LEGISLATIVE BUDGET BOARD
Austin, Texas
 
FISCAL NOTE, 88TH LEGISLATIVE REGULAR SESSION
 
May 7, 2023

TO:
Honorable Bryan Hughes, Chair, Senate Committee on State Affairs
 
FROM:
Jerry McGinty, Director, Legislative Budget Board
 
IN RE:
HB4 by Capriglione (relating to the regulation of the collection, use, processing, and treatment of consumers' personal data by certain business entities; imposing a civil penalty.), Committee Report 2nd House, Substituted


Estimated Two-year Net Impact to General Revenue Related Funds for HB4, Committee Report 2nd House, Substituted : a negative impact of ($7,536,192) through the biennium ending August 31, 2025.

The bill would make no appropriation but could provide the legal basis for an appropriation of funds to implement the provisions of the bill.

 


General Revenue-Related Funds, Five- Year Impact:

Fiscal Year Probable Net Positive/(Negative) Impact to
General Revenue Related Funds
2024($5,580,216)
2025($1,955,976)
2026($1,705,976)
2027($1,705,976)
2028($1,705,976)

All Funds, Five-Year Impact:

Fiscal Year Probable Savings/(Cost) from
General Revenue Fund
1

Change in Number of State Employees from FY 2023
2024($5,580,216)12.0
2025($1,955,976)12.0
2026($1,705,976)12.0
2027($1,705,976)12.0
2028($1,705,976)12.0


Fiscal Analysis

The bill amends the Business & Commerce Code by adding Chapter 541, The Texas Data Privacy and Security Act (TDPSA), to address the regulation of the collection, use, processing, and treatment of consumers' personal data by certain business entities. TDPSA provides consumers residing in Texas with certain rights regarding personal data. These include: the right to request confirmation of whether a controller is processing the consumer's personal data; the right to correct inaccuracies in personal data; the right to delete personal data provided by or obtained about the consumer; the right to obtain data (if feasible) in a portable, readily usable format so that the consumer may transmit it to another controller; and the right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling "in furtherance of a decision that produces a legal or similarly significant effect."

TDPSA would require that controllers provide consumers with notice when they decline to act regarding a consumer's request and to provide justification for declining to act and additionally, to provide instructions on how to appeal the decision. Controllers must provide information in response to a consumer request free of charge, up to twice annually per consumer - unless the request is unfounded, excessive, or repetitive, in which case the consumer may be charged a reasonable fee to cover administrative costs. Controllers must establish a process for consumers to appeal their decisions. If the controller denies an appeal, the controller must provide the consumer with an online mechanism, if available, or another method to contact the OAG to submit a complaint.

The bill would require that certain specific provisions be included in contracts between controllers and processors. The Office of the Attorney General (OAG) has exclusive authority to enforce the provisions of this bill and may obtain injunctive relief, civil penalties of up to $7,500 per violation, and reasonable attorneys' fees and investigative expenses. Penalties recovered are to be deposited in the general revenue fund.

If the OAG has "reasonable cause to believe" that a person has engaged in, is engaging in, or is about to engage in a violation of this bill, the OAG may issue a civil investigative demand (CID). The bill specifically authorizes the OAG to issue CIDs to controllers requesting relevant data protection assessments and requires controllers to provide those to the OAG. These assessments are confidential and exempt from the Texas Public Information Act, and disclosure to the OAG is not waiver of attorney client or work product privilege regarding information in the assessment. The procedure for CIDs is those established under Texas Business & Commerce Code, Section 15.10.

The bill would require that the OAG post on its website information relating to the responsibilities of a controller and a processor, as well as an online mechanism through which a consumer can submit a complaint TDSPA to the OAG.

Before bringing an action, the OAG is required to provide written notice of specific violations. If the person cures the identified violation within 30 days and provides a written statement that the person cured the violation, notified the consumer that the consumer's privacy violation was addressed, provided supportive documentation to show how the privacy violation was cured, and made changes to internal policies to ensure no further violations will occur, the OAG may not bring an action. Violations of the bill following the 30-day cure period and breaches of the written statement provided to the OAG are subject to enforcement actions including a civil penalty of up to $7,500 per violation.

Methodology

The OAG estimates that enactment of the bill will generate an increased number of inquiries from lawmakers, business and legal communities, privacy advocates, the general public, and the media regarding the implementation and enforcement of this bill.  The OAG indicates that additional resources would be needed to undertake enforcement efforts and would require additional resources for receiving and processing privacy rights complaints and for the investigation and litigation of cases including the retention of consulting experts. Enforcement would require analyzing complaints; identifying issues and alleged violations of the law; issuing civil investigative demands; reviewing and evaluating data protection assessments; conducting factual and legal research to assess violations and viability of potential claims and defenses; retaining and conferring with consulting experts; and litigation activities including discovery, motions practice, preparing for trial, trial, and appeal.

OAG staff would need to devote time to provide feedback to DIR as it prepares a legislatively mandated report regarding the implementation of this bill and recommendations regarding the changes to the law.

The OAG indicates that they would need twelve additional FTEs to handle the anticipated increase in workload resulting from this bill. These additional FTEs include two Assistant Attorney General (AAG) II, two AAG IV, one AAG VI, one Compliance Analyst II, one Data Analyst II, one Data Analyst V, one Legal Assistant I, one Legal Assistant III, one Programmer VI, and one System Administrator V to handle the increased workload. The FTE costs are $1,520,760 in fiscal year 2024 and $1,460,370 each fiscal year thereafter. Costs include salary, general operating, travel, capital equipment (technology related and furniture), and benefits.

The Office of Court Administration, Commission on Judicial Conduct, Comptroller of Public Accounts, Department of Information Resources, Bond Review Board, Texas Medical Board, Health & Human Services Commission, Department of Transportation, Texas A&M University System, UT University System, Higher Education Coordinating Board, and Alamo Community College all anticipate no significant fiscal impact from the provisions of the bill. The Comptroller of Public Accounts indicates that the amounts and timing of any penalty revenue are unknown, but is unlikely to be significant.

Technology

The technology impact includes one-time costs of $3,563,850 in fiscal year 2024 for the creation of the system, project management costs of $250,000 each year in fiscal years 2024 and 2025, and a recurring cost in each fiscal year of $245,606. One-time costs include system development, project management costs, standard laptop, software, printer, and telecom/voicemail. Annual recurring charges cover consulting costs for technology experts, data center services, and voice line.

Local Government Impact

No significant fiscal implication to units of local government is anticipated.


Source Agencies:
212 Office of Court Administration, Texas Judicial Council, 242 State Commission on Judicial Conduct, 302 Office of the Attorney General, 304 Comptroller of Public Accounts, 313 Department of Information Resources, 352 Bond Review Board, 503 Texas Medical Board, 529 Health and Human Services Commission, 601 Department of Transportation, 710 Texas A&M University System Administrative and General Offices, 720 The University of Texas System Administration, 781 Higher Education Coordinating Board
LBB Staff:
JMc, SMAT, HGR, SZ, LCO