Cross-Posted from The Global Privacy Watch Blog
Last month, Texas saw the introduction of not one, but TWO privacy bills in the Texas state legislature: The Texas Consumer Privacy Act (TXCPA) and the Texas Privacy Protection Act (TXPPA). With news of this likely meeting with a collective groan and shoulder shrug, we do have some good news for you.
Both bills’ foundations are set with familiar CA Consumer Privacy Act (“CCPA”) language. Unfortunately, this is also bad news because they both suffer from the same problems found in the CCPA – we’ll explain below. It’s also still early in the game, with the bills having just been filed in the state legislature. Given that there is time in the legislative session for amendments to be made and especially considering the ‘ring-side’ view Texas lawmakers have to the CA legislative and Attorney General rule/procedure process currently unfolding, it would be unreasonable not to expect changes. Finally, the bills are reactive responses to the national (or international) focus on privacy issues of late and may allow impacted businesses a grace period, as we’ve seen in the CCPA. In this blog, we shine the light on the first of these bills: The Texas Consumer Privacy Act.
First, what does the TXCPA do?
Well, it borrows (quite heavily) from the CCPA. It provides Texas consumers with rights to know what information is being collected, distributed and sold about them; to opt-out of sales; and to request deletion of unneeded data. The bill also requires businesses to be transparent in responses to consumers exercising their rights and by providing notice of information privacy operations. These are rights and obligations which we have seen most recently in the EU General Data Protection Regulation (“GDPR”)
Texas, like California, will have to take these concepts and fit them into a US and a Texas context. Broadly, the TXCPA will apply to a large swath of businesses ‘doing business’ in Texas because of the very same terms impacting the CCPA: (1) Consumer; (2) Personal Information (3) Business; and (4) Sale. Despite a different organizational structure, these terms play an integral part of how the TXCPA applies. Like the CCPA, the TXCPA suffers from flaws. Here are some examples:
- Definition of Consumer. Both the TXCPA and the CCPA define Consumer as resident—meaning that it can be interpreted to apply to a whole lot of people—like employees, business associates, and sales prospects, to name a few. Application to such a broad group, including employees, is one of the reasons why the most recent CA bill amending the CCPA, AB25, was written. The TXCPA, by contrast, doesn’t have this revision, so presently, Consumer is open to broad interpretation. In addition, ‘resident’ itself is not defined so it remains to be seen how it will be interpreted.
- Definition of Personal Information. As detailed above, the TXCPA provides a very broad and expansive scope in personal information indirectly expanding its application to not only consumers, but to households as well. Household is left undefined in the TXCPA. Without a restrictive definition, this could pose privacy challenges in a scenario where a consumer seeking to exercise privacy rights of disclosure to personal information that pertains to the household, gains access from a business to personal information belonging to inhabitants of the household bearing no relation to that consumer.
- Applicability of the TXCPA to a “business”. Fortunately, the TXCPA doesn’t apply to just any business. There are certain prerequisites, one being the collection of consumers’ personal information and one or more thresholds to meet. One of these thresholds includes ‘alone or in combination with others, annually buys, sells, or receives or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.’ This provision also indirectly expands coverage to include consumer devices. Unfortunately, as written, it will be fairly easy to surpass this threshold.
- Meaning of Sale (or derivative). Despite not providing a definition of ‘Sale’, the TXCPA does explain that for purposes of the chapter, a business sells consumer personal information to another business or third party if it sells, rents, discloses, disseminates, makes available, transfers, or otherwise transfers information to another business or third party for monetary or other valuable consideration. Given how critical the term is to the subject matter of this chapter, a broad definition is problematic to businesses seeking to comply with the law.
Consequently, a Texas consumer (resident), expansively interpreted, applies to a lot of people. The TXCPA also applies to a large group of businesses with attendant responsibility to comply.
Differences between Texas and California
The TXCPA mirrors the CCPA to a great extent, but it is not a carbon copy. For example, the TXCPA neither establishes a business duty to implement and maintain reasonable security procedures and practices, nor authorizes a narrow private cause of action for Consumers in the event of a data breach. No class action authority is permitted (or even mentioned). Instead, the TXCPA relies on the Texas Attorney General to enforce TXCPA violations, set at an amount up to $2,500 per violation (with a $7,500 cap for intentional violations).
The TXCPA also clarifies (and simplifies) use of financial incentives for the collection, sale, or disclosure of a consumer’s personal information
What are the Takeaways?
The Texas Attorney General, just like his California counterpart, is delegated enforcement authority to adopt rules necessary to implement, administer, and enforce them. The TXCPA is far closer to the CCPA in form than the TXPPA. Yet, unlike the CCPA, the TXCPA does not mandate public stakeholder input in drafting those rules. Regardless, it is our strongest advice to not only watch and participate (if possible) in the Texas regulatory drafting process in the appropriate timeframe, but also monitor and review the CCPA rules the California Attorney General generates, due in Fall 2019. This, along with the reasonable expectation that the Texas Attorney General will follow basic privacy principles present in every other privacy system out there, provide the strongest indicators as to what Texas rules may look like.
Isn’t this a bit Premature?
In ordinary circumstances, yes—after all, these privacy bills have just been introduced to Texas lawmakers. However, these aren’t ordinary circumstances. Momentum continues to build for enactment of consumer privacy laws, whether on a national level or state by state. Both Texas consumer privacy bills are influenced by the CCPA, distinguished importantly by the degree of that influence.
Texas is just the latest state to follow California’s lead taking steps to adopt consumer privacy legislation. Texas is also the second largest economy in the United States and in the top 10 economies world-wide. If you aren’t doing business in Texas now, you’ll likely be doing business here in the future. One thing is virtually certain: privacy as an issue isn’t going away—in Texas or anywhere else.
Monitoring events as they occur in this space is smart, allowing your business the flexibility to act proactively and tactically, putting you steps ahead of your competition. We will look at the TXPPA in our next post—so stay tuned.