On June 18, Texas became the eleventh state to enact a comprehensive consumer privacy law by passing the Texas Data Privacy and Security Act (TDPSA) (HB 4). The TDPSA will take effect on July 1, 2024, which is the same day as the recently passed Florida Digital Bill of Rights.

The TDPSA contains many provisions that are similar to other state privacy laws, particularly the Virginia Consumer Data Protection Act (VCDPA), but the TDPSA applies to a much broader range of individuals and businesses (known as “controllers” under the statute) inside and outside of the state. Starting January 1, 2025, the TDPSA also requires all controllers to recognize universal opt-outs (e.g., web browser privacy settings or the use of designated electronic agents).

A New Standard of Applicability

Prior state privacy laws have limited their applicability to legal entities that are large, process a large amount of personal data, or are in the business of selling personal data or targeted advertising to individuals. The TDPSA applies much more broadly, pulling in individuals as well as businesses regardless of their revenues or the number of individuals whose personal data is processed or sold. The TDPSA applies to any individual or business that meets all of the following criteria:

  1. Conducts business in Texas or produces a product or service consumed by residents of Texas.
  2. Processes or engages in the sale of personal data.
  3. Is not a small business as defined by the United States Small Business Administration (SBA).

In addition, even small businesses must obtain a consumer’s consent for the sale of sensitive personal data.

This statute is another large step in the general movement of states broadly regulating businesses with only minimal contact with the state (see, for example, the California Consumer Privacy Act).

Determining Applicability

Unlike other privacy laws, the TDPSA is not focused on whether a business is targeted at Texas residents but rather on whether any services or products are consumed by a resident of Texas. The second standard, whether the person or business engages in the “processing or sale of personal data,” further expands the applicability of the TDPSA to include individuals and businesses that engage in any operations on personal data, such as the “collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” In short, collecting, storing or otherwise handling the personal data of any resident of Texas, or transferring that data for any consideration, will likely meet this standard. The third standard provides an exemption for businesses that meet the SBA definition of a “small business.” Consider using the SBA’s resources to determine whether your business qualifies for that exemption.

In addition to small businesses, certain other businesses that would otherwise be subject to the law may nonetheless fall into one of several general exemptions. These include nonprofits, healthcare entities subject to HIPAA, institutions of higher education, utility providers, and financial institutions. The TDPSA also does not apply to employee information or to protected health information under HIPAA, which may also exempt information processed by a “business associate.”

Rights of Consumers

Unlike the unique applicability standard, the consumer rights granted in the TDPSA are generally consistent with the VCDPA and some other states. These consumer rights include:

  • The right to know whether a controller is processing the consumer’s personal data.
  • The right to receive a portable copy, in digital format, of the consumer’s personal data processed by the controller.
  • The right to request deletion of personal data provided by or obtained about the consumer.
  • The right to request a correction of inaccurate personal data.
  • The right to opt out of sales of personal data, targeted advertising, and profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
  • The right to appeal any refusal to take action on any of the above requests.

Controllers’ Obligations

Controllers must practice data minimization (only using personal data as reasonably necessary) and avoid secondary uses. Controllers also should complete data protection assessments for some processing activities, e.g., those involving the sale of personal data, processing of sensitive data, or processing that presents a heightened risk of harm to consumers (including for purposes of targeted advertising).

A controller that is in possession of “deidentified” or “pseudonymous” data should take reasonable measures to ensure that the data cannot be associated with an individual, in addition to publicly committing to not re-identify the data. Furthermore, the controller must contractually obligate any recipient of the deidentified data to comply and should exercise reasonable oversight to monitor compliance with any contractual commitments to which the data is subject. This includes ensuring appropriate steps are taken to remedy any breach of these commitments.

Additionally, the TDPSA requires that controllers maintain both Data Processing Agreements and Privacy Policies. In the privacy policy, a controller is required to specify whether it sells sensitive personal data and/or biometric data. In order to satisfy this requirement, the controller must include a notice stating, “NOTICE: We may sell your sensitive personal data” and/or “NOTICE: We may sell your biometric data.”

Similar to the VCDPA, the TDPSA is missing specific provisions regarding children’s data. The TDPSA does not specify whether consent can be later revoked by consumers. Also, controllers are granted the right to authenticate opt-out requests.

Universal Opt-Outs

While most of the TDPSA takes effect on July 1, 2024, including the right of individuals to opt out of certain types of processing, the right to opt out of the sale of personal data, targeted advertising and profiling is expanded as of January 1, 2025. As of that date, controllers must permit consumers to exercise those opt-out rights using global technologies such as a link to an internet website, internet browser setting or extension, or a global setting on an electronic device. Controllers will be obligated to comply with all verifiable opt-out requests that are reasonably connected to a consumer.

Attorney General Enforcement

The Texas Attorney General (AG) has been given sole enforcement rights on any violation of the TDPSA. The AG must give 30 days’ notice to any person found in violation of the TDPSA and allow the person 30 days to cure the violation. The right to cure will apply only if the controller provides a written statement and supporting documentation that the violation has been cured and notifies consumers of the violation. The right to cure does not sunset. A person who breaches and fails to cure that breach within the 30-day cure period may incur a civil penalty of up to $7,500. The TDPSA does not provide for regulatory rulemaking.

Important Dates

July 1, 2024: Most provisions of the TDPSA take effect.

January 1, 2025: Controllers must begin recognizing universal opt-out methods.

Our team will continue to monitor the TDPSA. If you have any questions about the TDPSA or other state privacy laws and how they could affect your business, please contact the authors.