Texas is the second-largest state to enact a comprehensive consumer data privacy law

The Texas Data Privacy and Security Act (TDPSA) became law on June 16, 2023. Texas becomes the 11th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, and Florida (with Oregon soon to be the 12th). Having a total population in excess of 30 million people, Texas will be the second-largest state, after California, to enact such legislation. Considering the number of residents in the 11 states with comprehensive privacy laws so far, close to 40 percent of the entire U.S. population will have access to new state consumer rights regarding their personal data. Companies need to be aware of the applicable state resident, data, and revenue thresholds and be ready to respond to a potential wave of data subject requests, while also effectively navigating the web of complex compliance and reporting obligations.

The TDPSA, which takes effect on July 1, 2024, except for global opt-out technology provisions that take effect on January 1, 2025,[1] is similar to the state privacy laws in Virginia, Utah, and Iowa (among others) that are generally more "business-friendly" relative to laws such as those in California and Colorado. Businesses that have prepared to comply with these other state privacy laws should be well-positioned to comply with the TDPSA. Even so, the TDPSA contains several notable provisions that companies should consider when developing their privacy compliance programs.

Notable Provisions

• "Small Business" Carveout: The TDPSA adopts a first-of-its-kind carveout for "small businesses" as defined by the U.S. Small Business Administration (SBA). As discussed in more detail below, whether a small business meets the SBA definition can be a complicated, fact-specific question. Even with a "small business" carveout, the lack of a revenue threshold or data processing threshold as found in other state privacy laws may mean that the TDPSA will apply broadly and impact a significant percentage of companies doing business in the state. Also, the TDPSA is unique among state privacy laws in prohibiting otherwise-exempt small businesses from selling sensitive personal data without consent.
• Consent Necessary to Process Sensitive Data: The law requires all covered businesses to obtain consent before processing "sensitive" personal data.[2] As noted above, even entities otherwise exempt from the TDPSA as a "small business" are prohibited from selling sensitive personal data without consumer consent.
• Notices for Sale of Sensitive Personal Data: As with Florida's privacy law, if a controller engages in the sale of sensitive personal data, the TDPSA requires the controller to include the following notice: "NOTICE: We may sell your sensitive personal data." Similarly, if a controller engages in the sale of biometric personal data, they must include the following notice: "NOTICE: We may sell your biometric personal data." These notices must be posted in the same location and in the same manner as a covered business's privacy notice. Exempt "small businesses" do not need to comply with these notice requirements.
• Requirement to Recognize Universal Opt-Out Mechanism: Like the laws in Colorado, Connecticut, California, and Montana, the TDPSA will require covered businesses to recognize universal opt-out mechanisms for the sale of personal data and targeted advertising in 2025.[3] Covered businesses will be obligated to process opt-out requests submitted by consumers via universal opt-out mechanisms that are "consumer-friendly and easy to use" and that "allow the controller to accurately determine whether the consumer is a resident of the state and whether the consumer has made a legitimate request to opt out of any sale of a consumer's personal data or targeted advertising."
• Cure Period with No Sunset: Following the Virginia law, the TDPSA provides covered businesses with 30 days to cure any violation of the law before the Texas attorney general can bring an enforcement action. Also like the Virginia law, this cure period does not "sunset" after a period of time.

Application Thresholds

The TDPSA applies to persons that:

1. conduct business in Texas or produce products or services consumed by Texas residents;
2. process or engage in the sale of personal data; and
3. are not "small businesses" as defined by the SBA.

Unlike the privacy laws in Virginia, Utah, Iowa, and elsewhere, the TDPSA has no specific thresholds based on annual revenue or volume of personal data processed.

Companies may find that determining whether they qualify as a "small business" under SBA regulations is surprisingly complicated. The SBA does not have a single definition for a "small business." Instead, definitions of "small business" by the SBA vary widely from one industry vertical to the next.[4]

Controller Obligations

Similar to other state privacy laws, the TDPSA imposes specific obligations on data "controllers"—those that determine the purposes and means of processing personal data—including:

• Data minimization – Controllers must limit collection of personal data to what is "adequate, relevant, and reasonably necessary" to achieve the purposes of collection as disclosed to the consumer.
• Non-discrimination – Controllers may not process personal data in violation of state and federal antidiscrimination laws or discriminate against a consumer for exercising any of the consumer's rights under the Act, including by denying goods or services, charging different prices or rates, or providing a different level of quality of goods or services.
• Opt-out right for sales, targeted advertising, and profiling – A controller that sells personal data to third parties or processes data for purposes of targeted advertising[5] or "profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer"[6] must clearly and conspicuously disclose consumers' right to opt out.
• Protections for sensitive personal data – Controllers may not process sensitive personal data without obtaining prior consent from the consumer. If a controller processes the sensitive personal data of a known child, the consumer must process that data in accordance with the Children's Online Privacy Protection Act of 1998 (COPPA).
• Privacy notice – A controller is required to provide consumers with a reasonably accessible and clear privacy notice containing the following information:
  • The categories of personal data processed by the controller, including the processing of any sensitive data;
  • The purpose for processing personal data;
  • The categories of personal data the controller shares with third parties (if applicable);
  • The categories of third parties with whom the controller shares personal data (if applicable); and
  • A description of the methods required for a consumer to submit a request to exercise their rights under the TDPSA, and how consumers may exercise their rights, including their appeal rights.
• Data security safeguards – Controllers must "establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue."

