Texas is one of the many states that looked to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers. Two comprehensive data privacy bills, HB 4390 and HB 4518, were filed and heard at the last legislative session. HB 4518, also known as the Texas Consumer Privacy Act, proposed overarching consumer protection legislation that closely resembled the California Consumer Privacy Act. HB 4518 stalled in the Texas House of Representatives in favor of HB 4390. HB 4390, also known as the Texas Privacy Protection Act, was introduced as comprehensive data privacy legislation, but was significantly less detailed than HB 4518. HB 4390 went through several rounds of revisions in both the Texas House and Senate until it was whittled down to the final version, which revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act and creates the Texas Privacy Protection Advisory Council in order to develop recommendations for future data privacy legislation. HB 4390 has passed both the Texas House and Senate and is awaiting signature from the governor to be enacted.

In Oregon, the legislature expanded its data breach notification statute (ORS §§ 646A.600 et seq.). Oregon’s updated data breach law, which was signed by Governor Kate Brown on May 24, 2019 and goes into effect on January 1, 2020, expands breach notification requirements to cover “vendors,” which it defines as “a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.” Under the new law, a vendor must notify Oregon’s Attorney General when subject to a security breach affecting the personal information of over 250 Oregon consumers, or when the number cannot be determined. Vendors do not need to notify the Attorney General if the covered entity has already made the notification. Vendors must also notify their business customers of the breach within 10 days – a change from previous language mandating notification “as soon as practicable.” The law also expands Oregon’s definition of personal information to include usernames, but only when combined with authentication factors.

The Massachusetts State Senate has recently referred a new consumer data privacy bill, S.120, to the Joint Committee on Consumer Protection and Professional Licensure. The Massachusetts law would protect any information relating to an identified or identifiable customer, and would explicitly include biometric information of all kinds into the definition of that protected information. Like the GDPR and CCPA, the Massachusetts law, if enacted, would impose notice requirements relating to the collection and disclosure of personally identifying information, including biometrics. In addition, S.120 includes a proposed private right of action that allows for up to $750 per violation, plus attorneys’ fees, for failure to abide by the law’s notice and collection requirements.