (20)  "Social media platform" has the meaning assigned   by Section 120.001, Business and Commerce Code.                (21)  "Substantial factor" means a factor that is:                      (A)  considered when making a consequential   decision;                      (B)  likely to alter the outcome of a   consequential decision; and                      (C)  weighed more heavily than any other factor   contributing to the consequential decision.                (22)  "Intentional and substantial modification" or   "Substantial modification" means a deliberate change made to an   artificial intelligence system that reasonably increases the risk   of algorithmic discrimination.          Sec. 551.002.  APPLICABILITY OF CHAPTER. This chapter   applies only to a person that is not a small business as defined by   the United States Small Business Administration, and:                (1)  conducts business, promotes, or advertises in this   state or produces a product or service consumed by residents of this   state; or                (2)  engages in the development, distribution, or   deployment of a high-risk artificial intelligence system in this   state.          Sec. 551.003.  DEVELOPER DUTIES. (a)  A developer of a   high-risk artificial intelligence system shall use reasonable care   to protect consumers from any known or reasonably foreseeable risks   of algorithmic discrimination arising from the intended and   contracted uses of the high-risk artificial intelligence system.          (b)  Prior to providing a high-risk artificial intelligence   system to a deployer, a developer shall provide to the deployer, in   writing, a High-Risk Report that consists of:                (1)  a statement describing how the high-risk   artificial intelligence system should be used or not be used;                (2)  any known limitations of the system that could   lead to algorithmic discrimination, the metrics used to measure the   system's performance, which shall include at a minimum, metrics   related to accuracy, explainability, transparency, reliability,   and security set forth in the most recent version of the "Artificial   Intelligence Risk Management Framework: Generative Artificial   Intelligence Profile" published by the National Institute of   Standards and Technology, and how the system performs under those   metrics in its intended use contexts;                (3)  any known or reasonably foreseeable risks of   algorithmic discrimination, arising from its intended or likely   use;                (4)  a high-level summary of the type of data used to   program or train the high-risk artificial intelligence system;                (5)  the data governance measures used to cover the   training datasets and their collection, and the measures used to   examine the suitability of data sources and prevent unlawful   discriminatory biases; and                (6)  appropriate principles, processes, and personnel   for the deployers' risk management policy.          (c)  If a high-risk artificial intelligence system is   intentionally or substantially modified after a developer provides   it to a deployer, a developer shall make necessary information in   subsection (b) available to deployers within 30 days of the   modification.          (d)  If a developer believes or has reason to believe, that   it deployed a high-risk artificial intelligence system that does   not comply with a requirement of this chapter, the developer shall   immediately take the necessary corrective actions to bring that   system into compliance, including by withdrawing it, disabling it,   and recalling it, as appropriate. Where applicable, the developer   shall inform the distributors or deployers of the high-risk   artificial intelligence system concerned.          (e)  Where the high-risk artificial intelligence system   presents risks of algorithmic discrimination, unlawful use or   disclosure of personal data, or deceptive manipulation or coercion   of human behavior and the developer knows or should reasonably know   of that risk, it shall immediately investigate the causes, in   collaboration with the deployer, where applicable, and inform the   attorney general in writing of the nature of the non-compliance and   of any relevant corrective action taken.          (f)  Developers shall keep detailed records of any   generative artificial intelligence training data used to develop a   generative artificial intelligence system or service, consistent   with the suggested actions under GV-1.2-007 of the "Artificial   Intelligence Risk Management Framework: Generative Artificial   Intelligence Profile" by the National Institute of Standards and   Technology, or any subsequent versions thereof.          Sec. 551.004.  DISTRIBUTOR DUTIES. A distributor of a   high-risk artificial intelligence system shall use reasonable care   to protect consumers from any known or reasonably foreseeable risks   of algorithmic discrimination.  If a distributor of a high-risk   artificial intelligence system knows or has reason to know that a   high-risk artificial intelligence system is not in compliance with   any requirement in this chapter, it shall immediately withdraw,   disable, or recall as appropriate, the high-risk artificial   intelligence system from the market until the system has been   brought into compliance with the requirements of this chapter.  The   distributor shall inform the developers of the high-risk artificial   intelligence system concerned and, where applicable, the   deployers.          Sec. 551.005.  DEPLOYER DUTIES. A deployer of a high-risk   artificial intelligence system shall use reasonable care to protect   consumers from any known or reasonably foreseeable risks of   algorithmic discrimination. If a deployer of a high-risk   artificial intelligence system knows or has reason to know that a   high-risk artificial intelligence system is not in compliance with   any requirement in this chapter, it shall immediately suspend the   use of the high-risk artificial intelligence system from the market   until the system has been brought into compliance with the   requirements of this chapter.  The deployer shall inform the   developers of the high-risk artificial intelligence system   concerned and, where applicable, the distributors.          Sec. 551.006.  