Consistent with the cliché that “everything's bigger in Texas,” the Texas legislature has introduced not one, but two separate bills relating to the privacy of personal information. Although still in their nascent stages, both bills are following California's lead in creating enhanced and stringent privacy protections for individual consumers.

House Bill 4390, dubbed the Texas Privacy Protection Act (TPPA), is arguably the less onerous of the two bills, although you might not necessarily realize it at first blush, given the broad way it defines “personal identifying information” (PII). In addition to the traditional categories of information protected by privacy statutes (social security number, driver's license number, credit card or financial account information, etc.), PII includes biometric information (fingerprint, voice print, retina or iris image, or any other unique physical representation), religious affiliation or practice information, racial or ethnic origin information, unique genetic information, physical or mental health information, precise geolocation data and the private communications or other user-created content of an individual that is not publicly available. This definition alone will considerably expand the scope of entities that will likely have to comply with the law.

In terms of who must comply with the law, the TPPA would only apply to for-profit businesses that: (1) do business in Texas, (2) have more than 50 employees (the employees do not have to reside or work in Texas), (3) collect the personal identifying information of more than 5,000 individuals, households, or devices, or have that information collected on the business's behalf, and (4) either (A) have annual gross revenue in an amount that exceeds $25 million; or (B) derive 50 percent or more of the business's annual revenue from processing personal identifying information. Note that requirement (3) above refers to “individuals, households, or devices,” not to “Texas residents.” This means that if an Internet business has only a handful of customers in Texas, but numerous customers elsewhere, it could still theoretically be subject to the requirements of this law.

Most categories of PII are covered under the TPPA, but there are exemptions for publicly available information, information covered under certain federal or Texas statutes (HIPAA, the Texas Medical Records Privacy Act, GLBA, the Fair Credit Reporting Act and FERPA), information collected solely to facilitate the transmission or routing of PII between or among businesses, and PII transmitted to and from the individual to whom the PII relates if the collector of the information does not access, review, or modify the content of the information, or otherwise perform or conduct any analytical, algorithmic, or machine learning processes on the information.

The TPPA includes most of the requirements and restrictions on the collection and processing of PII that we have come to expect from expanded privacy laws. Generally, the purpose for the collection and processing needs to be properly disclosed to the consumer, and the information must be relevant to accomplish that purpose and used only for that purpose. If a third party is involved in the processing of the PII, the individual must be provided with the name of that third party and the scope of its involvement in the processing. The relevant notice must be clear, drafted in plain language and easy to understand, and must be located in a prominent location at the business and on the business's website, if it has one. For special categories of PII (geolocation data, biometric information, genetic information, racial or ethnic origin information, religious affiliation or practice information, physical or mental health information, or other personal identifying information that when processed is likely to create a significant privacy risk), the business must also specify the categories or items of special PII being processed and the purposes for processing that information.

The TPPA also contains certain “paperwork” requirements. All covered businesses must develop, implement, and maintain a comprehensive data security program that contains administrative, technical and physical safeguards for PII. The safeguards must be documented by the business and be appropriate considering the size and complexity of the business, the nature and scope of the business's activities and the sensitivity of the PII processed by the business. Covered businesses must also implement an accountability program that includes a process to identify, assess, and mitigate any reasonably foreseeable privacy risk, procedures to provide remedies for privacy risk, an annual assessment of the program and supporting policies and procedures, methods and procedures for responding to data breaches and for addressing inquiries and complaints concerning personal identifying information, and procedures for internal enforcement of the business's policies and discipline for noncompliance. Finally, covered businesses must maintain a privacy policy that articulates the business's processing practices for PII, including any analysis or predictions made by the business based on its processing of PII. The policy must provide an accurate and easy mechanism for individuals to access the PII collected about them and must notify individuals of the business's obligations to discontinue the processing of, and delete, PII under certain circumstances.

The TPPA gives individuals the right to access their PII. Businesses must allow an individual to promptly and reasonably obtain (1) confirmation of whether PII concerning the individual is processed by the business, (2) a description of the categories of PII processed by the business, (3) an explanation in plain language of the specific types of PII collected by the business, and (4) access to the individual's PII. The proposed law also includes a default right to be forgotten. If an individual maintains an account with a business, the business must not only stop processing the individual's PII on the date the account closes but must also delete all of that individual's PII within thirty days of account closure. Any third parties that process the account holder's PII must be notified of the closure of the account.

The term “third party” is defined in the TPPA as “[a] person engaged by a business to process, on behalf of the business, personal identifying information collected by the business.” If a business engages a third party to process PII collected by the business, the business must use due diligence in selecting the third party and ensure that the third party complies with the requirements of this law that apply to the third party. The business must also annually obtain from the third party verification that the third party is complying with the requirements. Third parties may only process PII to the extent the business is authorized to do so, and a business may not share an individual's biometric, health, or genetic information with a third party unless the individual consents to the sharing of that information. Third parties are also required to implement data security and accountability programs consistent with the requirements described above and must comply with the TPPA's cessation of processing and deletion requirements for account holders. If a third party violates any of the provisions of the TPPA, the business that hired the third party may not be held liable for those violations if the business did not have actual knowledge or a reasonable belief that the third party intended to violate these provisions.

Although the bill does not provide for a private cause of action, it does give the attorney general the power to bring an action against a business or third party and collect a civil penalty as well as reasonable attorney's fees, court costs and investigative costs incurred in bringing the action. The maximum civil penalty for each violation is $10,000, not to exceed a total amount of $1,000,000.

If passed and signed into law, the TPPA would go into effect Sept. 1. However, given that there is only about a month before the Texas legislature adjourns and the fact that the bill has not yet cleared the House much less made it into the Senate, that date seems unrealistic. The bill will likely be taken up again next year.

Eric Levy is senior counsel in Husch Blackwell's Dallas office and belongs to the firm's Financial Services & Capital Markets industry group. He counsels on cybersecurity risks including drafting privacy policies and notices and negotiating contracts allocating data protection and data gathering risks.