Texas has joined the growing list of states enacting comprehensive consumer data privacy laws. On June 18, 2023, Governor Abbott (R) signed H.B.4, otherwise known as the Texas Data Privacy and Security Act (“TDPSA”). The TDPSA is another close cousin of the business-friendly Virginia statute, though Texas takes a different approach with applicability thresholds and gets tougher with regards to high-risk processing activities and consent requirements for using sensitive data. The compliance patchwork continues...
Just a few weeks before the TDPSA became law, the state also tightened the screws on its data breach notification requirements in order to require covered entities to report data breaches to the Texas Attorney General within 30 days (rather than 60 days) of discovering a breach. The amendment to Texas' data breach notification law (Tex. Bus. & Com. Code Ann. §§ 521.002 and 521.053) takes effect on September 1, 2023 and will also require that reporters of breaches use an electronic form available on the AG’s website. Look out on the blog later this month for a new release of our Mintz Matrix summarizing these and other developments affecting data breach notification requirements across the country.
As to the TDPSA, the following are some of the key elements:
The TDPSA does away with applicability thresholds based on revenue or on the volume of data collected from in-state residents. Instead, the TDPSA applies to persons that (i) conduct business in Texas or produce products or services that are consumed by Texas residents, (ii) process or engage in the sale of personal data and (iii) do not qualify as a small business as defined by the United States Small Business Administration.
Texas and its lawmakers seem to be saying let’s keep it simple, largely exempt small businesses, and focus regulation (and presumably enforcement) on those engaged in the sale of personal data.
There are several exemptions in the TDPSA beyond the qualified carve-out for small businesses as defined by the SBA. For example, the TDPSA does not apply to a Texas state agency or political subdivision, nonprofits, higher educational institutions, financial institutions or non-public personal information subject to the federal GLBA, or entities, business associates, and protected health information covered by HIPAA.
The TDPSA also does not apply to personal information collected under a range of sectoral statutes, including information governed by the Fair Credit Reporting Act, Health Care Quality Improvement Act, Patient Safety and Quality Improvement Act, Driver's Privacy Protection Act, Family Educational Rights and Privacy Act and the Farm Credit Act. Other categories of data exempted from the TDPSA include:
- Employment-related data (but note that, in the context of hiring, controllers must honor any opt-out request from a consumer concerning profiling activities used for the purpose of making a decision concerning employment opportunities);
- Emergency contact information; and
- Identifiable private information used for human research purposes under prescribed guidelines.
Consumers have the following rights under the TDPSA:
- Right to confirm whether or not their personal data is processed;
- Right to access their personal data;
- Right to correct inaccuracies in their personal data;
- Right to deletion of their personal data;
- Right to obtain a copy of their personal data if it is available in a digital format;
- Right to portability of their personal data; and
- Right to opt-out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Consumers are entitled to access their rights with respect to a broad range of data because the TDPSA uses a generous definition of personal data: “any information, including pseudonymous data and sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.” Similarly, the statute’s definition of “sale of personal data” is likely to capture many types of commercial activities involving exchanges of personal data. Texas expands the scope of covered activities further than other states like Virginia by going beyond “the exchange of personal data for monetary consideration” and making any “sharing, disclosing or transferring” of personal data for “monetary or other valuable consideration” subject to the definition. This reach may require controllers to take a closer look at certain relationships and contracts with third parties to determine if any ongoing activities may be construed as a sale of personal data under the Texas law.
Business Obligations (including an Opt In!)
Under the TDPSA, a controller must:
- Not process sensitive data concerning a consumer without obtaining the consumer's prior consent, or, in the case of the processing of sensitive data concerning a known child (meaning instances where a controller knows or willfully disregards that the child is under 13), process that data in accordance with the federal Children's Online Privacy Protection Act.
For purposes of the TDPSA, “sensitive data” includes (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, (ii) genetic or biometric data processed for identification purposes, (iii) personal data collected from a known child under 18, and (iv) precise geolocation data.
- Provide consumers with two methods of exercising consumer rights, including an online mechanism if the controller maintains a website (this requirement does not take effect until January 1, 2025).
- Respond to consumer requests under the TDPSA within 45 days of receipt of the consumer’s request (which may be extended once for an additional 45 days when reasonably necessary, as long as the business informs the consumer of the extension and the reason for the extension).
- If the business declines to take action on the consumer’s request, inform the consumer within 45 days of receipt of the consumer’s request of the justification for declining to take action and provide instructions on how to appeal the decision.
- Provide required information to consumers free of charge, up to twice per year.
Notices and Opt-Outs for Consumers
- Covered entities must conspicuously disclose in a privacy notice any sale of personal data or processing of personal data for targeted advertising (and how to opt-out of such disclosure or processing).
Other Business Obligations
- Conduct and document data protection impact assessments when engaging in targeted advertising, selling personal data, processing sensitive data, processing personal data for many profiling activities, and conducting any processing that presents a heightened risk to consumers. Assessments must be provided to the Attorney General upon a civil investigative demand.
- Honor data minimization principles: limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
- Implement and maintain reasonable administrative, technical and physical data security practices that take into account volume and nature of personal data the business is processing.
- Process personal data only for disclosed purposes, or purposes compatible with such disclosures unless the business obtains the consumer’s consent.
- Ensure the processing of personal data does not violate state and federal laws that prohibit unlawful discrimination against consumers.
- Not discriminate against a consumer for exercising any consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to consumers.
Impacts on Vendors/Data Processors
Vendors that process data for controllers have direct obligations under the TDPSA, such as adhering to instructions from data controllers and assisting data controllers in meeting their own compliance obligations and duties. These obligations can include assisting the controller in responding to consumer rights requests, assisting with data protection assessments and assisting the controller with notification of a breach of security.
The TDPSA also contains specific requirements that must be included in data processing agreements between data controllers and data processors. These contractual requirements track closely with the statutory guidelines in other states like Connecticut and Virginia (and states using them as models), so the Texas law should not require novel revisions to existing contracts that have already been calibrated to similar requirements being rolled out across the country (setting aside California, where there are some different and more prescriptive requirements for an agreement between a covered business and its contractors).
Private Right of Action
Like other consumer data privacy laws outside of California, the TDPSA does not provide for a private right of action and instead grants exclusive enforcement and investigative authority to the Texas Attorney General.
Fines and Penalties Under the TDPSA
If a violation is not cured within 30 days (the cure period is a permanent feature of the Texas law, in contrast to a state like Montana that decided to sunset the cure period 18 months after the law takes effect), the violating business could face civil penalties of up to $7,500 per violation and/or injunctive relief restraining the business from further violations of the TDPSA. Additionally, the Attorney General may recover reasonable attorney’s fees and other expenses incurred during the investigation and case preparation.
Effective Date for the TDPSA: March 1, 2024.