Texas will soon join the growing list of states that have passed comprehensive data privacy legislation. House Bill 4, the Texas Data Privacy and Security Act (“TDPSA” or the “Act”), has a broad reach and will apply to all businesses operating in Texas or selling products or services to Texas residents and collecting personal information (other than small businesses, non-profits and others qualifying for exceptions to the TDPSA). The requirements of the TDPSA are extensive and the costs of failing to comply may be substantial.
To comply with the TDPSA, many businesses will need to implement several changes to their data privacy and security policies. Companies must be prepared to update and expand their privacy policies, inventory data that they collect, conduct a data protection assessment before processing certain data, and implement data processing agreements with subcontractors. These steps may be time intensive and require coordination between different business units.
The TDPSA passed the Texas House on April 5, 2023, by a vote of 146-0, and a Texas Senate version of the bill passed the Texas Senate on May 10, 2023, by a vote of 30-0. A reconciled version of the two bills passed both the Texas House and Senate and on May 30, 2023 was sent to Governor Abbott, who is expected to sign the legislation. The TDPSA is based on the Virginia Consumer Data Privacy Act (“VCDPA”), but also takes concepts from the California Privacy Rights Act (“CPRA”) and the European Economic Area’s General Data Protection Regulation (“GDPR”). The TDPSA does not create a private right of action for violations. If signed, the law will take effect on July 1, 2024 and will be enforced by the Texas Attorney General.
The TDPSA’s scope is broad: It applies to all persons conducting business in Texas or producing a product or service consumed by Texas residents that process or sell personal data and are not small businesses as defined by the U.S. Small Business Administration. This is unlike the VCDPA and CPRA, which limit their reach to businesses meeting financial and number-of-record thresholds.
Like the VCDPA, the TDPSA expressly excludes individuals acting in a commercial or employment context, so, unlike the CPRA, the Act will not apply to employee and contractor personal information. The Act also exempts state agencies, non-profits and entities subject to HIPAA or Gramm-Leach-Bliley.
Data Controllers and Processors
The Act uses the terms “controller” and “processor” to describe the parties involved in using and sharing data. A controller is “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.” The controller is the decision-maker. A processor is defined as an individual who processes data, and process is defined broadly to include the “collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
The Act requires that controllers contract with processors of data, with the contract governing how the processor will process the data. These contracts must include:
- clear instructions for processing data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of processing;
- the rights and obligations of both parties; and
- requirements that the processor:
  - impose a duty of confidentiality on each person processing personal data,
  - delete or return all personal data to the controller after the service is completed (with an exception for where retention is required by law),
  - provide information to the controller to assess compliance,
  - facilitate audits or review of the processor’s compliance, and
  - require any subcontractors to enter into a written agreement requiring them to meet the same requirements as the processor.
These terms may be added into a contract governing the relationship between a controller and processor, such as a services or licensing agreement. However, as state data privacy laws proliferate, many companies have begun using separate data processing agreements to simultaneously comply with multiple state data privacy laws at once. These agreements implement contractual terms that are required by law and can address the liability for and handling of data breaches of personal information.
The TDPSA prohibits “dark patterns” in obtaining consumer consent. Under the Act, a dark pattern is “a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice” and also includes any practice the Federal Trade Commission (“FTC”) considers a dark pattern. Businesses should review their practices and look to FTC guidance to ensure their interfaces do not include dark patterns.
The TDPSA mirrors the VCDPA in recognizing five data-related rights of consumers including the rights to:
- Confirm the controller is processing the consumer’s personal data;
- Correct inaccuracies;
- Delete personal data;
- Obtain a copy of personal data; and
- Opt out of processing of personal data for targeted advertising, sale, or for the profiling of a consumer.
Under the Act, consumers may exercise these rights by sending a request to the controller, and the controller will have 45 days to respond to the request with certain limited opportunities for extension.
In addition to the above rights, and like the VCDPA, the TDPSA also creates a new category of data, termed “sensitive data,” which includes personal data related to:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical health diagnoses;
- Sexuality; or
- Precise geolocation (within a radius of 1,750 feet).
While the five data rights are “opt-out” rights that require the consumer to contact the controller and exercise their rights, consumers must “opt-in” to the processing of sensitive personal information. Companies should prepare to get consent from consumers before processing sensitive personal information.
Data Protection Assessments
Before processing data for the purposes of targeted advertising, the sale of personal data, profiling of a consumer, processing of sensitive data, or any other processing activity involving personal data that presents a heightened risk of harm to consumers, businesses must conduct a data protection assessment. The data protection assessment must weigh the benefits and risks of processing data. To ease compliance, a single data protection assessment may address a similar set of processing operations, and an assessment produced to follow a different jurisdiction’s laws may fulfill this requirement if the assessment has a reasonably comparable scope and effect.
Sale of Personal Data
The sale of personal data is not prohibited, but it does trigger certain notice provisions and requires the controller to undergo a data protection assessment. The sale of sensitive personal information is prohibited without prior consent from the consumer. Notably, this provision also applies to small businesses, which are otherwise out of scope of the TDPSA.
Enforcement by Attorney General
Unlike the CPRA, the TDPSA does not create a private right of action; instead, the Act is enforced exclusively by the Texas Attorney General. Before bringing an action under the Act, the Attorney General must notify the person of the potential violations of the Act and then allow a 30-day cure period for the potential violator to remedy the violation. If a person or business is found to have violated the Act, they are liable for a civil penalty of up to $7,500 per violation. A court may also order injunctive relief.
What This Means for You
It is important for organizations operating in Texas or selling products or services to Texas residents to realize that achieving compliance with the TDPSA may be time consuming and costly. Organizations should keep in mind that the TDPSA is broadly applicable and will apply to businesses operating in Texas that do not meet one of the narrow exceptions. If the Act applies to an organization, it should start early and allocate resources and time to implement the necessary changes to ensure compliance by July 1, 2024. For example, covered organizations should:
- create or update a comprehensive data inventory that provides insight into both the types of data involved and nature of each processing activity;
- take steps to segregate sensitive data;
- implement a framework for conducting data protection impact assessments;
- update their internal and external privacy policies; and
- assess whether they need data processing agreements with vendors and service providers.
Businesses that fail to comply may face a $7,500 fine per violation. “Violation” is as yet undefined but could be interpreted to mean each individual instance in which a company improperly processes or discloses personal information, as seen in connection with other data privacy legislation. If this interpretation is adopted, financial exposure could be significant.
As companies work to comply with the TDPSA, they should also keep in mind other privacy laws in effect or coming into effect in other states, such as the CPRA, CPA, VCDPA and UCPA, and be aware of the potential for adoption of additional state data privacy laws.