Press "Enter" to skip to content

Texas Data Privacy and Security Act Moving Forward

Texas Data Privacy and Security ActThe Texas House of Representatives on April 4 voted unanimously in favor of Texas House Bill 4, the Texas Data Privacy and Security Act.  The Texas legislature remains in session through May 29, so there is ample time for the legislation to continue its course.

APPLICABILITY

The Act applies to a person that:

  1. conducts business in Texas or produces a product or service consumed by residents of Texas;
  2. processes or engages in the sale of personal data; and
  3. is not a small business as defined by the U.S. Small Business Administration, except a small business may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.
EXEMPTIONS

Exemptions include:

  1. financial institutions or data subject to the Gramm-Leach-Bliley Act;
  2. covered entities or business associates governed by the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act;
  3. nonprofit organizations;
  4. institutions of higher education;
  5. protected health information under the Health Insurance Portability and Accountability Act;
  6. personal information to the extent its collection, maintenance, disclosure, sale, communication, or use is regulated and authorized by the Fair Credit Reporting Act.
CONSUMER RIGHTS

Consumers have the right to:

  1. confirm processing of their personal data and access such data;
  2. correct inaccuracies;
  3. delete personal data;
  4. obtain personal data provided by the consumer in a portable and readily usable format, if stored digitally;
  5. opt out of processing if for the purpose of targeted advertising, sale, or profiling.
SENSITIVE PERSONAL INFORMATION

Sensitive personal data may not be processed without the consumer’s consent or, in the case of a known child, pursuant to the Children’s Online Privacy Protection Act.

Sensitive Data includes:

  1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  3. personal data collected from a known child; or
  4. precise geolocation data.
CONTRACT REQUIREMENTS

A contract between a controller and processor must include:

  1. clear instructions for processing data;
  2. the nature and purpose of processing;
  3. the type of data subject to processing;
  4. the duration of processing;
  5. the rights and obligations of both parties;
  6. a requirement the processor will ensure the confidentiality of the data;
  7. a requirement the processor delete or return all personal data to the controller as requested after the provision of the service is completed;
  8. a requirement the processor make available all information in the processor’s possession necessary to demonstrate compliance;
  9. a requirement the processor will allow and cooperate with reasonable assessments by the controller; and
  10. a requirement subcontractors be engaged pursuant to a written contract mirroring the processor’s requirements.
DATA ASSESSMENTS

Controllers must conduct and document a data protection assessment of each of the following processing activities:

  1. the processing of personal data for purposes of targeted advertising;
  2. the sale of personal data;
  3. the processing of personal data for purposes of certain profiling;
  4. the processing of sensitive data; and
  5. any processing that presents a heightened risk of harm.
ENFORCEMENT

There is no private right of action. Provided a person cannot cure a violation within 30 days, the attorney general may seek injunctive relief and a civil penalty not to exceed $7,500 for each violation.

IMPRESSIONS

This legislation is similar to the consumer data privacy laws enacted in Virginia, Colorado, UtahConnecticut and Iowa.  Note however, that this legislation is more friendly to small businesses that are exempt except to the extent they sell sensitive data, in which case they must obtain consumer consent. For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Photo: JAMES/stock.adobe.com

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional though the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.