Texas Passes Comprehensive Data Privacy Law
On June 18, 2023, Texas passed the Texas Data Privacy and Security Act (TDPSA), joining the growing number of U.S. states with comprehensive data privacy laws. The law will be effective starting July 1, 2024, with the provision allowing consumer-designated agents to submit requests becoming active on January 1, 2025. While the TDPSA stands out among state privacy laws, it incorporates aspects from Virginia’s Consumer Data Protection Act (VCDPA) and California’s Consumer Privacy Act (CCPA) as modified by the California Privacy Rights Act (CPRA).
Key Provisions:
- Very Broad Scope: Unlike other states that use revenue thresholds and data volume to determine applicability, the TDPSA applies to nearly anyone conducting business in Texas or providing products or services to Texans, if they process or sell personal data.
- Expanded Definition of Personal Data: Uniquely, the TDPSA includes pseudonymous data in its definition of personal data where, combined with other information, it can be reasonably linked to an identified or identifiable individual.
- Prohibition of Dark Patterns: Similar to privacy laws in California, Connecticut, and Colorado, the TDPSA bans the use of dark patterns, which are user interfaces designed to manipulate users and undermine their autonomy.
- Exemptions for Small Businesses: Small businesses are mostly exempt from the TDPSA, except if they sell sensitive data, in which case they must obtain consumer consent beforehand.
- Specific Privacy Policy Disclosure: Controllers that sell biometric or sensitive data are required to include specific, verbatim disclosures in their privacy notices.
- Data Protection Assessments (DPAs): The law mandates that controllers conduct DPAs for certain processing activities, outlining factors to balance the benefits and risks of the activity.
Who Must Comply with the TDPSA?
Similar to other state laws and the EU’s General Data Protection Regulation (GDPR), the TDPSA applies to "controllers" who decide the purpose and means of processing personal data, and "processors" who handle data on behalf of the controller. The TDPSA is notably broad, covering any entity that:
- Conducts business in Texas or offers a product or service used by Texas residents.
- Processes or sells personal data.
- Is not classified as a small business by the United States Small Business Administration.
What Are the Notable Exemptions?
The TDPSA includes several data-level exemptions typical of such laws, including:
- Protected health information under the Health Insurance Portability and Accountability Act (HIPAA).
- Health records.
- Certain patient-identifying information and other data for research, health improvement, or patient safety purposes.
- Personal data covered by the Fair Credit Reporting Act (FCRA).
- Data regulated by the Family Educational Rights and Privacy Act (FERPA).
- Data subject to the Gramm-Leach-Bliley Act (GLBA).
- Data processed or maintained as emergency contact information.
Additionally, the law exempts personal data used in employment contexts, such as job applications and benefits.
The TDPSA also provides entity-level exemptions for:
- Nonprofits.
- State agencies and political subdivisions.
- Financial institutions regulated by the GLBA.
- Covered entities and business associates under HIPAA.
- Institutions of higher education.
Furthermore, the TDPSA specifically exempts electric utilities, power generation companies, and retail electric providers.
What Is ‘Personal Data’ Under the TDPSA?
Texas has adopted a distinctive approach to defining personal data, setting itself apart from other states with a more comprehensive definition. The TDPSA defines personal data as any information linked or reasonably linkable to an identified or identifiable individual, including sensitive data. This includes pseudonymous data when it is used by a controller or processor along with other information that reasonably links it to an identified or identifiable individual. This broader definition aligns with the GDPR’s standards. However, certain consumer rights and controller duties do not apply to pseudonymous data if the controller can demonstrate that any identifying information is kept separately and is subject to effective technical and organizational controls preventing access.
What Rights Does the TDPSA Vest in Consumers?
The TDPSA provides Texas residents, acting in an individual or household context ("consumers"), with specific rights regarding their personal data. Consumers can submit verified requests to a controller to:
- Confirm if the controller is processing their personal data and gain access to it.
- Correct inaccuracies in their personal data.
- Delete personal data provided by or obtained about them.
- Obtain a copy of their personal data previously provided to the controller (data portability).
- Opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling.
What Obligations Do Controllers and Processors Have?
The TDPSA outlines requirements for controllers and processors, similar to other state privacy laws but with some unique elements.
Controller Requirements:
- Data Minimization: Controllers must limit personal data collection to what is relevant and reasonably necessary for the purposes disclosed to the consumer.
- Data Security: Controllers must implement and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality and integrity of personal data.
- Nondiscrimination: Controllers must not process personal data in violation of state or federal laws prohibiting unlawful discrimination and cannot discriminate against consumers who exercise their rights under the TDPSA.
- Sensitive Data: Controllers must obtain a consumer’s opt-in consent before processing sensitive data, which includes:
  - Data on racial or ethnic origin, religious beliefs, health diagnoses, sexuality, or citizenship/immigration status.
  - Genetic or biometric data used to uniquely identify an individual.
  - Personal data collected from a known child (under 13 years old).
  - Precise geolocation data.
- The TDPSA requires compliance with the Children’s Online Privacy Protection Act (COPPA) for processing sensitive data from a known child, defined as a child whose age the controller knows or willfully disregards. Small businesses, although largely exempt, must still obtain consent before selling sensitive data.
- Privacy Notice: Controllers must provide a clear privacy notice that includes:
  - Categories of personal data to be processed, including sensitive data.
  - Purpose of processing.
  - Methods for consumers to exercise their rights and appeal refusals.
  - Categories of data shared with third parties.
  - Categories of third parties with whom data is shared.
  - At least two methods for consumers to submit requests.
- Unlike most state laws, the TDPSA requires specific disclosures if controllers sell sensitive data: “NOTICE: We may sell your sensitive personal data,” or biometric data: “NOTICE: We may sell your biometric personal data.”
Data Protection Assessments (DPAs): Similar to the laws in Virginia, California, and Colorado, the TDPSA mandates that controllers perform and document DPAs for specific processing activities. These activities include any processing that could pose a heightened risk of harm to consumers, such as:
- Processing for targeted advertising.
- Selling personal data.
- Processing for certain types of profiling.
- Processing sensitive data.
Processor Requirements: Processors must adhere to the instructions of controllers and assist them in fulfilling their obligations, which include:
- Responding to consumer rights requests.
- Ensuring data security and providing breach notifications.
- Conducting and documenting data protection assessments.
Similar to other state laws, the TDPSA requires a contract to define the controller-processor relationship. This contract must clearly outline instructions for data processing, the nature and duration of processing, the type of data being processed, and the rights and obligations of both parties.
Who Enforces the Law?
The TDPSA grants exclusive enforcement authority to the Texas Attorney General (AG). The AG can issue civil investigative demands and request relevant DPAs from controllers. The law provides a 30-day cure period for violations, and that cure provision does not sunset. If violations are not cured, the AG can impose civil penalties of up to $7,500 per violation. The law also requires the AG to provide information about the rights and responsibilities of controllers, processors, and consumers on the AG’s website, as well as an online portal for submitting complaints.
With Texas joining the ranks of states with comprehensive privacy laws, and the trend of state privacy legislation gaining momentum, businesses should prepare for increased regulatory scrutiny. Even companies that have been aligning their data practices with other U.S. or EU privacy laws need to carefully consider the broad applicability and unique aspects of the Texas law to ensure compliance by the July 1, 2024, effective date.