Consistent with the cliché that “everything’s bigger in Texas,” the Texas legislature has introduced not one, but two separate bills relating to the privacy of personal information. Although still in their nascent stages, both bills are following California’s lead in creating enhanced and stringent privacy protections for individual consumers.
House Bill 4390, dubbed the Texas Privacy Protection Act (TPPA), is arguably the less onerous of the two bills, although you might not necessarily realize it at first blush, given the broad way it defines “personal identifying information” (PII). In addition to the traditional categories of information protected by privacy statutes (social security number, driver’s license numbers, credit card or financial account information, etc.), PII includes biometric information (fingerprint, voice print, retina or iris image, or any other unique physical representation), religious affiliation or practice information, racial or ethnic origin information, unique genetic information, physical or mental health information, precise geolocation data and the private communications or other user-created content of an individual that is not publicly available. This alone will considerably expand the scope of entities that will likely have to comply with the law.
In terms of who must comply with the law, the TPPA would only apply to for-profit businesses that: (1) do business in Texas, (2) have more than 50 employees [but the employees do not have to reside or work in Texas], (3) collect the personal identifying information of more than 5,000 individuals, households, or devices or have that information collected on the business’s behalf, and (4) either (A) have annual gross revenue in an amount that exceeds $25 million; or (B) derive 50 percent or more of the business’s annual revenue by processing personal identifying information. Note that requirement (3) above refers to “individuals, households, or devices,” not to “Texas residents.” This means that if an Internet business has only a handful of customers in Texas, but numerous customers elsewhere, it could still theoretically be subject to the requirements of this law.
Most categories of PII are covered under the TPPA, but there are exemptions for publicly available information, information covered under certain federal or Texas statutes (HIPAA, the Texas Medical Records Privacy Act, GLBA, the Fair Credit Reporting Act and FERPA), information collected solely to facilitate the transmission/routing of PII between or amongst businesses, and PII transmitted to and from the individual to whom the PII relates if the collector of the information does not access, review, or modify the content of the information, or otherwise perform or conduct any analytical, algorithmic, or machine learning processes on the information.
The TPPA includes most of the requirements/restrictions on the collection and processing of PII that we have come to expect from expanded privacy laws. Generally, the purpose for the collection/processing needs to be properly disclosed to the consumer and the information must be relevant to accomplish that purpose and used only for that purpose. If a third party is involved in the processing of the PII, the individual must be provided with the name of that third party and the scope of their involvement with the processing. The relevant notification must be clear, drafted in plain language and easy to understand and must be located in a prominent location at the business and on the business’s website, if it has one. For special categories of PII (geolocation data, biometric information, genetic information, racial or ethnic origin information, religious affiliation or practice information, physical or mental health information, or other personal identifying information that when processed is likely to create a significant privacy risk), the business must also specify the categories or items of special PII being processed and the purposes for processing that information.
The TPPA gives individuals the right to access their PII. Businesses must allow an individual to promptly and reasonably obtain (1) confirmation of whether PII concerning the individual is processed by the business, (2) a description of the categories of PII processed by the business, (3) an explanation in plain language of the specific types of PII collected by the business, and (4) access to the individual’s PII. The proposed law also includes a default right to be forgotten. If an individual maintains an account with a business, the business must not only stop processing the individual’s PII on the date the account closes but must also delete all of that individual’s PII within thirty days of account closure. Any third parties that process the account holder’s PII must be notified of the closure of the account.
The term “third party” is defined in the TPPA as “[a] person engaged by a business to process, on behalf of the business, personal identifying information collected by the business.” If a business engages a third party to process PII collected by the business, the business must use due diligence in selecting the third party and ensure that the third party complies with the requirements of this law that apply to the third party. The business must also annually obtain from the third party verification that the third party is complying with the requirements. Third parties may only process PII to the extent the business is authorized to do so, and a business may not share an individual’s biometric, health, or genetic information with a third party unless the individual consents to the sharing of that information. Third parties are also required to implement data security and accountability programs consistent with the requirements described above and must comply with the TPPA’s cessation of processing and deletion requirements for account holders. If a third party violates any of the provisions of the TPPA, the business that hired the third party may not be held liable for those violations if the business did not have actual knowledge or a reasonable belief that the third party intended to violate these provisions.
Although the bill does not provide for a private cause of action, it does give the attorney general the power to bring an action against a business or third party and collect a civil penalty as well as reasonable attorney’s fees, court costs and investigative costs incurred in bringing the action. The maximum civil penalty for each violation is $10,000, not to exceed a total amount of $1,000,000.
If passed and signed into law, the TPPA would go into effect on September 1, 2019. However, given that there is only about a month before the Texas legislature adjourns and the fact that the bill has not yet cleared the House much less made it into the Senate, that date seems unrealistic. The bill will likely be taken up again next year.
Tune in again next week, when we will look at the second, and far more pervasive, privacy bill making its way through the Texas legislature – the Texas Consumer Privacy Act.