Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I sell personal information without obtaining consent in Texas? What are the requirements?

Selling Personal Information in Texas

In Texas, private entities may not sell an individual’s sensitive personal information without affirmative express consent from the individual [Tex. Bus. & Com. Code § 521.002]. Sensitive personal information includes an individual’s social security number, driver’s license number, government-issued identification number, financial account number, and health information.

Requirements for Selling Personal Information

If a person wants to sell an individual’s sensitive personal information, they must provide the individual with a clear and conspicuous notice that:

  • informs the individual that their sensitive personal information will be sold;
  • identifies the categories of information that will be sold;
  • identifies each category of third party to whom the information will be sold; and
  • provides the individual with a method to opt-out of the sale [Tex. Bus. & Com. Code § 521.053].

The individual must affirmatively opt-in to the sale of their sensitive personal information if they are under the age of 16 [Tex. Bus. & Com. Code § 521.053].

Unauthorized Use or Possession of Personal Identifying Information

In Texas, a person may not obtain, possess, transfer, or use personal identifying information of another person without the other person’s consent or effective consent and with intent to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person’s name [Tex. Bus. & Com. Code § 521.051]. Personal identifying information includes an individual’s name, address, date of birth, social security number, driver’s license number, government-issued identification number, financial account number, and health information [Tex. Bus. & Com. Code § 521.002].

Business Duty to Protect Sensitive Personal Information

In Texas, a business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business [Tex. Bus. & Com. Code § 521.052]. A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business [Tex. Bus. & Com. Code § 521.052(b)].

Disposal of Business Records Containing Personal Identifying Information

When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information so as to make the information unreadable or undecipherable [Tex. Bus. & Com. Code § 72.004(b)]. A business that disposes of a business record without complying with this requirement is liable for a civil penalty in an amount not to exceed $500 for each business record [Tex. Bus. & Com. Code § 72.004(d)].

Conclusion

In Texas, private entities may not sell an individual’s sensitive personal information without affirmative express consent from the individual. If a person wants to sell an individual’s sensitive personal information, they must provide the individual with a clear and conspicuous notice and a method to opt-out of the sale. Additionally, a person may not obtain, possess, transfer, or use personal identifying information of another person without the other person’s consent or effective consent and with intent to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person’s name. A business shall implement and maintain reasonable procedures to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business and shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business. When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify the personal identifying information so as to make the information unreadable or undecipherable.

Jurisdiction

Texas