Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Notification to consumer reporting agencies may be required
  • TX has data protection and disposal laws
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply
  • TX provides for notifications to out-of-state residents to be sent under the corresponding state’s laws

Who Me?


Texas breach and notification laws may apply if you are a person that:

  • Conducts business in TX and owns or licenses computerized data that includes sensitive PII 
  • Maintains computerized data that includes sensitive PII, but you do not own the data 

There are exemptions.

What is PII?


Texas has an in-depth description of personal information.  Sensitive PII relevant to a breach in TX includes an individual’s name with one or more of the following:

  • Social Security Number
  • Driver license or government-issued ID
  • Account number or credit or debit card number in combination with any security code, access code or password, etc. permitting access to the person's account
  • Info that identifies an individual and relates to physical or mental health, or health care provision or payment



Business and Commerce Code / Title 11. Personal Identity Information / Subtitle B. Identity Theft / Chapter 521. Unauthorized Use Of Identifying Information / Subchapters A, B and D.


TX has data protection laws, including but not limited to: 

  • Business and Commerce Code / Title 11. Personal Identity Information / Subtitle B. Identity Theft / Chapter 521 / Subchapters B and C
  • Business and Commerce Code / Title 5. Regulation Of Businesses And Services / Subtitle A. General Practices / Chapter 72 / Subchapter A - Disposal Of Certain Business Records



Violations of Texas law can incur extensive penalties, including a civil penalty of $2,000 to $50,000; $100 for each individual per day not notified, but not exceeding $250,000; action by the attorney general; etc.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • For encrypted data, if the key was compromised


Notification may be delayed if law enforcement advises the person it will interfere with an investigation; otherwise, the notification must be made as quickly as possible.


Requires detailed information and potential provision of services

Notification may be required to the consumer reporting agencies. There are specific instructions.

Disclosure may only be made by written notice or electronically, with stipulations. A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $250,000, the number of persons to be notified exceeds 500,000, or they do not have sufficient contact information.
