The Texas Data Privacy Law: An Overview
On June 18, 2023, Texas became the eleventh state in the U.S. to enact comprehensive data privacy legislation when Texas Governor Greg Abbott signed HB 4, the Texas Data Privacy and Security Act (TXDPSA). The TXDPSA comes into effect on July 1, 2024. It joins other U.S. state data privacy laws that are either in effect or will soon come into force (together with the TXDPSA, the State Data Privacy Laws). This article summarizes key provisions of the TXDPSA.
Scope and Applicability
The TXDPSA applies to a person that
- conducts business in Texas or produces products or services that are consumed by Texas residents (which is likely broader than the "targeting" language seen in certain other State Data Privacy Laws)
- processes or engages in the sale of personal data
- is not a small business as defined by the United States Small Business Administration.
In contrast to most other State Data Privacy Laws, the TXDPSA does not expressly provide any data processing or revenue thresholds for applicability purposes.
However, the TXDPSA is similar to most other State Data Privacy Laws with respect to certain exclusions and exemptions. For example, the TXDPSA only applies to personal data collected from "an individual who is a resident of [the] state" and, like most State Data Privacy Laws other than the California Consumer Privacy Act and California Privacy Rights Act, expressly excludes personal data collected or processed from individuals acting in an employment or commercial context (e.g., business-to-business activities). The TXDPSA also expressly does not apply to the processing of personal data by a person "in the course of a purely personal or household activity."
The TXDPSA also includes exemptions in line with most other State Data Privacy Laws, such as for state political subdivisions or entities, nonprofit organizations, institutions of higher education, and any information or data regulated by certain other privacy laws, including the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. Additionally, the TXDPSA contains a unique exemption for electric utility and power generation companies (as defined by the Texas Utilities Code).
Controller and Processor Regime
The TXDPSA, like certain other State Data Privacy Laws, follows the regulatory framework of the European Union's General Data Protection Regulation, which distinguishes the roles and responsibilities of controllers and processors. The TXDPSA defines a "controller" as an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data, and a "processor" as an individual who processes personal data on behalf of a controller.
The TXDPSA requires controllers to provide consumers with a reasonably accessible and clear privacy notice, which, among other things, discloses
- the categories of personal data processed by the controller and the purpose of such processing
- the categories of personal data the controller shares with third parties and the categories of those third parties
- how consumers may exercise their privacy rights, including the appeals process.
Controllers may only collect personal data that is "adequate, relevant, and reasonably necessary" for the purposes for which such personal data is processed. Controllers are also required to implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers.
Similar to certain other State Data Privacy Laws, the TXDPSA requires that controllers conduct and document data protection assessments in connection with certain processing activities, such as processing personal data for targeted advertising or certain profiling purposes, selling personal data, processing sensitive data, or any other processing activity that presents a heightened risk of harm to consumers. A data protection assessment must identify and weigh the benefits of the processing activity against the potential risks to consumers (as mitigated by the safeguards the controller employs to address such risks). Data protection assessment obligations under the TXDPSA apply only to processing activities that begin after July 1, 2024 (i.e., the statute's effective date), and are not retroactive. Controllers may use data protection assessments created pursuant to other laws with similar requirements, including other relevant State Data Privacy Laws, for TXDPSA compliance purposes.
Like most other State Data Privacy Laws, the TXDPSA requires controllers and processors to enter into a written contract that governs the data processing the processor performs on behalf of the controller. The TXDPSA requires contractual provisions that include clear instructions for the processing of the applicable data, describe the type of data subject to processing and the nature, purpose, and duration of that processing, and specify the rights and obligations of each party. Processors must be subject to a duty of confidentiality with respect to the applicable data and must enter into subcontracts with sub-processors to ensure similar protections. Processors also must assist controllers in complying with applicable obligations (1) under the TXDPSA (e.g., responding to consumer rights requests and completing data protection assessments) and (2) related to the security of personal data processing and the notification of security breaches under Texas Code Chapter 521.
Consumer Rights and Requests
The TXDPSA provides a variety of individual consumer rights that align with most other State Data Privacy Laws. These include the rights to access, correct, delete, and obtain a copy of personal data, and to opt out of the sale of personal data and/or the sharing of personal data for targeted advertising.
The TXDPSA also permits parents and guardians to exercise rights on behalf of their children (defined as individuals under the age of thirteen (13)). Children's data must be processed in accordance with the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. (COPPA), which requires consent from parents or guardians.
