InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Texas enacts data broker requirements
The Texas governor recently signed SB 2105 (the “Act”) to regulate data brokers operating in the state. The Act defines a “data broker” as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The Act’s provisions apply to data brokers that derive, in a 12-month period, (i) more than 50 percent of their revenue from processing or transferring personal data, or (ii) revenue from processing or transferring the personal data of more than 50,000 individuals, that was not collected directly from the individuals to whom the data pertains. Among other things, the Act requires covered entities to post conspicuous notices on websites or mobile applications disclosing that they are a data broker. Data brokers must also register annually with the secretary of state and pay required fees. Additionally, data brokers must implement a comprehensive information security program to protect personal data under their control and conduct ongoing employee and contractor education and training. Data brokers are required to take measures to ensure third-party service providers maintain appropriate security measures as well.
The Act does not apply to deidentified data (provided certain conditions are met), employee data, publicly available information, inferences that do not reveal sensitive data that is derived from multiple independent sources of publicly available information, and data subject to the Gramm-Leach-Bliley Act. Additionally, the Act does not apply to service providers that process employee data for a third-party employer, persons or entities that collect personal data from another person or entity to which they are related by common ownership or control where it is assumed a reasonable consumer would expect the data to be shared, governmental entities, nonprofits, consumer reporting agencies, and financial institutions.
The Texas attorney general has authority to bring an action against a data broker that violates the Act and impose a civil penalty in an amount not less than the total of “$100 for each day the entity is in violation,” as well as the amount of unpaid registration fees for each year an entity fails to register. Penalties may not exceed $10,000 in a 12-month period. By December 1, the secretary of state is required to promulgate rules necessary to implement the Act. The Act is effective September 1.
Texas is most recent state to enact comprehensive privacy legislation
On June 18, the Texas governor signed HB 4 to enact the Texas Data Privacy and Security Act (TDPSA) and establish a framework for controlling and processing consumer personal data in the state. Texas follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, and Montana in enacting comprehensive consumer privacy measures. Earlier this month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.
The TDPSA applies to a person that conducts business in the state or produces products or services consumed by state residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration, except to the extent that it sells sensitive data which requires consumer consent. Unlike other states, there is no data-processing volume threshold. The TDPSA only protects consumers acting in an individual or household capacity and does not cover individuals acting in a commercial or employment context. Additionally, the TDPSA provides several exemptions, including financial institutions or data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, higher education institutions, covered entities governed by the Health Insurance Portability and Accountability Act, and certain utility companies.
Highlights of the TDPSA include:
- Consumers’ rights. Under the TDPSA, consumers will be able to access their personal data; confirm whether their data is being processed; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling.
- Data controllers’ responsibilities. Data controllers under the TDPSA will be responsible for, among other things: (i) responding to consumer requests within 45 days (unless extenuating circumstances arise) and providing requested information free of charge; (ii) establishing a process to allow consumer appeals after a controller’s refusal to take action on a consumer’s request; (iii) providing at least two methods for consumers to exercise their rights; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) establishing easy opt-out methods that require consumers to affirmatively and freely choose to opt out of any processing of their personal data; (vii) processing data in compliance with state and federal anti-discrimination laws; (viii) obtaining consumer consent in order to process sensitive data; (ix) providing clear and reasonably accessible privacy notices; and (x) conducting and retaining data protection assessments and ensuring deidentified data cannot be associated with a consumer. The TDPSA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
- No private right of action. The TDPSA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law.
- Right to cure. Upon discovering a potential violation of the TDPSA, the attorney general must give the data controller notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit and seek up to $7,500 for each violation, as well as injunctive relief, attorney’s fees, and other expenses.
The TDPSA takes effect July 1, 2024, except for certain provisions relating to methods for submitting consumer requests, which shall take effect January 1, 2025.
