Texas has recently joined the list of states providing its citizens a bit more protection when it comes to their personal information. On June 14, 2019, the Texas legislature passed the Texas Privacy Protection Act (the “Act”), the text of which may be read here. Although the Act was passed in June, it will not go into effect until September 1, 2019. See below for a summary of some of the more prominent provisions of the new Texas Privacy Protection Act:
Texas Privacy Protection Act Summary
1. What businesses are covered by the Texas Privacy Protection Act?
The Act applies only to businesses that do business in Texas, have more than 50 employees, collect the personal identifying information (“PII”) of more than 5,000 individuals, households, or devices, AND either have gross annual revenue of $25 million or more, or derive 50% or more of their annual revenue from processing PII (note, the Act does not say that the processed PII must come from Texas individuals, households, or devices).
In addition, the Act applies only to PII that is collected over the Internet, or any digital network or computing device, and that is associated with or routinely used by an end user.
2. How is PII defined under the Texas Privacy Protection Act?
There is a broad definition of PII under the Act, which includes the expected items, such as a social security number, passport number, financial account number, credit or debit card number, etc. In addition, there are some less common elements that are included in the definition, including physical or mental health information, retina or iris images, voice prints, “the private communications or other user-created content of an individual that is not publicly available,” and religious affiliation or practice information.
3. What PII collection limits are placed on a business under the Texas Privacy Protection Act?
The Act provides that a business may not collect PII unless the collection of the PII is relevant and necessary to accomplish the purpose for which the information was collected, and that purpose is specifically disclosed by the business in the notice required under the Act.
4. Are there limitations on processing PII under the Texas Privacy Protection Act?
Yes. In addition to including a broad definition of “processing,” the Act provides that a business may only process PII if:
• the information is relevant to accomplish the purpose for which the information is to be processed,
• those purposes are specifically disclosed by the business in the notice required under the Act, and
• the information is processed only to the extent necessary to achieve one or more of those purposes.
In addition, the Act states that a business may not process PII unless the individual whose PII is collected “explicitly” consents to the processing of the information, or the business is required to do so by law.
5. What notices must a business provide under the Texas Privacy Protection Act?
The Act provides that a business must, in a “conspicuous” manner, provide a notice that includes a “reasonably full and complete description of the business’s practices governing the processing” of PII. The notice must include the categories of PII that are processed, details of the types of processing, the purpose for the processing, and the involvement of any third parties in the processing.
6. Are there other requirements under the Texas Privacy Protection Act?
Yes, there are several other requirements for businesses under the Act. For instance, covered businesses must create an “accountability program” and use due diligence in engaging a third party to process PII. In addition, if an individual has an account with a covered business, and the individual closes that account, the business shall stop processing that individual’s PII ON THE DATE the individual closes that account, delete the PII within 30 days (unless required by law to retain it), and notify any third parties that are processing that PII of the account closure.
7. Are there penalties for violating the Texas Privacy Protection Act?
Yes. A business that violates the Act is liable to the State of Texas for a civil penalty of not more than $10,000 for each violation, not to exceed a total of $1,000,000. The State Attorney General may bring an action in the name of the state against the business to recover the civil penalties imposed under the Act. If that occurs, the Attorney General is also entitled to recover reasonable expenses, including reasonable attorney’s fees.
Please remember that this brief post does not cover every provision of the Texas Privacy Protection Act – please read it carefully or speak with knowledgeable counsel on the subject! If you are interested in our Privacy and Information Security practice, you may read more here.