August 2023

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION 

The Texas Supreme Court ('the Supreme Court') has held that the Texas Constitution ('the Constitution') does not contain an express guarantee of a right to privacy in Texas State Employees Union v. Texas Dept. of Health and Mental Retardation, 746 S.W.2d 203, 205 (Tex. 1987) ('TSEU'). However, Article 1(19) of the Constitution protects personal privacy from unreasonable intrusion (TSEU at 860). The Constitution contains other provisions similar to those in the Constitution of the United States that are recognised as implicitly creating protected zones of privacy, including (Griswold v. Connecticut, 381 U.S. 479, 484 (1965)):

• protection against arbitrary deprivation of life and liberty (Article I(19) of the Constitution);
• freedom to speak, write, and publish (Article I(8) of the Constitution);
• protection against being compelled to give evidence against oneself (Article I(10) of the Constitution);
• protection against unreasonable intrusion into one's home and person (Article I(9) of the Constitution); and
• freedom of religion (Article I(6) of the Constitution).

2. KEY PRIVACY LAWS

On June 18, 2023, the Texas Governor signed a comprehensive privacy and data protection law – the Texas Data Privacy and Security Act (TDPSA)  (Tex. Bus. & Com. Code § 541.001 et seq.). The TDPSA broadly covers the processing of personal information pertaining to consumers by businesses that conduct business in Texas or produce a product or service consumed by residents in Texas, process or engage in the sale of personal data, and are not a small business as defined by the U.S. Small Business Administration, except to the extent that organizations are exempt as provided for under the TDPSA (Tex. Bus. & Com. Code § 541.002(a)). Similar to the other U.S. privacy laws, the TDPSA includes (Tex. Bus. & Com. Code § 541.001 et seq):

• privacy notice requirements;
• rights for Texas consumers (including the right to access, correct and delete personal information; portability rights; opt-out rights for automated profiling, targeted advertising, and sale of personal information; and a consent requirement for certain uses of sensitive personal information);
• required contractual and oversight measures for the use of data processors; and
• data protection assessments in certain circumstances.

The Texas Attorney General ('Texas AG’) has enforcement authority under the TDPSA and may assess civil penalties (of up to $7,500 per violation) and seek injunctions (Tex. Bus. & Com. Code §§ 541.151, 541.155), subject to a 30-day right to cure. There is no private right of action.

The TDPSA goes into effect on July 1, 2024, except that a requirement to honor opt-out requests from authorized agents (including opt-out preference signals from browsers) that goes into effect on January 1, 2025.

In addition, Texas recognizes common-law rights to privacy in Billings v. Atkinson, 489 S.W.2d 858, 859 (Tex. 1973) (‘Billings’). Texas has recognized three of the four common-law privacy torts, as set forth in the Restatement (Second) of Torts § 652B, C, and D:

• intrusion upon a person’s right to be left alone in his or her own affairs (Billings, 860);
• appropriation of some element of the person’s personality for commercial use (Cain v. Hearst Corp., 878 S.W.2d 577, 578-579 (Tex. 1994)); and
• publicity given to private information about a person (Industrial Found. Of the South v. Texas Indus. Accident Bd., 540 S.W.2d 668, 682 (Tex. 1976)).

In Cain v. Hearst Corp., the Supreme Court held that it does not recognize the fourth common-law privacy tort, the tort of false light. The Supreme Court found that the tort of false light is largely duplicative of defamation and lacks the procedural limitations that are found in defamation actions (Cain, 878 S.W.2d at 578-579. See Restatement (Second) of Torts § 652E).

Several Texas statutes impose civil penalties, injunctions, and criminal penalties for those who violate the privacy of another in a certain way. For example, Texas law specifically addresses identity theft. According to the Identity Theft Enforcement and Protection Act ('the Identity Theft Act'), under Chapter 521, Title 11 of the Business and Commerce Code, ('Tex. Bus. & Com. Code'), unless a person has consented, 'A person may not obtain, possess, transfer, or use personal identifying information […] to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person's name' (Tex. Bus. & Com. Code § 521.051).

