HB 4 (Capriglione) Relating to the regulation of the collection, use, processing, and treatment of consumers’ personal data by certain business entities; imposing a civil penalty.

From the press release of Rep. Capriglione:

In the absence of federal regulations, HB 4 is part of a larger movement by state legislatures to set standards for the collection and use of consumer data. This bill attempts to build on the successes and shortfalls of past data privacy bills, most notably the Virginia Consumer Data Protection Act (VCDPA) passed in March 2021. The goal of the bill is to maximize both the utility of the rights provided to consumers and interoperability with other states to minimize compliance costs for businesses.

Rights for Consumers

HB 4 aims to ensure Texas residents have the same rights and abilities to control their personal data as do citizens of other states. The bill provides Texas residents with the following rights:

  • Right to know when personal data is being collected,
  • Right to access personal data and receive that data in a readable format,
  • Right to correct and delete personal data,
  • Right to opt out of the collection and sale of personal data, and
  • Right to not face retaliation or discrimination for exercising these rights.

Exercising Rights

The bill stipulates that companies must provide at least two secure means for consumers to exercise their rights. These will generally take the form of online portals, forms, email addresses, and toll-free numbers. The means of communication must be easily accessible, take a form in which consumers normally interact with the company, and must be posted on the company’s privacy notice. Generally, the company must respond to the consumer within 45 days. If the company believes the consumer’s request is not valid, they must establish a process for the consumer to appeal the decision. If the appeal is denied, the company must provide the consumer with the contact information of the Attorney General to submit a complaint.

Enforcement

The Attorney General has sole jurisdiction over the enforcement of this bill. The Attorney General may issue a civil investigative demand at the request of a consumer or if they have reasonable cause to believe any person has engaged in, is engaging in, or is about to engage in any violation of this bill. Civil penalties are limited to $7,500 per violation, and the Attorney General must provide companies with a 30-day cure period. There is no private right of action provided under this bill.

Clear Definitions of Applicability

This bill forgoes arbitrary definitions included in other states such as a revenue cutoff or a minimum number of consumers. Instead, the bill will apply to any company that produces products or services that are consumed by Texas residents and engages in the sale of personal data, unless they are classified as a small business by the U.S. Small Business Administration.

Exemptions

The bill does not apply to any state agency or political subdivision in Texas, financial institutions that comply with the Gramm-Leach-Bliley Act, entities covered by the federal Health Insurance Portability and Accountability Act (HIPAA), non-profit organizations, and institutes of higher education. The bill also exempts data that is related to health records, emergency contact information, and personal data regulated by the federal Family Education Rights and Privacy Act (FERPA), Fair Credit Reporting Act, Driver’s Privacy Protection Act, Farm Credit Act, and HIPAA. The “Sale of Personal Data” does not include disclosing personal data to a processor of the company, a third party performing a service requested by the consumer, an affiliate of the company, or to a third party for the purposes of a merger, acquisition, or bankruptcy. The bill also exempts data that is available to the general public through mass media.

Inclusive Definition of Personal Data

The bill defines personal data as “any information including pseudonymous data and sensitive data, that is linked or reasonably linkable to an identified or identifiable natural person.” This definition means if a company uses indirect identifiers (ex. username, demographics) layered with direct identifiers (ex. name, address) they are subject to the provisions under this bill. The bill includes language to ensure de-identified and publicly available information are not considered personal data, and that a company will never be required to re-identify pseudonymous data that had been de-identified.

Apolitical Review

The bill asks the Chief Privacy Officer, housed in the Department of Information Resources, to conduct a review and solicit public feedback about the new law after passage and implementation. The Chief Privacy Officer will then provide a report to the Texas Legislature recommending any changes to the bill before the 89th Legislative Session begins. This will give businesses an opportunity to provide feedback about the bill’s enforcement away from the political eye.

FAQ:

Q: How do I know if I am a small business?

A: The Small Business Administration assigns a size standard to each NAICS code. Most non-manufacturing businesses with average annual receipts under $7.5 million will qualify as a small business. However, there are exceptions by industry. You can view these in Title 13 Part 121.201 of the Code of Federal Regulations (CFR) or in the SBA’s table of small business size standards.

Q: Does this bill include the Right to Delete changes that were added to the VCDPA after passage?

A: Yes.

Q: What fund are civil penalties deposited into?

A: The state’s general fund. There is no Litigation Fund or Enforcement Trust.

Q: Does the bill include rulemaking authority for any state agency or other entity?

A: No.

Q: Is there a requirement for a company to operate a toll-free number as in CCPA?

A: No, a company must only maintain two secure and accessible means for consumers to exercise their rights.

Q: Who is the Chief Privacy Officer?

A: Currently, the Chief Privacy Officer is an internal title at DIR focused on ensuring the agency is following data privacy guidelines. HB 984 expands the position’s scope to cover all state agencies, but the position will exist regardless of the passage of that bill. Outside of the review of this bill, the Chief Privacy Officer will solely focus on state agencies and not private companies.

Q: How does the bill differ from VCDPA?

A: Please refer to the “Texas Data Privacy and Security Act vs. Virginia Consumer Data Protection Act Comparison” document provided by Rep. Capriglione’s Office. If you do not have access to this document, please contact the office.