Texas - Data Protection Overview
The Texas Supreme Court ('the Supreme Court') has held that the Texas Constitution ('the Constitution') does not contain an express guarantee of a right to privacy [1]. However, Article I(19) of the Constitution protects personal privacy from unreasonable intrusion [2]. The Constitution contains other provisions similar to those in the Constitution of the United States that are recognised as implicitly creating protected zones of privacy, including [3]:
- protection against arbitrary deprivation of life and liberty (Article I(19) of the Constitution);
- freedom to speak, write, and publish (Article I(8) of the Constitution);
- protection against being compelled to give evidence against oneself (Article I(10) of the Constitution);
- protection against unreasonable intrusion into one's home and person (Article I(9) of the Constitution); and
- freedom of religion (Article I(6) of the Constitution).
Texas courts recognise common-law rights to privacy [4]. Texas has recognised three of the four common-law privacy torts set forth in the Restatement (Second) of Torts § 652B, C, and D:
- intrusion upon a person's right to be left alone in his or her own affairs [5];
- appropriation of some element of the person's personality for commercial use [6]; and
- publicity given to private information about a person [7].
In Cain v. Hearst Corp., the Supreme Court held that it does not recognise the fourth common-law privacy tort, the tort of false light. The Supreme Court found that the tort of false light is largely duplicative of defamation and lacks the procedural limitations that are found in defamation actions [8].
Several Texas statutes impose civil penalties, injunctions, and criminal penalties on those who violate the privacy of another in certain ways. For example, Texas law specifically addresses identity theft. According to the Identity Theft Enforcement and Protection Act ('the Identity Theft Act'), under Chapter 521, Title 11 of the Business and Commerce Code, unless a person has consented, 'A person may not obtain, possess, transfer, or use personal identifying information […] to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person's name' (Tex. Bus. & Com. Code § 521.051).
The Identity Theft Act is enforced by the Texas Attorney General ('AG'), who may assess civil penalties and seek injunctions (Tex. Bus. & Com. Code § 521.151). In addition, under Chapter 32, Title 7 of the Texas Penal Code, identity theft is a crime. It is a felony to use identifying information of another person without the other person's consent with the intent to harm or defraud another; violators may be required to reimburse the victim and pay attorneys' fees (Tex. Penal Code § 32.51). Furthermore, according to Chapter 33, Title 7 of the Penal Code, it is a felony to send 'an electronic mail, instant message, text message, or similar communication that references a name, domain address, phone number, or other item of identifying information belonging to any person:
- without obtaining the other person's consent;
- with the intent to cause a recipient of the communication to reasonably believe that the other person authorised or transmitted the communication; and
- with the intent to harm or defraud any person' (Tex. Penal Code § 33.07).
Under Texas law, an individual is presumed to be a victim of identity theft if the person charged with an offense under § 32.51 of the Penal Code is convicted of the offense (Tex. Bus. & Com. Code § 521.102).
Like many states, Texas has a statute that specifically protects social security numbers. Under Chapter 501, Title 11 of the Business and Commerce Code, a person may not (Tex. Bus. & Com. Code § 501.001-002):
- intentionally communicate or otherwise make available to the public an individual's social security number;
- display an individual's social security number on a card or other device required to access a product or service provided by the person;
- require an individual to transmit the individual's social security number over the internet unless:
  - the internet connection is secure; or
  - the social security number is encrypted;
- require an individual's social security number for access to an internet website unless a password or unique personal identification number or other authentication device is also required for access; or
- print an individual's social security number on any material sent by mail, unless certain exceptions apply.
In Texas' analogue to the federal Computer Fraud and Abuse Act of 1986, it is a crime for a person to knowingly access a computer, computer network, or computer system without the effective consent of the owner (Tex. Penal Code § 33.02). This type of crime is typically a misdemeanour, but a person is guilty of a felony if that person was previously convicted two or more times of an offense of this type or if the computer, computer network, or computer system is owned by the Government or a critical infrastructure facility (Tex. Penal Code § 33.02).
At the federal level, the U.S. Department of Health and Human Services ('HHS') has issued the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Privacy, Security and Breach Notification Rules, Parts 160 and 164 of Title 45 of the Code of Federal Regulations ('the HIPAA Rules'), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH'). The HIPAA Rules set forth the national standards for protecting medical records, including the personal health information contained therein. States may enact stronger protections.
