By Jessica C. Engler, CIPP/US [1]

In the wake of sweeping privacy law reforms both in and outside of the United States, Texas has become the latest state of many to makes changes to its existing data privacy laws. This summer, Texas Governor Greg Abbott signed into law HB 4390, christened the Texas Privacy Protection Act, which amendments the Texas Identity Theft Enforcement and Protection Act (“TITEPA”), Tex. Bus. & Com. Code § 521.002, 521.053.[2] Though significantly rewritten since its introduction, HB 4390 amends the data breach notification statute and creates a privacy council to advise the Texas legislature regarding potential future privacy legislation.

New Breach Notification Requirements

HB 4390’s amendments of the data breach notification requirements are common to those found elsewhere in the United States, bringing Texas more in-line with other states’ requirements. These changes will go into effect on January 1, 2020.

First, HB 4390 adds a deadline for notification of the breach to individuals affected by the breach. Currently, the TITEPA requires that notifications be made “as quickly as possible.” The amendments will now require that the notification be made “without unreasonable delay” and in any case no later than 60 days from the date of discovery of the breach.

Second, once in effect in 2020, the TITEPA will require that notification of the breach also be made to the Attorney General of Texas if the breach affected 250 or more Texas residents. This notification must be made within the 60 day period for reporting to affected individuals, and must contain the following information:

  1. a detailed description of the nature and circumstances of the breach, or the use of sensitive personal information acquired as a result of the breach;
  2. the number of Texas residents affected by the breach at the time of notification;
  3. any measures taken by the reporting party as a result of the breach;
  4. any measure that the reporting party intends to take regarding the breach after notification; and
  5. information as to whether law enforcement is involved in investigation of the breach.

Both of these updates are similar to those found in other states. At least 17 other states currently require notification within a specific time frame, ranging from 30 to 90 days from discovery of the breach. Several states—including the neighboring states of Louisiana and New Mexico—similarly require notification to state authorities when notification is made to a threshold number of state residents.


As originally filed in the beginning of the 86th Texas Legislative Session, HB 4390 was a comprehensive consumer privacy bill. During the session, it was amended and diluted multiple times. Rather than pass comprehensive privacy legislation, the legislature passed the amended HB 4390 including the creation of the Texas Privacy Protection Advisory Council (“TPPAC”) to study data privacy laws in advance of the next legislative session. As a result of the study, the TPPAC will make recommendations to the Texas legislature on specific statutory changes regarding data privacy, including necessary further amendments to the TITEPA or to the Texas Penal Code.

The Council will be composed of 15 Texas residents who are appointed by the Speaker of the House, Lieutenant Governor, and Governor no later than November 1, 2019. Of those 15 members:

  • Three members will be members of the Texas House of Representatives;
  • Three members will be Texas senators;
  • Nine members will be industry representatives from several industries, including the medical profession, technology, internet, retail and electronic transactions, consumer banking, telecommunications, consumer data analytics, advertising, internet service providers, social media platforms, cloud data storage, virtual private networks, or retail electric; and
  • Two members comprising either: (i) a representative of a nonprofit organization that studies or evaluates data privacy laws from a consumer perspective; or (ii) a professor who teaches at a Texas law school or other higher education institution who has been published on the subject of data privacy.

The Council will meet on a regular basis until it reports its findings and makes recommendations to the Texas legislature no later than September 1, 2020. It is anticipated that the Council’s recommendations will form the basis for comprehensive consumer privacy legislation when the Texas Legislature reconvenes in January 2021.


[1] Special thanks to Dara Mouhot, Tulane University Law School Class of 2021, for her assistance with this article.

[2] House Bill 4390 is available at