Recently, legislators in Texas introduced two bills relating to consumer privacy and data protection: H.B. No. 4518, the Texas Consumer Privacy Act (“Texas CPA”) and H.B. No. 4390, the Texas Privacy Protection Act (“TPPA”). These bills bear a strong resemblance to the California Consumer Privacy Act (the “California CPA”), and would lay the groundwork for extensive administrative schemes protecting consumers’ rights to their personal information.
The Texas CPA bears strong similarity to California CPA. The Texas CPA, which, if adopted, would take effect September 1, 2020, applies to companies that do business and collect consumer data and:
- Derive at least 50% of their annual revenue selling consumers’ personal information; or
- Exceed $25 million in gross annual revenue (with that amount subject to adjustment by the Texas Attorney General every two years); or
- Buy, sell, or receive the personal information of at least 50,000 consumers, households, or devices for commercial purposes
- The Texas CPA would also apply to entities owned by companies that would be subject to the law. Similar to the California CPA, the Texas CPA contains express provisions governing rulemaking, implementation, and enforcement of the law. Notably, the legislation highlights various consumer rights, including (but not limited to):
- A consumer’s right to disclosure, from the business, of the personal information the business collected.
- A consumer’s right to deletion of the personal information that the business collected (with some limited, specific exceptions).
- A consumer’s right to opt out of the sale of his or her personal information.
The TPPA, which (if passed) would go into effect September 1, 2019, proposes regulations on how a business processes and retains (or destroys) personal identifying information. It covers nearly identical businesses as the Texas CPA, provides the Texas Attorney General with similar rulemaking and enforcement powers, and it requires a similar disclosure of the type of personal information a business collects/processes, as well as how that information is used. Notably, this disclosure must be made before the business collects the information.
Other notable aspects of the proposed legislation include:
- The Texas CPA would punish violations of the law with civil penalties of $2,500 per violation ($7,500 for intentional violations).
- The bill applies only to information collected electronically (including over the internet or another network) or through a computing device associated with or routinely used by a customer/user and linked (or reasonably linked) to a specific customer/user.
- The business must obtain the customer’s explicit consent for processing that customer’s personal identifying information.
- The bill requires a business to develop and implement a data security program and accountability program to ensure compliance with the TPPA.
- The bill also only allows a business to process a customer’s personal identifying information if it is required to do so by law.
Like the Texas CPA, the TPPA would provide for civil penalties for violations. However, violations of the TPPA would be punishable by a fine of $10,000 per violation, up to a maximum amount of $1 million.