Earlier today Rep. Giovanni Capriglione (R-Southlake) introduced consumer data privacy legislation (HB 1844) that gives consumers certain rights that may be exercised at any time upon specific request to a controller of the data.
These rights include: (1) to confirm whether the controller is processing the consumer’s personal data and to access that data; (2) to correct inaccuracies in the data; (3) to delete personal data provided by or obtained about the consumer; (4) to obtain a copy in digital form of that the consumer previously provided to the controller; or (5) to opt out of the processing of personal data for purposes of targeted advertising, the sale of the data, or profiling in furtherance of a decision that produces a legal or similarly significant affect concerning the consumer. The bill specifies procedures and time deadlines for controllers to respond to and execute the consumer’s request, as well as an appeal process. It further prohibits waiver of the rights by contract or agreement, rendering such agreements void.
In addition, the legislation imposes significant new duties on controllers, new requirements for privacy notices, new disclosures if the controller processes personal data for sale for targeted advertising, and new data assessment requirements that must be reported to the attorney general. Enforcement authority is vested exclusively in the attorney general, to whom the bill grants the authority to issue civil investigative demands. If the attorney general discovers violations and seeks to file an enforcement action, he or she must give the violator 30 days’ notice and a right to cure within that time. Otherwise, the attorney general may file suit for civil penalties and injunctive relief, including recovery of costs and attorney’s fees. The bill explicitly states that it does not create a private cause of action. Finally, it pre-empts local ordinances.
This is an extremely complex piece of legislation and a work in progress. It is laden with additional obligations for businesses that possess, process, use, or sell consumer personal data. Our very brief overview doesn’t scratch the surface or reveal the intricacies of the legislation’s definitions and standards, its broad scope and applicability, and the many compliance pitfalls that could befall a business, even when acting in good faith. We urge all of our members who handle this kind of data to get their compliance lawyers to review this bill. In our view, it may create a significant risk of liability exposure, so any feedback we can get will be very welcome indeed.