Texas has in turn enacted laws specifically applicable to health information, under Chapter 181, Title 2 of the Health and Safety Code, referred to as the Medical Records Privacy Act ('MRPA'), and statutes specific to the insurance industry. Chapter 20, Title 2 of the Business and Commerce Code also addresses the use of medical information for the purposes of consumer reports (Tex. Bus. & Com. Code § 20.05(c)).
Medical Records Privacy Act
The MRPA focuses on the privacy of protected health information ('PHI') (as defined by HIPAA) and does not include specific requirements for data security or breach notification (Tex. Health & Safety Code § 181.001 et seq.). In some cases, the MRPA creates stronger privacy protections.
The MRPA potentially regulates entities that are not regulated by HIPAA. HIPAA regulates covered entities (i.e. health plans, health care clearinghouses, and certain health care providers) and business associates (entities that assist covered entities in their health care activities and functions) (§160.103 of the HIPAA Rules). In contrast, the MRPA applies to any entity (and employee of such entity) that possesses PHI, regardless of whether it is involved in providing health care services (Tex. Health & Safety Code § 181.001). The MRPA also applies to any commercial entity that assembles, collects, analyses, uses, evaluates, stores, or transmits PHI, including information or computer management entities, schools, and entities that maintain an Internet website. Except for restrictions on re-identification of PHI, marketing with PHI, and selling PHI, the MRPA does not apply to insurance companies, which are covered under a separate Texas law, or employers in their role as employers (Tex. Health & Safety Code § 181.051). Therefore, entities that are not regulated by HIPAA may not necessarily be exempt from the MRPA.
The MRPA specifically focuses on employee training, providing patients with access to their PHI, and prohibiting certain data practices such as re-identifying individuals without consent, certain marketing with PHI without permission, and certain sales of PHI (Tex. Health & Safety Code § 181.101-102 & 181.151-153). Covered entities are also required to post privacy notices (Tex. Health & Safety Code § 181.154).
Texas law also contains, under Chapter 611, Title 7 of the Health and Safety Code, specific confidentiality protections for communications and records of a patient, which is defined as 'a person who consults or is interviewed by a professional for diagnosis, evaluation, or treatment of any mental or emotional condition or disorder, including alcoholism or drug addiction' (Tex. Health & Safety Code § 611.001). As discussed below, the MRPA does not have a private right of action; however, this Texas statute provides for a private right of action if a person is 'aggrieved by the improper disclosure of or failure to disclose confidential communications or records in violation of [Chapter 611 of the Health and Safety Code]' (Tex. Health & Safety Code § 611.005).
The AG has the authority to seek injunctive relief or civil penalties against a covered entity for its violations of the MRPA (Tex. Health & Safety Code § 181.201). Civil penalties for violation of the MRPA vary based on the intentionality and purpose of the violation, i.e., whether the violation was committed negligently, knowingly, or intentionally, and/or for financial gain. Monetary penalties can be up to $250,000 for each violation where PHI is used knowingly or intentionally for financial gain. Other potential penalties include excluding a covered entity 'from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating' the MRPA (Tex. Health & Safety Code § 181.203).
The MRPA does not include a private right of action. Individuals can file a complaint with the AG or the Texas agency that licenses the covered entity (Tex. Health & Safety Code § 181.104). The MRPA provides licensing agencies with the authority to investigate and bring disciplinary proceedings against the covered entity, including probation and suspension (Tex. Health & Safety Code § 181.202). If the violations of the MRPA are 'egregious and constitute a pattern or practice,' the agency may revoke the covered entity's license or refer the covered entity's case to the AG.
The MRPA does not contain its own breach notification requirement. However, Texas' breach notification statute, which is discussed in section 9 of this note, applies to breaches of 'information that identifies an individual and relates to: (i) the physical or mental health or condition of the individual; (ii) the provision of health care to the individual; or (iii) payment for the provision of health care to the individual' (Tex. Bus. & Com. Code § 521.002).
Chapter 602, Title 5 of the Insurance Code includes privacy protections for nonpublic personal health information handled by the entities it regulates, which include insurance companies, health maintenance organisations and insurance agents (Tex. Ins. Code § 602.001(1)). These privacy requirements are applicable only to covered entities that are not regulated by HIPAA (Tex. Ins. Code § 602.002). Therefore, the law is intended to regulate insurance-related entities that otherwise may not have privacy obligations with respect to the personal health information they handle.
Non-public personal health information regulated by the Insurance Code is health information that identifies or could reasonably be used to identify an individual and relates to (Tex. Ins. Code § 602.001(2)):
- the past, present, or future physical, mental, or behavioural health or condition of the individual;
- the provision of health care to the individual; or
- payment for the provision of health care to the individual.
