On June 18, 2023, Texas’ Governor signed House Bill (HB) 4 which enacts the Texas Data Privacy and Security Act. Texas joins California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. Most of the sections of the law are scheduled to take effect July 1, 2024.
When does the law apply?
In general, the law applies to businesses (referred to as “controllers”) that:
- Conduct business in the state of Texas or produce a product or service consumed by Texas residents; and
- Processes or engages in the sale of personal data.
The law does not apply to small businesses (as defined by the Small Business Administration) and along with several categories of personal data that are excluded from coverage under the law, the following entities are specifically exempted:
- State agencies or political subdivisions;
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act;
- Covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA);
- Non-profit organizations;
- Institutions of higher education; and
- Electric utilities.
Who is protected by the law?
Consumers that are protected under the law are defined as an individual who is a resident of the state of Texas acting only in an individual or household context. A consumer does not include an individual acting in a commercial or employment context.
What data is protected by the law?
Personal data is protected under the legislation and defined as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, but does not include de-identified data or publicly available information.
Under the law, sensitive data includes any data revealing a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, as well as any genetic or biometric data used for identifying an individual, any personal data collected from a known child, or any precise geolocation data.
What are the rights of consumers?
Under the new legislation, consumers have the right to:
- Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
- Correct inaccuracies in the consumer’s personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a digital copy of the data the consumer previously provided, if available; and
- Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
What obligations do businesses have?
Limitations on Collection
Covered controllers must limit the collection of personal data to only what is adequate, relevant, and reasonably necessary for the purpose for which the personal data is being processed and disclosed to the consumer. They must also implement “reasonable” security practices to protect the confidentiality and integrity of the data.
In addition, controllers must obtain a consumer’s consent before (1) processing personal data for any other purpose than what was disclosed or (2) processing the sensitive data of a consumer. Controllers are barred from using the data to discriminate against consumers.
Notice to Consumers
Controllers must also provide consumers with a reasonably accessible and clear privacy notice that includes:
- The categories of personal data processed by the controller;
- The purpose of processing personal data;
- How consumers may exercise their rights;
- If applicable, the categories of personal data shared with third parties; and
- If applicable, the categories of third parties with whom the controller shares personal data
- A description of the methods through which consumers can submit requests to exercise rights.
In addition, controllers who engage in the sale of sensitive data or biometric personal data must give specific notices (posted in the same location and manner as the privacy notice):
- “NOTICE: We may sell your sensitive personal data.”
- “NOTICE: We may sell your biometric personal data.”
Data protection assessments
Whenever a controller processes any sensitive data or processes personal data for targeted advertising, the sale of personal data, specific forms of profiling, or any activity that presents a heightened risk of harm to consumers, the controller is required to prepare a detailed data protection assessment.
Controllers must also make available two or more secure and reliable methods to enable consumers to submit a request to exercise their rights under the legislation, as well as establish an appeal process that is “conspicuously available” and similar to the process established for initially exercising their rights. When a consumer seeks to exercise their rights, the controller must respond to the request without undue delay, but no later than 45 days after the receipt of the request (but may, in some circumstances, extend the response deadline once by an additional 45 days). If the controller declines the consumer’s request, it must provide justification for its decision and instructions on how to appeal the decision. If the controller denies the appeal, the controller must provide the consumer with the online mechanism to submit the complaint to the Attorney General.
How is the law enforced?
Under the law, there is no private cause of action for consumers. Instead, the Attorney General has exclusive authority to enforce the new restrictions and must establish an online mechanism through which a consumer may submit a complaint.
If the Attorney General has “reasonable cause” to believe someone has violated the law, it may issue a civil investigative demand and require a controller to disclose any relevant data protection assessment to facilitate its investigation. If the Attorney General identifies violations of the law, it must send a notice of violation to the controller at least 30 days before bringing the action and allow the controller an opportunity to cure. If the controller cures the violation within the 30-day period, the Attorney General may not bring an action against the controller.
If the Attorney General brings such an action, it may seek both civil penalties, injunctive relief, and recover attorney’s fees and expenses incurred both during the initial investigation and subsequent legal action.
Texas’ new consumer privacy law is comprehensive, and the summary above reflects only the highlights of the new obligations and risks presented to businesses operating in Texas.