Texas, long lauded as one of the most “business-friendly” states, has passed a comprehensive privacy law that will bring new regulations to consumer personal data. The new Texas Data Privacy and Security Act (“TDPSA”), H.B. 4, was passed by the State Senate on May 10, 2023, was signed by Governor Greg Abbott on June 18, 2023, and will take effect on July 1, 2024.
The TDPSA is a comprehensive privacy law that was largely modeled on Virginia’s Consumer Data Protection Act (“VCDPA”), which went into effect on January 1, 2023. Similar to VCDPA and other state privacy laws, the TDPSA aims to establish a comprehensive framework for the interaction between consumers and businesses regarding the privacy and security of personal data, with the goal of maximizing consumer rights’ effectiveness.[1] Although one of the goals of the TDPSA is to maximize interoperability with other state privacy laws, there are key differences in definitions, provisions, and exemptions that place the Lone Star State’s new law in a category of its own.
Scope and Applicability
Unlike other U.S. state privacy laws that use business revenue and/or the volume of data the business processes to determine applicability, the TDPSA applies broadly to any business that (1) conducts business in Texas or produces a product or service consumed by Texas residents; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration,[2] unless it sells sensitive data.
- Entity-Level Exemptions
The TDPSA exempts the following at the entity level: (1) state agencies and political subdivisions; (2) financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”); (3) covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”); (4) nonprofit organizations; (5) institutions of higher education; and (6) electric utilities, power generation companies, and retail electric providers.[3] The exemption of business associates is an interesting twist. They encompass a range of entities, from professional services firms to cloud service providers.
- Data-Level Exemptions
Additionally, the TDPSA exempts the following at the data level: (1) Protected Health Information under HIPAA; (2) Health Records; (3) patient-identifying information for purposes of 42 USC §290dd-2;[4] information for the purposes of research, health improvement, patient safety, as well as information derived from deidentified health care-related information;[5] (4) personal data subject to the Fair Credit Reporting Act (“FCRA”); (5) personal data subject to the Driver’s Privacy Protection Act (“DPPA”); (6) personal data subject to the Family Educational Rights and Privacy Act (“FERPA”); (7) personal data subject to the Farm Credit Act (“FCA”); (8) personal data in the employment context, including data related to job applications and benefits; (13) emergency contact information; and (14) personal data in the course of pure personal or household activity.
Key Definitions and Differences from Other U.S. State Privacy Laws
The TDPSA is based on VCDPA but departs from it in several key provisions, as we note below:
1. Personal Data – The TDPSA defines “personal data” as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” “Pseudonymous data” is data that is “used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” The TDPSA’s definition of “personal data” (similar to those of the privacy laws in Virginia, California, Colorado, Connecticut, and Utah) excludes “deidentified data or publicly available information.” Thus, businesses must carefully consider whether information is “deidentified” or merely “pseudonymous” as they work through whether that information is covered by the TDPSA.
This makes Texas the first U.S. state to include pseudonymous data in the definition of “personal data,” which is similar only to the definition of “personal data” in the European Union’s data privacy law, the General Data Protection Regulation (“GDPR”).
2. Definition of “Sale” – The TDPSA defines “sale” broadly, similarly to privacy laws in California, Colorado, and Connecticut, as “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by a controller to a third party” (emphasis added). This departs from VCDPA’s definition, which is limited to “the exchange of personal data for monetary consideration by a controller to a third party.”
3. Sensitive Data and Privacy Notice for Sale of Sensitive Data and Biometric Data – “Sensitive data” is a category of personal data in the TDPSA that includes (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; and (4) precise geolocation data (which is not included in Colorado).
Lastly, the TDPSA specifically requires a controller that sells sensitive or biometric data to include the following notices verbatim:
“NOTICE: We may sell your sensitive personal data.”
“NOTICE: We may sell your biometric personal data.”
(emphasis added).
4. Processing Data of a “Known Child” – The TDPSA considers personal data collected from a known child as sensitive data and has specifically stated that any processing of a known child’s sensitive data must comply with the requirements of the Children’s Online Privacy Protection Act (“COPPA”), which is designed to protect children under the age of 13.[6] Thus, the TDPSA considers a controller in compliance if the controller complies with the verifiable parent consent requirement under COPPA.
Similar to VCDPA, the TDPSA defines “child” as an individual younger than 13 years old. Additionally, similar to VCDPA, the TDPSA uses the term “known child” instead of just plain “child” when describing the rights and responsibilities to a child under the law. However, the TDPSA is the first U.S. privacy law to actually define a “Known Child,” which is a “child under circumstances where a controller has actual knowledge of, or willfully disregards, the child’s age” (emphasis added). By defining “Known Child,” the TDPSA may have just reiterated that businesses have an affirmative responsibility when processing children’s data – in other words, businesses must put processes and procedures in place for circumstances and situations where children’s data may be exposed to data processing.
Businesses should assess compliance not only with COPPA and other state privacy laws but also with specific privacy laws for children, including those specified in the California Age-Appropriate Design Code Act (“CAADCA”).[7]
5. Data Subject Rights – Similar to other state privacy laws, the TDPSA includes five basic consumer rights: (i) Right to Access, (ii) Right to Correct, (iii) Right to Delete, (iv) Portability, and (v) Right to Opt Out (of targeted advertising, sale of personal data, and/or profiling). In addition, the TDPSA also gives consumers the Right to Appeal a controller’s decision regarding a consumer’s request.
