A Guide to the Data Privacy Laws Proposed by Texas

Texas State Representative Giovanni Capriglione has filed six bills related to “increasing the protection of consumer data by the private sector.”

This follows the recent passage of a state bill mandating that data breaches involving more than 250 Texas residents be reported to the Attorney General. Capriglione implies that this bill has been a step in the right direction, as it shed light on the fact that over 31 million Texans were impacted by breaches in 2020 alone.

In an effort to “empower consumers to take back control of their sensitive personal information”, each of these bills tackles a distinct range of data issues. Two of these bills (HB 3744 and HB 3745) prohibit specific data crimes, including catfishing, doxxing, ticket scalping, retail hacking and extorting people by posting their mugshots online. The remaining four tackle data privacy issues and breaches. Here’s what you need to know about each of them.

HB 3741: Data Privacy Omnibus

The headlining act is a bill JD Supra describes as a “heavily modified version of the CCPA (California Consumer Privacy Act).” It’s the closest of the six to a comprehensive data privacy bill, and while it is clearly grounded in principles established by the CCPA, several elements set it apart.

Applicability

The bill applies to for-profit businesses that do business in Texas, have over 50 employees, collect identifiable personal information on over 5,000 individuals, households, or devices, and meet one of the following criteria:

  • Earn over $25 million in annual gross revenue

  • Derive 50 percent or more of their revenue from processing personal data

The bill only applies to data that can reasonably be linked to a specific user and is collected through the Internet or any other digital network. The bill does not apply to publicly available information or protected health information. Likewise, data collected to generate a consumer report under the Fair Credit Reporting Act is exempt. Further exemptions cover data activity conducted in accordance with the Gramm-Leach-Bliley Act and the Family Educational Rights and Privacy Act of 1974.

Three Categories of Data

One of the more distinctive features of this bill is that it divides data into three categories.

Category one encompasses personal information that may be used in a personal, civic or business setting, such as Social Security or driver’s license numbers, biometric information, mental health data or private messages.

Category two refers to personal information that may present a privacy risk to individuals if disclosed. This is similar to what has previously been defined as “sensitive personal information”, including information on race, religion, age or health issues, genetic information, or precise geolocation tracking data.

Category three consists of specific facets of personal information, such as time of birth or political party affiliation.

This distinction comes into play because businesses have different obligations depending on the category of data.

Category one

  • Can be collected and processed

  • Can be sold, transferred or disclosed to a third party

Category two

  • Cannot be sold, transferred or disclosed to a third party

Category three

  • Cannot be collected or processed

Specific restrictions apply to geolocation tracking data. Such data cannot be collected or sold, even for the purposes of contact tracing, without express written consent from the subject.

Consumer Rights

The bill establishes a right to know, meaning consumers can ask businesses to disclose what personal information they’ve collected (both categories and specific items), the source of the information, the purpose of collection, and any third parties to which the data has been transferred or sold. Consumers will also have the right to have inaccurate information corrected without being charged a fee.

There is also the right to access and obtain information. This means that consumers can request copies of their personal information from the business. These requests must be fulfilled under the principle of data portability, meaning that individuals must be able to transfer the data to another business for their own purposes.

Finally, there is the right to deletion of sensitive personal information. In addition, businesses are obliged to stop processing the data of individuals who close their account with the business and to permanently delete that information no later than a year after the account is closed.

All of these requests can be submitted by the data subjects themselves or by their legal representative or guardian.

Contracts With Individuals

The bill establishes that individuals may provide a “data stream” of their personal information as consideration under a contract. This means individuals can enter a contractual agreement with a business allowing the continuous transmission of their personal information for the business’s monetization, customer relationship management or identification purposes.

In short, this allows businesses to offer incentives to customers in exchange for their data. This runs contrary to the anti-discrimination rights established by other data privacy laws, in that it allows businesses to offer different prices or service quality to consumers who give them their data.

Notice Requirements

Businesses are obligated to provide a notice that includes a reasonably “full and complete” description of their personal information processing practices, including:

  • Categories of information processed;

  • Details on the type of processing used by the business;

  • Purposes for processing;

  • Involvement of a third-party in processing;

This notice must be clear, drafted in plain language and easy to understand. It must be placed in a prominent location on the business’s website, if it has one.

Enforcement

Any violating organization is liable for a civil penalty of no more than $10,000 per violation, up to a maximum of $1 million in total. These actions can be brought by the Attorney General, in which case violators must cover attorney fees, court costs and investigatory costs. There is no private right of action, meaning consumers cannot seek damages if they are harmed by a violation.

HB 3742: Data Privacy – Genetic Testing

This much more specific bill prohibits long-term care benefit plan issuers and life insurance companies from using genetic information obtained from direct-to-consumer genetic tests to set premiums. Likewise, such data may not be used to reject, cancel, deny, limit, refuse to renew, or otherwise affect eligibility for the subject’s coverage under an insurance plan.

HB 3743: Data Privacy – Educational Data & Ransomware Payments

This bill prohibits school districts from retaining recordings of distance learning instruction for more than 30 days after the class. Additionally, it requires school districts that partner with outside companies for distance learning to ensure a baseline level of cybersecurity and compliance, and it prohibits schools from making ransomware payments in response to cyber attacks.

HB 3746: Data Breaches – AG Portal Clean-Up

This bill mandates that, when reporting data breaches involving more than 250 Texas residents to the Attorney General, organizations must do so within 60 days of identifying the breach. The notification will be posted on the Attorney General’s website and must include:

  • Description of the nature and circumstances of the breach;

  • Details regarding the use of the personal information compromised by the breach;

  • The number of affected residents that have been informed of the breach;

  • The measures taken and intended to be taken regarding the breach;

  • Whether law enforcement has investigated the breach.