IMPACT ASSESSMENTS. (a) A deployer that   deploys a high-risk artificial intelligence system shall complete   an impact assessment for the high-risk artificial intelligence   system. A deployer, or a third-party contracted by the deployer for   such purposes, shall complete an impact assessment annually and   within ninety days after any intentional and substantial   modification to the high-risk artificial intelligence system is   made available. An impact assessment must include, at a minimum,   and to the extent reasonably known by or available to the deployer:                (1)  a statement by the deployer disclosing the   purpose, intended use cases, and deployment context of, and   benefits afforded by, the high-risk artificial intelligence   system;                (2)  an analysis of whether the deployment of the   high-risk artificial intelligence system poses any known or   reasonably foreseeable risks of algorithmic discrimination and, if   so, the nature of the algorithmic discrimination and the steps that   have been taken to mitigate the risks;                (3)  a description of the categories of data the   high-risk artificial intelligence system processes as inputs and   the outputs the high-risk artificial intelligence system produces;                (4)  if the deployer used data to customize the   high-risk artificial intelligence system, an overview of the   categories of data the deployer used to customize the high-risk   artificial intelligence system;                (5)  any metrics used to evaluate the performance and   known limitations of the high-risk artificial intelligence system;                (6)  a description of any transparency measures taken   concerning the high-risk artificial intelligence system, including   any measures taken to disclose to a consumer that the high-risk   artificial intelligence system will be used;                (7)  a description of the post-deployment monitoring   and user safeguards provided concerning the high-risk artificial   intelligence system, including the oversight, use, and learning   process established by the deployer to address issues arising from   the deployment of the high-risk artificial intelligence system; and                (8)  a description of cybersecurity measures and threat   modeling conducted on the system.          (b)  Following an intentional and substantial modification   to a high-risk artificial intelligence system, a deployer must   disclose the extent to which the high-risk artificial intelligence   system was used in a manner that was consistent with, or varied   from, the developer's intended uses of the high-risk artificial   intelligence system.          (c)  A single impact assessment may address a comparable set   of high-risk artificial intelligence systems deployed by a   deployer.          (d)  A deployer shall maintain the most recently completed   impact assessment for a high-risk artificial intelligence system,   all records concerning each impact assessment, and all prior impact   assessments, if any, for at least three years following the final   deployment of the high-risk artificial intelligence system.          (e)  If a deployer, or a third party contracted by the   deployer, completes an impact assessment for the purpose of   complying with another applicable law or regulation, such impact   assessment shall be deemed to satisfy the requirements established   in this subsection if such impact assessment is reasonably similar   in scope and effect to the impact assessment that would otherwise be   completed pursuant to this subsection.          (f)  A deployer may redact any trade secrets as defined by   Section 541.001(33), Business & Commerce Code or information   protected from disclosure by state or federal law.          (g)  Except as provided in subsection (e) of this section, a   developer that makes a high-risk artificial intelligence system   available to a deployer shall make available to the deployer the   documentation and information necessary for a deployer to complete   an impact assessment pursuant to this section.          (h)  A developer that also serves as a deployer for a   high-risk artificial intelligence system is not required to   generate and store an impact assessment unless the high-risk   artificial intelligence system is provided to an unaffiliated   deployer.          Sec. 551.007.  DISCLOSURE OF A HIGH-RISK ARTIFICIAL   INTELLIGENCE SYSTEM TO CONSUMERS. (a) A deployer or developer that   deploys, offers, sells, leases, licenses, gives, or otherwise makes   available a high-risk artificial intelligence system that is   intended to interact with consumers shall disclose to each   consumer, before or at the time of interaction:                (1)  that the consumer is interacting with an   artificial intelligence system;                (2)  the purpose of the system;                (3)  that the system may or will make a consequential   decision affecting the consumer;                (4)  the nature of any consequential decision in which   the system is or may be a substantial factor;                (5)  the factors to be used in making any consequential   decisions;                (6)  contact information of the deployer;                (7)  a description of:                      (A)  any human components of the system;                      (B)  any automated components of the system; and                      (C)  how human and automated components are used   to inform a consequential decision; and                (8)  a declaration of the consumer's rights under   Section 551.108.          (b)  Disclosure is required under subsection (a) of this   section regardless of whether it would be obvious to a reasonable   person that the person is interacting with an artificial   intelligence system.          (c)  All disclosures under subsection (a) shall be clear and   conspicuous and written in plain language, and avoid the use of a   dark pattern as defined by 541.001, Business & Commerce Code.          (d)  All disclosures under subsection (a) may be linked to a   separate webpage of the developer or deployer.          (e)  Any requirement in this section that may conflict with   state or federal law may be exempt.          Sec. 551.008.  RISK IDENTIFICATION AND MANAGEMENT POLICY.   (a) A developer or deployer of a high-risk artificial intelligence   system shall, prior to deployment, assess potential risks of   algorithmic discrimination and implement a risk management policy   to govern the development or deployment of the high-risk artificial   intelligence system.  The risk management policy shall:                (1)  specify and incorporate the principles and   processes that the developer or deployer uses to identify,   document, and mitigate, in the development or deployment of a   high-risk artificial intelligence system:                      (A)  known or reasonably foreseeable risks of   algorithmic discrimination; and                      (B)  prohibited uses and unacceptable risks under   Subchapter B; and                (2)  be reasonable in size, scope, and breadth,   considering:                      (A)  guidance and standards set forth in the most   recent version of the "Artificial Intelligence Risk Management   Framework: Generative Artificial Intelligence Profile" published   by the National Institute of Standards and Technology;                      (B)  any existing risk management guidance,   standards or framework applicable to artificial intelligence   systems designated by the Banking Commissioner or Insurance   Commissioner, if the developer or deployer is regulated by the   Department of Banking or Department of Insurance;                      (C)  the size and complexity of the developer or   deployer;                      (D)  the nature, scope, and intended use of the   high-risk artificial intelligence systems developed or deployed;   and                      (E)  the sensitivity and volume of personal data   processed in connection with the high-risk artificial intelligence   systems.          (b)  A risk management policy implemented pursuant to this   section may apply to more than one high-risk artificial   intelligence system developed or deployed, so long as the developer   or deployer complies with all of the forgoing requirements and   considerations in adopting and implementing the risk management   policy with respect to each high-risk artificial intelligence   system covered by the policy.          (c)  A developer or deployer may redact or omit any trade   secrets as defined by Section 541.001(33), Business & Commerce Code   or information protected from disclosure by state or federal law.          Sec. 551.009.  RELATIONSHIPS BETWEEN ARTIFICIAL   INTELLIGENCE PARTIES. Any distributor or deployer, shall be   considered to be a developer of a high-risk artificial intelligence   system for the purposes of this chapter and shall be subject to the   obligations and duties of a developer under this chapter in any of   the following circumstances:                (1)  they put their name or trademark on a high-risk   artificial intelligence system already placed in the market or put   into service;                (2)  they intentionally and substantially modify a   high-risk artificial intelligence system that has already been   placed in the market or has already been put into service in such a   way that it remains a high-risk artificial intelligence system   under this chapter; or                (3)  they modify the intended purpose of an artificial   intelligence system which has not previously been classified as   high-risk and has already been placed in the market or put into   service in such a way that the artificial intelligence system   concerned becomes a high-risk artificial intelligence system in   accordance with this chapter of a high-risk artificial intelligence   system.          Sec. 551.010.  DIGITAL SERVICE PROVIDER AND SOCIAL MEDIA   PLATFORM DUTIES REGARDING ARTIFICIAL INTELLIGENCE SYSTEMS. A   digital service provider as defined by Section 509.001(2), Business &   Commerce Code or a social media platform as defined by Section   120.001(1), Business & Commerce Code, shall require advertisers on   the service or platform to agree to terms preventing the deployment   of a high-risk artificial intelligence system on the service or   platform that could expose the users of the service or platform to   algorithmic discrimination or prohibited uses under Subchapter B.          Sec. 551.011.  REPORTING REQUIREMENTS. (a) A deployer must   notify, in writing, the council, the attorney general, or the   director of the appropriate state agency that regulates the   deployer's industry, and affected consumers as soon as practicable   after the date on which the deployer discovers or is made aware that   a deployed high-risk artificial intelligence system has caused   algorithmic discrimination of an individual or group of   individuals.          (b)  If a developer discovers or is made aware that a   deployed high-risk artificial intelligence system is using inputs   or providing outputs that constitute a violation of Subchapter B,   the deployer must cease operation of the offending system as soon as   technically feasible and provide notice to the council and the   attorney general as soon as practicable and not later than the 10th   day after the date on which the developer discovers or is made aware   of the unacceptable risk.          Sec. 551.012.  SANDBOX PROGRAM EXCEPTION. (a) Excluding   violations of Subchapter B, this chapter does not apply to the   development of an artificial intelligence system that is used   exclusively for research, training, testing, or other   pre-deployment activities performed by active participants of the   sandbox program in compliance with Chapter 552.   SUBCHAPTER B. PROHIBITED USES AND UNACCEPTABLE RISK          Sec. 551.051.  MANIPULATION OF HUMAN BEHAVIOR TO CIRCUMVENT   INFORMED DECISION-MAKING. An artificial intelligence system shall   not be developed or deployed that uses subliminal techniques beyond   a person's consciousness, or purposefully manipulative or   deceptive techniques, with the objective or the effect of   materially distorting the behavior of a person or a group of persons   by appreciably impairing their ability to make an informed   decision, thereby causing a person to make a decision that the   person would not have otherwise made, in a manner that causes or is   likely to cause significant harm to that person or another person or   group of persons.          Sec. 551.052.  SOCIAL SCORING. An artificial intelligence   system shall not be developed or deployed for the evaluation or   classification of natural persons or groups of natural persons   based on their social behavior or known, inferred, or predicted   personal characteristics with the intent to determine a social   score or similar categorical estimation or valuation of a person or   groups of persons.          Sec. 551.053.  CAPTURE OF BIOMETRIC IDENTIFIERS USING   ARTIFICIAL INTELLIGENCE. An artificial intelligence system   developed with biometric identifiers of individuals and the   targeted or untargeted gathering of images or other media from the   internet or any other publicly available source shall not be   deployed for the purpose of uniquely identifying a specific   individual. An individual is not considered to be informed nor to   have provided consent for such purpose pursuant to Section 503.001,   Business and Commerce Code, based solely upon the existence on the   internet, or other publicly available source, of an image or other   media containing one or more biometric identifiers.          Sec. 551.054.  CATEGORIZATION BASED ON SENSITIVE   ATTRIBUTES. An artificial intelligence system shall not be   developed or deployed with the specific purpose of inferring or   interpreting, sensitive personal attributes of a person or group of   persons using biometric identifiers, except for the labeling or   filtering of lawfully acquired biometric identifier data.          Sec. 551.055.  UTILIZATION OF PERSONAL ATTRIBUTES FOR HARM.   An artificial intelligence system shall not utilize   characteristics of a person or a specific group of persons based on   their race, color, disability, religion, sex, national origin, age,   or a specific social or economic situation, with the objective, or   the effect, of materially distorting the behavior of that person or   a person belonging to that group in a manner that causes or is   reasonably likely to cause that person or another person harm.          Sec. 551.056.  CERTAIN SEXUALLY EXPLICIT VIDEOS, IMAGES, AND   CHILD PORNOGRAPHY. An artificial intelligence system shall not be   developed or deployed that produces, assists, or aids in producing,   or is capable of producing unlawful visual material in violation of   Section 43.26, Penal Code or an unlawful deep fake video or image in   violation of Section 21.165, Penal Code.   SUBCHAPTER C. ENFORCEMENT AND CONSUMER PROTECTIONS          Sec. 551.101.  