On June 18, 2023, Texas Governor Greg Abbott signed H.B. 4, otherwise known as the Texas Data Privacy and Security Act (TDPSA). Following substantive legislative action in Tennessee, Montana, and Indiana, Texas now becomes the tenth state to enact a comprehensive state privacy law. These regulations will become effective on July 1, 2024, a mere one year after enactment.
Although its principles resemble those of its predecessors in California, Virginia, Colorado, and Connecticut, the TDPSA contains a number of unique elements that reach a broad range of businesses, many of which would otherwise be exempt from the stringent requirements of states such as Virginia and California.
Applicability
Unlike most other state general privacy laws (such as California, Virginia, or Colorado), the TDPSA does not contain any monetary or volume thresholds for applicability and will therefore cover a much wider range of businesses. Subject to the exceptions described below, the TDPSA is applicable to all businesses that meet ALL of the following criteria:
- Conducts business in Texas or generates products or services consumed by Texas residents
- Processes or engages in the sale of personal data
- Is not a small business as defined by the U.S. Small Business Administration (small businesses have a limited set of requirements described below)
In addition, like many other state laws, the TDPSA has both entity and information exclusions. The entity exclusions include state agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules, non-profit entities, institutions of higher education, and electric utilities, power generation companies, and retail electric providers as defined under Texas law.
Like the general privacy laws in states such as California and Virginia, the TDPSA also excludes certain types of information from its scope. These include: protected health information under HIPAA, health records (as defined in the statute), patient identifying information, certain identifiable private information related to clinical trials, consumer report information under the Fair Credit Reporting Act, information governed by the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, or the Farm Credit Act, and employment information.
Consumer Rights
Much like the general privacy legislation in other states and subject to common limitations, Texas provides its residents with the following rights upon verification of the consumer’s identity:
- Right to Delete. Consumers have the right to have personal data provided by, or obtained about, the consumer deleted.
- Right to Data Portability. Consumers can get a copy of their personal data in a portable and readily usable format (to the extent technically feasible) so that the consumer can transmit the data to a third party.
- Right to Opt-Out. Consumers have the right to opt-out of the following uses of their personal information:
  - Selling their personal data (which is defined as both for monetary and other valuable considerations)
  - Processing of their personal data for the purposes of targeted advertising
  - Use for automated decision making that produces a legal or other similar effect on the consumer.
- Right to Access. Consumers will have the right to confirm if the controller is processing personal information about that consumer and gain access to that personal data, unless the confirmation would reveal a trade secret of the controller.
- Right to Correct. Consumers have the right to correct incorrect personal data.
Under the TDPSA, controllers must provide at least two methods for submitting requests. The TDPSA also allows authorized agents to opt-out of the sale of a consumer’s personal information or its use for targeted advertising, but the authorized agent is not permitted to exercise the other consumer rights. Controllers are required to respond to consumer requests without undue delay, but in any event no later than 45 days after receipt of the request. This may be extended for an additional 45 days when necessary. Controllers are also required to provide consumers with a method to appeal refusals to comply with requests to exercise these rights.
Obligations
Further, the TDPSA also requires that controllers comply with the following key obligations when processing personal data:
- Data Minimization. Controllers are required to limit the collection of personal data to only what is adequate, relevant, and reasonably necessary for the disclosed purposes for which the data is processed.
- Data Security. The TDPSA requires that controllers establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These measures must be appropriate for the volume and nature of the personal data the controller processes.
- Nondiscrimination. Controllers are not permitted to deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods or services to the consumer because the consumer decided to exercise any of their rights.
- Use Limitation. Unless an exception applies (such as consent from the consumer), controllers generally must limit the use of personal data to the purposes for which it was collected, and not process it for any purposes that are not reasonably necessary or compatible with the disclosed purposes.
- Consent for Processing “Sensitive Data.” Controllers are prohibited from processing “sensitive data” without consent of the consumer. Sensitive data includes data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship, or immigration status. Sensitive data also includes genetic or biometric data processed for the purpose of uniquely identifying the individual, personal data obtained from a consumer known to be a child, and precise geolocation data within a radius of 1,750 feet. Controllers must also provide an effective mechanism for consumers to revoke their consent that must be as easy as the method to obtain consent and must comply with any revocation of consent as soon as practical, no more than 15 days after receipt.
Privacy Notice
Like some of the other state privacy laws, the TDPSA will require that controllers provide a reasonably accessible and clear privacy notice to consumers. The privacy notice must include:
- The categories of personal data processed by the controller. However, unlike California, the categories of personal data are not defined under the TDPSA.
- The purposes of processing
- Information on how consumers can exercise their rights under the TDPSA, and how the consumer can appeal refusals to comply with a request
- The categories of personal data shared with third parties and the categories of third parties with whom the personal data is shared
- Any sale of personal data to third parties or use of personal data for targeted advertising, together with information on how the consumer can opt-out of such use
- If a controller sells personal data that is sensitive data, it must include a notice that says “NOTICE: We may sell your sensitive data,” and if it sells biometric data, it must include a notice that says “NOTICE: We may sell your biometric personal data.” Each of these notices must be in the same location and manner described for the original notice. These notice requirements are unique to Texas, which requires explicit notices for the sale of sensitive or biometric information. Businesses will want to make sure that current notices are updated to include these notices for the sale of sensitive or biometric data where applicable.
Data Protection Assessments
Controllers must conduct a data protection assessment for each processing activity that has characteristics such as: heightened risk of harm to consumers, processing of personal data for the purpose of targeted advertising, selling personal data, processing for the purpose of profiling (where the profiling presents a reasonably foreseeable risk of substantial injury to the consumer), and processing of any sensitive data.
Data Protection Agreements
The TDPSA will also require that controllers enter into a data processing agreement (DPA) with each processor that processes personal information on behalf of the controller, specifying each party’s rights, obligations, and limitations regarding the processor's use of the personal information. The DPA must include clear instructions for processing the personal data, the nature and purpose of the processing, the categories of data subjects, the rights and responsibilities of the processor and controller, and the duration of the processing.
Enforcement
Texas does not provide for a private right of action. The Texas Attorney General is solely responsible for enforcement and can bring an enforcement action after a 30-day cure period. In addition, the Attorney General must establish an online process for receiving complaints from consumers. Statutory fines are up to US$7,500 for each violation, and the cure provisions also require that alleged offenders provide tangible evidence of how the issue was remedied to ensure that the violations do not reoccur.
Impact to Businesses
The TDPSA provides Texas consumers with additional rights that closely mirror the laws enacted in California, Virginia, Connecticut, and Indiana. Businesses that may not have been in scope under other state privacy laws should be mindful of the relatively low bar for being in scope under the TDPSA. As the TDPSA takes effect next year, businesses will have to work fast to familiarize themselves with the regulations.