Bill > HF2048

Introduced Session

This bill relates to personal data (data) processing practices for companies. The bill defines “automated decision making” as a process that uses data to make decisions, including but not limited to profiling, risk scoring, and determining eligibility, without human involvement. The bill defines “company” as a person conducting business in this state that processes the data of 5,000 or more individuals who reside in this state in a single calendar year. The bill defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified or aggregate data or publicly available information. The bill defines “process” as the act of performing an operation on data, including collecting, storing, using, analyzing, disclosing, or deleting data. The bill details several disclosures a company must make and acts the company must perform. The bill also prohibits a company from processing data in a manner that the individual to whom the personal data pertains has not consented, and prohibits a company from denying or downgrading an individual’s service solely because the individual exercised a right granted under the bill. The bill details several rights that each resident of this state shall have relating to data. The bill authorizes the attorney general to investigate violations and enforce the bill. A violation of the bill shall constitute an unlawful practice under Code section 714.16 (consumer frauds). A resident of this state is allowed to bring a private action against a company for injunctive relief, civil penalties, and actual damages caused by an unauthorized entity obtaining the resident’s personal data due to the company’s failure to implement or maintain sufficient administrative, technical, and physical practices to ensure the security of personal data the company processes, or for a violation of the bill the company committed that resulted in actual damages to the resident. A violation of the bill is punishable by a civil penalty of up to $7,500 per violation per affected resident of this state. Penalties awarded to the state shall be deposited into the general fund of the state. The bill exempts personal data processed in the course of obtaining, issuing, or executing a valid warrant or subpoena; personal data processed solely for national security or law enforcement purposes; and personal data that has been de-identified or made anonymous so that the data can no longer be reasonably linked to an individual from the bill’s provisions. The bill makes a conforming change to Code section 714.16.

AI Summary

Committee Categories

Jason Gearhart (R)*, 

Introduced, referred to Economic Growth and Technology. H.J. 77. (on 01/14/2026)

Official Document