The Identity Theft Act is enforced by the Texas AG, who may assess civil penalties and seek injunctions (Tex. Bus. & Com. Code § 521.151). In addition, under Chapter 32, Title 7 of the Texas Penal Code ('Tex. Penal Code'), identity theft is a crime. It is a felony to use identifying information of another person without the other person's consent with the intent to harm or defraud another; violators may be required to reimburse the victim and pay attorneys’ fees (Tex. Penal Code § 32.51). Furthermore, according to Chapter 33, Title 7 of the Penal Code, it is a felony to send, 'an electronic mail, instant message, text message, or similar communication that references a name, domain address, phone number, or other item of identifying information belonging to any person' (Tex. Penal Code § 33.07)

• without obtaining the other person’s consent;
• with the intent to cause a recipient of the communication to reasonably believe that the other person authorized or transmitted the communication; and
• with the intent to harm or defraud any person.

Under Texas law, an individual is presumed to be a victim of identity theft, if the person charged with an offense under Tex. Penal Code § 32.51, is convicted of the offense (Tex. Bus. & Com. Code § 521.102).

Like many states, Texas has a statute that specifically protects social security numbers. Under Chapter 501, Title 11 of the Business and Commerce Code, a person may not (Tex. Bus. & Com. Code § 501.001-002):

• intentionally communicate or otherwise make available to the public an individual's social security number;
• display an individual's social security number on a card or other device required to access a product or service provided by the person;
• require an individual to transmit the individual's social security number over the internet unless:
  • the internet connection is secure; or
  • the social security number is encrypted;
• require an individual's social security number for access to an internet website unless a password or unique personal identification number or other authentication device is also required for access; or
• print an individual's social security number on any material sent by mail, unless certain exceptions apply.

In Texas' analogue to the federal Computer Fraud and Abuse Act of 1986, it is a crime for a person to knowingly access a computer, computer network, or computer system without the effective consent of the owner (Tex. Penal Code § 33.02). This type of crime is typically a misdemeanor, but a person is guilty of a felony if that person was previously convicted two or more times of an offense of this type or if the computer, computer network, or computer system is owned by the government or a critical infrastructure facility (Tex. Penal Code § 33.02).

3. HEALTH DATA

At the federal level, the U.S. Department of Health and Human Services ('HHS') has issued the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Privacy, Security and Breach Notification Rules, Parts 160 and 164 of Title 45 of the Code of Federal Regulations ('the HIPAA Rules'), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH'). The HIPAA Rules set forth the national standards for protecting medical records, including the personal health information contained therein. States may enact stronger protections.

Texas has in turn enacted laws specifically applicable to health information, under Chapter 181, Title 2 of the Health and Safety Code ('Tex. Health & Safety Code'), referred to as the Medical Records Privacy Act ('MRPA'), and statutes specific to the insurance industry. Chapter 20, Title 2 of the Business and Commerce Code also addresses the use of medical information for the purposes of consumer reports (Tex. Bus. & Com. Code § 20.05(c)).

The TDPSA specifically carves out and does not apply to a covered entity or business associate subject to the privacy, security, and breach notification rules issued under HIPAA (Tex. Bus. & Com. Code § 541.002(b)). Protected health information under HIPAA and health records are also exempted (Tex. Bus. & Com. Code § 541.003). However, to the extent a business is not a covered entity or business associate and is processing other types of personal information, the TDPSA will apply. Notably, the TDPSA includes 'mental or physical health diagnosis' within its definition of sensitive data; thus, if the HIPAA carve-out does not apply, the TDPSA requires that consent be obtained to access, collect, or otherwise process such information (Tex. Bus. & Com. Code §§ 541.001(29), 541.101(b)(4)).

Medical Records Privacy Act

The MRPA focuses on the privacy of protected health information ('PHI') (as defined by HIPAA) and does not include specific requirements for data security or breach notification (Tex. Health & Safety Code § 181.001 et seq.). In some cases, the MRPA creates stronger privacy protections.

The MRPA potentially regulates entities that are not regulated by HIPAA. HIPAA regulates covered entities (i.e. health plans, health care clearinghouses, and certain health care providers) and business associates (entities that assist covered entities in their health care activities and functions) (§ 160.103 of the HIPAA Rules). In contrast, the MRPA applies to any entity (and employee of such entity) that possesses PHI, regardless of whether it is involved in providing health care services (Tex. Health & Safety Code § 181.001). The MRPA also applies to any commercial entity that assembles, collects, analyses, uses, evaluates, stores, or transmits PHI, including information or computer management entities, schools, and entities that maintain an Internet website. Except for restrictions on re-identification of PHI, marketing with PHI, and selling PHI, the MRPA does not apply to insurance companies, which are covered under a separate Texas law, or employers in their role as employers (Tex. Health & Safety Code § 181.051). Therefore, entities that are not regulated by HIPAA may not necessarily be exempt from the MRPA.

