The Texas Data Privacy & Security Act Becomes Law
On Sunday, June 18, 2023, Governor Abbott signed the Texas Data Privacy and Security Act (“TDPSA”) into law, making Texas the tenth state to enact comprehensive data privacy protections for its residents. The TDPSA was modeled after the Virginia Consumer Data Protection Act but contains some updates and Texas-specific provisions. The TDPSA will take effect July 1, 2024, giving Texas businesses a year to prepare for compliance with the new law. In general, the TDPSA regulates the collection, use, processing, and treatment of Texas consumers’ personal data by certain business entities.
Which businesses are covered by the TDPSA?
The TDPSA applies broadly to individuals and entities who: (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not considered a “small business” as defined by the U.S. Small Business Administration—unless the small business participates in the transaction of sensitive personal data (discussed further below).[1] The SBA’s definitions of “small business” vary by NAICS industry and depend on the number of employees or annual receipts. Using the SBA’s small business definition was intended to provide clarity on which businesses are covered and to mitigate the additional compliance costs of determining the law’s applicability, a challenge faced in several other states that have enacted data privacy laws. However, the inquiry may be complicated for companies that have more than one NAICS industry code or for companies that are subject to another entity’s control, implicating the SBA’s “affiliation” rules. Certain entities are expressly excluded from the TDPSA’s coverage, including state agencies and political subdivisions, financial institutions, entities covered by HIPAA, non-profits, higher education institutions, and electric utilities, power generators, and retail electric providers.
Who has rights under the TDPSA, and what information is covered?
The TDPSA only protects residents of Texas acting in an individual or household context. The new law specifically excludes individuals acting in a commercial or employment context.
“Personal data” is defined broadly to include more than just information linked or reasonably linkable to an identified or identifiable individual. “Personal data” also includes pseudonymous data when such data is used by a controller or processor in conjunction with other information that reasonably links the data to an identified or identifiable individual. “Personal data” does not include publicly available information or deidentified data, and the law also exempts certain categories of information from the Act.[2]
The TDPSA also recognizes a category of “sensitive data” that requires additional protections and consent from consumers before being processed. “Sensitive data” includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status; genetic or biometric data; personal data collected from a known child; and precise geolocation data.
What are consumers’ rights under the TDPSA?
The TDPSA introduces several rights for Texas consumers, echoing standards commonly seen in data privacy legislation. Generally, these rights are:
- The right to be informed: consumers have the right to know what personal data is collected about them and whether it is being processed.
- The right to access: consumers have the right to obtain a copy of their personal data in a portable and readily usable format.
- The right to correct: consumers have the right to request the correction of any inaccurate personal data.
- The right to delete: consumers have the right to request the deletion of their personal data, subject to certain exceptions and requirements.
- The right to opt out: consumers have the right to opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling that produces legal or significant effects.
The law stipulates timelines for exercising these rights, including an initial 45-day deadline for the controller to respond to a consumer request. If a business declines the request, the TDPSA mandates the business implement an appeal process.
What are businesses’ obligations under the law?
As with most data privacy laws, under the TDPSA businesses are classified into two main categories, each with its own responsibilities: controllers and processors.
“Controllers” are those who determine the purpose and means of processing personal data, and the TDPSA imposes an obligation on controllers to restrict data collection to what is pertinent, adequate, and necessary, or otherwise obtain consent for such collection. They are prohibited from discriminating against individuals for exercising their rights under the law, for example, by offering goods or services on unequal terms or denying them altogether. Controllers must also obtain consent to process “sensitive data.” Borrowing from the Colorado and Connecticut data privacy laws, the TDPSA specifically states that obtaining consent through the use of “dark patterns” is invalid. Dark patterns generally refer to interfaces that intentionally steer consumers toward the option that provides the most personal information.
“Processors” are entities who carry out operations on personal data, and they must conform to a controller’s instructions about personal data and support the controller in adhering to the law’s requirements. The TDPSA also outlines contractual requirements that must be in place between any controller and processor.
As part of their obligations, controllers are required to provide a privacy notice or policy disclosing what data is collected, the purpose of processing such data, and the consumer’s rights and how to exercise those rights. Controllers who sell personal data for targeted advertising or sell sensitive personal data must also provide specific additional disclosures.
Under the TDPSA, one of the more demanding obligations imposed on controllers involves conducting “data protection assessments.” These assessments are mandatory for controllers engaged in the following activities:
- processing personal data for targeted advertising;
- selling personal data;
- profiling data, particularly if such profiling poses a predictable risk of causing unfair or deceptive treatment, or inflicting disparate impact on consumers;
- processing sensitive data; and
- engaging in any other processing activity that could heighten the risk of harm to consumers.
This would include activities that risk infringing on consumer privacy, causing harm to consumers, or intruding upon the solitude, seclusion, or private affairs of a consumer in a manner likely to offend a reasonable person.
What are the consequences for non-compliance?
The TDPSA does not provide for a private right of action to consumers for violations of the law, and expressly states no such right is provided. Instead, the Texas Attorney General will be tasked with enforcing the law, including civil penalties of up to $7,500 per violation. However, businesses will receive a 30-day notice and opportunity to cure any alleged violations. The TDPSA directs the Texas Attorney General to provide consumers: (1) information outlining consumer rights and the responsibilities of controllers and processors under the TDPSA and (2) an online portal for submitting consumer complaints by July 1, 2024.
The TDPSA is a significant development in the evolving landscape of state data privacy laws in the U.S. Texas businesses should monitor the implementation and interpretation of the new law and stay abreast of any guidance or regulations issued by the Texas Attorney General. As always, if you have any questions or concerns about this or other data privacy legislation or need assistance in preparing for compliance, please do not hesitate to contact us. Our experienced attorneys are here to help you navigate the complex landscape of data privacy law.
[1] The “small business exception” does not apply to the sale of sensitive data. See Tex. Bus. & Comm. Code § 541.107.
[2] Exempted information includes healthcare-related information covered by HIPAA, Health Care Quality Improvement Act, and Patient Safety and Quality Improvement Act, information covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act, emergency contact information, and information necessary to administer benefits.