Intent of Texas’ New Privacy Law

As of June 2024, seventeen (17) states have passed privacy laws that are either currently effective or will become effective by January 1, 2025, inclusive of TSDPA, which becomes enforceable July 1, 2024. It is a comprehensive privacy law that regulates how businesses and individuals engage in the collection, use, processing, sale and sharing of Texan’s personal data. The Act also directs businesses to comply with consumer data subject requests, conduct regular data protection assessments, provide privacy notices to consumers, and have a contractual relationship in place with their third-party data processors. To understand better the specific mandates outlined in the TDPSA, Gray Reed Advisory has published two prior blogs in a series that delve into the requirements and how to implement some of them. Click here for Part 1 and here for Part 2.

Determining TDPSA’s Applicable

Unlike the California Consumer Privacy Act (CCPA), TDPSA does not have qualifying thresholds for when TDPSA is applicable. This means that it has no minimum revenue or number of consumers served for when business must comply with the law. As mentioned above, TDPSA applies to entities whose business models engage with personal data of Texas consumers. In this context, consumer personal data includes, but is not limited to, the following types:

Examples of when TDPSA is Applicable

There are myriad scenarios of when TDPSA is applicable to a company, presuming the prior criteria apply, but the following are illustrative examples for context:

• A company uses cookies or other tracking technologies to collect data on Texas residents visiting its website such as their IP addresses, device identifiers, website uses, and data regarding network-connected hardware (e.g., computers, mobile devices).

• A company’s website enables users to enter their personal data to receive more information about the company’s services or products.

• A professional services firm that provides services to individuals and collects personal client data.

• A manufacturer of consumer goods that collects personal data through online registrations and shares the personal data of registrants from that list (versus selling it) with a non- affiliate who then provides discounts to the manufacturer for sharing its consumer list.

Data Exclusions and Entity Exemptions

TDPSA provides exclusions for types of data in which compliance of the law does not apply such as data collected, used, or processed for employment purposes such as personal data related to potential, existing, and past employees. Business-related data is also excluded from compliance when used in the course of communications or for business activities such as business contact names and their office phone numbers, business postal addresses, and business email addresses; generally, it is data that is publicly available or business data that is not classified as confidential, restricted, or private.

Additionally, there are exemptions from the law for certain types of organizations called out in the law:

• A state agency or political subdivision of Texas;

• Financial institutions or whereby data is subject to the Gramm-Leach Bliley Act (GLBA);

• Entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH);

• Non-profit organizations; Institutions of higher education; or

• Electric utilities, power generation companies and retail electric providers.

However, if an exempt entity processes or engages in the sale of consumer personal data, then TDPSA may become applicable. To ascertain if an organization’s exempt-status has changed, companies are encouraged to engage with in-house (or outside) counsel to help validate assumptions and perform additional due diligence when making a determination.

How TDPSA Defines the Sale of Personal Data

The “sale of personal data” means the sharing, disclosing, or transferring of personal data for monetary – or for some other value or benefit – to the controller, which is an individual or company that determines the purpose and means of processing personal data to a third party.

However, the term does not include the disclosure of personal data with third parties for business purposes. This includes:

• The disclosure of personal data to a processor that processes the personal data on the controller's behalf;

• The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

• The disclosure or transfer of personal data to an affiliate of the controller;

• The disclosure of information that the consumer:

• The disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

To further demystify the concept of selling personal data – even when there is no exchange of currency – below are some examples that may resonate with your own business processes:

• A retail conglomerate has a membership program in which personal data is collected. The information collected is shared with an insurance company that is wholly owned by the retail conglomerate. The insurance company advertises directly to the member, resulting in the member purchasing insurance coverage.

• A residential builder sells homes and shares the homebuyer’s information with a homeowner’s warranty company and receives money for sharing the information.

• A non-profit rescues animals and receives donations. Upon obtaining the donator’s personal information, it is provided to third parties that directly advertise pet related products. If purchases are made at the third-party store, the non-profit receives kickbacks in the form of pet products (e.g., blankets, dog food).

Enforcement and Penalties for Non-Compliance

The Texas Attorney General (AG) will post on their website an online mechanism through which a consumer may submit a complaint under this law. If the AG has reasonable cause to believe that a person has engaged in or is engaging in a violation of this law, the AG may issue a civil investigative demand. Businesses and individuals who violate the TDPSA following the cure (up to a 30-days) to remediate non-compliance, or who breach a written statement provided to the AG, are liable to a civil penalty that shall not exceed $7,500 for each violation.

The exercise of drafting or updating policies, establishing news procedures to activate the policies, and implementing a compliance roadmap to comply with the new law and mitigate potential risks can seem overwhelming or deemed cost-prohibitive. However, with the right strategic approach and correct methodologies, it doesn’t have to be. It simply requires access to the appropriate subject matter expert with the relevant years of experience to guide a company thoughtfully and economically through the process.