June 4, 2023

Volume XIII, Number 155


June 03, 2023

Subscribe to Latest Legal News and Analysis

June 02, 2023

Subscribe to Latest Legal News and Analysis

Texas Legislature Weighing Proposed New Privacy Laws

Recently, legislators in Texas introduced two bills relating to consumer privacy and data protection: H.B. No. 4518, the Texas Consumer Privacy Act (“Texas CPA”) and H.B. No. 4390, the Texas Privacy Protection Act (“TPPA”). These bills bear a strong resemblance to the California Consumer Privacy Act (the “California CPA”), and would lay the groundwork for extensive administrative schemes protecting consumers’ rights to their personal information.

Texas CPA

The Texas CPA bears strong similarity to California CPA. The Texas CPA, which, if adopted, would take effect September 1, 2020, applies to companies that do business and collect consumer data and:

  • Derive at least 50% of their annual revenue selling consumers’ personal information; or

  • Exceed $25 million in gross annual revenue (with that amount subject to adjustment by the Texas Attorney General every two years); or

  • Buy, sell, or receive the personal information of at least 50,000 consumers, households, or devices for commercial purposes

  • The Texas CPA would also apply to entities owned by companies that would be subject to the law. Similar to the California CPA, the Texas CPA contains express provisions governing rulemaking, implementation, and enforcement of the law. Notably, the legislation highlights various consumer rights, including (but not limited to):

  • A consumer’s right to disclosure, from the business, of the personal information the business collected.

  • A consumer’s right to deletion of the personal information that the business collected (with some limited, specific exceptions).

  • A consumer’s right to opt out of the sale of his or her personal information.


The TPPA, which (if passed) would go into effect September 1, 2019, proposes regulations on how a business processes and retains (or destroys) personal identifying information. It covers nearly identical businesses as the Texas CPA, provides the Texas Attorney General with similar rulemaking and enforcement powers, and it requires a similar disclosure of the type of personal information a business collects/processes, as well as how that information is used. Notably, this disclosure must be made before the business collects the information.

Other notable aspects of the proposed legislation include:

  • The Texas CPA would punish violations of the law with civil penalties of $2,500 per violation ($7,500 for intentional violations).

  • The bill applies only to information collected electronically (including over the internet or another network) or through a computing device associated with or routinely used by a customer/user and linked (or reasonably linked) to a specific customer/user.

  • The business must obtain the customer’s explicit consent for processing that customer’s personal identifying information.

  • The bill requires a business to develop and implement a data security program and accountability program to ensure compliance with the TPPA.

  • The bill also only allows a business to process a customer’s personal identifying information if it is required to do so by law.

Like the Texas CPA, the TPPA would provide for civil penalties for violations. However, violations of the TPPA would be punishable by a fine of $10,000 per violation, up to a maximum amount of $1 million.

Copyright © by Ballard Spahr LLPNational Law Review, Volume IX, Number 100

About this Author

Justin Shiroff, Ballard Spahr Law Firm, Las Vegas, Commercial Litigation and Healthcare Law Attorney

Justin A. Shiroff’s practice is concentrated in commercial litigation (with an emphasis on consumer financial services litigation), as well as healthcare law and data privacy/cybersecurity. His experience also extends to disputes involving employment law. Mr. Shiroff has represented a range of clients that include information security providers, banks and other lending institutions, hospitals and gaming companies/resorts. In addition to his commercial litigation practice, in the health care services field, he has assisted clients in a variety of issues including...

Joel Tasca financial institutions lawyer,  consumer class action attorney Ballard Spahr

Joel E. Tasca has defended banks and other financial institutions in consumer class and individual actions for over twenty years. These cases have arisen out of residential mortgage loans, credit card accounts, and an array of other consumer financial services.  Many of these suits have been brought under federal consumer protection laws such as the Fair Credit Reporting Act, the Telephone Consumer Protection Act, the Truth in Lending Act, and the Real Estate Settlement Procedures Act, as well as under state unfair, deceptive, or abusive acts and practices statutes....