The MRPA specifically focuses on employee training, providing patients with access to their PHI, and prohibiting certain data practices such as re-identifying individuals without consent, certain marketing with PHI without permission, and certain sales of PHI (Tex. Health & Safety Code §§ 181.101-102 & §§ 181.151-153). Covered entities are also required to post privacy notices (Tex. Health & Safety Code §181.154).

Texas also contains, under Chapter 611, Title 7 of the Health and Safety Code, specific confidentiality protections for communications and records of a patient, which is defined as, 'a person who consults or is interviewed by a professional for diagnosis, evaluation, or treatment of any mental or emotional condition or disorder, including alcoholism or drug addiction' (Tex. Health & Safety Code § 611.001). As discussed below, the MRPA does not have a private right of action; however, this Texas statute provides for a private right of action if a person is 'aggrieved by the improper disclosure of or failure to disclose confidential communications or records in violation of [Chapter 611 of the Health and Safety Code]' (Tex. Health & Safety Code § 611.005).

The Texas AG has the authority to seek injunctive relief or civil penalties against a covered entity for its violations of the MRPA (Tex. Health & Safety Code § 181.201). Civil penalties for the violation of the MRPA range based on the intentionality and purpose of the violation, i.e., whether the violation was committed negligently, knowingly, or intentionally, and/or for financial gain. Monetary penalties could be up to $250,000 for each violation where PHI is used knowingly or intentionally for financial gain. Other potential penalties include excluding a covered entity 'from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating' the MRPA (Tex. Health & Safety Code § 181.203).

The MRPA does not include a private right of action. Individuals can file a complaint with the Texas AG or the Texas agency that licenses the covered entity (Tex. Health & Safety Code § 181.104). The MRPA provides licensing agencies with the authority to investigate and bring disciplinary proceedings against the covered entity, including probation and suspension (Tex. Health & Safety Code § 181.202). If the violations of the MRPA are 'egregious and constitute a pattern or practice,' the agency may revoke the covered entity's license or refer the covered entity's case to the Texas AG.

The MRPA does not contain its own breach notification requirement. However, Texas' breach notification statute, which is discussed in section 9 below, applies to breaches of 'information that identifies an individual and relates to: (i) the physical or mental health or condition of the individual; (ii) the provision of health care to the individual; or (iii) payment for the provision of health care to the individual' (Tex. Bus. & Com. Code § 521.002).

Insurance Code

Chapter 602, Title 5 of the Insurance Code ('Tex. Ins. Code') includes privacy protections for non-public personal health information handled by the entities it regulates, which include insurance companies, health maintenance organisations, and insurance agents (Tex. Ins. Code § 602.001(1)). These privacy requirements are applicable only to covered entities that are not regulated by HIPAA (Tex. Ins. Code § 602.002). Therefore, the law is intended to regulate insurance-related entities that otherwise may not have privacy obligations with respect to the personal health information they handle.

Non-public personal health information regulated by the Insurance Code is health information that identifies or could reasonably be used to identify and individual and relates to (Tex. Ins. Code § 602.001(2)):

• the past, present, or future physical, mental, or behavioural health or condition of the individual;
• the provision of health care to the individual; or
• payment for the provision of health care to the individual.

Unless an exception applies, covered entities are prohibited from disclosing non-public personal health information without written or electronic authorisation that meets the requirements of the law from the individual about whom the information relates. Covered entities are permitted to make disclosures for certain purposes, including criminal investigations, underwriting, issuing a policy, and other typical insurance related functions and data analysis (Tex. Ins. Code § 602.051-053).

Similar to the MRPA, the Texas AG may bring an action for injunctive relief and civil penalties against a covered entity that violates Chapter 602 of the Insurance Code (Tex. Ins. Code §§ 602.102-103). A covered entity that does not meet its privacy obligations is 'subject to investigation, disciplinary proceedings, and probation or suspension of the covered entity's license or other form of authorization to engage in business' (Tex. Ins. Code § 602.104).

Consumer Credit Reporting Act

The federal Fair Credit Reporting Act of 1970 ('FCRA'), as amended by the Fair and Accurate Credit Transactions Act of 2003 ('FACTA'), pre-empts the application of most state laws applicable to consumer reporting agencies (See Walters v. Certegy Check Servs., Cause No. A-17-CV-1100-SS (W.D. Tex., Oct. 2, 2018), acknowledging that the FCRA pre-empts many claims under Texas state law). However, Texas has its own credit reporting statute, under Chapter 20, Title 2 of the Business and Commerce Code, referred to as the Consumer Credit Reporting Act ('CCRA').