CONSTRUCTION AND APPLICATION. (a) This   chapter shall be broadly construed and applied to promote its   underlying purposes, which are:                (1)  to facilitate and advance the responsible   development and use of artificial intelligence systems;                (2)  to protect individuals and groups of individuals   from known, and unknown but reasonably foreseeable, risks,   including unlawful algorithmic discrimination;                (3)  to provide transparency regarding those risks in   the development, deployment, or use of artificial intelligence   systems; and                (4)  to provide reasonable notice regarding the use or   considered use of artificial intelligence systems by state   agencies.          (b)  this chapter does not apply to the developer of an open   source artificial intelligence system, provided that:                (1)  the system is not deployed as a high-risk   artificial intelligence system and the developer has taken   reasonable steps to ensure that the system cannot be used as a   high-risk artificial intelligence system without substantial   modifications; and                (2)  the weights and technical architecture of the   system are made publicly available.          Sec. 551.102.  ENFORCEMENT AUTHORITY. The attorney general   has authority to enforce this chapter. Excluding violations of   Subchapter B, researching, training, testing, or the conducting of   other pre-deployment activities by active participants of the   sandbox program, in compliance with Chapter 552, does not subject a   developer or deployer to penalties or actions.          Sec. 551.103.  INTERNET WEBSITE AND COMPLAINT MECHANISM.   The attorney general shall post on the attorney general's Internet   website:                (1)  information relating to:                      (A)  the responsibilities of a developer,   distributor, and deployer under Subchapter A; and                      (B)  an online mechanism through which a consumer   may submit a complaint under this chapter to the attorney general.          Sec. 551.104.  INVESTIGATIVE AUTHORITY. (a) If the   attorney general has reasonable cause to believe that a person has   engaged in or is engaging in a violation of this chapter, the   attorney general may issue a civil investigative demand. The   attorney general shall issue such demands in accordance with and   under the procedures established under Section 15.10.          (b)  The attorney general may request, pursuant to a civil   investigative demand issued under Subsection (a), that a developer   or deployer of a high-risk artificial intelligence system disclose   their risk management policy and impact assessments required under   Subchapter A. The attorney general may evaluate the risk   management policy and impact assessments for compliance with the   requirements set forth in Subchapter A.          (c)  The attorney general may not institute an action for a   civil penalty against a developer or deployer for artificial   intelligence systems that remain isolated from customer   interaction in a pre-deployment environment.          Sec. 551.105.  NOTICE OF VIOLATION OF CHAPTER; OPPORTUNITY   TO CURE. Before bringing an action under Section 551.106, the   attorney general shall notify a developer, distributor, or deployer   in writing, not later than the 30th day before bringing the action,   identifying the specific provisions of this chapter the attorney   general alleges have been or are being violated. The attorney   general may not bring an action against the developer or deployer   if:                (1)  within the 30-day period, the developer or   deployer cures the identified violation; and                (2)  the developer or deployer provides the attorney   general a written statement that the developer or deployer:                      (A)  cured the alleged violation;                      (B)  notified the consumer, if technically   feasible, and the council that the developer or deployer's   violation was addressed, if the consumer's contact information has   been made available to the developer or deployer and the attorney   general;                      (C)  provided supportive documentation to show   how the violation was cured; and                      (D)  made changes to internal policies, if   necessary, to reasonably ensure that no such further violations are   likely to occur.          Sec. 551.106.  CIVIL PENALTY; INJUNCTION. (a) The attorney   general may bring an action in the name of this state to restrain or   enjoin the person from violating this chapter and seek injunctive   relief.          (b)  The attorney general may recover reasonable attorney's   fees and other reasonable expenses incurred in investigating and   bringing an action under this section.          (c)  The attorney general may assess and collect an   administrative fine against a developer or deployer who fails to   timely cure a violation or who breaches a written statement   provided to the attorney general, other than those for a prohibited   use, of not less than $50,000 and not more than $100,000 per uncured   violation.          (d)  The attorney general may assess and collect an   administrative fine against a developer or deployer who fails to   timely cure a violation of a prohibited use, or whose violation is   determined to be uncurable, of not less than $80,000 and not more   than $200,000 per violation.          (e)  A developer or deployer who was found in violation of   and continues to operate with the provisions of this chapter shall   be assessed an administrative fine of not less than $2,000 and not   more than $40,000 per day.          (f)  There is a rebuttable presumption that a developer,   distributor, or deployer used reasonable care as required under   this chapter if the developer, distributor, or deployer complied   with their duties under Subchapter A.          Sec. 551.107.  ENFORCEMENT ACTIONS BY STATE AGENCIES. A   state agency may sanction an individual licensed, registered, or   certified by that agency for violations of Subchapter B, including:                (1)  the suspension, probation, or revocation of a   license, registration, certificate, or other form of permission to   engage in an activity; and                (2)  monetary penalties up to $100,000.          Sec. 551.108.  CONSUMER RIGHTS AND REMEDIES. A consumer may   appeal a consequential decision made by a high-risk artificial   intelligence system which has an adverse impact on their health,   safety, or fundamental rights, and shall have the right to obtain   from the deployer clear and meaningful explanations of the role of   the high-risk artificial intelligence system in the   decision-making procedure and the main elements of the decision   taken.   SUBCHAPTER D. CONSTRUCTION OF CHAPTER; LOCAL PREEMPTION          Sec. 551.151.  CONSTRUCTION OF CHAPTER. This chapter may   not be construed as imposing a requirement on a developer, a   deployer, or other person that adversely affects the rights or   freedoms of any person, including the right of free speech.          Sec. 551.152.  LOCAL PREEMPTION. This chapter supersedes   and preempts any ordinance, resolution, rule, or other regulation   adopted by a political subdivision regarding the use of high-risk   artificial intelligence systems.   CHAPTER 552. ARTIFICIAL INTELLIGENCE REGULATORY SANDBOX PROGRAM   SUBCHAPTER A. GENERAL PROVISIONS          Sec. 552.001.  