Legislative Update

Computer and Technology

By Shelby B. Menard, Jeremy Rucker and Shawn Tuma

HB 18, also known as the Securing Children Online through Parental Empowerment, or SCOPE, Act, restricts a digital service provider’s processing of personal identifying information of a known minor.1

The law also prohibits the digital service provider from allowing a minor to make purchases, collecting precise geolocation data, or displaying targeted advertisements to the minor.2 Digital service providers are also required to implement strategies to prevent a minor’s exposure to harmful content.3 The law also provides rights to parents or guardians of known minors, including the right to access, obtain, and delete any personal identifying information of a known minor that is in the possession of the digital service provider.4 A violation of this law is a deceptive trade practice actionable by the consumer protection division of the attorney general’s office.5

HB 18 also amends the Texas Education Code by requiring the Texas Education Agency to adopt a set of standards for permissible electronic device and software applications used by certain charter and public schools.6 Specifically, the agency must, among other obligations, require: (1) the minimization of the collection of student data; (2) direct informed parental consent for student use of certain software applications; (3) a prohibition of software applications from conducting certain mental health assessments without direct and informed parental consent; (4) the consideration of appropriate restrictions on student access to social media websites or applications; and (5) the consideration of use of internet filters capable of notifying school administrators if a student accesses inappropriate content.7

HB 18 is effective September 1, 2024, with the exception that the provisions which amend the Texas Education Code and relate to the use of electronic devices by students became effective immediately upon passage of the SCOPE Act.8

Unlawful Disclosure of Residence Address or Telephone Number
Effective September 1, 2023, HB 611 makes it a Class B criminal misdemeanor if a person posts the residence address or telephone number of an individual on a publicly accessible website with the intent to cause harm or threat of harm to the individual or a member of the individual’s family or household.9 The offense becomes a Class A misdemeanor if the offense results in bodily injury.10

Individual Rights in Commercial Genetic Testing Data
Effective September 1, 2023, HB 2545 codifies the confidentiality of, and a property right in, an individual’s biological material and results of genetic testing that are provided to or used by a direct-to-consumer genetic testing company.11 The new law requires an individual’s express consent prior to disclosing genetic testing results.12 Additionally, the law requires direct-to-consumer genetic testing companies to implement a comprehensive security program to safeguard genetic testing data and provide privacy notices to individuals.13 Violators may be liable to the state for a civil penalty up to $2,500 per violation.14

Texas Enacts Comprehensive Data Privacy Law
Under HB 4, Texas joins the expanding list of states that have passed comprehensive data privacy and security laws regulating the collection, use, processing, and treatment of consumer personal data of a data controller.15 A data controller means any individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.16 The Texas Data Privacy and Security Act provides Texas residents (consumers) with the rights: (1) to know whether a controller processes, and has the right to access, the consumer’s personal data; (2) to correct or delete the consumer’s personal data; (3) to obtain a copy of the consumer’s data collected by the controller; and (4) opt out of the processing of personal data for certain purposes.17 Additionally, the law imposes notice, transparency, data security, and contracting obligations on controllers. A person in continued violation of this law beyond a 30-day cure period may be subject to a civil penalty up to $7,500 per violation.18 The majority of the provisions in the act become effective July 1, 2024.19

Notification to the Attorney General of a Breach of Security
SB 768 amends the attorney general notification requirements of individuals and businesses in Texas that experience a qualifying security breach. Effective September 1, 2023, an individual or business required to disclose or provide notification of a breach of security system to at least 250 Texas citizens must also notify the attorney general as soon as practicable and not later than 30 days following discovery of the breach.20 This information must be submitted electronically using the form accessed on the attorney general’s website.21

Disclosure of Customer Information by Government-Operated Utilities
The Texas Utilities Code protects the disclosure of certain customer personal information by government-operated utilities, subject to certain exemptions.22 Effective May 19, 2023, HB 2664 amends the Texas Utilities Code to add two exemptions to allow disclosure of personal information in a customer’s account record to: (1) another entity as necessary to facilitate the transition of customers among retail electric providers under Section 40.053 or to comply with rules, guidelines, and procedures established by an independent organization certified under Section 39.151; and (2) to a retail electric provider, as defined by Section 31.002(17) of the Utilities Code.23

State Agency and Local Government Security Incident Procedures
SB 271 has amended Section 2054.1125 of the Texas Government Code and redesignated it Section 2054.603, effective September 1, 2023. This amendment now requires local governments and state agencies that own, license, or maintain computerized sensitive, confidential, or regulated information to comply with the notification requirements of Section 521.053 of the Business and Commerce Code within 48 hours of the discovery of the security incident.24 This amendment also expands the notification obligation by imposing obligations in the event of a breach, suspected breach, or upon the introduction of ransomware into a computer environment.25

