Texas: A tale of two Acts on the road to Consumer Privacy law.


Back in March of this year, not one, but two consumer privacy bills were filed in the Texas House of Representatives. Republican Rep. Giovanni Capriglione filed House Bill 4390, a.k.a. the Texas Privacy Protection Act, while Democrat Rep. Trey Martinez Fischer filed HB 4518, a.k.a. the Texas Consumer Privacy Act.

Unsurprisingly, both bills are modeled on California’s Consumer Privacy Act (CCPA). But that’s where the similarity ends, as there are a number of differences between the two bills.

Brief synopsis of HB 4390 - Texas Privacy Protection Act (TPPA)

While HB 4390 (TPPA) lacks the level of detail offered by the TCPA, it still addresses several similar areas of privacy. And, although the bill doesn’t specifically list consumer rights, like the TCPA does, it provides a number of regulations on businesses that collect and process consumers’ personal information.

Differences of focus are also apparent when examining the two bills. The TCPA regulates “personal information,” whereas the TPPA regulates “personal identifying information” (PII), which the bill defines as “a category of information relating to an identified or identifiable individual.”

However, while there are some differences, the TPPA is similar to the TCPA, in that it requires the Attorney General to adopt an appropriate set of rules to ensure the Act can be correctly implemented, administered, and enforced. The TPPA would also regulate businesses that collect PII on consumers by:

  1. Regulating the collection and processing of personal identifying information.

  2. Requiring businesses to implement a data security program.

  3. Requiring businesses to post a notice that includes information on how the business collects, processes, and discloses personal identifying information.

  4. Requiring businesses to make their privacy policy publicly available.

  5. Requiring businesses to allow consumers access to their personal identifying information.

  6. Requiring businesses to delete consumers’ personal identifying information.

  7. Requiring businesses to create an accountability program to ensure compliance with the TPPA.

  8. Regulating consumer information that businesses share with third parties.

Enforcement measures

To enforce the law, the TPPA would impose civil penalties of up to $10,000 for each violation, with a maximum total amount of $1 million. As with the TCPA, the TPPA would not provide for private suits.

Brief synopsis of HB 4518 - the Texas Consumer Privacy Act (TCPA)

It is immediately apparent that HB 4518 closely mirrors the provisions of the California Consumer Privacy Act (CCPA). Just like the CCPA, the TCPA provides an array of consumer rights, including:

  1. The right of access to their personal information collected by a business.

  2. The right to know the purpose of collection and categories of personal data collected.

  3. The right to request deletion of their personal information collected by a business.

  4. The right to know whether their personal information is sold or disclosed by a business.

  5. The right to opt out of the sale of their personal information.

Businesses would also be required to:

  • provide a privacy notice on their website;

  • provide methods for consumers to submit a verifiable consumer request, and;

  • disclose certain information in response to a verifiable consumer request.

It is important to note how the TCPA differs from the TPPA in its definition of “personal information”, which is defined as “information that identifies, relates to, describes, can be associated with, or can reasonably be linked to, directly or indirectly, a particular consumer or household.”

Both bills provide comprehensive examples and exclusions for this definition.

Enforcement measures

Enforcement of the TCPA would involve a civil penalty of $2,500 for each violation and $7,500 for each intentional violation. TCPA also provides for the Attorney General to elect to restrain an alleged violation of the Act, after a 30-day notice period, by filing a temporary restraining order or a permanent or temporary injunction. The bill would not provide for a private cause of action.

But, three months is a long time in politics (and law), as we fast-forward again to June 3, 2019. When the Texas House Committee on Business and Industry held a public hearing on the two bills last week, several testimonies in support and opposition were heard. However, only HB 4390 survived to the end of the legislative session and is now awaiting the governor’s signature.

Now, HB 4390 was originally filed as a comprehensive consumer privacy bill known as the Texas Privacy Protection Act, but after numerous amendments in the Texas House and Senate, the Act was eventually diluted into a bill that simply updates the breach notification requirements of the Texas Identity Theft Enforcement and Protection Act. In doing so, it also creates the Texas Privacy Protection Advisory Council, a body set up to study data privacy laws in advance of the next legislative session.

Texas Identity Theft Enforcement & Protection Act (TITEPA):

The Updates

HB 4390 provides updates for breach notification requirements in TITEPA by:

  1. further defining the timeline to disclose a breach of system security, and;

  2. requiring disclosure of certain information to the Texas attorney general for breaches affecting at least 250 Texas residents.

The TITEPA requires a “person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information” to disclose a “breach of system security.”

“Sensitive personal information” includes:

  • an individual’s first name or first initial and last name, plus any one or more of the following (if the name and the items are not encrypted):

  • Social Security number;

  • driver’s license number or government-issued ID number, or;

  • government-issued ID number.

The definition also includes information that identifies an individual and relates to their provision or payment of physical or mental health.

The term “breach of system security” means the unauthorized access and acquisition of computerized data that compromises the security, confidentiality or integrity of sensitive personal information maintained by a person, including encrypted data, if the person accessing the data has the key required to decrypt the data.

In the event of a system security breach prior to HB 4390, a person was required to disclose the breach “as quickly as possible”. HB 4390 replaces “quickly-as-possible” by requiring that the disclosure is made “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.”

The bill also adds requirements to disclose certain information to the Texas attorney general in the event of a breach affecting at least 250 Texas residents. The notification must include:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as the result of the breach.

  • The number of Texas residents affected by the breach at the time of notification.

  • The measures taken by the person regarding the breach.

  • Any measures the person intends to take regarding the breach after the notification under this subsection.

  • Information regarding whether law enforcement is engaged in investigating the breach.

Formation of the Texas Privacy Protection Advisory Council (TPPAC)

Instead of passing a completely new and comprehensive consumer privacy bill, Texas will now establish the TPPAC. The Council’s main responsibilities are two-fold:

  1. Study and evaluate laws in Texas and other states, as well as relevant foreign jurisdictions, that govern the privacy and protection of information that, alone or in conjunction with other information, identifies or is linked or can be reasonably linked to a specific individual, technological device or household.

  2. Make recommendations to the Texas legislature on specific statutory changes regarding the privacy and protection of that information, including changes to the Texas Identity Theft Enforcement and Protection Act (as amended by HB 4390) or to the Penal Code that appear necessary from the results of the council’s study.

Conclusion

Texas may not have got the comprehensive consumer privacy legislation it started with, but it did succeed in passing some essential updates to its breach notification law and also created the TPPAC. The council will be selected by November this year and will meet regularly until it reports its recommendations to the Texas Legislature by September 1, 2020. It is likely that these recommendations will form the basis for consumer privacy legislation when the Legislature reconvenes in January 2021.

This article is provided for information purposes only. The Data Privacy Group strongly recommends that you engage the services of an experienced data privacy practitioner when preparing for compliance with any data protection and privacy legislation.

Sources, credits & further reading: Texas House of Representatives (video), Texas AG, IAPP