Generally, the CCRA is consistent with the FCRA in requiring that a consumer reporting agency not furnish medical information about a consumer in a consumer report that is being obtained for employment purposes or in connection with a credit, insurance, or direct marketing transaction unless the consumer consents to the furnishing of the medical information (Tex. Bus. & Com. Code § 20.05). The Texas AG may seek injunctive relief or civil penalties for a violation of the CCRA (Tex. Bus & Com. Code § 20.11).

The TDPSA does not apply to data processing activities that are regulated and authorized by the FCRA (Tex. Bus. & Com. Code § 541.003(11)).

4. FINANCIAL DATA

The Texas Department of Banking regulates banks in Texas under the Texas Banking Act, Chapter 31, Title 3 of the Finance Code ('Tex. Fin. Code').. The Texas Banking Act contains a number of provisions that address the confidentiality of information shared among Texas agencies and/or other financial regulators (Tex. Fin. Code §31.001 et seq.). Chapter 59, Title 3 of the Finance Code sets forth the exclusive method (subject to stated exceptions) for compelling discovery 'relating to one or more customers,' however, the statute does not in and of itself 'create a right of privacy in a record' (Tex. Fin. Code § 59.006).

In accordance with Chapter 601, Title 5 of the Insurance Code, entities that receive their license or certification from the Texas Department of Insurance are required to comply with rules of the Insurance Commissioner. The Insurance Commissioner is responsible for adopting rules that have privacy requirements consistent with the Gramm-Leach-Bliley Act of 1999 ('GLBA') (Tex. Ins. Code § 601.051).

The TDPSA does not apply to financial institutions and data subject to the GLBA (15 U.S.C. Section 6801 et seq.) (Tex. Bus. & Com. Code § 541.002(b)(2)).

5. EMPLOYMENT DATA

The TDPSA specifically carves out and does not apply to a business acting in the employment context or to employee data (Tex. Bus. & Com. Code §§ 541.001(7), 541.003(15)-(17)). However, Texas has several generally applicable laws that regulate the privacy and security of personal information in certain contexts, which would apply to employment. In most cases, the Texas AG can impose civil penalties for a failure to meet the following requirements:

• reasonable data security practices. Businesses are required to implement and maintain reasonable security procedures to protect personal information (Tex. Bus. & Com. Code § 521.052);
• restrict the use and disclosure of social security numbers. Chapter 501, Title 11 of the Business and Commerce Code provides that businesses may not display or communicate social security numbers in certain ways (Tex. Bus. & Com. Code § 501.001-002). For example, a business cannot require an individual to transmit a social security number over the internet unless the connection is secure and the data is encrypted. This requirement may apply to a job application website;
• provide notice of breach of personal information. Like all other states, Texas requires businesses that experience a compromise of personal information to notify affected Texas residents (Tex. Bus. & Com. Code § 521.053);
• restrict the collection, use, and disclosure of biometric information. Chapter 503, Title 11 of the Business and Commerce Code prohibits the capture of biometric identifiers for commercial purposes without informed consent (Tex. Bus. & Com. Code § 503.001). In addition, Texas law prohibits disclosing biometric identifiers except in limited circumstances. It also requires the secure retention and the timely deletion of biometric identifiers. Employers that collect biometric identifiers from employees may have obligations under this law;
• abide by requirements applicable to health benefit plans. While employers are not regulated by the MRPA when they handle employees' protected health information as an employer, employers may be required to comply with the MRPA and HIPAA with respect to an employee health benefit plan (Tex. Health & Safety Code § 181.051);
• maintain genetic information confidential. Chapter 21, Title 2 of the Labor Code requires any business that has genetic information to keep it confidential and not disclose it unless specifically authorized by law (Tex. Lab. Code § 21.403); and
• provide consumer protections. Consumer-related privacy laws also likely apply when employees are acting as consumers in relation to their employer; for example, when an employee purchases a product from the employer's store.

6. ONLINE PRIVACY

The TDPSA covers online (and offline) collection, use, sharing, and other processing of personal information (Tex. Bus. & Com. Code § 541.001 et seq.). As outlined throughout this Overview, the TDPSA covers a business' online privacy practices. Notably, personal information is broadly defined under the TDPSA and covers data collected automatically through websites, including through the use of cookies and similar technologies. The notice requirements and the rights to opt-out of selling and targeted advertising apply to such data that is collected in an automated manner.

