At the beginning of the 86th Texas Legislative Session, not one but two consumer privacy bills were filed in the Texas House of Representatives. Republican Rep. Giovanni Capriglione filed House Bill 4390, and Democrat Rep. Trey Martinez Fischer filed HB 4518. Both bills received a committee hearing, but only HB 4390 survived to the end of the legislative session and is now headed to the governor’s desk for signature. HB 4518 was left pending in the Texas House Business & Industry Committee on April 2, 2019.

HB 4390, originally filed as a comprehensive consumer privacy bill known as the Texas Privacy Protection Act, was amended multiple times in the Texas House and Senate, and eventually diluted into a bill that updates the breach notification requirements in the Texas Identity Theft Enforcement and Protection Act. It creates the Texas Privacy Protection Advisory Council to study data privacy laws in advance of the next legislative session.

Updates to the Texas Identity Theft Enforcement and Protection Act

HB 4390 updates Texas’ breach notification requirements in TITEPA by further defining the timeline to disclose a breach of system security and requiring disclosure of certain information to the Texas attorney general for breaches affecting at least 250 Texas residents. For reference, TITEPA requires a “person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information” to disclose a “breach of system security.”

“Sensitive personal information” includes an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: Social Security number, driver’s license number or government-issued ID number, or certain financial information. The definition also includes information that identifies an individual and relates to the provision of, or payment for, their physical or mental health care.

A “breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.

In the event of a breach of system security before the passage of HB 4390, a person was required to disclose such a breach “as quickly as possible” with certain exceptions. HB 4390 replaces the “quickly-as-possible” standard by requiring that the disclosure shall be made “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.”

The bill also adds requirements to disclose certain information to the Texas attorney general in the event of a breach affecting at least 250 Texas residents. The notification must include:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as the result of the breach.
  • The number of Texas residents affected by the breach at the time of notification.
  • The measures taken by the person regarding the breach.
  • Any measures the person intends to take regarding the breach after the notification under this subsection.
  • Information regarding whether law enforcement is engaged in investigating the breach.

While the remainder of the legislation takes effect Sept. 1, 2019, this provision takes effect Jan. 1, 2020.

Creation of the Texas Privacy Protection Advisory Council

In lieu of passing a comprehensive consumer privacy bill, Texas will now establish the Texas Privacy Protection Advisory Council to:

  • Study and evaluate laws in Texas, other states and relevant foreign jurisdictions that govern the privacy and protection of information that alone or in conjunction with other information identifies or is linked or reasonably linkable to a specific individual, technological device or household.
  • Make recommendations to the Texas legislature on specific statutory changes regarding the privacy and protection of that information, including changes to the Texas Identity Theft Enforcement and Protection Act (as amended by HB 4390) or to the Penal Code that appear necessary from the results of the council’s study.

The governor, lieutenant governor and speaker of the house will appoint both legislative members and public members to the council, which will include representation from multiple industries, including the “medical profession, technology, internet, retail and electronic transactions, consumer banking, telecommunications, consumer data analytics, advertising, internet service providers, social media platforms, cloud data storage, virtual private networks, or retail electric.”

In addition to this pool of candidates, the governor will also appoint two members, each of whom must be either a representative of a nonprofit organization that studies or evaluates data privacy laws from the perspective of individuals whose information is collected or processed by businesses, or a professor who teaches at a law school in Texas or other institution of higher learning and whose books or scholarly articles on the topic of data privacy have been published.

Next steps

While Texas did not get the comprehensive consumer privacy legislation it started with, it did pass much-needed updates to its breach notification law and created the Texas Privacy Protection Advisory Council. The council will be selected by November 2019 and will meet on a regular basis until it reports its findings and recommendations to the Texas Legislature on or before Sept. 1, 2020. These recommendations will likely form the basis for consumer privacy legislation when the Texas Legislature reconvenes in January 2021.
