In lieu of federal action, Texas lawmakers prep data privacy bills

Register now

The Texas legislature is considering several bills to strengthen data privacy and security laws, including one modeled on recent California legislation that some observers have said could set a de facto national standard on the issue.

HB 4518, the Texas Consumer Privacy Act, shares similarities with the California Consumer Privacy Act with respect to how businesses based in the state must deal with obtained, shared or sold information as well as consumers’ right to opt out of having that information sold and deleting specific personal information. Under the legislation, which would take effect Sept. 1, 2020, any business found to have violated the rule would face a $2,500 civil penalty for each violation or $7,500 for each intentional violation.

Information collected by banks and credit unions in accord to the Gramm-Leach-Bliley Act would be exempt from HB 4518's requirements.

The Texas Credit Union Association, a division of the Cornerstone Credit Union League, has been working with lawmakers to move the bill forward. TCUA President Jeff Huffman said the legislation is needed in lieu of meaningful action at the federal level.

“We’d like to see Congress deal with data privacy and data breaches so that there's one uniform standard across all 50 states rather than a patchwork across the states,” he said.

Another bill, the Texas Privacy Protection Act, HB 4390, focuses on regulating personally identifiable information as opposed to the TCPA's regulation of personal information. The TPPA defines personally identifiable information as "a category of information relating to an identified or identifiable individual."

How several recent state-level developments could impact credit unions
From new legislation to mergers and more, here's a look at measures from across the country that could change how credit unions do business.

Businesses that violate the TPPA would be subject to “not more than $10,000 for each violation, not to exceed a total amount of $1 million.” Besides businesses, the TPPA would also apply to governmental entities and would prohibit the sale of PII unique to genetic information, specific geolocation data or unique biometric information.

Banks and credit unions would still be subject to the requirements of the new data privacy requirements within 4390, according to Huffman.

Both bills have had a hearing before the state’s House Business and Industry Committee, but Huffman said the legislation still has “a ways to go.” And the clock is ticking since the legislature’s current session wraps up at the end of May and lawmakers won’t reconvene until January 2021.

The Texas legislature meets for 140 days every other year.

Lastly, lawmakers in the Lone Star State are also considering a series of bills targeting fraud committed through skimming devices.

The package of bills encompass HB 2624, HB 2625 and HB 2945, all of which would allow credit and debit card fraud cases to be brought in the county where they occurred, outline penalties for possession of multiple fraudulent cards and structure a clear framework on how to manage fraud respectively.

“In the testimony [last week] it was indicated 40% of the fraud and theft associated with skimmers is occurring in Texas, with Houston being ground zero for this theft,” Huffman said. “Many of the groups that engage in skimmer theft are based in Houston and it is estimated [that] hundreds of people are part of the gangs engaged in skimmer fraud.”

For reprint and licensing requests for this article, click here.
Data and information management Data privacy rules Data privacy Customer data Data security Data management Data storage Personally identifiable information Law and regulation Compliance Texas