Confidentiality of Certain Personal Information of Applicant for or a Person Protected by a Protective Order
SB 578 amends Section 82.011 and 85.007(a) of the Family Code to expand the protection of the personal information of an applicant or person protected by a protective order. Effective September 1, 2023, such person may request that the court protect and make confidential the applicant’s county of residence.26 An individual or family or household member of a person protected by a protective order may also request exclusion of (1) the address, county of residence, and telephone number of the protected person; or (2) the address and telephone number of the place of employment or business of the protected person, or the child-care facility or school in which a protected child attends or resides.27

Prohibitions in Connection With the Online Sale of Goods
Effective September 1, 2023, SB 58 amends the Texas Business and Commerce Code to include Chapter 328 governing the online sale of goods.28 Goods as defined under the Texas Deceptive Trade Practices Act means tangible chattels or real property purchased or leased for use.29 This chapter will prohibit a person from selling, using, or causing to be used any technology, device, or software in the sale of goods on an internet website that: (1) functions as a bypass in the purchasing process; (2) disguises the identity of the purchaser; (3) permits the purchase of goods in a quantity that exceeds the maximum amount that may be sold to one purchaser as specified by the seller or website operator; (4) allows for unauthorized access to or identification of gift card information (including card numbers and PINs); or (5) circumvents a security measure, access a control system, or other methods of control, authorization, or measure in the purchasing process.30 These amendments will not apply to the seller of goods on a website or the operator of the website.31 The Texas Attorney General will have the authority to investigate any violation of this chapter.32

NOTES
1. Tex. Bus. & Comm. Code §§ 509.001-509.152.
2. Tex. Bus. & Comm. Code § 509.052(2).
3. Tex. Bus. & Comm. Code § 509.053.
4. Tex. Bus. & Comm. Code § 5509.103(a).
5. Tex. Bus. & Comm. Code § 509.151.
6. Tex. Education Code § 32.1021.
7. Tex. Education Code § 32.1021.
8. See 2023 Texas H.B. 18, Texas 88th Legislature.
9. Tex. Penal Code § 42.074(a).
10. Tex. Penal Code § 42.074(b).
11. Tex. Bus. & Comm. Code §§ 503A.001-503A.008.
12. Tex. Bus. & Comm. Code §§ 503A.006.
13. Tex. Bus. & Comm. Code §§ 503A.005.
14. Tex. Bus. & Comm. Code §§ 503A.008.
15. Tex. Bus. & Comm. Code §§ 541.001-541.205.
16. Tex. Bus. & Comm. Code §§ 541.001(8).
17. Tex. Bus. & Comm. Code §§ 541.051.
18. Tex. Bus. & Comm. Code §§ 541.155.
19. Tex. Bus. & Comm. Code § 509.151.
20. Tex. Bus. & Comm. Code § 521.053(I).
21. Tex. Bus. & Comm. Code § 521.053(a).
22. Tex. Util. Code § 182.054(1)-(8).
23. Tex. Util. Code § 182.054(7)(8).
24. Tex. Gov’t Code § 2054.1125(b)(1)-(3).
25. Tex. Gov’t Code § 2054.1125(a)(1)(a)(b).
26. Tex. Fam. Code § 82.011.
27. Tex. Fam. Code § 85.007(a)(1)-(2).
28. Tex. Bus. & Comm. Code § 328.
29. Tex. Bus. & Comm. Code § 328.001; Tex. Bus. & Comm. Code § 17.46(1).
30. Tex. Bus. & Comm. Code § 328.002(a)(1)-(5).
31. Tex. Bus. & Comm. Code § 328.002(b).
32. Tex. Bus. & Comm. Code § 328.003(a)-(c).

Headshot of Shelby MenardSHELBY B. MENARD is an associate of Spencer Fane and member of the Data Privacy and Cybersecurity Practice Group, where she works primarily in the firm’s Collin County office.

Headshot of Shawn TumaJEREMY RUCKER is a certified privacy law specialist by the International Association of Privacy Professionals (CIPP/US, CIPP/E, CIPM) and a member of the Data Privacy and Cybersecurity Practice Group at Spencer Fane, where he is an associate and works primarily in the firm’s Collin County office.

Headshot of Shawn TumaSHAWN TUMA is an attorney widely recognized in data privacy and cybersecurity law, areas in which he has practiced for well over two decades. He is a past chair of the State Bar of Texas Computer & Technology Section and co-chair of the Data Privacy and Cybersecurity Practice Group at Spencer Fane, where he works primarily in the firm’s Collin County office.is a shareholder in the Grapevine firm of Adams, Lynch & Loftin. He is certified in civil appellate law by the Texas Board of Legal Specialization and is a past chair of the State Bar of Texas Appellate Section. Since 2004, Bullard has monitored legislation impacting the judiciary and the civil justice system and provided updates to interested members of the bench and bar. He is a graduate of Baylor University and the University of Texas School of Law.

We use cookies to analyze our traffic and enhance functionality. More Information agree