Texas has new licensing requirements for digital-asset platforms
In June, the Texas governor signed HB 1666 (the “Act”) to add practice restrictions to digital asset service providers, defined as electronic platforms that facilitate the trading of digital assets on behalf of a digital asset customer and maintain custody of the customer’s digital assets. The Act applies to a digital asset service provider conducting business in Texas that holds a money transmission license and either services more than 500 digital asset customer in the state or has at least $10 million in customer funds. Digital asset service providers are required to comply with certain provisions in order to obtain and maintain a money transmission license including provisions relating to the commingling of funds, customer access to funds, accounting requirements, annual reporting requirements. The Texas Department of Banking has the authority to suspend and revoke a license if these requirements are not met and may impose a penalty for violations of the Act. The commissioner also has examination authority and may promulgate rules to administer and enforce the Act’s provisions. The Act is effective September 1. Certain financial institutions and entities not required to hold a money transmission license are exempt.
Texas enacts digital services bill to protect minors
On June 13, the Texas governor signed HB 18 to enact the Securing Children Online through Parental Empowerment (SCOPE) Act. The Act will require digital service providers to register a person’s age and, if the user is determined to be a minor (younger than 18 years of age), the provider is required to: (i) limit the collection of personal identifying information (PII) to what is reasonably necessary to provide the service; (ii) limit use of PII to the purpose for which it was collected; (iii) prevent the user from engaging in financial transactions through the digital service; (iv) prevent the user’s PII from being shared, disclosed, or sold; (v) not use the digital service to collect precise geolocation data on the user; or (vi) not use the digital service for targeted advertising. Digital service providers are also required to create tools for parents to control their minor children’s accounts and privacy settings and should reasonably attempt to limit advertising and algorithms that direct minors to harmful content.
SCOPE applies only to those who provide a digital service that enables minor users to socially interact with other users on the digital service and create, post, or share content. SCOPE outlines numerous exemptions, including exemptions for financial institutions, certain covered entities governed by the Health Insurance Portability and Accountability Act, certain persons subject to the Family Educational Rights and Privacy Act, and certain affiliates or subsidiaries of an internet service provider.
While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law (a violation of the Act is considered a deceptive act or practice). The Act takes effect September 1, 2024.
Texas enacts Money Services Modernization Act
On May 29, the Texas governor signed SB 895 (the “Act”) to enact the Money Services Modernization Act, the money transmitter model law created by industry and state experts. The goal of the Act is to create a set of consistent and coordinated standards relating to the regulation of money service businesses. Among other things, the Act outlines networked supervision criteria to allow the commissioner to participate in multistate supervisory processes coordinated through the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and other related affiliates and successors for all money services licenses that hold licenses in Texas and other states. To efficiently minimize regulatory burden, the commissioner may, among other things, coordinate and share information with other state and federal regulators, enter into information-sharing contracts or agreements, conduct joint examinations or investigations, and accept examination or investigation reports made by other states. Texas now joins several other states in adopting common licensing and regulatory standards to add efficiencies to the multi-state process (continuing InfoBytes coverage here).
Additionally, the commissioner has enforcement, examination, and supervision authority, may adopt implementing regulations, and may recover costs and fees associated with applications, examinations, investigations, and other related actions. The Act also includes additional consumer protection provisions. The Act includes in the definition of “money” or “monetary value” a stablecoin that “(i) is pegged to a sovereign currency; (ii) is fully backed by assets held in reserve; and (iii) grants a holder of the stablecoin the right to redeem the stablecoin for sovereign currency from the issuer.” Among the various exemptions, the Act provides for an exemption for an agent of the payee to collect and process a payment from a payor to the payee for goods or services, other than money transmission services. The amendments also outline numerous licensing application and renewal procedures including net worth, surety bond, and permissible investment requirements. The Act is effective September 1.
Texas amends breach notification requirements
On May 27, the Texas governor signed SB 768 to amend the state’s data breach notification statutes. The Act requires entities to notify the attorney general “as soon as practicable” and not later than 30 days after the date a computerized security system breach occurs involving at least 250 Texas residents. The Act now details that notification must be submitted electronically using a form accessible through the attorney general’s website. No substantive changes were made to the required information within the form. The Act is effective September 1.
