Texas recently became the tenth state to pass a comprehensive consumer data privacy law when its legislature voted in favor of the Texas Data Privacy and Security Act (TDPSA). The bill was signed by Governor Greg Abbott on June 18, 2023, and will go into effect on July 1, 2024. While the Texas law is similar in many respects to the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) that we have previously written about, it notably varies from those and other similar US data protection laws due to its broad applicability.
The TDPSA has no minimum revenue or number of consumers served threshold for applicability. As a result, companies doing business in Texas will need to determine what their obligations are under the new law. This alert examines essential components of the legislation that are central to understanding those obligations.
Who has to comply with the TDPSA?
The TDPSA applies to anyone that: (1) conducts business in Texas or produces products or services consumed by Texas residents; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration (SBA).
This casts a wide net, even for smaller companies, because the SBA definition of “small business” fluctuates across different industries and due to changes in the economy. Moreover, the reference to products or services consumed in the state is a noticeable change from other similar laws that speak in terms of products or services targeted to residents of the state. This modification eliminates the need to inquire into a business’ intentions, instead honing in on a potentially stricter, objective standard of actual use.
The TDPSA contains a list of carveouts for financial instructions, healthcare covered entities and business associates subject to HIPAA, state agencies, nonprofits and other similar and now-standard entities.
What is “Personal Data” under the TDPSA?
The TDPSA defines “personal data” in a broad fashion. It includes “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.” This includes pseudonymous data when the data is “used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.”
There are a number of exemptions from this definition. The most important of these includes deidentified data, publicly available information, data subject to the GLBA, information governed by the Fair Credit Reporting Act, information governed by the Family Educational Rights and Privacy Act (FERPA), protected information under HIPAA, and health records.
How does the TDPSA protect consumer personal data?
Similar to many other data privacy laws, the TDPSA gives consumers a number of rights relating to their personal data, with some noticeable expansions on prior foundations. Controllers must answer requests from consumers that confirm whether they are processing a consumer’s personal data and access to that data, correct inaccuracies to the data, delete a consumer’s personal data, obtain a copy of personal data previously provided to the controller, and opt out of processing of the personal data for the purposes of (1) targeted advertising, (2) the sale of personal data, and (3) profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
The statute defines the “sale of personal data” expansively as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” This broad language is meant to prohibit controllers from escaping compliance by making semantic arguments about what it means to sale data. Moreover, covered controllers are required to establish two or more methods that enable a consumer to submit a request to exercise any of their rights under the act.
Controllers must respond to a consumer’s request regarding the rights outlined above within 45 days, absent special circumstances. They must also disclose the collection of sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, health diagnosis, sexuality, citizen and immigration status, genetic or biometric data processed for the purpose of identifying an individual, personal data collected from a known child, and precise geolocation data. Sensitive data cannot be processed for any reason without a consumer’s consent.
Companies that sell data or process personal data for targeted advertising, along with companies that process certain types of sensitive data, must also undertake and document a data protection assessment to weigh the risks presented to the consumer related to the processing against the benefits to the controller, the consumer or other stakeholder from use of the data.
How is the TDPSA going to be enforced?
The TDPSA will be exclusively enforced by the Texas Attorney General. There is no private right of action under the TDPSA. However, the attorney general must notify controllers of alleged violations at least 30 days before bringing an action. A controller who receives notice of a violation has a 30-day cure period during which they can remedy the alleged violation and notify the attorney general that: (1) the violation has been cured, (2) the consumer was notified of the remedy, (3) supportive documentation has been provided to show how the violation was cured; and (4) internal policies have been changed to prevent further violations.
What should businesses do to comply?
Companies that believe the TDPSA may apply to them should start to take steps to comply now. The broad applicability of this law will affect a number of businesses who may have thought they were in the clear based on revenue generation and consumer served thresholds in other similar laws. July 1, 2024, will be here soon and compliance with privacy regimes is often costlier and more time-intensive than anticipated, particularly where a company is subject to requirements for conducting and documenting a data protection assessment. Determining what standards a company will need to meet early on prevents the rush to comply at the last minute.
Brooks Pierce summer associate Sarah Morehouse, UVA School of Law Class of 2024, contributed to this article.