Also, under Chapter 2054, Title 10 of the Government Code ('Tex. Govt. Code'), Texas state agencies are required to comply with multiple requirements relating to online privacy if they process any sensitive personally identifiable or confidential information, including, preparing a data security plan, subjecting their websites to penetration testing, and posting a website privacy policy (Tex. Govt. Code § 2054.126). Also, the Texas AG has filed enforcement actions under the federal Children's Online Privacy Protection Act of 1998 ('COPPA').

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

Federal law regulates most commercial communications. With respect to commercial email, the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM') pre-empts state laws. However, telephone-based commercial communications can be regulated at the state level when they provide greater protection for individuals.

Texas regulates telemarketing calls, text messages, and faxes with the Texas Telemarketing Disclosure and Privacy Act ('TTDPA'), under Chapter 304, Title 10 of the Business and Commerce Code. A telemarketing call is an unsolicited telephone call (including an SMS or MMS text message) made to (Tex. Bus. & Com. Code § 304.002):

• solicit a sale of a consumer good or service;
• solicit an extension of credit for a consumer good or service; or
• obtain information that may be used to solicit a sale of a consumer good or service or to extend credit for the sale.

The TTDPA prohibits telemarketing calls to telephone numbers published on the Texas no-call list more than 60 days after the date the telephone number appears on the current list (Tex. Bus. & Com. Code § 304.052). There are certain exceptions, such as when there is an established business relationship between the caller and recipient or when the call is intended to collect a debt (Tex. Bus. &Com. Code § 304.004(2) and (5)). Telemarketers also may not interfere with or fail to provide caller identification information (Tex. Bus. & Com. Code § 304.151).

A business that sends fax solicitations must meet applicable federal laws and also include certain content on the fax, including a telephone number that permits the fax recipient to opt-out of future fax solicitations (Tex. Bus. & Com. Code § 304.101). A business is required to comply with such opt-out request (Tex. Bus. & Com. Code § 304.102).

The AG and the Public Utility Commission of Texas both enforce and may assess administrative penalties for violations of the TTDPA. Consumers have a private right of action when they receive telemarketing calls to telephone numbers listed on the Texas no-call list and can be awarded damages up to $500 per violation for wilful or knowing violations. Similarly, a person has a private right of action for violations of the fax solicitations and can be awarded damages up to the greater of actual monetary losses from the violations or $500 per violation (treble damages for wilful or knowing violations).

In addition, Chapter 305, Title 10 of the Business and Commerce Code prohibits a person from calling or using an auto-dialler to call mobile phones for the purpose of making a sale without the recipient's consent, if the caller knew or should have known the number called was associated with a mobile device (Tex. Bus. & Com. Code § 305.001). A person also may not transmit to a fax machine without consent a message for the purpose of a solicitation or sale when the recipient will be charged for receiving the fax (Tex. Bus. & Com. Code § 305.002). Fax transmissions for the purpose of a solicitation or sale may only be made between 7 AM and 11 PM (Tex. Bus. & Com. Code § 305.003). Failure to comply with these requirements are criminal misdemeanour offenses (Tex. Bus. & Com. Code § 305.052). The recipient also has a private right of action and may be awarded the greater of actual damages or $500 per violation (and triple damages for knowing or intentional violations) (Tex. Bus. & Com. Code § 305.053).

8. PRIVACY POLICIES

The TDPSA requires that a business' privacy policy be reasonably accessible and clear (Tex. Bus. & Com. Code § 541.102). Under the TDPSA, a privacy policy must also contain certain information, including:

• the categories of personal information processed, including any sensitive personal information;
• the purpose of processing;
• how a consumer can exercise their rights and the methods they can use;
• categories of personal information shared with third parties and the categories of such third parties; and
• if the business sells personal information, a notice regarding such selling (with specific language for sales of biometric or sensitive information).

In addition, Texas state law addresses the privacy policies of state agency websites (Tex. Govt. Code § 2054.126). Moreover, it is a best practice (and a Federal Trade Commission ('FTC') expectation) that companies that collect personal information online should post and abide by a privacy policy that is clear and conspicuous.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

Under the TDPSA, a business is required to 'establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal [information] at issue.' (Tex. Bus. & Com. Code § 541.101(a)(2)).

