The bill for the Texas Consumer Privacy Act (HB 4518) (‘the Consumer Privacy Bill’), and the bill for the Texas Privacy Protection Act (HB 4390) (‘the Privacy Protection Bill’), were introduced, on 8 March 2019, to the Texas House of Representatives (‘the House’) by Representatives Trey Martinez Fischer and Giovanni Capriglione, respectively. In particular, the Consumer Privacy Bill introduces a number of rights for Texas consumers, including the right to disclosure and deletion of personal information collected by businesses. The Privacy Protection Bill requires businesses to implement, among other things, an accountability programme containing methods and procedures for responding to data breaches. Both bills are pending in the House Business and Industry Committee, following a hearing on 2 April 2019.
Bart W. Huffman, Partner at Reed Smith LLP, told DataGuidance, “Texas only holds legislative sessions every two years, so if neither of the bills makes it there will not be another chance for privacy legislation in Texas until 2021. The bills are similar in some respects. The Consumer Privacy Bill is clearly modelled closely on the California Consumer Privacy Act of 2018, because it incorporates some of the same […] ideas, such as a required ‘do not sell’ button on the homepage of websites, and a definition of ‘consumer’ that includes any resident of the state, thus rendering the consumer-oriented provisions of the bill technically applicable to non-consumer data such as employment data […] The Privacy Protection Bill is less detailed as to individual rights. It is focused on data collected online and includes requirements for a data security programme to protect privacy.”
The Consumer Privacy Bill applies to businesses that operate in Texas, collect consumers’ personal information or have it collected on their behalf, determine the purpose for and means of the processing of such personal information, and satisfy one of a number of established thresholds, namely in relation to gross annual revenue and the number of affected consumers, households, or devices. The Privacy Protection Bill applies to businesses that operate in Texas, have more than 50 employees, collect the personal identifying information (‘PII’) of more than 5,000 individuals, households, or devices, or have it collected on their behalf, and either have an annual gross revenue exceeding $25 million, or derive more than 50% of their annual revenue from the processing of PII.
Huffman continued, “There are other differences between the bills, including as to what constitutes the ‘personal information’ that would be covered by the legislation. However, in the absence of a comprehensive privacy scheme (such as the General Data Protection Regulation (Regulation (EU) 2016/679), which has 99 Articles and 173 Recitals) attempts at fine points in such a brief privacy law are generally as likely to cause confusion as to improve privacy. On a positive note, the bills do attempt to incorporate fundamental principles such as transparency and accountability, and the Privacy Protection Bill even includes a requirement for a data impact analysis as to automated processing of personal data. Neither bill includes a private right of action, which, in the US, mostly benefits plaintiff attorneys.”
Furthermore, both bills propose civil penalties for violations. The Consumer Privacy Bill would impose a civil penalty of not more than $2,500 for each violation, and $7,500 for each violation if it is intentional. On the other hand, the Privacy Protection Bill would impose a civil penalty of up to $10,000 for each violation, not to exceed a total amount of $1 million.
Huffman concluded, “These two bills ultimately seem to be another example of quickly drafted proposed legislation without substantial input from privacy professionals, computer and data scientists, knowledgeable policymakers, and stakeholders from other applicable fields. Hopefully, given more time, the federal government and/or states such as Texas will be able to do better. As a takeaway, Texas businesses who have not already implemented comprehensive privacy programmes should get working on it. In the absence of federal, preemptive legislation, some of these state laws are going to pass, and it will be very difficult to comply with each state’s unique requirements without a data processing inventory, documented controls, risk management, and appropriate policies and procedures in place as to the personal data […] that the business processes and maintains.”
If passed, the Consumer Privacy Bill would take effect on 1 September 2020, whilst the Privacy Protection Bill would take effect on 1 September 2019.
Rumer Ramsey, Privacy Analyst