Texas will likely become the 11th state to pass a consumer privacy law. H.B. 4, the Texas Data Privacy and Security Act (TDPSA), was passed by both houses of the Texas legislature last week, and the bill is now headed to Governor Greg Abbott for a final signature. The TDPSA has an effective date of March 1, 2024, which is less than a year away.
Below we provide an overview of some of the key aspects of this new Texas law.
What Businesses Are Subject to the TDPSA?
Unlike other state consumer privacy laws, the TDPSA does not include a revenue or other numerical threshold. The law applies broadly to any business or person that: (1) does business in Texas or produces a product or service consumed by a Texas resident; (2) processes or engages in the sale of personal data; and (3) is not considered a “small business” by the US Small Business Administration (except to the extent that the small business sells sensitive personal data).
Who Is a “Consumer”?
A “consumer” is a natural person who is a resident of Texas acting exclusively in a personal context. This means that employees and business-to-business contacts are expressly excluded from the definition of “consumer.”
What Is “Personal Data”?
“Personal data” is any information “that is linked or reasonably linkable to an identified or identifiable individual.” This includes pseudonymous data when the data is used in conjunction with information that reasonably links the data to an identified or identifiable individual. The term excludes deidentified data, aggregated data or publicly available information.
Reflective of Virginia, companies do not need to include pseudonymous data (under certain circumstances) when responding to consumer requests under the TDPSA.
Who Can Enforce?
The Texas Attorney General has exclusive enforcement authority. There is no private right of action. Before initiating any enforcement proceeding, the attorney general must give 30 days’ written notice and an opportunity to cure. If an enforcement action follows, violations of the TDPSA are subject to fines of up to $7,500 per violation.
Who Is Exempt?
The data-level and entity-level exemptions under the TDPSA closely mimic those of other state privacy laws. For example, personal information covered by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act and a litany of other federal laws are exempt.
In addition, the TDPSA does not apply to financial institutions subject to GLBA, covered entities and business associates subject to HIPAA, government entities, nonprofit organizations or higher education institutions.
The TDPSA also exempts the use of personal data for certain specific purposes, such as compliance with law, preventing fraud or injury to others and defending legal claims (just as in various other state consumer privacy laws, including Virginia and Indiana).
What Obligations Are Imposed?
The TDPSA imposes what have become “standard” obligations on data controllers under state consumer privacy laws. Specifically, controllers must:
Limit the processing of personal data to that which is reasonably adequate, relevant and necessary for the purposes of the processing as disclosed to the consumer;
Take steps to implement reasonable safeguards to protect the personal data within their control;
Refrain from discriminating against consumers for exercising their rights, and retrain from processing personal data in violation of federal laws that prohibit discrimination;
Obtain freely given, specific, informed and unambiguous consent prior to processing sensitive data;
Provide a privacy notice that is transparent, reasonably accessible, clear and meaningful;
Somewhat unique compared to its peers, the TDPSA requires providing separate specific notices if you sell sensitive data and if you sell biometric data (the law includes details on specific titles and location of such notices); and
Ensure that contracts control relationships with their processors (the law itself includes the minimum necessary provisions of these contracts).
What Consumer Rights Are Created by the TDPSA?
Controllers must provide the following rights to Texas consumers:
Access rights, including a right to confirm whether a controller is processing any of the consumer’s personal data at all;
Correction rights, considering the nature of the personal data and the purposes for processing the personal data;
Deletion rights, with respect to the data provided by or about the consumer;
Opt-out rights related to the sale of personal data, targeted advertising and profiling (where profiling is being used to produce a legal or similarly significant effect);
Appeal rights; and
Data portability rights but limited to data the consumer previously provided.
Under the TDPSA, “sensitive data” is personal data that includes information revealing racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data that is processed to identify someone, personal data collected from a known child (under the age of 13) and precise geolocation (location within a radius of 1,750 feet). Under the TDPSA, controllers may not collect or process (including selling), and small businesses may not sell, sensitive data without first obtaining the consumer’s freely given, specific, informed and unambiguous consent or, in the case of a child, complying with the Children’s Online Privacy Protection Act.
Response to Consumer Inquiries
Controllers must respond to a consumer personal data request within 45 days of receipt of the request, with a 45-day extension available. If a consumer appeals a controller’s decision to deny the consumer’s request, the appeal response must be delivered within 60 days. Similar to Virginia, if the appeal is denied, controllers must provide the consumer with a method for contacting the attorney general.
Data Protection Impact Assessments
The TDPSA requires controllers to document impact assessments before engaging in certain processing activities, including the following:
Processing for targeted marketing;
Sale of personal data;
Processing of personal data for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms, or other substantial injury to consumers;
Processing sensitive data; and
A catch-all category of “any processing activities involving personal data that present a heightened risk of harm to consumers.”
As appearing throughout other state privacy laws (including Virginia, Colorado, Connecticut and Indiana), these impact assessments must analyze the benefits of the processing to the company, consumer and public, while weighing the harms and potential mitigants. The TDPSA allows for the use of impact assessments done under other state laws to count towards its own requirement, and it does not require retroactive impact assessments for processing activities occurring prior to the effective date of the law.
When Does the TDPSA Take Effect?
The TDPSA comes into effect on March 1, 2024.
Creating a successful, effective, and comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal data subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.
If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to Amy Pimentel or Allison M. Tassel.
Check out our additional coverage on new state consumer privacy laws: