The ink is still drying on the last round of state privacy bills that enacted comprehensive privacy legislation through governor signature and now it looks like Texas, with bipartisan approval of H.B.4, is next in line. Modeled after Virginia’s privacy law, the proposed Texas Data Privacy and Security Act imposes obligations on businesses regarding data protection, transparency, and accountability.
The Texas legislature is still considering elements that differ between the House and Senate versions of the bill while it awaits signature from Governor Greg Abbott. Truyo President Dan Clarke does not anticipate any major modifications saying, “My understanding is that of the five topics amended that differ between the House & Senate versions, only one related to obligations on small businesses is at issue. I suspect the appointed committee will find common ground and this will be resolved.”
Key Elements of Texas’ Privacy Law As Currently Written
- The Texas Data Privacy and Security Act will go into effect on
March 1, 2024 July 1, 2024.
- The Texas law would apply to all businesses that (1) conduct business in Texas (or produce goods or services consumed in Texas) and (2) process or sell personal data (both of which are defined broadly).
- The law includes a carve-out for “small businesses” as defined by the United States Small Business Administration rather than a threshold, as many laws contain. Other exclusions include state agencies or political subdivisions of Texas, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education.
-
- The Senate version of the bill further excludes electric utilities, power generation companies, and retail electric providers, as defined under Section 31.002 of the Texas Utilities Code.
- The TDPSA requires businesses to comply with numerous data privacy and security requirements, including:
- Obtaining consent from individuals before collecting or processing their personal information. Consent can be obtained through a variety of methods, including opt-in, opt-out, and implied consent.
- Implementing reasonable security measures to protect personal information from unauthorized access, use, or disclosure.
- Companies must provide individuals with access to their personal information and the ability to correct or delete it, accommodating those requests within 45 days.
- Businesses must notify individuals within 72 hours of discovering a data breach.
- The law includes a private right of action, allowing consumers to sue for damages, injunctive relief, and other remedies while general enforcement will be spearheaded by the Texas Attorney General.
- The TDPSA defines personal information as information that can be used to identify an individual, including their name, address, phone number, email address, Social Security number, or biometric data.
- Data exclusions include:
- Health information protected by HIPAA or used in connection with human clinical trials
- Information covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act of 1974, the Farm Credit Act of 1971
- Emergency contact information used for emergency contact purposes
- Data necessary to administer benefits
How Does it Compare
Texas joins California, Colorado, Connecticut, and Virginia in including a private right of action within their comprehensive privacy laws. This is yet another indication that lawmakers across the nation are working to give consumers as many rights as possible, and the opportunity to hold businesses accountable if those rights are infringed upon. The inclusion of a data breach notification requirement also points to a heightened focus on keeping information secure for consumers and an emphasis on transparency when crucial information is compromised.
As the amendments are still under consideration, the chair announced the establishment of the following conference committee on H.B. 4 on behalf of the House: Capriglione, chair; Burrows, Button, Longoria, and Meyer. Matthew Baker, Privacy & Cybersecurity Attorney, says, “Although the House has not yet accepted the Senate’s amendments (which both strengthen and weaken various aspects of the bill), it appears increasingly likely that the legislature will soon pass a privacy law for Governor Abbott’s signature.”
We will keep you abreast of any additional information including governor’s signature, as it is released.