On May 28, the Texas legislature passed the Texas Data Privacy and Security Act (TDPSA), also known as H.B. 4. The TDPSA was sent to Governor Greg Abbott on May 30. If signed into law, the TDPSA will take effect on July 1, 2024. Below is a summary of some of the key takeaways from the TDPSA.
Applicability and Scope
TDPSA is unique among the other nine U.S. state privacy laws that have passed to date in that there is no revenue threshold for covered entities and no threshold for the amount of personal data that is processed. Accordingly, TDPSA has a much broader reach and applies to entities that: (1) conduct business in Texas; and (2) process or engage in the sale of personal data.
TDPSA has a carve-out for entities that are considered a small business as defined by the United States Small Business Administration. However, the law still requires all covered entities, regardless of size, to obtain opt-in consent before processing sensitive personal data (which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, citizenship or immigration status, genetic or biometric data processed for purposes of uniquely identifying an individual, personal data collected from a known child under 13, and precise geolocation data).
TDPSA excludes state agencies or political subdivisions of Texas, financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations, institutions of higher education, and certain utility providers.
The TDPSA uses the terms “controller” and “processor” and requires controllers to conduct data protection assessments of processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), sensitive data, or otherwise present a heightened risk of harm to "consumers" (Texas residents). In addition, controllers and processors must agree to certain contractual terms. Furthermore, processors must assist controllers in meeting their obligations, including responding to consumer requests and conducting data protection assessments. TDPSA also requires controllers to implement opt-out preference signals by January 1, 2025.
TDPSA provides consumers with a suite of consumer rights, including, but not limited to, the right to know whether a controller is processing the consumer’s personal data; the right to access personal data being processed by the controller; the right to correct inaccuracies in the consumer’s personal data; the right to delete personal data provided by or otherwise obtained from the consumer; the right to request a copy of personal data in certain circumstances if such personal data is in a digital format and it is technically feasible to provide a copy; and the right to opt out of the processing of the consumer’s personal data for purposes of targeted advertising, sale of personal data, or certain profiling-related activities.
The Texas Attorney General has the exclusive authority to enforce TDPSA and must provide controllers and processors with a 30-day cure period for violations. If a violation is not cured within 30 days, civil penalties of up to $7,500 per violation and/or injunctive relief may be imposed on the violating party.