Even under older law, businesses in Texas are required to maintain and update reasonable procedures to protect sensitive personal information from unlawful use or disclosure (Tex. Bus. & Com. Code § 521.052(a)). The same law requires secure shredding or other destruction of records containing sensitive personal information 'to make the information unreadable or indecipherable through any means (Tex. Bus. & Com. Code § 521.052(b)).

Businesses that experience a breach of personal information have faced claims by Texas consumers and businesses that reasonable procedures were not in place to protect their data. Data breach-related lawsuits, which are commonly consumer class actions, usually include allegations of negligence (e.g. for failure to implement reasonable security measures), failure to disclose (e.g. not disclosing that the business did not have adequate security measures), and invasion of privacy (e.g. for improper disclosure).

Local government employees and elected and appointed officials in Texas are required to comply with certain cybersecurity training requirements or they may be denied access to the government's computer system or database (Tex. Govt. Code § 2054.5191 (as amended)). In some cases, such as when the local government is applying for a grant, it must submit a written certification of its compliance with the cybersecurity training requirements (Tex. Govt. Code § 772.012).

Data breach notification requirements

Consistent with other states, Texas has a data breach notification statute. The Identity Theft Act obligates an organization that conducts business in Texas to provide notice of a breach of system security where sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person, unless an exception applies (Tex. Bus. & Com. Code § 521.053(b)). 'Sensitive personal information' under this statute includes a person's name along with his or her social security number, driver's license number, or financial account number in combination with an access code. Sensitive personal information also includes health information (Tex. Bus. & Com. Code § 521.002(a)(2)).

Notice must be provided to affected individuals no later than 60 days unless delayed at the request of law enforcement (Tex. Bus. & Com. Code §§ 521.053(b), (d)). Notice to consumer reporting agencies is required if more than 10,000 individuals are notified pursuant to this law (Tex. Bus. & Com. Code § 521.053(h)). Businesses are required to notify the Texas AG (if more than 250 Texas residents were affected) no later than 60 days after a determination that a breach of system security has occurred (Tex. Bus. & Com. Code § 521.053(i)). However, effective September 1, 2023, this time period will be shortened. Businesses will be required to notify the Texas AG no later than 30 days after a determination that a breach of system security has occurred, and they will be required to do so electronically using a form accessed through the Texas AG's website (Tex. Bus. & Com. Code § 521.053(i), as amended).

The Texas AG must post on its website a list of breach notifications it receives. Unlike other state regulators that publish breach notices, the Texas AG must publish only the most recent notice received from a business and remove a business from the list within one year if the business has not notified the Texas AG of any additional breaches during that year. (Tex. Bus. & Com. Code § 521.053(j)).

Notice may be provided in writing, electronically, or in compliance with the substitute notice provision (Tex. Bus. & Com. Code § 521.053(e)). Data breach notices to the Texas AG must also include certain content (Tex. Bus. & Com. Code § 521.053(i)).

In addition, a business that maintains sensitive personal information for another business is required to immediately notify that business if it discovers a breach of system security (Tex. Bus. & Com. Code § 521.053(c)).

The Texas AG can impose a civil penalty up to $50,000 for each violation (Tex. Bus. & Com. Code § 521.151(a)). In addition, failing to notify affected individuals can result in being liable to the state for a civil penalty up to $100 per affected individual and up to $250,000 for a single breach (Tex. Bus. & Com. Code § 521.151(a-1)). The Texas AG can also enjoin violations of the statute (Tex. Bus. & Com. Code § 521.151(b)).

10. CONSUMER PROTECTION

The TDPSA is a fairly comprehensive consumer protection law. Notably, it carves out information concerning employees and individuals acting in a business-to-business context (Tex. Bus. & Com. Code § 541.001(7)). Under the TDPSA, Texas consumers have specific rights (Tex. Bus. & Com. Code §§ 541.051, 541.101(b)(3)), including the right to:

• confirm whether the business is processing their personal information and to access such personal information;
• correct inaccuracies in their personal information;
• delete their personal information (with exceptions);
• obtain a copy of their personal information;
• opt-out of the processing of their personal information for the purposes of: selling, targeted advertising, or profiling; and
• not be discriminated against for exercising of any of their rights.

