On May 29, 2023, Texas's H.B. 4, also known as the Texas Data Privacy and Security Act ("Act"), passed in the Texas legislature. The bill will now land on the desk of Governor Greg Abbott for signature. The Texas Data Privacy and Security Act joins the growing number of states that have passed or enacted legislation in 2023, including Iowa, Indiana, Tennessee and Montana, and more are expected in the coming months. Five states already have comprehensive privacy laws in place or set to become effective soon - California, Virginia, Colorado, Connecticut, and Utah. This profusion of new data privacy legislation has engendered an increasingly challenging compliance landscape, with businesses having to account for new requirements of each successive law. If enacted, businesses will have less than a year to prepare for the Texas Data Privacy and Security Act before it goes into effect on March 1, 2024.
Scope: The scope of the Texas Data Privacy and Security Act is drawn somewhat differently, and more broadly, than existing state privacy laws. Unlike those laws, which generally apply to businesses that exceed certain revenue or data processing thresholds, the Texas Data Privacy and Security Act applies to persons (under Texas's Code Construction Act, a "[p]erson includes corporation, organization, government or governmental subdivision or agency, business trust, estate, trust, partnership, association, and any other legal entity") that:
- Conduct business in Texas or produce a product or service consumed by Texas residents
- Process personal data of Texas residents
- Are not a small business as defined by the US Small Business Administration (SBA)
This final criterion, depending as it does on the SBA definition of a small business, may produce disparate outcomes from existing privacy laws. For one, the Act has no data processing volume threshold. Additionally, while the SBA currently defines a small business as one having 500 or fewer employees, this definition may be subject to adjustment and there are myriad exceptions to the current SBA definition. For example, depending on the business's sector, the SBA may instead look to its revenue or utilize a different employee headcount limit in determining whether it is a small business. These factors introduce some degree of uncertainty regarding the extent and applicability of the Texas Data Privacy and Security Act, but it will likely apply to most Texas businesses. Organizations of all sizes should take note that, while the Act generally does not extend to small businesses, its prohibition against selling sensitive data without consent applies to all businesses that conduct business in Texas regardless of their SBA designation (see below).
The Texas Data Privacy and Security Act also features a familiar list of exceptions and exemptions. It does not apply to state agencies, GLBA- or HIPAA-governed entities, nonprofit organizations or institutions of higher education. The Texas Data Privacy and Security Act also contains a limited public utility exemption, which applies on to electric utilities, power generation companies, and a retail electric providers. Additionally, the Act only protects consumers acting in an individual or household capacity, and therefore is not applicable to employment or business-to-business (B2B) contexts.
Data Subject Rights: One of the cornerstones of the Texas Data Privacy and Security Act is the establishment of a set of rights that a consumer may exercise in respect of their data. These rights include a right to request that a controller:
- Confirms that the data controller is processing their data and to access their personal data
- Correct inaccuracies in their personal data
- Delete their personal data
- Obtain a copy of their data in a portable and readily usable format, such that it may be transmitted to another controller.
A data subject may also opt out of having their data processed for the purpose of targeted advertising, the sale of their data, or profiling that produces a legal or significant effect on the data subject.
Processing: Under the Texas Data Privacy and Security Act, data controllers are subject to certain conditions and restrictions regarding the processing of personal data. A controller may only collect data that is adequate, relevant, and reasonably necessary in relation to the disclosed purpose for which it is processed and may not process data for purposes that aren't reasonably necessary to or compatible with that purpose, except with the consumer's consent. Controllers are also prohibited from discriminating against data subjects who exercise their statutory rights (see above), such as by denying goods or services to such customers or by charging them higher prices. Sensitive data (defined as personal data revealing one's racial or ethnic, origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, genetic or biometric data, children's data, or precise geolocation data) may only be processed with the consumer's consent. Moreover, controllers must establish administrative, technical and physical measures for safeguarding data, commensurate with the volume and nature of the personal data. As noted above, a controller—even if it meets the SBA definition of a small business—may not sell sensitive data without the data subject's prior consent (under the Act sale includes an exchange for nonmonetary consideration). Interestingly, the Act prohibits a controller from using "dark patterns" (which is defined as "a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice") to obtain consent for processing.
Privacy Notice: As with many other privacy laws, the Texas Data Privacy and Security Act requires controllers to display an accessible and clear privacy notice outlining how it uses personal data. In particular this notice should address:
- The categories of personal data being processed, including whether sensitive data is processed
- The purposes of the processing
- How consumers may exercise their rights
- The categories of data that is shared with third parties, as well as the categories of third parties with whom data is shared
Moreover, the Act prescribes specific wording must be used in the notice if a controller sells sensitive data or biometric data, respectively:
- "NOTICE: This website may sell your sensitive personal data."
- "NOTICE: This website may sell your biometric personal data."
Given that biometric data is a subset of sensitive data as defined by the Act, it is unclear if controllers selling biometric data (and no other forms of sensitive data) would be required to post both notices or whether the latter notice alone would suffice.
A controller must also disclose the process by which a data subject can opt out of the sale of their data for targeted advertising, if the controller sells personal data for that purpose.
Processor Obligations: Processors, entities that process personal data on the behalf of a controller, are also subject to certain requirements. Specifically, they must assist controllers in responding to data subject requests, reporting data breaches, and must provide information necessary to conduct a data protection assessment (see below). Controller-processor contracts must also include terms requiring that personal data is subject to a duty of confidentiality, that data be deleted or returned at the completion of the service, and that the processor makes all information available to the controller to comply with the Act or to perform a reasonable assessment. If a processor engages a subcontractor, it must ensure that the subcontractor meets the same requirements as the processor with respect to the data.
Data Protection Assessments: Before undertaking certain types of processing associated with higher risks of harm — including processing for targeted advertising, the sale of personal data, processing for the purpose of profiling that presents a risk of unfair or deceptive treatment, financial, physical or reputational injury, or physical or other intrusion, and the processing of sensitive data — a controller must complete a data protection assessment.
The data protection assessment should weigh the benefits of the contemplated processing to the consumer, controller and other stakeholders against the risks posed to the consumer. The assessment should account for the possibility of using de-identified data, reasonable consumer expectations, the context of the processing, and the relationship between the controller and the processor. A single assessment may be used to fulfill the obligations with respect to different laws or processing, as long as requirements and activities respectively are comparable. Although the assessment does not need to be submitted upon completion, it must be retained by the controller and may need to be produced in response to a civil investigative demand by the Attorney General.
Enforcement and Penalties: There is no private right of action under the Texas Data Privacy and Security Act, and there is an established cure period. The Texas Attorney General is the sole enforcement and investigative authority for the Texas Data Privacy and Security Act. The Attorney General will establish an online mechanism for consumers to submit complaints. Before bringing an action alleging a violation of the Act, the Attorney General must first notify the alleged offender and provide 30 days to cure the alleged violation. After the expiration of the cure period, the Attorney General may bring an action seeking up to USD 7,500 for each violation, as well as injunctive relief and attorney's fees and other expenses. To benefit from the cure period, the person must not only cure the alleged violation but e.g. also notify the consumer that the consumer's privacy violation was addressed.
Although its substantive provisions largely track prevailing trends in recent data privacy legislation, the Texas Data Privacy and Security Act's novel applicability provisions may mean that some organizations maybe be subject to the Act even if they are not caught by existing privacy laws. As a first step, businesses should work with counsel to determine which of the emerging privacy laws apply to them and to design a compliance program based on applicable requirements.