Cross-Posted from The Global Privacy Watch Blog
In Part 1 of our ‘Texas Joins the Privacy Fray’ series, we focused on the Texas Consumer Privacy Act. Here, we shine the light on the Texas Privacy Protection Act (HB 4390).
The TXPPA is distinguishable from both the TXCPA and the CCPA because the applicability threasholds are different. For the TXPPA to apply, a business must 1) be doing business in Texas; 2) have more than 50 employees; 3) collect personally identifiable information (“PII”) of more than 5,000 individuals, households, or devices (or has it collected on the business’s behalf); and 4) meet one of the following two criteria – the business’ annual gross revenue exceeds $25 million; or the business derives 50% or more of its annual revenue from processing PII.
Further, subject to certain ‘pipeline’ exceptions (i.e. merely processing PII to transmit it across a network), it only applies to collection of PII over the Internet or any other digital network, or through a computing device that is associated with or reasonably linked to a specific end user. Under the TXPPA, no processing is authorized without explicit permission received from the individual from whom the information pertains (or the processing is required by law). Already, this last statement makes compliance pretty challenging. A literal interpretation is that to process PII, a business will need either explicit permission or legal basis.
Additionally, a business may only process PII if it is relevant to accomplish the purposes for which it is to be processed; the purposes are specifically disclosed by the business in the notice, made prior to the collection, and processing is only to the extent necessary to achieve a purpose. Finally, processing is only authorized if it does not violate state or federal law, doesn’t infringe on another’s rights or privileges under the US Constitution, and the business follows the procedures should automated processing be used.
Contrary to the TXCPA (and more in line with the CCPA), the TXPPA requires an impacted business to establish and maintain a “comprehensive data security program that contains… safeguards for personal identifying information.” The TXPPA is light on specifics and does not provide for a private cause of action or class action for the breach of the duty to safeguard personal information.
While all of this seems to present a bit of a challenge to businesses, the TXPPA does establish a safe haven of sorts quite similar to the TXCPA. Unfortunately, it does not apply to violations made by a service provider. The safe harbor is limited to a third party (not service providers – they are different) violation of their processing authority, provided the business has no actual knowledge or reasonable belief that the third party intends to violate the TXPPA. It doesn’t cover a violation of the initial business’ processing authority. So, if a business has a service provider the makes a mistake, the business would still be on the hook for the service provide’s actions.
Finally, the TXPPA provides that the Texas Attorney General may bring an action against a business or third party for violations and recover civil penalties in an amount not more than $10,000 per violation, not to exceed a total of $1 million.
The Texas Attorney General, just like his California counterpart, is delegated enforcement authority under this Texas bill and must adopt rules necessary to implement, administer, and enforce it. Unlike the CCPA, the TXPPA does not mandate public stakeholder input in drafting those rules. What does that mean? It’s vital to not only watch and participate (if possible) in the Texas regulatory drafting process in the appropriate timeframe, but also monitor and review the CCPA rules the California Attorney General drafts, due in several months. This, along with the reasonable expectation that the Texas Attorney General will follow basic privacy principles present in every other privacy system out there, provide the strongest indicators as to what Texas rules may look like.
It should be noted, that both Texas bills have the usual carve outs to attempt to avoid a Federal preemption claim. Processing that is subject to HIPAA, GLB, FCRA, or FERPA is exempted from the scope of the TXPPA. However, those are fairly narrow exceptions.
Like we asked in Part 1, is writing about the Texas Privacy Protection Act premature? In a word, no. As of this writing, there have been privacy impacting bills introduced in 31 state legislatures and this doesn’t include attention at the federal level. Most of these state bills are influenced by the CCPA, distinguished importantly by the degree of that influence. Given the attention garnered by security and privacy issues the last two years and more importantly, legislative responses to those issues, one thing is virtually certain: there will be privacy regulation for Texas businesses to comply with and it will very likely share elements found in the CCPA. Monitoring developments on the front end is imperative given the nature of the subject matter, but equally important is to begin thinking strategically about how business compliance can be balanced with business operations – something which can benefit from sound legal counsel.