Saddle Up: Texas Makes Another Push to Join States With Comprehensive Consumer Privacy Laws

On March 24, 2023, Texas House Representative Giovanni Capriglione participated in a virtual interview with the Dallas chapter of the International Association of Privacy Professionals (IAPP) about his recently introduced bill, HB 4, also known as the Texas Data Privacy and Security Act (TDPSA). The interview was moderated by Samantha V. Ettari, Perkins Coie LLP senior counsel and co-chair of the IAPP KnowledgeNet Dallas Chapter, and Justin L. Koplow, AT&T senior legal counsel and also a co-chair of the IAPP Dallas Chapter. The conversation focused on a variety of subjects, including Rep. Capriglione's professional technology background and subsequent journey into privacy issues, the development of the TDPSA, its specific provisions, and how the bill compares to privacy regimes in other states, including the Virginia Consumer Data Protection Act (VCDPA), on which it was modeled. This is the third comprehensive consumer privacy bill Rep. Capriglione has advanced, and this one appears to be channeling the momentum of six states' comprehensive privacy laws, Texas denizens' apparent interest in consumer privacy, and a significant national conversation around consumers' and children's privacy. 

Per Rep. Capriglioni, the TDPSA is drafted to be business-friendly, exempts small businesses, and does not include employee and enterprise/business-to-business (B2B) data. Enforcement is solely vested in the Texas Attorney General's Office and there is no private right of action, even in the event of a security breach. The TDPSA has a 30-day cure period that does not sunset. Like other comprehensive state privacy laws, the TDPSA provides consumers the rights to delete, correct, and access their personal data and to opt out of sales, targeted advertising, and certain profiling activities. It also provides a right to appeal a denial of a data subject request and further establishes controller and processor obligations on personal information and a narrower category of sensitive information. And, while the TDPSA includes biometric information in the definition of sensitive information, there is no near-term plan to phase out the state's biometric law—the Texas Capture or Use of Biometric Identifiers (CUBI). If passed, the TDPSA would be effective and enforced early next year, with little tolerance for delayed compliance apart from the 30-day cure period. This short runway for businesses in scope to come into compliance is based on an expectation that those businesses will already be in compliance with the majority of their obligations given the significant reach of consumer privacy laws in other states.

The interview concluded with Rep. Capriglione's thoughts on how, if enacted, the TDPSA might intersect with emerging artificial intelligence (AI) and machine learning (ML) technologies, as well as potential future lawmaking concerning automated decision-making. The high-priority number assigned to the TDPSA suggests that it will move quickly through the legislature and may be passed soon, making the Texas legislature one to watch in 2023 on privacy and other intersecting areas of technology.