Unless an exception applies, covered entities are prohibited from disclosing non-public personal health information without written or electronic authorisation, meeting the requirements of the law, from the individual to whom the information relates. Covered entities are permitted to make disclosures for certain purposes, including criminal investigations, underwriting, issuing a policy, and other typical insurance-related functions and data analysis (Tex. Ins. Code § 602.051-053).
Similar to the MRPA, the AG may bring an action for injunctive relief and civil penalties against a covered entity that violates Chapter 602 of the Insurance Code (Tex. Ins. Code § 602.102-103). A covered entity that does not meet its privacy obligations is 'subject to investigation, disciplinary proceedings, and probation or suspension of the covered entity's license or other form of authorisation to engage in business' (Tex. Ins. Code § 602.104).
Consumer Credit Reporting Act
The federal Fair Credit Reporting Act of 1970 ('FCRA'), as amended by the Fair and Accurate Credit Transactions Act of 2003 ('FACTA'), pre-empts the application of most state laws applicable to consumer reporting agencies [9]. However, Texas has its own credit reporting statute, under Chapter 20, Title 2 of the Business and Commerce Code, referred to as the Consumer Credit Reporting Act ('CCRA').
Generally, the CCRA is consistent with the FCRA in requiring that a consumer reporting agency not furnish medical information about a consumer in a consumer report that is being obtained for employment purposes or in connection with a credit, insurance, or direct marketing transaction unless the consumer consents to the furnishing of the medical information (Tex. Bus. & Com. Code § 20.05). The AG may seek injunctive relief or civil penalties for a violation of the CCRA (Tex. Bus. & Com. Code § 20.11).
The Texas Department of Banking regulates banks in Texas under the Texas Banking Act, Chapter 31, Title 3 of the Finance Code. The Texas Banking Act contains a number of provisions that address the confidentiality of information shared among Texas agencies and/or other financial regulators (Tex. Fin. Code § 31.001 et seq.). Chapter 59, Title 3 of the Finance Code sets forth the exclusive method (subject to stated exceptions) for compelling discovery 'relating to one or more customers'; however, the statute does not in and of itself 'create a right of privacy in a record' (Tex. Fin. Code § 59.006).
In accordance with Chapter 601, Title 5 of the Insurance Code, entities that receive their license or certification from the Texas Department of Insurance are required to comply with rules of the Insurance Commissioner. The Insurance Commissioner is responsible for adopting rules that have privacy requirements consistent with the Gramm-Leach-Bliley Act of 1999 (Tex. Ins. Code § 601.051).
Texas has several generally applicable laws that regulate the privacy and security of personal information in certain contexts, which would apply to employment. In most cases, the AG can impose civil penalties for a failure to meet the following requirements:
- reasonable data security practices. Businesses are required to implement and maintain reasonable security procedures to protect personal information (Tex. Bus. & Com. Code § 521.052);
- restrict the use and disclosure of social security numbers. Chapter 501, Title 11 of the Business and Commerce Code provides that businesses may not display or communicate social security numbers in certain ways (Tex. Bus. & Com. Code § 501.001-002). For example, a business cannot require an individual to transmit a social security number over the internet unless the connection is secure and the data is encrypted. This requirement may apply to a job application website;
- provide notice of breach of personal information. Like all other states, Texas requires businesses that experience a compromise of personal information to notify affected Texas residents (Tex. Bus. & Com. Code § 521.053);
- restrict the collection, use, and disclosure of biometric information. Chapter 503, Title 11 of the Business and Commerce Code prohibits the capture of biometric identifiers for commercial purposes without informed consent (Tex. Bus. & Com. Code § 503.001). In addition, Texas law prohibits disclosing biometric identifiers except in limited circumstances. It also requires the secure retention and the timely deletion of biometric identifiers. Employers that collect biometric identifiers from employees may have obligations under this law;
- abide by requirements applicable to health benefit plans. While employers are not regulated by the MRPA when they handle employees' protected health information as an employer, employers may be required to comply with the MRPA and HIPAA with respect to an employee health benefit plan (Tex. Health & Safety Code § 181.051);
- maintain genetic information confidential. Chapter 21, Title 2 of the Labor Code requires any business that has genetic information to keep it confidential and not disclose it unless specifically authorised by law (Tex. Lab. Code § 21.403); and
- provide consumer protections. Consumer-related privacy laws also likely apply when employees are acting as consumers in relation to their employer; for example, when an employee purchases a product from the employer's store.