DEFINITIONS. In this chapter:                (1)  "Applicable agency" means a state agency   responsible for regulating a specific sector impacted by an   artificial intelligence system.                (2)  "Consumer" means a person who engages in   transactions involving an artificial intelligence system or is   directly affected by the use of such a system.                (3)  "Council" means the Artificial Intelligence   Council established by Chapter 553.                (4)  "Department" means the Texas Department of   Information Resources.                (5)  "Program participant" means a person or business   entity approved to participate in the sandbox program.                (6)  "Sandbox program" means the regulatory framework   established under this chapter that allows temporary testing of   artificial intelligence systems in a controlled, limited manner   without full regulatory compliance.   SUBCHAPTER B. SANDBOX PROGRAM FRAMEWORK          Sec. 552.051.  ESTABLISHMENT OF SANDBOX PROGRAM. (a) The   department, in coordination with the council, shall administer the   Artificial Intelligence Regulatory Sandbox Program to facilitate   the development, testing, and deployment of innovative artificial   intelligence systems in Texas.          (b)  The sandbox program is designed to:                (1)  promote the safe and innovative use of artificial   intelligence across various sectors including healthcare, finance,   education, and public services;                (2)  encourage the responsible deployment of   artificial intelligence systems while balancing the need for   consumer protection, privacy, and public safety; and                (3)  provide clear guidelines for artificial   intelligence developers to test systems while temporarily exempt   from certain regulatory requirements.          Sec. 552.052.  APPLICATION PROCESS. (a) A person or   business entity seeking to participate in the sandbox program must   submit an application to the council.          (b)  The application must include:                (1)  a detailed description of the artificial   intelligence system and its intended use;                (2)  a risk assessment that addresses potential impacts   on consumers, privacy, and public safety;                (3)  a plan for mitigating any adverse consequences   during the testing phase; and                (4)  proof of compliance with federal artificial   intelligence laws and regulations, where applicable.          Sec. 552.053.  DURATION AND SCOPE OF PARTICIPATION. A   participant may test an artificial intelligence system under the   sandbox program for a period of up to 36 months, unless extended by   the department for good cause.   SUBCHAPTER C. OVERSIGHT AND COMPLIANCE          Sec. 552.101.  AGENCY COORDINATION. (a) The department   shall coordinate with all relevant state regulatory agencies to   oversee the operations of the sandbox participants.          (b)  A relevant agency may recommend to the department that a   participant's sandbox privileges be revoked if the artificial   intelligence system:                (1)  poses undue risk to public safety or welfare;                (2)  violates any federal or state laws that the   sandbox program cannot override.          Sec. 552.102.  REPORTING REQUIREMENTS. (a) Each sandbox   participant must submit quarterly reports to the department, which   shall include:                (1)  system performance metrics;                (2)  updates on how the system mitigates any risks   associated with its operation; and                (3)  feedback from consumers and affected stakeholders   that are using a product that has been deployed from this section.          (b)  The department must submit an annual report to the   legislature detailing:                (1)  the number of participants in the sandbox program;                (2)  the overall performance and impact of artificial   intelligence systems tested within the program; and                (3)  recommendations for future legislative or   regulatory reforms.   CHAPTER 553. TEXAS ARTIFICIAL INTELLIGENCE COUNCIL   SUBCHAPTER A. CREATION AND ORGANIZATION OF COUNCIL          Sec. 553.001.  CREATION OF COUNCIL. (a) The Artificial   Intelligence Council is administratively attached to the office of   the governor, and the office of the governor shall provide   administrative support to the council as provided by this section.          (b)  The office of the governor and the council shall enter   into a memorandum of understanding detailing:                (1)  the administrative support the council requires   from the office of the governor to fulfill the purposes of this   chapter;                (2)  the reimbursement of administrative expenses to   the office of the governor; and                (3)  any other provisions available by law to ensure   the efficient operation of the council as attached to the office of   the governor.          (c)  The purpose of the council is to:                (1)  ensure artificial intelligence systems are   ethical and in the public's best interest and do not harm public   safety or undermine individual freedoms by finding gaps in the   Penal Code and Chapter 82, Civil Practice and Remedies Code and   making recommendations to the Legislature.                (2)  identify existing laws and regulations that impede   innovation in artificial intelligence development and recommend   appropriate reforms;                (3)  analyze opportunities to improve the efficiency   and effectiveness of state government operations through the use of   artificial intelligence systems;                (4)  investigate and evaluate potential instances of   regulatory capture, including undue influence by technology   companies or disproportionate burdens on smaller innovators;                (5)  investigate and evaluate the influence of   technology companies on other companies and determine the existence   or use of tools or processes designed to censor competitors or   users; and                (6)  offer guidance and recommendations to state   agencies including advisory opinions on the ethical and legal use   of artificial intelligence;          Sec. 553.002.  COUNCIL MEMBERSHIP. (a) The council is   composed of 10 members as follows:                (1)  four members of the public appointed by the   governor;                (2)  two members of the public appointed by the   lieutenant governor;                (3)  two members of the public appointed by the speaker   of the house of representatives;                (4)  one senator appointed by the lieutenant governor   as a nonvoting member; and                (5)  one member of the house of representatives   appointed by the speaker of the house of representatives as a   nonvoting member.          (b)  Voting members of the council serve staggered four-year   terms, with the terms of four members expiring every two years.          (c)  The governor shall appoint a chair from among the   members, and the council shall elect a vice chair from its   membership.          (d)  The council may establish an advisory board composed of   individuals from the public who possess expertise directly related   to the council's functions, including technical, ethical,   regulatory, and other relevant areas.          