Texas Has Joined the Party!

YouTube Video and Spotify Episode

Episode Description:

Name: Texas Data Privacy and Security Act (Amendment to Title 11 of the Business & Commerce Code)

A brief history of the bill

Introduced on 2/16 and read in the House on 2/23

Votes (most recent)

  1. Senate 31-0 on 5/27
  2. House 146-0 on 4/5

Signed by

  1. TX House on 5/29/2023
  2. TX Senate on 5/29/2023
  3. Gov. Abbott on 6/18/2023

Primary Author(s): Representative Giovanni Capriglione [District 23 in Tarrant County, TX (Fort Worth)]

Relevant Definitions (Sec. 541.001)

Personal data: any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.

Sensitive Data: personal data revealing racial or ethnic origin, religious beliefs, genetic/biometric data, data of a known child, or precise geolocation data.

Consumer: an individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.

Controller: an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.

Dark Pattern: a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice the Federal Trade Commission refers to as a dark pattern.

State Agency: department, commission, board, office, council, authority, or other agency in any branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by Section 61.003, Education Code.

Trade Secret: all forms and types of information, including business, scientific, technical, economic, or engineering information, and any formula, design, prototype, pattern, plan, compilation, program device, program, code, device, method, technique, process, procedure, financial data, or list of actual or potential customers or suppliers, whether tangible or intangible and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing.

Sale of PI: the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.

Pseudonymized data: any information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

De-identified data: data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual.

Applicability (Sec. 541.002(a)(1-3))

Applies to a person that:

  1. Conducts business in the state or produces a product or service consumed by residents of this state
  2. Processes or engages in the sale of personal data
  3. Is not a small business as defined by the US Small Business Administration

DOES NOT APPLY TO:

  1. State agency or political subdivision of Texas
  2. An entity subject to HIPAA
  3. A financial institution subject to GLBA
  4. Non-profit org
  5. Institution of higher ed
  6. An electric utility, power generation company, or retail electricity provider

A Consumer’s Rights (Sec. 541.051)

A consumer may exercise the following rights at any time by submitting a request to the controller:

  1. Confirm whether PI is being processed
  2. Correct inaccuracies
  3. Delete collected PI
  4. Obtain a copy of the consumer’s PI
  5. Opt out of processing of their data for the purposes of targeted advertising, the sale of PI, or processing for profiling

Controller’s Response to Consumer Requests (Sec. 541.052)

Respond without undue delay within 45 days after receipt of the request.

May extend an additional 45 days when reasonably necessary, taking into account the complexity of the request. Consumer must be informed of the extension.

If declining to take action, the controller must inform the consumer and allow them the opportunity to appeal the decision.

Info is to be provided free of charge at least twice annually. The controller may charge a fee if the requests are excessive or repetitive.

The controller shall establish an appeal process for consumers (541.053) and develop methods for consumers to submit requests (541.055).

Controller duties and transparency (541.101)

Limit the collection of PI to what is relevant to the processing purpose.

Establish administrative, physical, and technical safeguards to protect the confidentiality, integrity, and accessibility of PI.

Privacy Notice must include (541.102)

  1. Categories of PI processed
  2. Purpose for processing
  3. How consumers may exercise their rights
  4. Categories of PI shared with 3rd parties
  5. Categories of 3rd parties with whom data is shared
  6. The notice must be accessible by consumers

If engaging in the sale of sensitive PI, a controller shall include the message “We may sell your sensitive personal data.”

For biometric data, the same message applies with “biometric” in place of “sensitive.”

Duties of Processors (541.104)

Processors shall adhere to the instructions of the controller and assist the controller in meeting the obligations of the law.

Assist in providing the information for the DPIA.

A contract between a controller and processor must include:

  1. Clear instructions for processing data
  2. Type of data subject
  3. Nature of processing and purpose
  4. Duration of processing
  5. Rights and obligations of both parties

The contract must also require that the processor:

  1. Is subject to a duty of confidentiality
  2. Deletes or returns all PI upon consumer request
  3. Makes information available to the controller

Data Protection Impact Assessment (541.105)

Conducted by a controller for each of the following processing activities involving PI:

  1. Processing PI for targeted advertising
  2. Sale of PI
  3. Processing PI for profiling, if this presents a foreseeable risk of:
     a. Unfair or deceptive treatment of consumers
     b. Financial, physical, or reputational injury to consumers
     c. A physical or other intrusion into the solitude or seclusion, or the private affairs, of consumers, if the intrusion would be offensive to a reasonable person
  4. The processing of sensitive data
  5. Any processing activities that present a risk of heightened harm to a consumer

An assessment must identify and weigh the direct and/or indirect benefits and risks that may flow from processing to the controller, consumer, other stakeholders, and the public.

The assessment must factor in the use of de-identified data, the reasonable expectations of consumers, the context of processing, and the relationship between the consumer and the controller.

The DPIA shall be made available to the AG. The DPIA is confidential and exempt from public inspection. A single DPIA may address several processing operations that include similar activities. No retroactive DPIA is required.

Enforcement Authority (541.151)

The AG has exclusive enforcement authority.

Notice of Violation and Opportunity to Cure (541.154)

Notification from the AG to the org must be sent 30 days before issuing the notice of violation.

No action may be brought if the violation is cured within 30 days of receiving the notice. Evidence of the cure must be provided by the org with supporting documentation.

Civil Penalties (541.155)

$7,500 per violation

There is no private right of action (541.156)

Effective Date: July 1, 2024