Federal law regulates most commercial communications. With respect to commercial email, the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM') pre-empts state laws. However, telephone-based commercial communications can be regulated at the state level when they provide greater protection for individuals.
Texas regulates telemarketing calls, text messages, and faxes with the Texas Telemarketing Disclosure and Privacy Act ('TTDPA'), under Chapter 304, Title 10 of the Business and Commerce Code. A telemarketing call is an unsolicited telephone call (including an SMS or MMS text message) made to (Tex. Bus. & Com. Code § 304.002):
- solicit a sale of a consumer good or service;
- solicit an extension of credit for a consumer good or service; or
- obtain information that may be used to solicit a sale of a consumer good or service or to extend credit for the sale.
The TTDPA prohibits telemarketing calls to telephone numbers published on the Texas no-call list more than 60 days after the date the telephone number first appears on the current list (Tex. Bus. & Com. Code § 304.052). There are certain exceptions, such as when there is an established business relationship between the caller and recipient or when the call is intended to collect a debt (Tex. Bus. & Com. Code § 304.004(2) and (5)). Telemarketers also may not interfere with or fail to provide caller identification information (Tex. Bus. & Com. Code § 304.151).
A business that sends fax solicitations must meet applicable federal laws and also include certain content on the fax, including a telephone number that permits the fax recipient to opt-out of future fax solicitations (Tex. Bus. & Com. Code § 304.101). A business is required to comply with such opt-out request (Tex. Bus. & Com. Code § 304.102).
The AG and the Public Utility Commission of Texas both enforce the TTDPA and may assess administrative penalties for violations. Consumers have a private right of action when they receive telemarketing calls to telephone numbers listed on the Texas no-call list and can be awarded damages of up to $500 per violation for wilful or knowing violations. Similarly, a person has a private right of action for violations of the fax solicitation requirements and can be awarded damages of up to the greater of actual monetary losses from the violations or $500 per violation (treble damages for wilful or knowing violations).
In addition, Chapter 305, Title 10 of the Business and Commerce Code prohibits a person from calling or using an auto-dialer to call mobile phones for the purpose of making a sale without the recipient's consent, if the caller knew or should have known the number called was associated with a mobile device (Tex. Bus. & Com. Code § 305.001). A person also may not transmit to a fax machine without consent a message for the purpose of a solicitation or sale when the recipient will be charged for receiving the fax (Tex. Bus. & Com. Code § 305.002). Fax transmissions for the purpose of a solicitation or sale may only be made between 7 AM and 11 PM (Tex. Bus. & Com. Code § 305.003). Failure to comply with these requirements is a criminal misdemeanour offence (Tex. Bus. & Com. Code § 305.052). The recipient also has a private right of action and may be awarded the greater of actual damages or $500 per violation (and treble damages for knowing or intentional violations) (Tex. Bus. & Com. Code § 305.053).
Businesses in Texas are required to maintain and update reasonable procedures to protect sensitive personal information from unlawful use or disclosure (Tex. Bus. & Com. Code § 521.052(a)). The same law requires secure shredding or other destruction of records containing sensitive personal information 'to make the information unreadable or indecipherable through any means' (Tex. Bus. & Com. Code § 521.052(b)).
Data breach notification requirements
Consistent with other states, Texas has a data breach notification statute. The Identity Theft Act obligates an organisation that conducts business in Texas to provide notice of a breach of system security where sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorised person, unless an exception applies (Tex. Bus. & Com. Code § 521.053(b)). 'Sensitive personal information' includes a person's name along with his or her social security number, driver's license number, or financial account number in combination with an access code. Sensitive personal information also includes health information (Tex. Bus. & Com. Code § 521.002(a)(2)).
Notice must be provided to affected individuals no later than 60 days unless delayed at the request of law enforcement (Tex. Bus. & Com. Code § 521.053(b), (d)). Notice to consumer reporting agencies is required if more than 10,000 individuals are notified pursuant to this law (Tex. Bus. & Com. Code § 521.053(h)). Businesses are required to notify the AG (if more than 250 Texas residents were affected) no later than 60 days after a determination that a breach of system security has occurred (Tex. Bus. & Com. Code § 521.053(i)).
Notice may be provided in writing, electronically, or in compliance with the substitute notice provision (Tex. Bus. & Com. Code § 521.053(e)). Data breach notices to the AG must also include certain content (Tex. Bus. & Com. Code § 521.053(i)).
In addition, a business that maintains sensitive personal information for another business is required to immediately notify that business if it discovers a breach of system security (Tex. Bus. & Com. Code § 521.053(c)).
