On
February
6,
2023,
Texas
State
Representative
Giovanni
Capriglione
submitted
H.B.
1844,
a
comprehensive
privacy
bill
modeled
after
the
Virginia
Consumer
Data
Protection
Act
(“VCDPA”).
The
bill
could
make
Texas
the
sixth
U.S.
state
to
enact
major
privacy
legislation,
following
California,
Virginia,
Colorado,
Utah,
and
Connecticut.
Although
the
bill
closely
follows
the
VCDPA,
it
departs
from
the
Virginia
law
in
several
key
areas,
most
notably
in
the
definition
of
“personal
data”
and
its
applicability.
H.B.
1844
would
establish
a
comprehensive
framework
for
controlling
and
processing
the
personal
data
of
Texas
residents
and
would
become
effective
September
1,
2023.
Similar
to
the
VCDPA,
H.B.
1844
would
provide
Texas
residents
with
certain
rights
with
respect
to
their
personal
data,
including
rights
of
access,
correction,
deletion,
portability,
the
right
to
opt
out
of
certain
processing,
and
the
right
to
appeal
a
controller’s
decision
regarding
a
rights
request.
The
bill
also
would
include
requirements
relating
to
data
minimization,
processing
limitations,
data
security,
non-discrimination,
third-party
contracting
and
data
protection
assessments,
as
well
as
impose
certain
requirements
directly
on
entities
who
process
data
on
behalf
of
a
controller.
H.B.
1844
would
grant
the
Texas
Attorney
General
exclusive
jurisdiction
to
enforce
the
bill.
The
draft
bill
does
not
provide
for
a
private
right
of
action,
although
it
would
allow
the
Attorney
General
to
issue
a
civil
investigative
demand
following
a
consumer
request.
The
Attorney
General’s
office
would
need
to
provide
30
days’
notice
of
any
violation
and
allow
an
opportunity
to
cure.
For
uncured
violations,
the
Attorney
General
would
be
able
to
file
an
action
seeking
$7,500
per
violation.
Although
the
draft
bill’s
key
provisions
follow
the
VCDPA,
it
departs
from
the
Virginia
law
in
several
areas.
The
Texas
draft
bill
expands
the
VCDPA’s
definitions
of
“personal
data”
and
“pseudonymous
data”
to
cover
the
typical
data
processing
and
cataloging
activities
of
ad
tech
companies.
Pseudonymous
data
layered
with
personal
data
and
data
that
is
not
adequately
deidentified
would
be
considered
personal
data
under
the
draft
bill.
The
bill
would
not,
however,
require
controllers
to
reidentify
data
that
has
been
deidentified.
Similarly,
the
draft
bill
broadens
the
VCDPA’s
definition
of
“sale
of
personal
data,”
adding
a
reference
to
“other
valuable
consideration”
to
cover
quid
pro
quo
arrangements
that
do
not
feature
a
direct
monetary
transaction.
H.B.
1844
broadens
the
VCDPA’s
applicability
provisions
dramatically.
First,
the
draft
bill
replaces
the
requirement
that
a
business
to
which
the
law
applies
must
“target”
the
state’s
residents
with
its
products
or
services.
Instead,
H.B.
1844
would
apply
to
persons
whose
products
and
services
are
“consumed”
by
residents
of
the
state.
Second,
the
draft
bill
removes
the
VCDPA’s
revenue
threshold,
relying
on
a
formulation
that
excludes
small
businesses
that
do
not
process
or
sell
data
instead.
The
bill
would
rely
on
the
United
States
Small
Business
Administration’s
classifications
to
define
which
entities
qualify
as
small
businesses.
The
draft
bill
modifies
the
VCDPA’s
exemption
for
the
Children’s
Online
Privacy
Protection
Act
(“COPPA”).
The
VCDPA
provides
that
controllers
and
processors
in
compliance
with
COPPA
automatically
meet
the
VCDPA’s
requirement
to
obtain
parental
consent
before
collecting
data
from
children.
The
analogous
section
in
the
Texas
draft
bill
would
clarify
that
the
COPPA
exception
only
applies
to
online
data
in
an
attempt
to
close
a
possible
loophole
that
would
exclude
offline
children’s
data
from
the
bill’s
scope.
Further,
the
draft
bill
clarifies
the
VCDPA’s
data
portability
provision
to
ensure
that
the
consumer
can
access
all
digitally
available
consumer
personal
data.
The
clarification
seeks
to
prevent
an
interpretation
that
the
data
portability
right
only
applies
to
data
that
is
subject
to
automated
processing.
H.B.
1844
also
adapts
the
VCDPA’s
list
of
methods
for
submitting
consumer
requests
to
the
requirements
of
the
CCPA
by
specifying
that
the
controller
must
have
two
or
more
secure
and
reliable
means
for
consumers
to
submit
requests.
Unlike
the
CCPA,
however,
H.B.
1844
does
not
require
a
toll-free
number.
Finally,
the
Texas
draft
bill
would
designate
the
Texas
Department
of
Information
Resources
to
monitor
the
implementation
of
the
bill.
About Author
