Texas will see changes to its breach notification law, but comprehensive privacy legislation at the state level will not occur until 2021 at the earliest. This year, two privacy bills were introduced in the Texas legislature. House Bill 4518 (modeled on the California Consumer Privacy Act) did not pass in any form. The other bill, House Bill 4390, did pass, but it was amended substantially before its passage. As passed, HB 4390 amends Texas’s data breach notification statute and creates a privacy council to provide privacy advice to the legislature to support possible future comprehensive privacy legislation.
HB 4390 was intended to apply to data collected online and originally included requirements for a data security program to protect privacy. As passed, though, HB 4390 merely amends the state’s breach notification requirements in the Texas Identity Theft Enforcement and Protection Act. Two primary changes will go into effect on January 1, 2020, both of which bring the Texas law more in-line with breach notification laws around the country. First, breach notices must now be made to affected individuals and the Texas Attorney General within 60 days following the determination that a breach of system security occurred that involved sensitive personal information. Second, organizations must now notify the Texas Attorney General following a breach that affects more than 250 Texas residents. Notice content requirements were also added. The statute requires that breach notifications to affected individuals include:
- a detailed description of the nature and circumstances of the breach, or the use of sensitive personal information acquired as a result of the breach;
- the number of residents of this state affected by the breach at the time of notification;
- the measures taken by the person regarding the breach;
- any measures the person intends to take regarding the breach after the notification under this subsection; and
- information regarding whether law enforcement is engaged in investigating the breach.
HB 4390 also creates a Texas Privacy Protection Advisory Council whose sole purpose is to study and report to the Texas legislature its findings before the next legislative session in 2021, after which it is abolished. The Council will be made up of 15 members across disciplines (e.g., technology and law) and industries (e.g., health care, Internet, banking, telecommunications, advertising, cloud data storage, and social media platforms). The Council will be tasked with studying laws from around the world that govern the privacy and protection of identifiable information connected to a specific individual, technological device, or household. Not later than September 1, 2020, the Council must report its recommendations for statutory changes to the Texas legislature. The report could be a significant factor in the Texas legislature’s efforts to regulate privacy when it reconvenes in 2021.
The breach notification provisions in the new law take effect on January 1, 2020, but the Advisory Council section of the law takes effect on September 1 of this year.