At the federal level, the FTC regulates privacy and the protection of personal information through its authority under Section 5 of the Federal Trade Commission Act 1914, which prohibits unfair or deceptive practices in or affecting commerce. Like most states, Texas has its own Deceptive Trade Practices Act ('DTPA') under Chapter 17. Title 2. of the Business and Commerce Code which 'protects consumers against false, misleading, and deceptive business practices, unconscionable actions, and breaches of warranty and is intended to provide efficient and economical procedures to secure such protection' (Tex. Bus. & Com. Code § 17.44). The DTPA has also been used as a basis for privacy-related claims against businesses, including claims based on allegations of:

• representing that goods or services have certain characteristics, uses, or benefits which they do not have or that a person has a certain approval, status, affiliation, or connection which they do not have;
• representing that an agreement provides or involves certain rights, remedies, or obligations which it does not have or which are prohibited by law;
• representing that goods or services are of a particular standard or quality, if they are of another; and
• failing to disclose information concerning goods or services which was known at the time of the transaction to induce the consumer into the transaction when they otherwise would not have entered into it.

The DTPA provides for a private right of action and allows for class action claims and the tripling of certain damages, such as economic damages and mental anguish (Tex. Bus. & Com. Code § 17.46(b)). The DTPA is enforced by the Texas AG who may bring an action against a business for violating the DTPA and has the authority to seek a temporary restraining order or a temporary or permanent injunction (Tex. Bus. & Com. Code § 17.47(c)). In addition, the Texas AG may request that a court award a civil penalty of up to $10,000 per violation, and up to $250,000 under certain circumstances (Tex. Bus. & Com. Code § 17.47(c)).

Notable DTPA enforcement by the Texas AG in 2022

In January 2022, the Texas AG sued Google LLC., for allegedly deceptively tracking users' location without consent in violation of the DTPA. According to the Texas AG, the business 'employed and continues to employ a number of deceptive practices to make it nearly impossible for users to stop [the company] from collecting their location data. These practices include privacy-intrusive default location settings, hard-to-find location settings, misleading descriptions of location settings, repeated nudging to enable location settings, and incomplete or imbalanced disclosures of Google's location-data collection and processing.'

Among other allegations, the Texas AG alleged a violation of Tex. Com. Code § 17.46(b)(24), including allegations such as a failure to disclose facts about device settings and a failure to allow users to prevent the retention and use of their information by adjusting settings. The Texas AG's complaint stated that the business failed to disclose information concerning goods or services which was known by the business at the time of the transaction with the intent to induce the consumer into a transaction into which the consumer would not have entered had the information been disclosed.

The Texas AG is requesting temporary and permanent injunctions and is seeking a) restitution payments to restore all money or other property taken from identifiable persons, b) payment of the Texas AG's reasonable attorney's fees, c) a civil penalty of $10,000 per violation, and d) pre-judgment and post-judgment interest on all awards of restitution, damages or civil penalties as a result of the suit.

11. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

Student data

Chapter 32, Title 2 of the Education Code, referred to as the Texas' Student Privacy Act limits the use and disclosure of student personal information by a website, online service, online application or mobile application (collectively 'Site') that are used primarily for a school purpose and are designed and marketed for a school purpose (Tex. Educ. Code § 32.151 et seq.). Site operators may use or disclose student personal information to further a school purpose, maintain and improve operability and functionality, and secure the Site, and for other listed purposes (Tex. Educ. Code § 32.153-154). The law expressly prohibits knowingly implementing interest-based/behavioural advertising on such Sites, creating profiles about student users of the Sites (unless the profile is created for a school purpose), and selling or renting student personal information collected on Sites except in certain limited circumstances (Tex. Educ. Code § 32.152).

A Site operator also 'must implement and maintain reasonable security procedures and practices designed to protect covered information from unauthorised access, deletion, use, modification, or disclosure' (Tex. Educ. Code § 32.155). A school district may also require the Site operator to delete student personal information that is collected in association with that school district within 60 days of the request, unless the parent consents otherwise (Tex. Educ. Code § 32.156).

The TDPSA does not apply to state agencies or data regulated by the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g) (Tex. Bus. & Com. Code § 541.003(13)).

Credit and debit card data

Unless an exception applies, Texas prohibits, under Chapter 502, Title 11 of the Business and Commerce Code, including more than the last four digits of a payment card or the payment card expiration date on a transaction receipt (Tex. Bus. & Com. Code § 502.002). These requirements are consistent with the federal FACTA/FCRA requirements. The Texas AG may impose a civil penalty up to $500 for each month a violation occurs. The statute does not permit private lawsuits through class actions (Tex. Bus. & Com. Code § 502.002).

In Texas, a restaurant or bar owner must prominently display a sign for its employees that meets the requirements of the law with the intent of warning employees that it is a felony to obtain, possess, or use a customer's debit or credit card number without the customer's consent (Tex. Bus. & Com. Code § 502.001).