Sec. 553.003.  QUALIFICATIONS. (a) Members of the council   must be Texas residents and have knowledge or expertise in one or   more of the following areas:                (1)  artificial intelligence technologies;                (2)  data privacy and security;                (3)  ethics in technology or law;                (4)  public policy and regulation; or                (5)  risk management or safety related to artificial   intelligence systems.          (b)  Members must not hold an office or profit under the   state or federal government at the time of appointment.          Sec. 553.004.  STAFF AND ADMINISTRATION. The council may   employ an executive director and other personnel as necessary to   perform its duties.   SUBCHAPTER B. POWERS AND DUTIES OF THE COUNCIL          Sec. 553.101.  ISSUANCE OF ADVISORY OPINIONS. (a) A state   agency may request a written advisory opinion from the council   regarding the use of artificial intelligence systems in the state.          (b)  The council may issue advisory opinions on state use of   artificial intelligence systems regarding:                (1)  the compliance of artificial intelligence systems   with Texas law;                (2)  the ethical implications of artificial   intelligence deployments in the state;                (3)  data privacy and security concerns related to   artificial intelligence systems; or                (4)  potential liability or legal risks associated with   the use of AI.          Sec. 553.102.  RULEMAKING AUTHORITY. (a) The council may   adopt rules necessary to administer its duties under this chapter,   including:                (1)  procedures for requesting advisory opinions;                (2)  standards for ethical artificial intelligence   development and deployment;                (3)  guidelines for evaluating the safety, privacy, and   fairness of artificial intelligence systems.          (b)  The council's rules shall align with state laws on   artificial intelligence, technology, data security, and consumer   protection.          Sec. 553.103.  TRAINING AND EDUCATIONAL OUTREACH. The   council shall conduct training programs for state agencies and   local governments on the ethical use of artificial intelligence   systems.          SECTION 3.  Section 503.001, Business & Commerce Code is   amended by adding Subsection (c-3) to read as follows:          (c-3)  This section does not apply to the training,   processing, or storage of biometric identifiers involved in machine   learning or artificial intelligence systems, unless performed for   the purpose of uniquely identifying a specific individual. If a   biometric identifier captured for the purpose of training an   artificial intelligence system is subsequently used for a   commercial purpose, the person possessing the biometric identifier   is subject to this section's provisions for the possession and   destruction of a biometric identifier and the associated penalties.          SECTION 4.  Sections 541.051(b), 541.101(a), 541.102(a),   and Sec.541.104(a), Business & Commerce Code, are amended to read   as follows:          Sec. 541.051.  CONSUMER'S PERSONAL DATA RIGHTS; REQUEST TO   EXERCISE RIGHTS. (a) A consumer is entitled to exercise the   consumer rights authorized by this section at any time by   submitting a request to a controller specifying the consumer rights   the consumer wishes to exercise. With respect to the processing of   personal data belonging to a known child, a parent or legal guardian   of the child may exercise the consumer rights on behalf of the   child.          (b)  A controller shall comply with an authenticated   consumer request to exercise the right to:                (1)  confirm whether a controller is processing the   consumer's personal data and to access the personal data;                (2)  correct inaccuracies in the consumer's personal   data, taking into account the nature of the personal data and the   purposes of the processing of the consumer's personal data;                (3)  delete personal data provided by or obtained about   the consumer;                (4)  if the data is available in a digital format,   obtain a copy of the consumer's personal data that the consumer   previously provided to the controller in a portable and, to the   extent technically feasible, readily usable format that allows the   consumer to transmit the data to another controller without   hindrance; [or]                (5)  know if the consumer's personal data is or will be   used in any artificial intelligence system and for what purposes;   or                ([5]6)  opt out of the processing of the personal data   for purposes of:                      (A)  targeted advertising;                      (B)  the sale of personal data; [or]                      (C)  the sale of personal data for use in   artificial intelligence systems prior to being collected; or                      ([C]D)  profiling in furtherance of a decision   that produces a legal or similarly significant effect concerning   the consumer.          Sec. 541.101.  CONTROLLER DUTIES; TRANSPARENCY. (a) A   controller:                (1)  shall limit the collection of personal data to   what is adequate, relevant, and reasonably necessary in relation to   the purposes for which that personal data is processed, as   disclosed to the consumer; [and]                (2)  for purposes of protecting the confidentiality,   integrity, and accessibility of personal data, shall establish,   implement, and maintain reasonable administrative, technical, and   physical data security practices that are appropriate to the volume   and nature of the personal data at issue.; and                (3)  for purposes of protecting the unauthorized   access, disclosure, alteration, or destruction of data collected,   stored, and processed by artificial intelligence systems, shall   establish, implement, and maintain, reasonable administrative,   technical, and physical data security practices that are   appropriate to the volume and nature of the data collected, stored,   and processed by artificial intelligence systems.          Sec.541.102.  PRIVACY NOTICE. (a) A controller shall   provide consumers with a reasonably accessible and clear privacy   notice that includes:                (1)  the categories of personal data processed by the   controller, including, if applicable, any sensitive data processed   by the controller;                (2)  the purpose for processing personal data;                (3)  how consumers may exercise their consumer rights   under Subchapter B, including the process by which a consumer may   appeal a controller's decision with regard to the consumer's   request;                (4)  if applicable, the categories of personal data   that the controller shares with third parties;                (5)  if applicable, the categories of third parties   with whom the controller shares personal data; [and]                (6)  if applicable, an acknowledgement of the   collection, use, and sharing of personal data for artificial   intelligence purposes; and                ([6]7)  a description of the methods required under   Section 541.055 through which consumers can submit requests to   exercise their consumer rights under this chapter.          