What Do California (and Other) Privacy Laws Mean for Texas Companies

By Jenifer McIntosh

The bottom-line summary for Texas companies is – You Have to Care. Why?

  1. Because the California Attorney General Is not targeting California companies first. Nope.
  2. Because your marketing team doesn’t understand what “personal information” is, or know where any of it actually is, or who has it. We know who pays for it.
  3. Because it’s the fourth largest economy in the world, and international growth requires California.

Let’s say, for example, your wellness company is a Texas LLC based in Fredericksburg. You have had outside investment and exponential growth that WeWork’s Adam Neumann would envy, including eleven locations in California, five in Colorado, two in Oklahoma and a new one in Dublin, Ireland. Your General Counsel says privacy regulations aren’t a “real issue,” nor is the security of your data to be of concern. The company does not technically collect HIPAA data and the consent forms used to collect and share personal information from your franchisees remove any regulatory issues that might pop up. Oh, and data from anything on the Internet isn’t personal information.

Sure.

Personal Information is Everything. And Everywhere.

First, Texas companies need to understand that the definition of what “personal information” is has changed, especially under the new California law (or the CCPA; there is also the Colorado, Connecticut, Utah and Virginia laws; plus maybe Oklahoma, Tennessee, New York, Oregon….). Under CCPA, personal information includes everything from a first initial and last name to an IP address or device identifier. Your daughter’s iPhone MAC ID is personal information. Her cell number is personal information, as is her Instagram account ID. These are data points used by Big Data, social media, and even your daughter’s SAT tutoring center, SoulCycle, Chick-Fil-A, Mi Día and the Frisco med-spa to send “personalized specials” to her (and you). Similarly, it is personal information that your Texas LLC is collecting and using from clients and franchisees to market new services, project expansion locations, and of course, target new customers. Consider how much personal information is collected from your websites and Instagram, TikTok and LinkedIn accounts on an hourly basis. Add to that the California employee data in Workday you just deployed, and you are trafficking more CCPA personal information in one day than Pablo Escobar moved “things” across the U.S.-Mexico border in a year.

Cybersecurity is Everything and Should be Everywhere.

Second, if your IT or security team is only using a user-name and password for access control, without a secondary layer of controls to your business platforms (Google Docs, the Cloud, your company’s Slack account), then you need either a new Managed Services Provider or IT/Security team. If “MFA” or “phishing campaigns” are not everyday lingo at your Texas company, you’re likely unaware anything is compromised, until it is too late. “According to one estimate, 5.9 billion accounts were targeted in data breaches last year.[1]” In fact, several notable breaches occurred last year in Texas alone: in April of 2022, a breach at the Texas Department of Insurance affected approximately 1.8 million Texans[2]; in June, 1,608,549 individuals were affected by a hacking incident at Baptist Medical Center and another 1,290,104 from Texas Tech’s Health Sciences Center; or the 1,656,569 individuals effected earlier in May through the breach at NEC Networks, LLC d/b/a CaptureRx. The last three entities were required to report breaches of protected health information to the Office of Civil Rights under HIPAA[3]. Again, these are merely the reported incidents we know of. We don’t know about unreported ones.

Imagine for a moment if 130,000 of those affected in any of the noted incidents above involved Californians’ non-HIPAA personal information, or their CCPA personal information. Imagine your Texas company had a security breach involving 130,000 California residents’ personal information (user name + password is all it takes) because the organization did not have or maintain reasonable security procedures and practices? If the California AG gets wind of it, or any California consumer rights firms, before you know it – you are facing the possibility of paying monetary damages for either actual damages suffered or $750 per incident. “Per incident” means 130,000 California clients. Times $750. Each.

That equals $97,500,000.

How much is that security consultant again?

Your Data is Everywhere, and Everyone Has Access.

Third (but certainly, this “ain’t” it), do you know where your data is? Where is all that personal information stored? What vendors do you share it with? As noted above, one of the most enlightening exercises is to ask your marketing and HR teams how many vendors, benefit providers, trackers, ad-tech and analytic platforms they have hired to tweak, enhance or “add value” to your HR processes or online marketing. The upshot here is all of marketing’s tracking or trapping of consumers into giving their email or cell number via crafty wording, sleight of hand, shading or other dark pattern is a prime target not only for CCPA regulators, but federal and international ones. If you are consistently selling into the UK, and your team is tracking behavior across the social media-mafia, you need to determine how worth the risk that is before you have to explain to London regulators why consent was never obtained, or why notice was not clear.

The above noted issues are a rough, 50,000 foot view of what the new CCPA law[4] means for Texas businesses with a real consumer, employee or growing customer base in the world’s fourth largest economy. If nothing else, Texas companies need to re-evaluate their security measures and risks, yesterday. They need to call in the IT, service provider or security team and get answers about what the risks are. That, and they can email Jenifer at jmcintosh@fbfk.law , and have us help.

 


[1] See Data Breaches That Have Happened in 2023 So Far – Updated List (tech.co)

[2] See Report: Texas Dept. of Insurance Data Breach Affected 1.8M People (insurancejournal.com)

[3] See U.S. Department of Health & Human Services – Office for Civil Rights (hhs.gov)

[4] Europe, the United Kingdom, Colorado, Utah, Virginia and Connecticut all have privacy laws as of today; Colorado, Utah and Connecticut’s laws go into effect later this year. Since January 1, 2023, privacy legislation in various forms is being presented in legislatures in Hawaii, Indiana, Iowa, Kentucky, Maryland, Massachusetts, Mississippi, New Jersey, New York, Oklahoma, Oregon, Tennessee, Texas, Virginia, Washington, and West Virginia.