6. Profiling – The TDPSA defines profiling as “any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements” (emphasis added). This definition is similar to VCDPA but for the word “solely.”
The addition of “solely” presumably clarifies that profiling is limited to 100% automated processing and that any process that incorporates human intervention may not be considered “profiling” for purposes of extending the right to opt out of profiling to consumers.
7. Prior Consent Requirement Extends to Small Businesses – As discussed above, small businesses are not subject to the TDPSA. This makes Texas the first U.S. state to include the small business exception in state privacy law.
However, if the small business is selling consumer sensitive data, the small business is subject to the TDPSA but only to the extent that it is required to obtain prior consent before selling consumer sensitive data.
Practical Implications
Texas is now the 10th state[8] to have passed a comprehensive privacy law, and it certainly will not be the last. At least 20 states are introducing similar privacy bills in their legislature right now.[9] Given the emphasis on privacy at the regulator level, it is wise for businesses to revisit or double down on their compliance efforts. Companies doing business in the Lone Star State may need to revisit their privacy compliance (or lack thereof) and determine whether to create a compliance program for the second-most populous state or finally take a comprehensive approach to the privacy of U.S. consumers.
For businesses looking to start, some key efforts will help them comply with not only the TDPSA but other state privacy laws as well:
- Understand Applicability – Determine whether your business falls under the scope of the TDPSA. As mentioned above, the TDPSA applies broadly compared to other U.S. state privacy laws that use business revenue and/or the volume of data the business processes to determine applicability.
- Data Inventory – Conduct a comprehensive data inventory to identify what personal data your business collects, processes, and shares. This includes customer data, employee data, and data collected from third parties.
- Notice Requirements – Provide or revise your privacy notices. These privacy notices must be clear and easily accessible and include all the requirements under the TDPSA. If you already have privacy notices that aim to comply with privacy laws in California and Virginia, ascertain the commonalities and differences with the TDPSA for compliance.
- Consumer Privacy Rights – Implement or revise procedures to address individual consumer rights granted by the TDPSA. If processes and procedures are already in place, ascertain whether these mechanisms are in compliance with the TDPSA, specifically with regard to verifying and responding to consumer requests within the specified timelines.
- Consent and Opt-Out Mechanisms – Implement or revise procedures to address consent and right to opt out of certain processing of personal data. This includes obtaining opt-in consent for processing sensitive personal data, and creating mechanisms to honor a consumer’s request to opt out of targeted advertising, sale of personal data, and profiling.
- Vendor Management – Review your relationships with third-party vendors and service providers to ensure they are contractually obligated to comply with the TDPSA requirements and adequately protect personal data. Consider conducting due diligence on their privacy practices.
- Employee Training – Provide or update the business’s comprehensive training to employees on the requirements of the TDPSA, including data handling procedures, individual consumer rights, and incident response protocols. Foster a culture of privacy within your organization.
- Data Minimization – Review and assess your data collection practices, ensuring that you only collect and retain the minimum necessary personal information for the intended purposes. Minimize the data shared with third parties to mitigate risks.
- Data Protection Assessments – Conduct regular and comprehensive data protection assessments to evaluate compliance with applicable privacy laws and regulations. These assessments serve as a proactive measure to identify and mitigate potential risks, safeguard sensitive information, and maintain the trust of your customers and stakeholders.
- Ongoing Compliance – Lastly, since the TDPSA will not be the last state privacy law that your business will need to comply with, establish processes to regularly review and update your privacy practices to adapt to evolving state privacy laws’ requirements and guidance. Consider retaining a subject matter expert, including outside counsel and consultants.
[1] Bill Analysis, C.S.H.B. 4, Author’s/Sponsor’s Statement of Intent. “H.B. 4 seeks to do so by enacting the Texas Data Privacy and Security Act, which aims to maximize both the utility of the rights provided to consumers and interoperability with other states to minimize compliance costs for businesses.”
[2] Small business as defined by the United States Small Business Administration (“U.S. SBA”), which is “an independent business having fewer than 500 employees.” However, there are industry-level definitions of small business used in government programs and contracting. (See U.S. SBA – Size Standards.)
[3] As defined by Utilities Code §31.002.
[4] “Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” (See 42 USC §290dd-2.)
[5] Identifiable private information for purposes of the federal policy for the protection of human subjects in research; Information and documents created for purposes of the Health Care Quality Improvement Act (“HCQIA”); Patient safety work product collected for purposes of the Patient Safety and Quality Improvement Act (“PSQIA”); and Information derived from any of the health care-related information that is deidentified in accordance with the requirements for deidentification under HIPAA.
[6] COPPA applies to operators of commercial websites and online services (including mobile apps and Internet of Things devices) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. (See “Complying with COPPA, FAQs,” Federal Trade Commission, June 6, 2023.)
[7] Note: The CAADCA defines “Child” as a consumer or consumers who are under 18 years of age.
[8] California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia state privacy laws. See IAPP State Privacy Legislation Tracker.
[9] Id.