The Texas State Legislature ended its regular session on May 27, 2019, without passing the Texas Consumer Protection Act (TCPA) or the Texas Privacy Protection Act (TPPA). Both acts would have required businesses to comply with various privacy-related requirements as early as September 1, 2019. Instead, the Texas Legislature amended the current data breach notification law by adding requirements for what the notice should include and by changing the timing of notice to affected individuals from “as quickly as possible” to “without unreasonable delay” and no later than 60 days after the date a breach was determined to have occurred. In addition, the Texas Legislature formed the Texas Privacy Protection Advisory Council. The Council is charged with evaluating national and international privacy laws and making recommendations to the Texas Legislature by September 2020 regarding the appropriate level of privacy protection needed in Texas. The Council and any future legislation will likely draw from the TCPA and the TPPA. Thus, businesses can use these two acts and monitor the Council’s activities to prepare for the eventual passage of a more comprehensive Texas privacy act.
TCPA and TPPA Applicability, Obligations, and Enforcement
The TCPA resembled the California Consumer Privacy Act (CCPA), whereas the TPPA applied to more businesses and described consumer rights in the context of a business’s privacy obligations. Both bills required a business to notify and post public policies detailing the personal information it collected, processed, sold, and disclosed. In addition, the Texas Attorney General was the only person who could enforce both bills; neither act granted a private right of action. These were the major similarities, but the table below illustrates the main differences between the two acts that may influence future Texas privacy legislation.
What This Means for You
Although a Texas “privacy act” may not be passed until 2021 (or a special session in 2020), the Texas Legislature has signaled its intent to eventually pass privacy laws that are more comprehensive than Texas’ current data breach notification law and Medical Records Privacy Act. Thus, businesses should monitor the Council’s activities, evaluate the Council’s recommendations, and use the TCPA and TPPA as guides to prepare for additional Texas privacy laws. In particular, if they have not done so already, businesses that process personal information of Texas residents should start thinking about how they plan to:
- design, build, and implement infrastructure and procedures to identify and manage personal information throughout its life cycle, from collection through disposal;
- verify consumer requests, establish a means for consumers to submit requests, and make the requested information easily accessible to the consumer;
- implement internal policies and procedures to protect, identify, and properly process personal information of consumers; and
- ensure that vendors processing personal information on their behalf are complying with privacy laws.