The TXDPSA also grants consumers certain rights with respect to "sensitive data." The TXDPSA's definition of "sensitive data" is similar to the definitions seen in most other State Data Privacy Laws and encompasses a consumer's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation data. Similar to certain other State Data Privacy Laws, such as the Virginia Consumer Data Protection Act, the TXDPSA provides an "opt-in" regime for the processing of sensitive data: controllers may not process a consumer's sensitive data "without obtaining the consumer's consent" (or, if the "sensitive data" is children's data, without processing it in accordance with COPPA).
Right to Appeal
Under the TXDPSA, a controller must respond to a consumer's request to exercise a right within forty-five (45) days of receipt of the request. A controller can extend the response period by an additional forty-five (45) days when reasonably necessary, taking into account the complexity and number of consumer requests received within the initial forty-five (45) day period, provided that it gives the consumer notice and an explanation. Like most other State Data Privacy Laws, if the controller denies a consumer's request, the controller must explain the justification for the denial and include instructions for appeal that are conspicuously available and similar to the process for submitting consumer rights requests. Within sixty (60) days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal. If the appeal is denied, the controller must provide the consumer with an online mechanism through which the consumer may contact the Texas Attorney General to submit a complaint.
Selling Personal Data
The TXDPSA defines the "sale of personal data" as "the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party." The TXDPSA also provides exceptions to the "sale of personal data" in line with a number of other State Data Privacy Laws, including a controller's disclosure of personal data:
- to a processor that processes personal data on behalf of the controller
- to a third party for purposes of providing a product or service requested by the consumer
- to the controller's affiliates
- that the consumer intentionally made available to the general public and did not restrict to a specific audience
- to a third party as an asset that is part of a merger or acquisition.
As noted above, controllers must provide consumers with the ability to opt out of the sale of their personal data, but the TXDPSA does not provide any additional guidance on how controllers must offer and process such consumer opt-out requests from a technical perspective. However, if a controller engages in the sale of sensitive data, the controller must include the following disclosure in its privacy notice: "NOTICE: We may sell your sensitive personal data".
Targeted Advertising
The TXDPSA defines "targeted advertising" as "displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests." Like most other State Data Privacy Laws, the TXDPSA expressly excludes certain activities from the definition of "targeted advertising," such as advertisements based on:
- activities within a controller's own websites or online applications
- the context of a consumer's current search query or visit to a website or online application
- the consumer's request for information or feedback
- processing that measures or reports advertising performance, reach, or frequency.
The TXDPSA also imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data.
Deidentified and Pseudonymous Data
The TXDPSA defines "deidentified data" as data that cannot be reasonably linked to an identified or identifiable individual or device, and such data is expressly excluded from the definition of "personal data." Similar to certain other State Data Privacy Laws, the TXDPSA requires that controllers in possession of deidentified data take reasonable measures to ensure that such data cannot be associated with an individual and contractually obligate any recipients of deidentified data to comply with all applicable provisions of the TXDPSA. Additionally, like some other State Data Privacy Laws, such as the Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, and Connecticut Data Privacy Act, the TXDPSA requires controllers to "publicly commit" not to re-identify deidentified data.
The TXDPSA defines "pseudonymous data" as any information that cannot be attributed to a specific individual without the use of additional information. Certain consumer rights (e.g., right to access, delete, opt-out, etc.) under the TXDPSA do not apply to pseudonymous data if the controller demonstrates that any additional information necessary to identify the consumer is kept separately and subject to effective technical and organizational controls that prevents the controller from accessing such information.
The TXDPSA requires controllers that disclose deidentified data and/or pseudonymous data to exercise reasonable oversight to monitor compliance with any contractual commitments with third parties related to such deidentified data (including avoiding attempts to re-identify such data) and/or pseudonymous data and to take appropriate actions to address any breaches of such contractual commitments.
Enforcement and Penalties
In contrast to the California Consumer Privacy Act and California Privacy Rights Act, the TXDPSA does not provide consumers with a private right of action and is not enforced by a dedicated privacy agency. Rather, the TXDPSA is enforced by the Texas Attorney General. Under the TXDPSA, the Texas Attorney General, prior to initiating an action, will provide a controller with thirty (30) days' written notice that identifies the specific provision(s) alleged to be violated. The controller and/or processor may cure such alleged violations within the thirty (30) day period. If uncured, the Texas Attorney General may initiate an action against the controller and/or processor and recover up to $7,500 in civil penalties per violation.