Not a CCPA Clone: Understanding Texas’s Proposed Data Privacy Law, H.R. 3741

On March 11th, Texas State Representative Giovanni Capriglione filed six bills that address consumer privacy, with H.R. 3741 serving as the Data Privacy Omnibus. The bill defies easy comparison to the CCPA or other rights-based data protection laws currently in force, so instead of a side-by-side analysis, I’m going to highlight its most noteworthy aspects. I interviewed Representative Capriglione on the six bills.

Three categories of Personal Identifying Information

While creating a distinct category of “special” personal information has been a hallmark of the EU GDPR, H.R. 3741 takes this approach a bit further by creating three categories of Personal Identifying Information (PII) and denoting what processing cannot be done with a given category:

Category Processing Limitations

Category One. PII identifying information that an individual may use in a personal, civic, or business setting, and includes:

A. Government-issued identity documents (an SSN; a driver’s license number, passport number, etc.);

B. A financial account number or any access code to an individual’s financial account;

C. Unique biometric information;

D. Physical or mental health information; and

E. The private communications or other user-created content of an individual that is not publicly available.

No special limitations.

Category Two. PII identifying information that may present a privacy risk to an individual, including members of a constitutionally protected class, and includes:

A. Racial or ethnic origin information;

B. Religious affiliation or practice information;

C. Age;

D. Physical or mental impairment;

E. Precise geolocation tracking data; and

F. Unique genetic information.

[emphasis added; see analysis below]

A business may not sell, transfer, or communicate Category Two information to any third party.

Without the express written consent of the individual, a business may not:

  1. Perform geolocation tracking of an individual, including for purposes of contact tracing; or
  2. Sell data relating to an individual that is collected from geolocation tracking.

Category Three. Specific facets of personal identifying information and includes:

A. Time of birth; and

B. Political party or association.

A business may not collect or process Category Three information.

The bill introduces the idea of privacy risk, which is defined as “potential adverse consequences to an individual or society at large arising from the processing of personal identifying information,” and then is illustrated with a long list of potential harms. Examples include physical harm, stigmatization or reputational harm, and “[a]dverse outcomes or decisions with respect to an individual’s eligibility for a right, benefit, or privilege in employment, including hiring, firing, promotion, demotion, or compensation.” This idea closely resembles the commonly cited “risk to rights and freedoms” in GDPR jurisprudence. It may be the first time that it has appeared in U.S.-based privacy legislation, at least at the state level.

A jurisdictional scope that exempts small businesses

A frequent discussion point of proposed data protection laws is their potential impact on small businesses. The Texas bill addresses this by setting the following thresholds (in addition to requiring the conduct of businesses within the state) for a business to be subject to the law:

  • It must have more than 50 employees;
  • It collects the PII of more than 5,000 individuals, households, or devices or has that information collected on the business’s behalf; and satisfies one or more of the following thresholds:
    • It has annual gross revenue in an amount that exceeds $25 million; or
    • It derives 50 percent or more of the business’s annual revenue by processing personal identifying information.

Also, these thresholds only apply to PII “that is (1) collected over the Internet or any other digital network or through a computing device that is associated with or routinely used by an end user; and (2) linked or reasonably linkable to a specific end user.” This “electronic only” limitation seems to be calculated to further protect small businesses by exempting data collection and processing that is paper centric or is merely to expediate order processing (perhaps at a restaurant or other retail establishment).

Consumer rights

H.R. 3741 grants rights to consumers over their PII that is reminiscent of other rights-based data protection laws, including rights to:

  • Disclosure. Individuals may request that businesses disclose (1) the PII that is being collected; (2) the sources of the PII; (3) business’s purpose for the collecting; and (4) the names of third parties to whom the PII has been sold or transferred.
  • Access. Individuals may obtain their PII held by a business and transfer that information from one business to another.
  • Amendment. A business in possession of an individual’s PII must correct any inaccurate information upon request.
  • Deletion. A business must delete an individual’s “sensitive personal information” upon request. It’s unclear if this is a reference to a particular Category of PII, or something else.

Business responsibilities

The bill mandates certain business practices, many of which mirror certain individual rights:

  • Provide notice of privacy practices. Before collecting PII, a business must conspicuously provide notice about its practices with respect to PII processing.
  • Maintain accurate information. Businesses must publish a means for individuals to contact them and dispute incorrect information. Once a dispute occurs, those businesses must investigate and (assuming there’s merit to the request) promptly make corrections.
  • Provide data access and portability. When a business provides to a requesting individual a copy of his/her PII, that information must be delivered “in a portable, readily usable format that may be transferred … by the individual to another business.”
  • Delete PII upon account closure. If an individual who maintains an account with a business closes that account, then the business must stop processing that individual’s PII and within one year, permanently delete that PII. Third parties that in possession of account data must likewise delete that data after one year.

Enforcement

H.R. 3741 does not offer a private right of action; the state’s Attorney General has exclusive authority to bring enforcement actions against businesses or third-party processors that violate the law. Businesses in violation will be subject to a civil penalty of $10,000 per violation, up to $1 million in total. Third parties that violate the requirement to delete the account holder’s PII after the 1-year hold period will also be subject to the same penalty. Much like with the CPRA, this is a “safe harbor” immunity from liability for businesses that do not know (or have a reasonable belief) about their third-party processor’s violation of the law.

In summary

H.R 3741 illustrates the notion that every state has its approach to balancing residents’ privacy rights with the regulatory burdens placed on businesses. In this case, Texas has gone to greater lengths than other states to protect small businesses (using the 50-employee threshold) while offering enhanced protection to certain kinds of personal information and introducing the concept of privacy risk. I suspect that if the bill becomes law, the state will build on this concept over time; it seems too big a foundation not to do so.

If passed into law, the bill will take effect on September 1, 2021. Two sections that address the right to deletion take effect on January 1, 2022. This is a particularly short runway for businesses to come into compliance, and they should prioritize (1) updates to their respective data inventories; (2) review of agreements with third parties; and (3) efforts to meet individual requests for access and correction to, and deletion of, PII.

1