The 86th Texas legislative session saw the introduction of two competing bills seeking to regulate the use of personal information in the same vein as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
While neither bill became law, they did prompt the creation of the Texas Privacy Protection Advisory Council, tasked with studying data privacy laws and advising the Legislature on “specific statutory changes” regarding privacy in advance of the 87th legislative session.
Pursuant to its charge, the Advisory Council submitted a report to the Legislature last September, a report which provided fairly detailed information on current privacy laws and practices but offered only a short list of high-level recommendations.
To further guide the 87th Legislature and prepare Texas businesses for what is likely to come, here are four key considerations that the Legislature will likely take into account in drafting a comprehensive Texas privacy law.
Scope of Personal Information
Privacy law in the United States, particularly at the state level, has long provided certain protection for the type of information that could be used to steal one’s identity (known under Texas law as “personal identifying information”). But such construction of personal information may not fully capture the panoply of data points that Texans may consider to warrant protection in 2021.
Most jurisdictions that have enacted comprehensive privacy laws in recent years have modeled them on the GDPR, which broadly defines personal information as “information related to an identified or identifiable natural person.” The CCPA definition is even more expansive, encompassing information that “is reasonably capable of being associated with” an individual or household.
While the Legislature may have little choice but to follow global trends and generally embrace the wide net cast by the GDPR and CCPA, it should bear in mind that an overly broad or vague definition will risk capturing information types that sit on the margins of what should reasonably be deemed “personal.”
Specifically, the Legislature should carefully consider whether and to what extent the definition should encompass or exclude various categories of information that have been treated differently across the privacy law landscape or have otherwise proven controversial, including:
- business contact information, which is primarily used in a professional, not personal, capacity;
- employee personal information, which is collected and used in a particular context with its own set of expectations;
- IP addresses, which may or may not be linkable to an individual user;
- publicly available information, which may be simultaneously highly personal and widely accessible;
- information that is already protected by robust US sector-specific privacy laws, such as health or financial data; and
- sensitive information (e.g., religious beliefs, race, biometric identifiers, sexual orientation, etc.) which may require heightened protection.
Lastly, while most comprehensive privacy laws exclude “deidentified information” from the scope of personal information, they vary widely in how they define this term and the degree to which they spell out clear standards for determining whether such information is truly rendered anonymous.
The Legislature will need to approach the subject with precision, but also with an appreciation for the evolving and somewhat nebulous nature of deidentification methods.
Privacy Rights
Underlying every comprehensive privacy law is the desire to give individuals more control over their personal information.
To that end, the GDPR and many laws made in its image grant individuals explicit rights with respect to their personal information, such as the right to access the information, the right to receive a copy of the information and the right to request the deletion of the information.
If the Legislature aims to enact a law that is at least somewhat consistent with existing privacy regulations, the question will not be whether it should grant Texans such rights at all, but what those rights should be and what limitations and exceptions should apply.
For example, both the GDPR and the CCPA grant individuals the right to request deletion. But whereas the GDPR provides businesses with a fairly narrow list of exceptions they could rely upon in declining to delete, the CCPA gives businesses substantially more latitude in this regard.
Likewise, the GDPR broadly provides individuals with the right to restrict the processing of their personal information, while the CCPA only grants the right to restrict a particular form of processing, namely, the sale of personal information.
In establishing privacy rights for Texans, the Legislature must also weigh the burden that such rights will impose on Texas businesses.
Notably, both the GDPR and CCPA require businesses to respond to requests within certain timeframes but do not clearly articulate the lengths to which businesses must go in fulfilling requests, leading some well-intentioned businesses to undertake disproportionately extensive efforts to comply with the law. In some jurisdictions, businesses must also contend with individuals who use their privacy rights for punitive purposes or as a discovery tool in anticipation of litigation.
The challenge for the Legislature will be to establish privacy rights that give Texans meaningful control over their personal information, while also giving businesses clear parameters and guidelines for how to respond to and fulfill requests.
Legal Basis for Processing
As a practical matter, the most immediate impact of the CCPA was that most in-scope businesses needed to update their website privacy policies in order to fulfill the “notice at collection” obligations under the CCPA. Once these notice obligations are met, however, the CCPA puts very few restrictions on what businesses can actually do with the personal information they collect.
By design, therefore, the “notice and consent” model adopted by the CCPA puts the onus on individuals to read privacy notices and decide for themselves whether or not to hand over their information. While the GDPR similarly requires businesses to provide notice, it is not the provision of notice that greenlights the business’s collection and use of the information; rather, the business must separately determine its “lawful basis” for processing the information (which may or may not be the individual’s express consent) and then must adhere to various principles in processing that information that largely shift the burden away from the individual and toward the business.
Meanwhile, the New York Legislature is considering a bill that adopts an entirely different (and somewhat controversial) approach that would be substantially more burdensome for businesses than both the CCPA and the GDPR.
Under the proposed New York Privacy Act, not only would businesses have to obtain opt-in consent before processing personal information, the businesses would then be under a fiduciary obligation to act in the best interests of the individual, without regard for the interests of the business.
The Texas Legislature should evaluate the strengths and weaknesses of each of these approaches to legally justifying the processing of personal information, or even consider a novel approach that makes sense for Texans and Texas businesses.
Enforcement
Ultimately, whether or not privacy regulation succeeds at improving privacy protection turns on how effectively the law is enforced. To that end, the Legislature will need to grapple with three enforcement-related questions.
First, the Legislature will need to decide whether an existing state agency can be sufficiently resourced to enforce the law or if a new agency should be established, similar to the data protection authorities that exist in the EU and other international jurisdictions.
Such a standalone agency is no longer without precedent in the U.S. – as a result of the California Privacy Rights Act, which substantially amends the CCPA, California will soon establish a California Privacy Protection Agency to enforce the CCPA, largely taking that responsibility away from the Office of the Attorney General.
Second, the Legislature will need to determine the appropriate fine structure. Under the CCPA, noncompliance can result in civil penalties of up to $2,500 per violation or $7,500 per intentional violation, with no set maximum amount.
The GDPR, on the other hand, allows for administrative fines of up to the higher of 4% of global annual revenue or 20 million euros. While, in theory, liability under the CCPA could actually eclipse liability under the GDPR, the sticker shock of the GDPR’s fine structure has garnered far more attention. One often overlooked component of the GDPR fine structure, however, is that fines must be “proportionate,” and indeed, enforcement actions so far have generally fallen short of the potential ceiling.
Finally, the Legislature will need to consider whether to allow for a private right of action with respect to any component of the law or leave enforcement entirely up to the relevant state agency.
Proponents of a private right of action argue that without giving individuals this enforcement tool, a comprehensive privacy law offers only the illusion of control. But others caution that a private right of action could prove to be a gift to the plaintiffs’ bar, opening the floodgates for litigation over trivial violations that may undermine the general intent of the law.
In an attempt to split the baby, the CCPA largely leaves enforcement up to the state but does allow for a private right of action in connection with data breaches. Meanwhile, efforts to enact a privacy law in Washington state have been consistently ensnared by the debate over whether to include a private right of action.
In crafting a Texas privacy law, the Legislature will need to consider the possible merits of such a right, while also recognizing the practical implications, including the possibility that it may hinder the law’s passage.
Randi Singer, a litigation partner based in Weil’s New York and Silicon Valley offices, is a member of the Firm’s Intellectual Property & Media practice and Co-Head of its Privacy & Cybersecurity group.
Robert Brown, based in Weil’s Houston office, is an associate in the Technology & IP Transactions practice and a member of the Firm’s Privacy & Cybersecurity group.