Biometric data

Texas law prohibits the capture of biometric identifiers for commercial purposes without informed consent (Tex. Bus. & Com. Code § 503.001 et seq.). A 'biometric identifier' is defined as 'a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry' (Tex. Bus. & Com. Code § 503.001(a)).

Further, the law (i) generally prohibits the sale, lease, or other disclosure of biometric identifiers that have been obtained for commercial purposes; (ii) requires reasonable care in protecting biometric identifiers; and (iii) requires deletion of biometric identifiers after a 'reasonable time, but not later than the first anniversary of the purpose for collecting the identifier expires,' unless otherwise required by another law to keep such identifiers (Tex. Bus. & Com. Code § 503.001(c), (c-1)). The Texas AG may bring an action and impose civil penalties up to $25,000 for each violation.

The TDPSA also applies to biometric data and requires that a business obtain consent in order to access, collect or otherwise process biometric data (Tex. Bus. & Com. Code §§ 541.001(3), 541.001(29); 541.101(b)(4)). A specific notice is required in the business's privacy policy if it sells any biometric data (Tex. Bus. & Com. Code § 541.102(c)).

Notable biometric data enforcement action in 2022

In February 2022, the Texas AG sued Google LLC, alleging Google captured the biometric identifiers of Texas consumers without their informed consent and for a commercial purpose and that the business failed to destroy the biometric identifiers within a reasonable time. The Texas AG contends Google was capturing facial geometry from photographs and continually training its artificial intelligence ('AI') and, over the course of 10 years, captured this information without requiring users and non-users to consent to its capture. According to the Texas AG, 'The company repeatedly captured biometric identifiers without consent billions of times, in knowing violation of Texas' Capture or Use of Biometric Identifier Act and the Deceptive Trade Practices Act.'

The Texas AG is seeking a civil penalty of up to $25,000 for each unlawful capture and alleges the amount of unlawful captures is in the millions.

Similarly, in February 2022, the Texas AG sued Facebook (now Meta Platforms, Inc.), alleging Facebook captured and used the biometric data of millions of Texans without properly obtaining their informed consent to do so. The Texas AG contends that 'Facebook knowingly captured biometric information for its own commercial benefit, to train and improve its facial-recognition technology, and thereby create a powerful artificial intelligence (‘AI’) apparatus that reaches all corners of the world and ensnares even those who have intentionally avoided using Facebook services.'

The Texas AG is seeking a civil penalty of up to $25,000 for each violation and alleges an estimated 20 million Texas users were impacted.

As of June 2023, these enforcement actions are still pending.

Data of government employees

In addition to the laws that govern state agencies as discussed in other sections of this Guidance Note, Texas protects the privacy of government employees' personal information in connection with open records laws. For example, Chapter 552, Title 5 of the Government Code includes an exception from disclosure in response to public access requests, for 'information in a personnel file, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy' (Tex. Govt. Code § 552.102) (see also Tex. Comptroller of Pub. Accounts v. AG of Tex., 354 S.W.3d 336 (Tex. 2010), holding that the provision of government employee birth dates was an unwarranted invasion of personal privacy).

12. OTHER RECENT LEGISLATION

In addition to the laws discussed above, Texas passed An Act relating to the registration of and certain other requirements relating to data brokers which establishes regulations for data brokers in Texas and takes effect September 1, 2023. It will apply to data brokers whose primary revenue comes from collecting, processing, or transferring personal information that they did not directly collect from the individuals. It establishes registration requirements, imposes civil penalties for non-compliance, and authorizes the collection of fees.

Texas also recently passed the Securing the Children Online through Parental Empowerment Act ('SCOPE Act') which becomes effective on September 1, 2024 (Tex. Bus. & Com. Code § 509.001 et seq.). The SCOPE Act is directed at social media service providers, although it also applies to certain online service providers that publish or distribute harmful or obscene material. Under the SCOPE Act, covered digital service providers must register the age of users and take special measures for 'known minors.' Such measures include limited collection and use of the minor's personal information, a prohibition against financial transactions or the delivery of targeted advertising to the minor, and the development and implementation of a comprehensive strategy to prevent exposure to material that promotes harmful behavior. Verified parents have the power to modify the duties of digital service providers with respect to their child, may exercise access and deletion rights with respect to the child's personal information, and are entitled to use supervisory tools that must be provided by the digital service providers. Algorithms used to prioritize or filter content delivered to known minors must be explained in the digital service provider's privacy policy.