Texas Privacy Protection Act – HB 4390

By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.

After several rounds of revisions, Texas has finally passed HB 4390. The legislation revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act, § 521.053, Business & Commerce Code, and creates the Texas Privacy Protection Advisory Council.


The Texas Privacy Protection Act’s (HB 4390) amendments apply to:

  • “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, …”, and
  • The Texas Privacy Protection Advisory Council, which is composed of fifteen members appointed by the speaker of the House of Representatives, the lieutenant governor and the governor.

Requirements for businesses in the event of a breach

Texas businesses must be aware of the updated disclosure time frame and low threshold for reporting to the Attorney General.

Currently, the Texas Identity Theft Enforcement and Protection Act requires that notice be provided “as quickly as possible” to individuals whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person.

HB 4390 revises this timing requirement. A person who conducts business in Texas and owns computerized data must, after discovering or receiving notification of a breach, notify each individual whose sensitive personal information is reasonably believed to have been acquired by an unauthorized person. The notice must be provided without unreasonable delay and no later than the 60th day after the date it is determined a breach has occurred.

Furthermore, if the breach involves at least 250 Texas residents, notification of the breach must also be provided to the attorney general no later than the 60th day after the date it is determined a breach has occurred. The notification to the attorney general must include:

  • a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
  • the number of residents of this state affected by the breach at the time of notification;
  • the measures taken by the person regarding the breach;
  • any measures the person intends to take regarding the breach after the notification under this subsection; and
  • information regarding whether law enforcement is engaged in investigating the breach.

This portion of the bill goes into effect January 1, 2020.

Texas Privacy Protection Advisory Council

Under section 2 of HB 4390, the Texas Privacy Protection Advisory Council is created to study and develop recommendations for future Texas data privacy laws, as well as to study and evaluate the privacy laws of other states and foreign jurisdictions. The Council’s purpose is to make recommendations to members of the legislature, by September 1, 2020, on changes to Texas laws governing privacy and the protection of information, including Chapter 521, Business & Commerce Code, or the Penal Code.

The fifteen members of the Council must be selected by September 1, 2019.  The Council will consist of appointed industry representatives who live in Texas, members of the Texas House of Representatives, senators, and a representative of a nonprofit organization that studies or evaluates data privacy laws or a professor who has published writings on data privacy.  The Council will be abolished and this section will expire on December 31, 2020.
