With the onslaught of state privacy laws passed earlier this spring and summer, the Texas Data Privacy and Security Act (the “TDPSA”) signed into law on June 18, 2023, may not have received its due. Although largely following the template set in other states, the Texas law is unique among the non-California comprehensive privacy laws in tying its scoping criteria to the size of a business rather than to a threshold number of data subjects whose information a business processes annually—typically 100,000 state residents. The company must also (1) conduct business in Texas or produce a product or service consumed in the state and (2) process or “sell” personal data (more on the definition of “sell” below, which would include many disclosures made through online advertising). As a result, many mid-market businesses that process smaller amounts of data (falling under the 100,000-resident threshold applicable in many states) could still be required to comply.
Texas is currently one of 12 states to have enacted a comprehensive consumer data privacy law, joining California, Colorado, Connecticut, Delaware, Iowa, Indiana, Montana, Oregon, Tennessee, Utah, and Virginia. The TDPSA is set to take effect on July 1, 2024, except for the global opt-out technology provisions, which will take effect on January 1, 2025.
Other special features of the Texas law include the following:
- “Sensitive data” is defined to include data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to identify an individual; personal data collected from a known child; or precise geolocation data.
- Businesses must respond to opt-out preference signals like Global Privacy Control, but only if they have “the ability to process the request” or “process[es] similar or identical requests” to comply with other state privacy laws.
- Small businesses, like every other business subject to the statute, must obtain consent before “selling” sensitive personal data. Medium- and large-sized businesses subject to the law must additionally obtain consent before any processing of sensitive personal data, a requirement consistent with many other state laws.
- “Pseudonymized” or key-coded data are expressly considered “personal data” but only when used “in conjunction with additional information that reasonably links the data to an identified or identifiable individual.”
Applicability and Scope
As noted, the TDPSA has a unique approach to its scope, applying to for-profit entities that (1) conduct business in the state or produce a product or service consumed by residents of the state; (2) process or engage in the “sale” of personal data; and (3) are not a “small business” as defined by the U.S. Small Business Administration, which is determined through a combination of factors such as industry, annual revenue, and number of employees. Because the TDPSA uses the broad definition of “sale” also used in the California Consumer Privacy Act—i.e., any sharing or making available of personal data for monetary or other valuable consideration—many disclosures of personal data that would not ordinarily be treated as “sales” according to the ordinary usage of the term might still meet the definition. In particular, businesses that are engaged in online advertising or that use website analytics tools may unwittingly engage in data “sales.”
Like other state privacy laws, however, the TDPSA contains important exemptions. Critically for many medium-sized businesses, the law does not apply to data collected in the context of employment or applications for employment or to information collected in a business-to-business capacity (i.e., from the employees of other businesses). The TDPSA also creates entity-level exemptions for nonprofits, government entities, higher educational institutions, electricity providers, and organizations subject to the Gramm–Leach–Bliley Act, including asset managers. Covered entities and business associates subject to the Health Insurance Portability and Accountability Act also qualify for entity-level exemptions.
Similar to other comprehensive state privacy laws, the TDPSA includes requirements around consumer rights, privacy notices, principles of processing like data minimization, sensitive personal data, and data protection assessments.
Consumer Rights
Consumers have a number of privacy rights under the TDPSA, including the following: (1) the right to know; (2) the right to correct; (3) the right to delete; (4) the right to data portability; and (5) the right to opt out of targeted advertising, the sale of personal data, and profiling. Regulated entities must respond to consumer requests within 45 days of receipt, with a possible 45-day extension when reasonably necessary and with notice to the consumer.
Principles of Processing, Notice, and Sensitive Personal Data
Regulated businesses must comply with data minimization and processing limitations, comply with anti-discrimination laws, and maintain reasonable administrative, technical, and physical data security practices. Like other states’ laws, the TDPSA also requires regulated businesses to provide consumers with a reasonably accessible and clear privacy notice. Businesses must obtain consumer consent before processing sensitive personal data, including biometric data. As noted, even “small businesses” must obtain consent prior to the “sale” of sensitive data. Many businesses may inadvertently disclose data collected on a website through pixels and similar tracking technologies in ways that can be viewed as “sales.” Depending on what is collected through web forms, that data could include sensitive data (for example, where the processing involves a known child), so even small businesses should be mindful of this requirement.
Data Protection Assessments
Under the TDPSA, businesses that process personal data must conduct and document data protection assessments for certain processing activities such as the following: targeted advertising, profiling, the sale of personal data, the processing of sensitive data, or any processing activities involving personal data that present a heightened risk of harm.
Enforcement
The TDPSA does not provide a private right of action for individuals. The state attorney general alone has the power to enforce the law. Businesses have a 30-day cure period to remedy any violations and must provide evidence of the cure and a written statement that no further violations will occur. Failure to cure can result in a civil penalty of up to $7,500 per violation.
Though Texas is not the first state to pass a comprehensive data privacy law, its unique approach to scope may require some businesses to comply that otherwise fall outside the thresholds or requirements of other privacy laws. Businesses, especially those with operations in Texas, are encouraged to assess their compliance programs and implement appropriate controls around their collection and use of personal data. Ropes & Gray will continue to track developments in this area.