The 2019 Texas legislative session recently passed a new bill on the consumer privacy front that strengthens the breach notification obligations under the Texas Identity Theft Enforcement and Protection Act (TITEPA, located in Section 521.053 of the Texas Business and Commerce Code) and creates the Texas Privacy Protection Advisory Council (TPPAC). HB 4390 has been signed by Governor Abbott and will become effective on January 1, 2020.
HB 4390 provides for two amendments to TITEPA that bring it more in line with many other states’ data breach notification laws. First, HB 4390 adds a deadline for the notification of individuals after discovery of a breach. Businesses must notify individuals whose sensitive personal information was breached without unreasonable delay and no later than 60 days after determination that a breach occurred, subject to the existing exception allowing for delayed notice at the request of a law enforcement agency. Second, HB 4390 adds a new Attorney General notification requirement for breaches in which at least 250 Texas residents were affected. The notification to the Texas Attorney General must include, among other things, a description of the breach, the number of affected residents, and the measures taken regarding the breach.
The newly created TPPAC will be a 15-member council that is charged with studying current data privacy laws and making statutory recommendations regarding the privacy and protection of information. The council will be appointed and will consist mostly of representatives of specified industries, including medical, retail, banking, and several internet-related industries. HB 4390’s creation of the TPPAC is a significant signal that Texas is focused on consumer privacy and that more onerous legislation may come in the future. The TPPAC will be getting to work with a first official reporting deadline of September 1, 2020.
Another bill that had businesses concerned this year was HB 4518 (also known as the Texas Consumer Privacy Act), which was essentially a copy-and-paste version of the California Consumer Privacy Act (CCPA), the comprehensive data privacy statute that will soon become effective in California. HB 4518 was left pending in committee, but it would have given consumers a number of new individual rights with respect to businesses that collect their personal information, including: the rights to disclosure and deletion of personal information collected; the right to disclosure of personal information sold or disclosed; the right to opt out of the sale of personal information; and the right to receive notice when personal information will be collected and used. Although HB 4518 ultimately failed, that type of bill may be the direction the TPPAC will be heading. Since the passing of the CCPA, a number of state legislatures – including Massachusetts, Nevada, New Mexico, New York, and more – have considered comprehensive data privacy bills that would grant consumers individual rights similar to those granted by the CCPA.
Prior to January 1, 2020, businesses that maintain sensitive personal information of Texas residents (such as Social Security numbers, driver’s license numbers, credit/debit card numbers, or health care-related information) should review their incident response plans and update them as needed to reflect the changes to TITEPA.