Texas is one of the many states that looked to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers. Two comprehensive data privacy bills, HB 4390 and HB 4518, were filed and heard at the last legislative session. HB 4518, also known as the Texas Consumer Privacy Act, proposed overarching consumer protection legislation that closely resembled the California Consumer Privacy Act. HB 4518 stalled in the Texas House of Representatives in favor of HB 4390. HB 4390, also known as the Texas Privacy Protection Act, was introduced as comprehensive data privacy legislation, but was significantly less detailed than HB 4518. HB 4390 went through several rounds of revisions in both the Texas House and Senate until it was whittled down to the final version, which revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act and creates the Texas Privacy Protection Advisory Council in order to develop recommendations for future data privacy legislation. HB 4390 has passed both the Texas House and Senate and is awaiting signature from the governor to be enacted.
Updates to Texas breach notification requirements
HB 4390 updates the timing to provide individual notice of a breach and adds a requirement to notify the attorney general of a breach. Currently, the Texas Identity Theft Enforcement and Protection Act requires that notice be provided “as quickly as possible” to individuals whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person. HB 4390 revises this timing requirement and states that the notification shall be made “without unreasonable delay and in each case not later than the 60th day after the date on which the person determined that the breach occurred” (emphasis added).
The bill also adds a requirement to notify the Texas attorney general of a breach affecting at least 250 Texas residents. The notification must similarly be provided “not later than the 60th day after the date on which the person determines that the breach occurred.” The notification to the Texas attorney general must include a description of the breach or use of sensitive personal information, the number of Texas residents affected, the measures taken and that will be taken by the entity reporting the incident, and whether law enforcement is involved. This portion of the bill goes into effect at the beginning of next year, Jan. 1, 2020.
Creation of the Texas Privacy Protection Advisory Council
Section 2 of HB 4390 creates a council to study, develop and propose recommendations for the Texas Legislature on data privacy laws. Within 60 days of the effective date of the act – Sept. 1, 2019, for this portion – 15 individuals shall be appointed to the Texas Privacy Protection Advisory Council by the speaker of the House of Representatives, the lieutenant governor and the governor. The purpose of the council is to study the data privacy laws of other states and foreign jurisdictions in order to propose recommended legislation by Sept. 1, 2020. The council will be made up of industry professionals, legislators, and either a representative of a nonprofit organization that studies data privacy laws or a professor at a Texas law school or other institute of higher education who is published on the topic.