
Texas Legislature Punts on Privacy Act…For Now


The Texas State Legislature ended its regular session on May 27, 2019, without passing the Texas Consumer Protection Act (TCPA) or the Texas Privacy Protection Act (TPPA). Both acts would have required businesses to comply with various privacy-related requirements as early as September 1, 2019. Instead, the Texas Legislature amended the current data breach notification law by adding requirements for what the notice should include and changing “as quickly as possible” for notice to affected individuals to “without unreasonable delay” and no later than 60 days after the date a breach was determined to have occurred. In addition, the Texas Legislature formed the Texas Privacy Protection Advisory Council. The Council is charged with evaluating national and international privacy laws and making recommendations to the Texas Legislature by September 2020 regarding the appropriate level of privacy protection needed in Texas. The Council and any future legislation will likely draw from the TCPA and the TPPA. Thus, businesses can use these two acts and monitor the Council’s activities to prepare for the eventual passage of a more comprehensive Texas privacy act.

TCPA and TPPA Applicability, Obligations, and Enforcement

The TCPA resembled the California Consumer Privacy Act (CCPA), whereas the TPPA applied to more businesses and described consumer rights in the context of a business’s privacy obligations. Both bills required a business to notify and post public policies detailing the personal information it collected, processed, sold, and disclosed. In addition, the Texas Attorney General was the only person who could enforce both bills; neither act granted a private right of action. These were the major similarities, but the table below illustrates the main differences between the two acts that may influence future Texas privacy legislation.

Applicability

TCPA applies to a business that:

  • does business in Texas;
  • collects and determines the purpose and means for processing personal information; and
  • satisfies one of the following:
    • has annual gross revenue exceeding $25 million;
    • alone or in combination with others, buys, sells, receives, or shares for commercial purposes personal information of 50,000 or more consumers, households, or devices; or
    • derives 50% or more of its annual revenue from selling consumers’ personal information.

TPPA applies to a business that:

  • does business in Texas;
  • has more than 50 employees;
  • collects personal identifying information of more than 5,000 individuals, households, or devices, or has that information collected on the business’s behalf; and
  • satisfies one of the following:
    • has annual gross revenue exceeding $25 million; or
    • derives 50% or more of its annual revenue from processing consumers’ personal identifying information.

Obligations

TCPA:

  • Provide a clear and conspicuous link titled “DO NOT SELL MY PERSONAL INFORMATION” that gives individuals the right to opt out of the sale of personal information.
  • Facilitate consumer verified requests to:
    • disclose categories of personal information collected;
    • delete personal information, subject to certain exceptions; and
    • disclose categories of personal information sold or disclosed to third parties, and identify the third parties.

TPPA:

  • Cease the collection and processing of personal identifying information if the consumer closes an account with the business and delete the personal identifying information within 30 days from the date the account was closed.
    • Require third parties with the same personal information to comply with this requirement.
  • Permit an individual to obtain a description and provide access to the individual of the categories of the personal identifying information collected and processed.
  • Implement an accountability program and maintain internal policies and procedures to implement the program.
  • Implement and maintain a data security program that includes administrative, technical, and physical safeguards.
  • Use due diligence when selecting a third-party processor and annually verify that the third party is complying with the TPPA.

Enforcement

  • Uncapped civil penalty not to exceed $2,500 for each violation or $7,500 for each intentional violation.
  • Temporary restraining order or permanent or temporary injunction.
  • Business has opportunity to cure within 30 days for alleged violations.
  • Civil penalty of $10,000 for each violation, not to exceed a total of $1 million.

What This Means for You

Although a Texas “privacy act” may not be passed until 2021 (or a special session in 2020), the Texas Legislature has signaled its intent to eventually pass privacy laws that are more comprehensive than Texas’ current data breach notification law¹ and Medical Records Privacy Act.² Thus, businesses should monitor the Council’s activities, evaluate the Council’s recommendations, and use the TCPA and TPPA as guides to prepare for additional Texas privacy laws. In particular, if they have not done so already, businesses that process personal information of Texas residents should start thinking about how they plan to:

  • design, build, and implement infrastructure and procedures to identify and manage personal information throughout its life cycle, from collection through disposal;
  • verify consumer requests, establish a means for consumers to submit requests, and make the requested information easily accessible to the consumer;
  • implement internal policies and procedures to protect, identify, and properly process personal information of consumers; and
  • ensure that vendors processing personal information on its behalf are complying with privacy laws.

Visit our website to learn more about V&E’s Cybersecurity & Data Privacy practices. For more information, please contact Vinson & Elkins lawyers Devika Kornbacher or Sean Belding.

1 TEX. BUS. & COM. CODE ANN. § 521.052-053.


This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.