16 common privacy provisions

In the past, we have discussed a growing trend in state legislation attempting to put control of personal information back into the hands of consumers. As we wait to see how Texas and eventually the Federal government will act, we can perhaps gain foresight into the future by examining provisions which commonly appear in privacy legislation both in Europe and the United States.

Consumer Rights Provisions

In total, we identified 16 of these privacy provisions. For better understanding we can divide them into two categories. We will begin by looking at the nine consumer rights provisions. These all offer consumers more control over how their personal information is collected, processed, and shared.

  1. Right to Access Collected: This refers to the right of individuals to access from a business the information or categories of information the business has collected on that individual. In some cases, this right may only exist if the information has been sold to a third party.
  2. Right to Access Shared: This allows costumers of a business access to a report on what personal information has been shared by a business with a third part.
  3. Right to Rectification: An individual can request that incorrect or outdated personal information held by a business by corrected.
  4. Right to Deletion: Under certain conditions, a consumer can request that a business delete their personal information from the business’ records.
  5. Right to Restriction: This allows people to limit how businesses can process their personal information.
  6. Right to Portability: Consumers would be allowed to request that their personal information be disclosed in a common file format. For instance, if a consumer wants to transfer their account to another business, they could easily transfer all of their personal information as well. This would be similar to how consumers can currently request and transfer medical records.
  7. Right to Opt-Out: Consumers would be allowed to opt-out of the their information being shared with third parties.
  8. Right Against Solely Animated Decision Making: This prohibits businesses from making decisions about a consumer without any human input.
  9. Private Right of Action: Consumers would have the right to seek civil damages for violations of any other provisions related to their consumers rights or a business’ obligations.

Business Obligations

Now let’s take a look at the seven privacy provisions related to expanding business obligations.

  1. Age Based Opt-In: This would prevent businesses from selling or sharing the personal information of consumers under a specified age (which varies by bill) without a clear opt-in by the individual or a guardian.
  2. Transparency Requirements: This would require businesses to provide notices to to consumers about certain data practices, privacy processes, or privacy programs.
  3. Data Breach Notifications: This obligates businesses to notify both consumers and relevant authorities about privacy and security breaches.
  4. Risk Assessment: Requires businesses conduct formal assessments of privacy and security projects and processes.
  5. Prohibition on Discrimination: Forbids a business from discriminating against a consumer for exercising a right.
  6. Purpose Limitation: This restricts a business in collecting personal information to a specific purpose.
  7. Processing Limitation: Similar to purpose limitation, the restricts a business from processing personal information of consumers except for a specific purpose.

Texas Bills

In Texas, legislators proposed two bills addressing privacy issues in 2019. One in particular, the Texas Consumer Privacy Act (H.B. 4518), seemed on track to be a comprehensive privacy bill, however, the Texas legislator decided to indefinitely table this bill. On the other hand, the Texas legislature passed the second bill, H.B. 4390, originally called the Texas Privacy Protection Act, into law. But, the version that was voted on did little to implement new privacy provisions. Instead, lawmakers changed the bill to expand the state’s breach notifications requirements. This did bring them more in line with other standards across the country, but failed to provide a major reform to privacy regulations.

As of now, in beginning of 2020, it seems unlikely that the Lone Star State will even attempt to tackle a comprehensive privacy law until 2021.


In summary, though we continue to wait for federal and state action, we will eventually have a comprehensive privacy policy. This has implications for both consumers and businesses.

As consumers, this means the legislators of the future will decide our rights. Specifically our ability to access, share, protect, and control our own information. It is important to stay informed and let our representatives know our concerns and needs.

For businesses, comprehensive privacy reform could very well change standard operating procedures. It will force the creation and implementation of new processes to fulfill new legal obligations. We should be discussing solutions now in order to stay ahead of the trend and maintain consumer confidence.

You can find more information on these provisions and their commonality in legislation across the United States here. Also, for a breakdown on current federal and state regulations check out our Laws & Compliance page.

Request a Quote