Texas Considers Consumer Privacy Act and Privacy Protection Act
Texas has joined the states considering privacy legislation. There are two bills under consideration – the Texas Consumer Privacy Act (Texas CPA) and the Texas Privacy Protection Act (TPPA). Below is a high-level summary of each bill:
Texas Consumer Privacy Act
The Texas Consumer Privacy Act replicates many of the rights and business requirements of the California Consumer Privacy Act. The consumer rights include:
Right to Disclosure of Personal Information Collected – This is the right to access. A consumer that submits a verifiable consumer request can get the categories and specific items of personal information the business has collected. The business must also disclose the categories of sources, the business purpose for collecting or selling the information, and the categories of third parties with whom the information is shared.
Right to Disclosure of Personal Information Sold or Disclosed – A consumer that submits a verifiable consumer request is entitled to the category of personal information the business collected, the categories sold or disclosed for a business purpose, and the categories of third parties to whom the personal information was sold or disclosed.
Right to Deletion – Businesses shall delete records of any personal information collected from the consumer, and direct a service provider to do the same, after a consumer submits a verifiable consumer request. A business is not required to delete information that qualifies for one of the nine exemptions specified by the law.
Right to Opt Out of the Sale of Personal Information – A consumer is entitled to opt out of the sale of personal information to third parties at any time. The business must post a notice on its home page that information may be sold and that consumers have the right to opt out, along with a clear and conspicuous link titled “DO NOT SELL MY PERSONAL INFORMATION” which enables a consumer to opt out. A third party may not resell personal information unless the consumer receives explicit notice of the potential sale and is provided the opportunity to opt out. For consumers under the age of 16, the bill creates a consent requirement called the “right to opt in” before a company can sell their personal information.
The bill also requires certain privacy disclosures from businesses that collect, sell, or disclose for a business purpose a consumer’s personal information. These include a description of the consumer’s rights; the categories of personal information collected, sold, or disclosed for a business purpose during the preceding 12 months; the purposes for collecting personal information; the categories of third parties to whom the business sells or discloses personal information; and several other disclosures.
The bill has the same threshold requirements for covering businesses as the CCPA – gross revenue exceeding $25 million; personal information on 50,000 or more consumers, households, or devices; or deriving 50+ percent of annual revenue from selling personal information.
As currently drafted, the bill would take effect on September 1, 2020 if it passes. Similar to the CCPA, it provides for enforcement by the Attorney General, a thirty-day cure provision, and maximum civil penalties of $7,500 per intentional violation or $2,500 per non-intentional violation. It does not provide for any private right of action – either for data breaches similar to the CCPA or for more extended civil enforcement as the California Attorney General supports in SB 561.
Texas Privacy Protection Act
The TPPA (HB 4390) governs the processing of personal identifying information (PII) by certain businesses over the internet. It applies to businesses with more than 50 employees, collecting PII on more than 5,000 individuals, and either annual gross revenue over $25 million or 50% of annual revenue from processing PII.
It prohibits the collection of PII unless the collection is necessary and the purpose is specifically disclosed. The required privacy disclosures include a conspicuous notice that is reasonably full and complete before collecting PII.
It also places restrictions on processing, including a requirement for explicit consent (unless required by law), and a requirement that the processing be relevant and necessary to accomplish the purpose. Sharing of an individual’s biometric, health or genetic information with a third party is also restricted unless consent is given.
For automated processing such as machine learning or artificial intelligence, the bill would require a conclusion that automated processing is not likely to cause a substantial privacy risk, including an objective and documented assessment that determines it is reasonably free from bias and error, and an analysis of the privacy risk and reasonable steps to mitigate the risk.
The bill provides for the deletion of PII in a different manner than the CCPA. Following account closure, businesses must stop processing PII and then delete the information within 30 days, unless otherwise required by law.
Businesses must have an ongoing accountability program to ensure compliance with the terms of the law. The bill also requires development, implementation and maintenance of a comprehensive data security program. There is also a vendor management requirement, including using due diligence in selecting the third party and annually obtaining third-party verification of its compliance with the law.
Violations carry a civil penalty of $10,000 per violation with a penalty cap of $1 million. The law would be enforced by the Texas Attorney General. It currently has an effective date of September 1, 2019.