Exemptions

Consistent with most other state data privacy laws, the TDPSA contains entity-level, data-specific, and employment-related exemptions. Additionally, the TDPSA only protects consumers acting in an individual or household capacity, meaning it is also not applicable in business-to-business (B2B) contexts. Other exempted entities and data types are summarized below.

Entity-level exemptions:

• Electric utilities, power generation companies, and retail electric providers;[7]
• Financial institutions subject to Title V of the Gramm-Leach-Bliley Act;
• Covered entities and business associates governed by HIPAA (which would include many professional services firms and cloud service providers);
• State agencies and political subdivisions;
• Nonprofit organizations; and
• Institutions of higher education.

Data-specific exemptions:

• Protected Health Information subject to HIPAA, health records, patient identifying information for the purposes of 42 U.S.C. § 290dd–2, information and documents created for purposes of the Health Care Quality Improvement Act of 1986, patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005, or identifiable private information used in connection with human clinical trials and research.
• Information originating from, and "intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section" that is maintained by a HIPAA-covered entity or HIPAA-defined business associate.
• Personal information covered by and/or processed in accordance with the Fair Credit Reporting Act, Driver's Privacy Protection Act, Family Educational Rights and Privacy Act of 1974, the Farm Credit Act of 1971, and several others.
• Personal data processed by a person in the course of a purely personal or household activity.
• Emergency contact information.

Employment-related exemption:

• Data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent such data is collected and used within the context of that role.

Processing-related exemptions:

The TDPSA does not restrict a controller's or processor's ability to:

• Comply with federal, state, or local laws, rules, or regulations;
• Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons, by federal, state, municipal, or other governmental authorities;
• Protect an interest that is essential for the life or physical safety of the consumer or of another individual and in which the processing cannot be manifestly based on another legal basis;
• Investigate, establish, exercise, prepare for, or defend legal claims;
• Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, and to preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security;
• Provide a product or service specifically requested by a consumer;
• Fulfill the terms of a written warranty;
• Conduct internal research to develop, improve, or repair products, services, or technology;
• Effectuate a product recall;
• Identify and repair technical errors that impair existing or intended product functionality; or
• Perform internal operations that are reasonable based on consumer expectations or the consumer relationship, or are compatible with the provision of a requested product or service or the performance of a consumer contract.

Additionally, the statutory requirements imposed on a controller or processor under the TDPSA do not apply if compliance would require violating an evidentiary privilege under Texas law or the disclosure of a trade secret, or "adversely affect[ ] the rights or freedoms of any person, including the right of free speech."

Consent Defined

The TDPSA narrowly defines "consent" as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action. The Texas law expressly does not recognize the following as viable forms of consent:

• Acceptance of a general terms of use or similar document containing descriptions of personal data processing in combination with other, unrelated information;
• Hovering over, muting, pausing or closing a given piece of content; or
• Any agreement obtained via "dark patterns."[8]

Biometric Data

Like other state privacy laws, the TDPSA defines the term "biometric data" as data generated by automatic measurements of an individual's biological characteristics, such as fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics (perhaps including "faceprints," although they are not mentioned explicitly). The term expressly excludes physical and digital photographs as well as video or audio recordings, and any data generated therefrom. This exclusion is similar to ones found in other state privacy laws' definitions of biometric data. However, this exclusion distinguishes the TDPSA from the Illinois biometrics law,[9] which, while generally exempting photographs and video and audio recordings, applies to scans of facial geometry created from photographs.[10] Biometric data is characterized as "sensitive data" under the TDPSA (see below) only when "processed for the purpose of uniquely identifying an individual."

Sensitive Data

Like most other state privacy laws, the TDPSA prohibits businesses from collecting and processing "sensitive data" without obtaining the consumer's consent (or the parent's consent if under 13). The TDPSA defines "sensitive data" as personal data revealing:

• Racial or ethnic origin;
• Religious beliefs;
• Mental or physical health diagnosis;
• Sexual orientation; or
• Citizenship and immigration status;

  and also includes:

• Genetic and biometric data that is processed to uniquely identify an individual;
• Precise geolocation data (location within a radius of 1,750 feet); and
• Personal data collected from a known child (i.e., someone under the age of 13).

As noted above, if the sensitive data pertains to a known child, compliance with the COPPA (verifiable parental consent) is required.

Definition of "Sale"

The TDPSA defines "sale of personal data" as the "sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party." As a result, the Texas definition tracks with California's broader definition of "sale," as compared to the narrower definition under Virginia's privacy law, which only applies to disclosures of personal data "for monetary consideration" and not "other valuable" consideration.

