On June 18, Texas enacted the Texas Data Privacy and Security Act (TDPSA), becoming the tenth U.S. state to enact a comprehensive consumer data privacy law. Businesses regulated by the TDPSA have until July 1, 2024 to come into compliance with the law.
This post discusses the important aspects of applicability (including some unique characteristics of the TDPSA versus other state consumer privacy laws) and enforcement, and also provides a high-level summary of the requirements for businesses that will be subject to the law.
Scope and applicability
The TDPSA takes a novel approach to defining the types of businesses subject to the law. By contrast, other state privacy laws typically apply only when businesses meet thresholds for gross annual revenue or process personal data about a certain number of state residents. These applicability requirements typically allow small businesses to fall outside of the scope of the privacy law.
Further, state privacy laws typically apply to businesses operating outside of the state only if they intentionally offer goods or services in that state.
The applicability analysis under the TDPSA differs from those under other state privacy laws in at least two ways. First, the TDPSA (with one limited exception) does not apply to “small businesses,” as that term is defined by the federal Small Business Administration (SBA). The definition of “small business” will change over time. Privacy experts with cheat sheets on revenue or data volume thresholds used by other privacy laws may need to enlist corporate law experts to advise the business on whether it is a “small business” under the TDPSA.
Second, the TDPSA likely applies to a larger swath of businesses than other state privacy laws because it may apply when a business “produces a product or service that is consumed by a Texas resident.” Analyzing the applicability of the TDPSA could look like a first-year civil procedure question examining personal jurisdiction. It seems possible that a business without any operations in Texas or any desire to do business in Texas could be regulated by the TDPSA if an individual takes a product from another state and uses it in Texas.
Similar to other comprehensive state privacy laws, the TDPSA provides exemptions depending on characteristics of the business or the data, including exemptions for nonprofits and businesses or data regulated by certain federal laws.
Enforcement
The law will be enforced exclusively by the Texas attorney general. The TDPSA does not provide for a private right of action. Violations could result in a monetary penalty not to exceed $7,500 per violation. Helpfully for businesses, the law provides a 30-day cure period after a notice of violation. Unlike other state privacy laws, the TDPSA requires a business, within the cure period, to submit a written response to the Texas attorney general documenting that the violation has been cured, that policies and procedures are in place to prevent recurrence, and that any consumer affected by the privacy violation was notified. Also unlike other state laws, the Texas attorney general is not required to issue regulations or rules to aid in the enforcement of the TDPSA.
Core compliance obligations
A high-level summary of many of the core TDPSA requirements is below. Businesses that control personal data as well as those that handle personal data for other businesses may have compliance obligations.
Privacy notice: According to the TDPSA, businesses that control personal data are required to post a publicly available privacy notice that describes the categories of personal data collected, the uses of the personal data, the categories of third parties to whom the personal data is sold or disclosed, consumers’ rights with respect to their personal data, and how consumers can exercise those rights, including the right to opt out of certain uses and disclosures. Businesses (including businesses that are “small businesses” as defined by the SBA) that sell sensitive personal data, including health and biometric data, may be required to include additional, specific disclosures.
Limitations on use of personal data: The TDPSA imposes several obligations applicable to the processing of personal data, including:
- Data minimization: Limit the processing of personal data to the specified purpose for which the personal data was collected.
- Secondary use restriction: Do not process personal data for a purpose that is neither “reasonably necessary” nor “compatible” with the disclosed purpose of collecting the personal data.
- Non-discrimination: Do not discriminate against consumers who exercise their rights, including by denying goods or services, providing different pricing for goods and services, or providing a different level of quality of goods and services to the consumer. However, the TDPSA permits legitimate rewards and loyalty programs.
Individual rights and requests: Under the TDPSA, Texas consumers have the right to submit requests to certain businesses related to their personal data to:
- Confirm whether the business is processing the consumer’s personal data.
- Access, correct, and delete personal data collected about the consumer.
- Receive electronic personal data held about the consumer in a portable, readily usable format.
- Opt out of certain processing, such as targeted advertising, the sale of their personal data to third parties, and profiling for decisions that have legal or similarly significant effects. Businesses may also be required to honor consumer opt-out requests through the use of an internet browser setting (such as the “Global Privacy Control” or “GPC Signal”) or other electronic method.
Contracts with vendors: Businesses are required to have certain contractual terms in place with vendors that will handle personal data, setting out clear processing instructions, the nature and purpose of processing, the types of individuals whose data is being processed, the duration of processing, and the rights and obligations of both parties.
Data protection assessments: Businesses may be required to conduct a written data protection assessment under the TDPSA when the business carries out any of the following: processing of personal data for the purpose of targeted advertising, the sale of personal data, profiling that presents substantial risk to consumers, processing of sensitive personal data, or processing activities that present a heightened risk of harm to consumers. Copies of the assessments must be provided to the Texas attorney general upon request.
Many businesses are now accustomed to state consumer privacy laws and should begin to add the unique elements of the Texas law into their privacy programs. As with the other state privacy laws, the TDPSA has its own unique features that should be carefully reviewed before adjusting existing privacy policies and procedures. Businesses that have determined they were not required to comply with other state consumer privacy laws could be pulled within the scope of the TDPSA given its unique applicability test. Therefore, any for-profit business that may have goods or services that are used in Texas should consider whether the TDPSA applies.
Client Alert 2023-136