May 25, 2018 and the shockwaves of the European Union's General Data Protection Regulation ("GDPR") set off intrigue and reflection all over the world. And in every jurisdiction--from the smallest to the largest, from cities and counties to states--a wave of consumer privacy laws has followed in the United States. First California in June 2018 with the California Consumer Privacy Act ("California CPA" or "CCPA"), closely followed by Colorado, Washington, New Jersey, Utah and others. And now Texas has become the latest state to introduce not one, but two simultaneous bills relating to consumer privacy and data protection. On March 8, 2019, legislators in Texas introduced: (1) H.B. No. 4518, cited as the Texas Consumer Privacy Act ("Texas CPA"), and (2) H.B. No. 4390, cited as the Texas Privacy Protection Act ("TPPA").
And as is often the case, the leader inspires and sets the tone for the others who follow. Several aspects of the Texas CPA bear strong similarity to the California CPA, such as the right to know what data is being collected, the right to opt out of that collection, and the right to disclosure of personal information collected by a business. The TPPA addresses similar privacy subjects, but instead of laying out enumerated consumer rights like the Texas CPA, the TPPA would regulate how businesses process, retain and destroy consumers' personal identifying information.
A key difference between the two bills is how each defines personal information. The Texas CPA regulates "personal information," which includes any information that identifies, relates to, describes, or could reasonably be linked to an individual consumer or consumer household. Whereas, the TPPA regulates "personal identifying information," which the bill defines as "a category of information relating to an identified or identifiable individual." In either case, it is notable that the definition of personal information is largely inspired by the GDPR.
Individual Rights. The Texas CPA, closely mirroring provisions of the California CPA, would grant a set of rights to consumers, including:
- Right to disclosure of personal information collected by a business.
- Right to deletion of certain personal information collected by a business.
- Right to disclosure of certain personal information sold or disclosed by a business.
- Right to opt out of the sale of consumer's information, inclusive of the requirement that businesses include a "do not sell my information" link on their website.
Enforcement. The Attorney General will adopt the rules necessary to implement, administer and enforce the Texas CPA. The bill also allows for a business or third party to seek an opinion from the Attorney General for guidance on how to comply with the Texas CPA. The Texas CPA would impose civil penalties in the amount of $2,500 per violation or, if the violation(s) are intentional, $7,500 per violation.
Applicability and Scope. The Texas CPA would apply to any entity that does business in Texas and that collects consumer data, and that meets one of the following thresholds: (1) annual gross revenue exceeding $25 million; (2) collects information from at least 50,000 consumers, households or devices; or (3) derives at least half of its revenue from the sale of consumer personal information. Any business that is controlled by an entity that meets the above requirements would also be subject to the proposed legislation. The Texas CPA does not include any restrictions on the sale of data in the aggregate –where information cannot be linked to any individual.
If passed, the Texas CPA goes into effect on September 1, 2020.
Business Regulations. The TPPA would regulate businesses that collect personal information on consumers by:
- Regulating the collection and processing of personal identifying information. A business may process personal identifying information only if the business (A) receives explicit consent from the individual whose information is being processed, or (B) is required to do so by law.
- Requiring businesses to implement a data security program.
- Requiring businesses to post a notice that includes how the business collects, processes, and discloses personal identifying information.
- Requiring businesses to allow consumers access to their personal identifying information.
- Requiring businesses to delete consumers' personal identifying information. Businesses must stop processing personal identifying information on the date an individual closes their account with the business and delete such information within 30 days of closing the account, unless a longer retention period is required by law.
- Requiring businesses to create an accountability program to ensure compliance with the TPPA.
- Regulating consumer information that businesses share with third parties.
Enforcement. The Attorney General will adopt the rules necessary to implement, administer and enforce the TPPA. Under the TPPA, the Attorney General may bring an action in the name of the state against the entity to recover civil penalties in the amount of $10,000 per violation, not to exceed a total amount of $1 million.
Applicability and Scope. The TPPA would apply to any entity that does business in Texas, has more than 50 employees, and that collects personal identifying information of more than 5,000 individuals, households, or devices, and that meets one of the following thresholds: (1) annual gross revenue exceeding $25 million; or (2) derives at least half of its revenue by processing personal identifying information. The TPPA includes no restrictions to the sale of data in the aggregate or anonymized –where information cannot be linked to any individual.
If passed, the TPPA takes effect on September 1, 2019.
US consumers are increasingly interested in where their personal information lies--how it is captured, where it is stored and who is profiting from it. Federal lawmakers have taken up the charge and are considering where to go next, while local jurisdictions are quickly passing laws to protect consumers and discourage once commonplace behaviors. US Companies need to be increasingly vigilant about how the data privacy playing field is changing and adapt quickly or better yet, move ahead proactively with the rising tide of consumer privacy and data protection.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 700 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology, and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.