Texas Data Privacy and Security Act: Decoding the ‘Small Business’ Exception

BakerHostetler

In a state where everything is bigger, sometimes it helps to be small. The Texas Data Privacy and Security Act (TDPSA), which takes effect on July 1, 2024, includes one of the broadest standards for applicability of any U.S. state privacy law, covering any for-profit entity that (1) conducts business in Texas or produces a product or service consumed by Texas residents; (2) processes or sells personal data; and (3) “is not a small business as defined by the United States Small Business Administration.” A company that qualifies as a small business is generally outside the scope of most provisions of the TDPSA, with the exception of the requirement to obtain prior consent before engaging in sales of sensitive personal data.[1] While many companies are already familiar with the criteria for qualifying as a small business under the U.S. Small Business Administration’s (SBA) standards, for those that have not been through the process, conducting this analysis may be one of the most important steps toward preparing for the TDPSA.

SBA’s Size Standards

Whether a business qualifies as small under the SBA’s size standards depends on either its average annual receipts or its average number of employees. The maximum number of employees or annual receipts a business can have while still qualifying as a small business varies based on its industry classification under the North American Industry Classification System (NAICS). Thus, the first step in determining whether your company qualifies as a small business is to identify the NAICS code that applies to your business. Once you know your NAICS code, the SBA’s table of small business size standards may be used to find the relevant maximum number of employees and annual receipts. The SBA also has an online tool to help businesses assess whether they qualify as small.

Depending on the applicable NAICS code, the qualifying threshold for average annual receipts ranges from $2.25 million to $47 million, while the maximum number of employees ranges from 100 to 1,500.[2] As a quick rule of thumb, under the current SBA size standards, a U.S. business with annual average receipts of less than $2.25 million and fewer than 100 employees will likely be small, and therefore exempt from the TDPSA’s primary requirements. Businesses that exceed either of these thresholds would need to conduct a careful analysis to determine the specific thresholds applicable to their industry before concluding they qualify as a small business for purposes of the TDPSA.

Counting Employees and Receipts

While additional nuanced rules may apply, in general under the SBA’s size standards, the “average number of employees” is the average number of people employed by a business (plus its domestic and foreign affiliates), full or part time, for each pay period during the preceding 24 calendar months.[3] If a company has been in business for fewer than 24 months, the average number of employees is based on each pay period during which it has been in business.[4] All employees on payroll must be included regardless of hours worked or temporary status.[5]

While the calculation of average annual receipts is also subject to a host of detailed rules, it is generally intended to cover total or gross income plus cost of goods sold, as reported on the business’s tax returns for the period in question.[6] In most circumstances, receipts are averaged over a business’s most recently completed five fiscal years to determine the average annual receipts.[7] If the company has been in business less than five complete fiscal years, then the total of its receipts across the available period is divided by the number of weeks in business, multiplied by 52.[8] Capital gains and losses, as well as certain other taxes and proceeds, typically will not be counted for purposes of calculating average annual receipts.[9] The company’s federal income tax returns and any amendments filed with the IRS on or before the date of self-certification must be used to determine the average annual receipts of a company.

Key Risks

Determining whether your business counts as small is important in that small businesses are not subject to most of the TDPSA’s requirements (except those applicable to sales of sensitive personal data). On the other hand, incorrectly concluding that a business counts as “small” can carry significant risk. In addition to risks associated with non-compliance with the TDPSA, there are significant penalties associated with misrepresentation of size status under the SBA’s rules.[10] These penalties include suspension and debarment of a person or business for misrepresenting a firm’s size status, as well as civil and criminal penalties depending on the culpability associated with the misclassification.[11] While assessing whether a business qualifies as small can be highly beneficial in terms of simplifying compliance with the TDPSA and in other ways, businesses should approach this analysis with caution, make sure they are relying on accurate information relating to their annual receipts and number of employees, and consult with counsel to confirm they are correctly applying the analysis.

Lastly, companies should be aware that the SBA’s size standards are subject to change. For example, the SBA recently proposed several updates to the size standards, so companies should ensure they not only select the correct NAICS code but also reference the most current table. SBA’s proposed new rules were published in the Federal Register on Dec. 11, 2023, and the comment period ended Feb. 9, 2024, marking the conclusion of the SBA’s five-year review of the size standards. In light of this, it is expected that the SBA will issue new rules pertaining to size standards that may need to be factored into analyzing whether your business is small.


[1] Additional exceptions apply to (1) state agencies and political subdivisions; (2) financial institutions subject to the Gramm-Leach-Bliley Act; (3) covered entities and business associates subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act; (4) nonprofit organizations; (5) institutions of higher education; and (6) electric utilities, power generation companies and retail electric providers.

[2] 13 CFR §121.201.

[3] Id.

[4] 13 CFR §121.106.

[5] Id.

[6] 13 CFR §121.104.

[7] Id.

[8] Id.

[9] Id.

[10] 13 CFR §121.108.

[11] Id.
