On Friday, March 8, 2019, two Texas State Representatives each filed a consumer privacy bill: Rep. Giovanni Capriglione filed House Bill 4390, and Rep. Trey Martinez Fischer filed HB 4518. Both bills have since been referred to the House Business & Industry Committee and await a committee hearing. While both bills address the privacy of a consumer’s personal information collected by certain businesses, they do differ in multiple ways.

Overview of HB 4518, aka the Texas Consumer Privacy Act

HB 4518, also known as the Texas Consumer Privacy Act, closely mirrors provisions of the California Consumer Privacy Act. Similar to the CCPA, the TCPA would grant a set of rights to consumers, including:

1.) The right to disclosure of personal information collected by a business.

2.) The right to deletion of certain personal information collected by a business.

3.) The right to disclosure of certain personal information sold or disclosed by a business.

4.) The right to opt out of the sale of the consumer’s information — inclusive of the requirement that businesses include a “do not sell my information” link on their website.

In alignment with the consumer rights laid out in the bill, the TCPA would also require businesses subject to the Act to (1) provide notification to the consumer of each category of personal information collected and the purposes for which the category of information will be used; (2) provide an online privacy policy or privacy notice; (3) provide methods for consumers to submit verified consumer requests, and actually verify those requests; and (4) disclose certain information in response to a verifiable consumer request.

Important definitions

In addition to these consumer rights and business requirements, the TCPA would include new definitions on terms including, but not limited to, aggregate consumer information, biometric information, business, business purpose, collect, commercial purpose, consumer, de-identified information, personal information, processing information, service provider, third party, and verifiable consumer request.

Of important note is that the TCPA regulates “personal information,” which is defined as “information that identifies, relates to, describes, can be associated with, or can reasonably be linked to, directly or indirectly, a particular consumer or household.” The bill also goes on to provide lengthy examples and exclusions for the definition.

Additionally, the bill defines a “business” as “a for-profit entity, including a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of the entity’s shareholders or other owners.”

Implementation and enforcement

The TCPA would also clarify how the Act (1) affects other rights and obligations, (2) affects compliance with other laws and legal proceedings, and (3) relates to other state and federal laws – including preemption of local laws relating to the collection or sale by a business of a consumer’s personal information.

The TCPA would require the Texas Attorney General to adopt rules necessary to implement, administer, and enforce the Act. The bill would also permit businesses or third parties to seek an opinion from the Attorney General for guidance on how to comply with the Act.

As for enforcement, the TCPA would impose civil penalties in the amount of $2,500 for each violation or $7,500 for each intentional violation. The Act also gives the Attorney General the ability to restrain an alleged violation of the Act, after a 30-day notice period, by filing a temporary restraining order or a permanent or temporary injunction. The bill would not provide for a private cause of action.

As currently drafted, the bill would take effect on September 1, 2020.

Overview of HB 4390, aka the Texas Privacy Protection Act

HB 4390, also known as the Texas Privacy Protection Act, does not go into the same level of detail as the TCPA, but still addresses several similar privacy topics. While the bill does not lay out enumerated consumer rights, as the TCPA does, it still provides several regulations on businesses that collect personal identifying information on consumers.

Important definitions

The TPPA would include fewer definitions than the TCPA, including terms such as business, collect, device, personal identifying information, privacy risk, processing, and third party.

Unlike the TCPA, which regulates “personal information,” the TPPA regulates “personal identifying information,” which the bill defines as “a category of information relating to an identified or identifiable individual.” The bill also goes on to provide examples and exclusions for the definition. The TPPA also adopts the same definition of “business” as the TCPA. (see above)

Implementation and regulation

Similar to the TCPA, the TPPA would require the Attorney General to adopt rules necessary to implement, administer, and enforce the Act. The TPPA would also regulate businesses that collect personal identifying information on consumers by:

1.) Regulating the collection and processing of personal identifying information.

2.) Requiring businesses to implement a data security program.

3.) Requiring businesses to post a notice that includes information on how the business collects, processes, and discloses personal identifying information.

4.) Requiring businesses to make their privacy policy publicly available.

5.) Requiring businesses to allow consumers access to their personal identifying information.

6.) Requiring businesses to delete consumers’ personal identifying information.

7.) Requiring businesses to create an accountability program to ensure compliance with the TPPA.

8.) Regulating consumer information that businesses share with third parties.

As for enforcement, the TPPA would impose civil penalties of not more than $10,000 for each violation, not to exceed a total amount of $1 million. Similar to the TCPA, the TPPA would not provide a private cause of action. As currently drafted, the bill would take effect on September 1, 2019.

Bonus material: Prohibitions on governmental entities

In addition to regulating business practices, the TPPA would also prohibit governmental entities from selling personal identifying information that is unique genetic information, precise geolocation data, or unique biometric information.

Next legislative steps

With both bills now referred to committee, they await a public hearing. After committee hearings, the bills would move to the House Floor, before heading to the Texas Senate, wherein the bills would again move through the committee and floor votes before heading to the Governor’s desk. However, the Texas Legislature meets for only 140 days every other year. Therefore, if neither bill makes it to the finish line by the end of this legislative session, this issue may not be considered again until 2021.

Top image courtesy of @glencarrie via Unsplash