The Texas House of Representatives saw two bills introduced in March pertaining to consumer privacy and data protection, following the trend of similar laws in jurisdictions such as California and Washington.
Texas Consumer Privacy Act
One of the bills is H.B. No. 4518, cited as the Texas Consumer Privacy Act (Texas CPA), introduced by Rep. Trey Martinez Fischer. This bill is very similar to California’s Consumer Privacy Act (CCPA).
The Texas CPA would apply to companies that do business and collect consumer data in Texas, and:
- Have a gross annual revenue that exceeds $25 million (this number to be adjusted by the Texas Attorney General every other year as needed); or
- Buy, sell, or receive the personal information of 50,000 or more consumers, households, or devices for commercial purposes; or
- Derive 50% or more of their annual revenue from selling consumer personal information.
Any business that is controlled by an entity that meets the above requirements is also subject to the proposed legislation.
Like the CCPA, this bill allows for the state’s Attorney General to adopt rules to implement, administer, and enforce the requirements. Some highlighted consumer rights in this proposed legislation include:
- A right to disclosure from the business of the personal information collected. Businesses must respond to such request with the source of the collected information, the business or commercial purpose of the collection or selling of this information, and with what third parties this information has been shared.
- A right to deletion of the consumer’s personal information collected by the business, with some exceptions.
- A right to disclosure of the type of personal information sold by the business and to whom it was sold.
- A right to opt out of the sale of personal information.
- A requirement for the business to provide a disclosure of the type of and purpose for personal information that is collected prior to collection.
If passed, the Texas CPA would go into effect on September 1, 2020. Civil penalties for violations would be $2,500 per violation or, if the violations are intentional, $7,500 per violation.
Texas Privacy Protection Act
The other bill is H.B. No. 4390, cited as the Texas Privacy Protection Act (TPPA), introduced by Rep. Giovanni Capriglione. While the Texas CPA provides consumers control over the collection and use of their data, the TPPA is concerned with processing and retention of personal identifying information.
The two laws differ in many ways, but contain some similarities, including:
- Types of businesses governed by the bill are almost identical.
- The state Attorney General is in charge of drafting and implementing rules for both proposed laws.
- Both contain a requirement to disclose the type of personal information collected/processed and how the information is used prior to collection of such information.
Some highlights of TPPA requirements include that it:
- Applies only to information that is collected electronically (over the internet, other digital network, or computing device used by an end user).
- Requires explicit consent for processing the personal identifying information from the individual whose information is being collected.
- Only allows a business to process personal identifying information if the business is required to do so by law.
- Requires the development and implementation of a data security program and accountability program to ensure compliance with the bill’s requirements.
- Requires that the business stop processing personal identifying information when the individual closes their account and delete such information within 30 days of account closure, unless a longer retention period is required by law.
If passed, this bill would take effect on September 1, 2019 and carry a civil penalty of $10,000 per violation, not to exceed a total amount of $1 million.
After the General Data Protection Regulation (GDPR) came into effect in the European Union, many were wondering when such consumer privacy laws would travel across the pond to the United States. Califronia led the way with its CCPA, and--as predicted--the wave of consumer privacy laws across the states continues.
As seen in the many public forums on the CCPA held by California's Attorney General's Office over the past several months, there is a lot of uncertainty about how to implement this new law. Since the CCPA and Texas CPA contain many similar requirements, will the Texas CPA see similar issues if it is passed? Will the two states' attorneys general implement similar interpretations/requirements? What will happen if an all-encompassing federal consumer privacy law goes into effect? These questions will become relevant--and crucial--if this wave continues. The best way forward is to encourage uniformity of state laws as they are in their infancy in order to prevent a patchwork quilt of requirements across the United States.