The AG can impose a civil penalty up to $50,000 for each violation (Tex. Bus. & Com. Code § 521.151(a)). In addition, failing to notify affected individuals can result in being liable to the state for a civil penalty up to $100 per affected individual and up to $250,000 for a single breach (Tex. Bus. & Com. Code § 521.151(a-1)). The AG can also enjoin violations of the statute (Tex. Bus. & Com. Code § 521.151(b)).
Chapter 32, Title 2 of the Education Code, referred to as the Texas Student Privacy Act, limits the use and disclosure of student personal information by a website, online service, online application, or mobile application (collectively, 'Site') that is used primarily for a school purpose and is designed and marketed for a school purpose (Tex. Educ. Code § 32.151 et seq.). Site operators may use or disclose student personal information to further a school purpose, to maintain and improve operability and functionality, to secure the Site, and for other listed purposes (Tex. Educ. Code § 32.153-154). The law expressly prohibits knowingly implementing interest-based/behavioural advertising on such Sites, creating profiles about student users of the Sites (unless the profile is created for a school purpose), and selling or renting student personal information collected on Sites except in certain limited circumstances (Tex. Educ. Code § 32.152).
A Site operator also 'must implement and maintain reasonable security procedures and practices designed to protect covered information from unauthorised access, deletion, use, modification, or disclosure' (Tex. Educ. Code § 32.155). A school district may also require the Site operator to delete student personal information that is collected in association with that school district within 60 days of the request, unless the parent consents otherwise (Tex. Educ. Code § 32.156).
Credit and debit card data
Unless an exception applies, Texas prohibits, under Chapter 502, Title 11 of the Business and Commerce Code, a transaction receipt from including more than the last four digits of a payment card or the payment card expiration date (Tex. Bus. & Com. Code § 502.002). These requirements are consistent with the federal FACTA/FCRA requirements. The AG may impose a civil penalty up to $500 for each month a violation occurs. Furthermore, the statute prohibits private lawsuits through class actions (Tex. Bus. & Com. Code § 502.002).
In Texas, a restaurant or bar owner must prominently display a sign for its employees that meets the requirements of the law with the intent of warning employees that it is a felony to obtain, possess, or use a customer's debit or credit card number without the customer's consent (Tex. Bus. & Com. Code § 502.001).
Texas law prohibits the capture of biometric identifiers for commercial purposes without informed consent (Tex. Bus. & Com. Code § 503.001 et seq.). A 'biometric identifier' is defined as 'a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry' (Tex. Bus. & Com. Code § 503.001(a)).
Further, the law (i) generally prohibits the sale, lease, or other disclosure of biometric identifiers that have been obtained for commercial purposes; (ii) requires reasonable care in protecting biometric identifiers; and (iii) requires deletion of biometric identifiers after a 'reasonable time, but not later than the first anniversary of the purpose for collecting the identifier expires,' unless otherwise required by another law to keep such identifiers (Tex. Bus. & Com. Code § 503.001(c), (c-1)). The AG may bring an action and impose civil penalties up to $25,000 for each violation.
Data of government employees
In addition to the laws that govern state agencies as discussed in other sections of this guidance note, Texas protects the privacy of government employees' personal information in connection with open records laws. For example, Chapter 552, Title 5 of the Government Code includes an exception under which 'information in a personnel file, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy' is not included in response to public access requests (Tex. Govt. Code § 552.102) [10].
1. Texas State Employees Union v. Texas Dept. of Health and Mental Retardation, 746 S.W.2d 203, 205 (Tex. 1987).
2. Ibid, 860.
4. Billings v. Atkinson, 489 S.W.2d 858, 859 (Tex. 1973).
5. Ibid, 860.
6. Cain v. Hearst Corp., 878 S.W.2d 577, 578-579 (Tex. 1994).
7. Industrial Found. of the South v. Texas Indus. Accident Bd., 540 S.W.2d 668, 682 (Tex. 1976).
8. Cain, 878 S.W.2d at 578-579. See Restatement (Second) of Torts § 652E.
9. See Walters v. Certegy Check Servs., Cause No. A-17-CV-1100-SS (W.D. Tex., Oct. 2, 2018), acknowledging that the FCRA pre-empts many claims under Texas state law.
10. See also Tex. Comptroller of Pub. Accounts v. AG of Tex., 354 S.W.3d 336 (Tex. 2010), holding that the provision of government employee birth dates was an unwarranted invasion of personal privacy.