Per our earlier blog post, Texas was ambitious this legislative session when it proposed two consumer data privacy bills. Both bills made it through committee hearings, but only one made it to the governor’s desk for signature: HB 4390. However, even it arrived there very different than originally drafted.
HB 4390, dubbed the Texas Privacy Protection Act, started as a comprehensive consumer privacy bill, with parts similar to the European Union’s GDPR and California’s Consumer Protection Act. However, through multiple amendments and dilutions, what was left were essentially two things:
- Updates to the breach notification requirements in the Texas Identity Theft Enforcement and Protection Act (the “TITEPA”); and
- The creation of the Texas Privacy Protection Advisory Council (the “Council”).
The general updates to the TITEPA include:
- Requirement that affected individuals be notified within 60 days after the breach. This replaces the current language in the statute “as quickly as possible”; and
- Requirement that the business experiencing the breach notify the state Attorney General if the breach affected at least 250 Texas residents.
These provisions will become effective January 1, 2020.
The Council will study other state and global data privacy laws in advance of the next legislative session and make recommendations. They will present their findings on or before September 1, 2020, and these recommendations will likely form the basis for consumer privacy legislation when the Texas Legislature reconvenes in January 2021.