Sec. 541.104.  DUTIES OF PROCESSOR. (a) A processor shall   adhere to the instructions of a controller and shall assist the   controller in meeting or complying with the controller's duties or   requirements under this chapter, including:                (1)  assisting the controller in responding to consumer   rights requests submitted under Section 541.051 by using   appropriate technical and organizational measures, as reasonably   practicable, taking into account the nature of processing and the   information available to the processor;                (2)  assisting the controller with regard to complying   with the [requirement]requirements relating to the security of   processing personal data, and if applicable, the data collected,   stored, and processed by artificial intelligence systems and to the   notification of a breach of security of the processor's system   under Chapter 521, taking into account the nature of processing and   the information available to the processor; and                (3)  providing necessary information to enable the   controller to conduct and document data protection assessments   under Section 541.105.          SECTION 5.  Subtitle E, Title 4, Labor Code, is amended by   adding Chapter 319 to read as follows:   CHAPTER 319. TEXAS ARTIFICIAL INTELLIGENCE WORKFORCE DEVELOPMENT   GRANT PROGRAM   SUBCHAPTER A. GENERAL PROVISIONS          Sec. 319.001.  DEFINITIONS. In this chapter:                (1)  "Artificial intelligence industry" means   businesses, research organizations, governmental entities, and   educational institutions engaged in the development, deployment,   or use of artificial intelligence technologies in Texas.                (2)  "Commission" means the Texas Workforce   Commission.                (3)  "Eligible entity" means Texas-based businesses in   the artificial intelligence industry, public school districts,   community colleges, public technical institutes, and workforce   development organizations.                (4)  "Program" means the Texas Artificial Intelligence   Workforce Development Grant Program established under this   chapter.   SUBCHAPTER B. ARTIFICIAL INTELLIGENCE WORKFORCE DEVELOPMENT GRANT   PROGRAM          Sec. 319.051.  ESTABLISHMENT OF GRANT PROGRAM. (a) The   commission shall establish the Texas Artificial Intelligence   Workforce Development Grant Program to:                (1)  support and assist Texas-based artificial   intelligence companies in developing a skilled workforce;                (2)  provide grants to local community colleges and   public high schools to implement or expand career and technical   education programs focused on artificial intelligence readiness   and skill development; and                (3)  offer opportunities to retrain and reskill workers   through partnerships with the artificial intelligence industry and   workforce development programs.          (b)  The program is intended to:                (1)  prepare Texas workers and students for employment   in the rapidly growing artificial intelligence industry;                (2)  support the creation of postsecondary programs and   certifications relevant to current artificial intelligence   opportunities;                (3)  ensure that Texas maintains a competitive edge in   artificial intelligence innovation and workforce development; and                (4)  address workforce gaps in artificial   intelligence-related fields, including data science,   cybersecurity, machine learning, robotics, and automation.          (c)  The commission shall adopt rules necessary to implement   this subchapter.          Sec. 319.052.  FEDERAL FUNDS AND GIFTS, GRANTS, AND   DONATIONS.          In addition to other money appropriated by the legislature,   for the purpose of providing artificial intelligence workforce   opportunities under the program established under this subchapter   the commission may:                (1)  seek and apply for any available federal funds;   and                (2)  solicit and accept gifts, grants, and donations   from any other source, public or private, as necessary to ensure   effective implementation of the program.          Sec. 319.053.  ELIGIBILITY FOR GRANTS. (a) The following   entities are eligible to apply for grants under this program:                (1)  Texas-based businesses engaged in the development   or deployment of artificial intelligence technologies;                (2)  public school districts and charter schools   offering or seeking to offer career and technical education   programs in artificial intelligence-related fields or to update   existing curricula to address these fields;                (3)  public community colleges and technical   institutes that develop artificial intelligence-related curricula   or training programs or update existing curricula or training   programs to incorporate artificial intelligence training; and                (4)  workforce development organizations in   partnership with artificial intelligence companies to reskill and   retrain workers in artificial intelligence competencies.          (b)  To be eligible, the entity must:                (1)  submit an application to the commission in the   form and manner prescribed by the commission; and                (2)  demonstrate the capacity to develop and implement   training, educational, or workforce development programs that   align with the needs of the artificial intelligence industry in   Texas and lead to knowledge, skills, and work-based experiences   that are transferable to similar employment opportunities in the   artificial intelligence industry.          Sec. 319.054.  USE OF GRANTS. (a) Grants awarded under the   program may be used for:                (1)  developing or expanding workforce training   programs for artificial intelligence-related skills, including but   not limited to machine learning, data analysis, software   development, and robotics;                (2)  creating or enhancing career and technical   education programs in artificial intelligence for high school   students, with a focus on preparing them for careers in artificial   intelligence or related fields;                (3)  providing financial support for instructors,   equipment, and technology necessary for artificial   intelligence-related workforce training;                (4)  partnering with local businesses to develop   internship programs, on-the-job training opportunities, instructor   externships, and apprenticeships in the artificial intelligence   industry;                (5)  funding scholarships or stipends for students,   instructors, and workers participating in artificial intelligence   training programs, particularly for individuals from underserved   or underrepresented communities; or                (6)  reskilling and retraining workers displaced by   technological changes or job automation, with an emphasis on   artificial intelligence-related job roles.          (b)  The commission shall prioritize funding for:                (1)  initiatives that partner with rural and   underserved communities to promote artificial intelligence   education and career pathways;                (2)  programs that lead to credentials of value in   artificial intelligence or related fields; and                (3)  proposals that include partnerships between the   artificial intelligence industry, a public or private institution   of higher education in this state, and workforce development   organizations.          SECTION 6.  Section 325.011, Government Code, is amended to   read as follows:          Sec. 325.011.  CRITERIA FOR REVIEW. The commission and its   staff shall consider the following criteria in determining whether   a public need exists for the continuation of a state agency or its   advisory committees or for the performance of the functions of the   agency or its advisory committees:                (1)  the efficiency and effectiveness with which the   agency or the advisory committee operates;                (2)(A)  an identification of the mission, goals, and   objectives intended for the agency or advisory committee and of the   problem or need that the agency or advisory committee was intended   to address; and                      (B)  the extent to which the mission, goals, and   objectives have been achieved and the problem or need has been   addressed;                (3)(A)  an identification of any activities of the   agency in addition to those granted by statute and of the authority   for those activities; and                      (B)  the extent to which those activities are   needed;                (4)  an assessment of authority of the agency relating   to fees, inspections, enforcement, and penalties;                (5)  whether less restrictive or alternative methods of   performing any function that the agency performs could adequately   protect or provide service to the public;                (6)  the extent to which the jurisdiction of the agency   and the programs administered by the agency overlap or duplicate   those of other agencies, the extent to which the agency coordinates   with those agencies, and the extent to which the programs   administered by the agency can be consolidated with the programs of   other state agencies;                (7)  the promptness and effectiveness with which the   agency addresses complaints concerning entities or other persons   affected by the agency, including an assessment of the agency's   administrative hearings process;                (8)  an assessment of the agency's rulemaking process   and the extent to which the agency has encouraged participation by   the public in making its rules and decisions and the extent to which   the public participation has resulted in rules that benefit the   public;                (9)  the extent to which the agency has complied with:                      (A)  federal and state laws and applicable rules   regarding equality of employment opportunity and the rights and   privacy of individuals; and                      (B)  state law and applicable rules of any state   agency regarding purchasing guidelines and programs for   historically underutilized businesses;                (10)  the extent to which the agency issues and   enforces rules relating to potential conflicts of interest of its   employees;                (11)  the extent to which the agency complies with   Chapters 551 and 552 and follows records management practices that   enable the agency to respond efficiently to requests for public   information;                (12)  the effect of federal intervention or loss of   federal funds if the agency is abolished;                (13)  the extent to which the purpose and effectiveness   of reporting requirements imposed on the agency justifies the   continuation of the requirement; [and]                (14)  an assessment of the agency's cybersecurity   practices using confidential information available from the   Department of Information Resources or any other appropriate state   agency; and                (15)  an assessment, using information available from   the Department of Information Resources, the Attorney General, or   any other appropriate state agency, of the agency's use of   artificial intelligence systems, high-risk artificial intelligence   systems, in its operations and its oversight of the use of   artificial intelligence systems by entities or persons under the   agency's jurisdiction, and any related impact on the agency's   ability to achieve its mission, goals, and objectives.          SECTION 7.  Section 2054.068(b), Government Code, is amended   to read as follows:          (b)  The department shall collect from each state agency   information on the status and condition of the agency's information   technology infrastructure, including information regarding:                (1)  the agency's information security program;                (2)  an inventory of the agency's servers, mainframes,   cloud services, and other information technology equipment;                (3)  identification of vendors that operate and manage   the agency's information technology infrastructure; [and]                (4)  any additional related information requested by   the department; and                (5)  an evaluation of the use, or considered use, of   artificial intelligence systems and high-risk artificial   intelligence systems by each state agency.          SECTION 8.  Section 2054.0965(b), Government Code, is   amended to read as follows:          Sec. 2054.0965.  INFORMATION RESOURCES DEPLOYMENT REVIEW.          (b)  Except as otherwise modified by rules adopted by the   department, the review must include:                (1)  an inventory of the agency's major information   systems, as defined by Section 2054.008, and other operational or   logistical components related to deployment of information   resources as prescribed by the department;                (2)  an inventory of the agency's major databases,   artificial intelligence systems, and applications;                (3)  a description of the agency's existing and planned   telecommunications network configuration;                (4)  an analysis of how information systems,   components, databases, applications, and other information   resources have been deployed by the agency in support of:                      (A)  applicable achievement goals established   under Section 2056.006 and the state strategic plan adopted under   Section 2056.009;                      (B)  the state strategic plan for information   resources; and                      (C)  the agency's business objectives, mission,   and goals;                (5)  agency information necessary to support the state   goals for interoperability and reuse; and                (6)  confirmation by the agency of compliance with   state statutes, rules, and standards relating to information   resources.          SECTION 9.  Not later than September 1, 2025, the attorney   general shall post on the attorney general's Internet website the   information and online mechanism required by Section 551.041,   Business & Commerce Code, as added by this Act.          SECTION 10.  This Act takes effect September 1, 2025.