5th Circuit remands nonjudicial foreclosure suit back to state court
On June 16, the U.S. Court of Appeals for the Fifth Circuit held that a plaintiff borrower’s requested damages in a foreclosure lawsuit did not exceed the federal jurisdictional threshold amount of $75,000, and sent the case back to Texas state court. The plaintiff sued the financial institution in state court after it sought a nonjudicial foreclosure on his house, asserting violations of the Texas Debt Collection Act, breach of the common-law duty of cooperation, fraud, and negligent misrepresentation. The suit was removed to the U.S. District Court for the Northern District of Texas, with the defendant arguing that the suit automatically stayed its nonjudicial foreclosure sale, thus putting the value of the house ($427,662) as the amount in dispute, instead of the plaintiff’s requested relief of $74,500. The plaintiff moved to remand the case to state court on the premise “that the amount in controversy could not exceed the stipulated maximum of $74,500.” The district court denied the plaintiff’s motion, ruling that it “had to measure the amount in controversy ‘by the value of the object of the litigation,’” and not by what the plaintiff’s complaint says the damages were not to exceed.
In reversing and remanding the case to state court, the 5th Circuit concluded that, because the defendant did not show that the automatic stay brought the house’s value into controversy, it “failed to establish by a preponderance of the evidence that the amount in controversy exceeded $75,000.” The appellate court agreed with the plaintiff’s assertion that the house was simply collateral and “thus irrelevant to the amount in controversy,” writing that “[i]t is well-settled that neither the collateral effect of a suit nor the collateral effect of a judgment may count toward the amount in controversy.” The 5th Circuit also determined that the plaintiff expressly stipulated in both his original state-court petition and in a declaration “that he is seeking total damages not to exceed $74,500,” and that this stipulation is legally binding.
OCC launches Dallas REACh
On March 28, the OCC announced the launch of Dallas REACh, which expands the OCC’s Project REACh (Roundtable for Economic Access and Change) efforts to Dallas, Texas, representing the agency’s fourth regional effort. As previously covered by InfoBytes, in 2020, the OCC launched this initiative to promote greater financial inclusion of underserved populations. According to the OCC, Project REACh brings together leaders from the banking industry, national civil rights organizations, and various businesses and technology organizations who will identify and reduce barriers to accessing capital and credit. The OCC further noted that Dallas REACh “will organize and initiate formal efforts to reduce financial barriers that include low rates of affordable homeownership, poor access to capital for minority-owned and small businesses, and underinvestment into trusted community institutions, such as minority depository institutions.” According to remarks by acting Comptroller of the Currency Michael J. Hsu at the launch of Dallas REACh, the agency is “excited to expand our efforts into the Dallas community, supporting local leaders, banks, and businesses as they discuss needs and work to address impediments to financial inclusion.”
District Court preliminarily approves $4.75 million data breach settlement
On March 3, the U.S. District Court for the Western District of Texas preliminarily approved a $4.75 million class action settlement resolving claims between a pharmacy benefits manager and consumers in six different proposed class actions filed in Texas and California. The court also conditionally certified a nationwide settlement class and a California settlement subclass. According to the memorandum in support of the plaintiffs’ motion for preliminary approval of the settlement, plaintiffs claimed the company acted negligently by failing to implement reasonable safeguards for protecting customers’ personally identifiable information and preventing a 2021 data breach, which exposed their sensitive, protected health information. The plaintiffs also alleged that the company breached California privacy and consumer protection laws. If the settlement is granted final approval, the company will be required to create a $4.75 million settlement, and “develop, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality” of customers’ personal data. The company may also be responsible for a portion of attorneys’ fees, costs, and service awards.
Texas AG issues CID to video streaming company
On February 18, the Texas attorney general issued two Civil Investigative Demands (CIDs) to a video streaming company that focus on the company’s potential facilitation of human trafficking and child privacy violations, as well as other potential unlawful conduct. According to the CIDs, the company allegedly violated section 140A.002, Civil Racketeering Related to Trafficking of Persons, of the Texas Civil Practice and Remedies Code. The CID orders to company to: (i) provide answers and documents in response to the CID; (ii) preserve documents and/or other data which relate to the subject matter or requests of the CID; and (iii) consult the AG prior to processing or making copies of hard-copy documents or electronically stored information in response the CID.