Texas Makes 10: Texas Governor Signs Newest U.S. State Privacy Law

On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (the “TDPSA”). Texas is now the tenth state to enact a comprehensive privacy law and the sixth state this year alone. The TDPSA will take effect July 1, 2024, giving subject businesses a little over a year to comply. While the TDPSA contains similarities to the other state comprehensive privacy laws, it also contains its own nuances.

Applicability

The TDPSA takes a unique approach to applicability. Generally, the TDPSA will apply to persons that:

  1. conduct business in Texas or produce a product or service consumed by Texas residents;
  2. process or engage in the sale of personal data; and
  3. are not a small business (as defined by the U.S. Small Business Administration (“SBA”)).

These applicability standards are broad and deviate from those in other state comprehensive privacy laws that limit their application by thresholds based on monetary amounts, the number of consumers, or both.

Instead of expressly including those types of thresholds, the TDPSA indirectly addresses them by carving out businesses that qualify as a “small businesses” according to the U.S. Small Business Administration (“SBA”). SBA uses industry-level definitions that include employee thresholds and revenue thresholds. While these applicability standards may in practice operate similarly as those contained within other state comprehensive privacy laws, SBA’s small business size standards are detailed and vary by industry, and each entity must factor in its affiliates under SBA’s affiliation rules in determining whether it meets the applicable size standard.  Because of SBA’s affiliation rules, it is likely that some entities that are exempted under other state comprehensive privacy laws will not be exempted under the TDPSA.

Additionally, like the other state comprehensive privacy laws, the TDPSA contains exemptions for certain types of entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA and HITECH, non-profit organizations, institutions of higher education, electric utility companies, power generation companies, and retail electric providers. The TDPSA also exempts certain types of information and data, such as protected health information under HIPAA; information that is intermingled with protected health information under HIPAA; personal data regulated by the Family Educational Rights and Privacy Act, Driver’s Privacy Protection Act, Farm Credit Act, and Fair Credit Reporting Act; emergency contact information; and data  processed to administer benefits.

Key Definitions

Unlike California’s comprehensive state privacy law, the TDPSA narrowly defines “consumer” to mean an individual who is a Texas resident acting only in an individual or household context. The definition expressly excludes an individual acting in commercial or employment context.

With respect to these consumers, the TDPSA regulates their “personal data” as well as a special category of personal data known as “sensitive data,” which it defines as (i) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying an individual; (iii) personal data collected from a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. The TDPSA’s definition of “sensitive data” is similar to the definitions used in the other state comprehensive privacy laws, except for California’s law, which uses a broader definition.

Similar to California, Connecticut, Colorado and Florida, the TDPSA defines “sale” as sharing, disclosing, or transferring personal data to a third party for monetary or other valuable consideration . Additionally, the TDPSA provides broad exceptions to the definition of “sale” that are similar to exceptions in other state privacy laws and should cover many ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, to a third party for the purpose of providing a product or service requested by a consumer, and to an affiliate of the controller.

Compliance

Some of the compliance obligations found in the TDPSA are substantially similar to those found in the other state comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data for the controller. Further, like the privacy laws in Colorado, Connecticut, Indiana, Virginia, Tennessee, Montana, and Florida, the TDPSA requires controllers to undertake data protection impact assessments of any processing activities that involve personal data used in targeting advertising, the sale of personal data, profiling (in certain instances), sensitive data, and data that presents a heightened risk of harm to consumers.

Additionally, like Florida’s recently-enacted privacy law (discussed here), the TDPSA requires a controller that sells sensitive personal data to provide the following statement on its website: “NOTICE: We may sell your sensitive personal data.” Similarly, if a controller sells biometric data, it must provide the following statement on its website: “NOTICE: We may sell your biometric personal data.”

Consumer Rights and Requests

One common and critical component of the state comprehensive privacy laws is the granting of rights to individuals regarding their own personal data. Specifically, the TDPSA grants consumers the right to make requests to (1) know and access their personal data; (2) correct inaccuracies in their personal data; (3) delete their personal data; (4) obtain a copy of their personal data; and (5) opt out of the processing of their personal information for targeted advertising, the sale of personal data, and certain types of profiling. These rights align with the rights granted to consumers under Colorado’s, Connecticut’s, Indiana’s, Virginia’s, Tennessee’s and Montana’s laws.

Additionally, with respect to sensitive data, the TDPSA requires controllers to obtain prior consent from the consumer (or from a parent or legal guardian in accordance with the Children’s Online Privacy Protection Act if the consumer is under age 13). Further, the TDPSA provides that a business qualifying as a “small businesses” according to SBA may not engage in the sale of sensitive data without receiving prior consent from the consumer.

A consumer’s authorized agent may opt out of the processing of personal data for targeted advertising or the sale of personal data on the consumer’s behalf. A consumer may authorize such an agent using technology, such as internet browser setting, global settings on an electronic device, or a link to an internet website that indicates a consumer’s intent to opt out. However, this part of the TDPSA will not take effect until January 1, 2025.

Under the TDPSA, a controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary upon considering the complexity and number of the consumer’s requests. The TDPSA requires a controller to provide consumers with an appeals process if it denies a consumer’s request, and a controller has 60 days to respond to an appeal. The privacy laws in California or Utah are the only comprehensive privacy laws without an appeal right.

Enforcement

The TDPSA, like most other state comprehensive privacy laws, does not allow a private right of action. Rather, the TDPSA grants enforcement exclusively to the Texas Attorney General, who can seek civil penalties of up to $7,500 for each violation of the law, which is the same amount under Virginia’s, Utah’s, Tennessee’s and Iowa’s privacy laws. However, violators first receive an opportunity to cure violations within 30 days of receiving notice of a violation from the Texas Attorney General. Notably, this cure right does not contain a sunset provision and would be a permanent right for businesses.

Conclusion

The TDPSA will take effect July 1, 2024, the same year as the recently-enacted Montana Consumer Data Privacy Act and the Florida Digital Bill of Rights. The frequency at which state comprehensive privacy laws have been passed this year is yet another reminder to act now to prepare a privacy program that complies with the laws currently in effect and the ones set to take effect soon. Creating such a privacy program will make it easier on your business as the number of privacy laws continues to rise.

If you would like assistance with, or have any questions about, complying with the TDPSA or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.