TDPSA's definition of a "sale" excludes any disclosure to an affiliate of the controller, the controller's processor, for the purpose of providing a requested product or service, in a merger or acquisition of the controller's business or assets, or of information that the consumer intentionally made public via mass media.

Consumer Rights

As with other state privacy laws, the TDPSA provides consumers the right to confirm the processing of and obtain access to the consumer's personal data; request that a controller correct inaccuracies in the consumer's personal data; delete personal data about the consumer; and if available in digital format, obtain a copy of the data "the consumer previously provided to the controller" in a portable and readily usable format "that allows the consumer to transmit the data to another controller without hindrance."

The TDPSA requires covered businesses to establish two or more secure and accessible methods (through the website or by email in specified circumstances) for consumers to submit authenticated requests to exercise their rights with respect to their personal data. Responses to consumer requests are due within 45 days of receipt, subject to a 45-day extension, when reasonably necessary. Controllers must provide information in response to a consumer's request "at least twice annually per consumer" and free of charge, unless the request is "manifestly unfounded, excessive, or repetitive."

The TDPSA also provides that any provision of a contract or agreement that waives or limits consumer rights is void and unenforceable.

Data Protection Assessments

The TDPSA requires controllers to conduct and document data protection assessments for certain types of processing that pose heightened risks to consumers. The assessments must identify and weigh the benefits of the processing to the controller, consumer, other stakeholders, and the public, against the potential risks to the consumer (while also taking into consideration any mitigating safeguards that could reduce those risks).[11] The categories that require assessments are identical to those required by Connecticut's privacy law, including:

• Processing personal data for targeted advertising;
• The sale of personal data;
• Processing personal data for profiling consumers, if such profiling presents a reasonably foreseeable risk to consumers of unfair or deceptive treatment, disparate impact, financial, physical or reputational injury, physical or other intrusion upon seclusion of private affairs, or "other substantial injury";
• Processing of sensitive data; and
• Any processing activities involving personal data that present a "heightened risk of harm to consumers."

Data protection assessments conducted to comply with comparable requirements of other laws or regulations (such as other states' privacy laws) will satisfy the requirements of the TDPSA. Data protection assessments must cover processing activities occurring only after the law's effective date and do not need to be retroactive (some state privacy laws require such assessments to cover processing activities occurring for a period prior to the law's effective date).

Data Governance Principles

The TDPSA incorporates data governance principles, including purpose limitation and reasonable security practices. Furthermore, controllers are prohibited from collecting additional categories of personal information or using collected information for additional purposes, unless they've obtained a consumer's consent.

Processor Contracts

The TDPSA uses a controller-processor framework and requires that controllers and processors—those that process personal data on a controller's behalf—enter into agreements that include terms that are standard under other state privacy laws, including clear instructions for processing data, the nature and purpose of processing, the type of data processed, the duration of processing, and the rights and obligations of both parties, including confidentiality of personal information, contracts with sub-processors, deletion or return of personal data upon termination of the agreement, and cooperation with reasonable assessments by the controller.

Enforcement – Private Right of Action?

The Texas attorney general has exclusive authority to enforce the TDPSA, though – in contrast to California, Colorado, and Florida – Texas does not provide any rulemaking authority. The Texas attorney general may levy civil penalties of up to $7,500 per violation and seek injunctive relief as well as attorney's fees and other expenses incurred in investigating and bringing an action for violations.

There is no private right of action afforded to consumers for violations under the TDPSA or "any other law."

Cure Period

Before commencing an action to enforce the TDPSA, the Texas attorney general must notify the person of the specific provisions alleged to have been violated. Following that notice, there will be a 30-day "cure" period within which the person can correct the violation. If the violation is cured, no enforcement action can be brought.

To properly "cure" under the TDPSA, the person must provide the attorney general a written statement within the 30-day period that the person: cured the alleged violation; notified the consumer that the consumer's privacy violation was addressed, if the consumer's contact information has been made available to the person; provided supporting documentation to show how the privacy violation was cured; and made changes to internal policies, if necessary, to ensure that no such further violations will occur.

The right to cure has no sunset provision and would remain a permanent part of the law, which is in contrast to states such as Colorado, Connecticut, Montana, and others where the cure period sunsets after a number of years.

Looking Ahead

The TDPSA will go into effect the same time as the recently enacted Florida Digital Bill of Rights (which is actually prior to four other states that recently passed consumer data privacy laws earlier in 2023).

The seven state privacy laws enacted so far in 2023 are slated to go into effect as follows:

• July 1, 2024 – Texas
• July 1, 2024 – Florida
• October 1, 2024 – Montana
• January 1, 2025 – Iowa
• July 1, 2025 – Tennessee
• January 1, 2026 – Indiana

Laws in Oregon and Delaware, if signed as currently presented to their governors, would be effective July 1, 2024, and January 1, 2025, respectively.

[View source.]