Texas Joins Other States in Passing a Comprehensive Privacy Law
On June 18, 2023, Governor Greg Abbott signed into law the Texas Data and Privacy Security Act (the “Texas Privacy Law”), which goes into effect July 1, 2024. With this law, Texas joins 10 other states that have also passed comprehensive privacy laws throughout the United States: California, Virginia, Colorado, Connecticut, Utah, Florida, Montana, Iowa, Tennessee, and Indiana.
Overall, while the Texas Privacy Law closely resembles the privacy model established by the non-California privacy laws, it has certain nuances. Nevertheless, any company that has already implemented compliance with other privacy laws should be able to leverage its existing privacy compliance program to address the Texas Privacy Law.
Described below are the key takeaways from the Texas Privacy Law, including noteworthy deviations from the other state privacy laws:
To whom does this apply?
Unlike the other state privacy laws—which are triggered if a business meets a certain revenue threshold, conducts a volume of personal data processing, or derives a certain revenue from the sale of personal data—the Texas Privacy Law applies to entities that: (1) conduct business in Texas or produce a product or service consumed by residents of the state, (2) process or sell any volume of personal data, and (3) are not a small business, as defined by the US Small Business Administration.1
The Texas Privacy Law also follows the naming convention used by the non-California privacy laws by referring to the entity that determines how and why personal data is processed as a “controller” and the entity that processes personal data on behalf of the controller as the “processor” (e.g., vendors performing services for a business).
What is covered?
Like the other state privacy laws (except for California), the Texas Privacy Law only applies to personal data collected from individuals acting in an individual or household context, and does not include persons who are interacting with a business in a commercial or employment setting. Thus, business-to-business and human resources data are not in scope. The Texas Privacy Law also contains a number of exemptions that are both common among the other state privacy laws and more expansive, including an exemption for financial institutions covered under the Gramm-Leach-Bliley Act, covered entities or business associates under the Health Insurance Portability and Accountability Act of 1996, non-profits, government entities, institutions of higher education, and electric utilities, power generation companies, or retail electric providers.
What rights are provided?
The Texas Privacy Law provides Texas residents rights available under most of the other state privacy laws, including the right to: (1) confirm whether a controller is processing personal data and to access the personal data; (2) correct inaccuracies in the personal data; (3) delete personal data; (4) obtain a copy of personal data; and (5) opt out of sale, targeted advertising and profiling.
Like the other state privacy laws, controllers have 45 days to respond to requests to exercise these rights, and consumers have the right to appeal a controller’s refusal to take action on a privacy rights request.
What are a controller’s obligations under the law?
Controllers subject to the Texas Privacy Law are required to: (1) provide consumers with a privacy notice; (2) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose of processing as disclosed to the consumer; (3) safeguard personal data; (4) obtain consent before processing sensitive personal data;2 (5) avoid discriminating against consumers for exercising their rights; (6) enter into contracts containing specific provisions with processors, which is fairly consistent with the language required under other state privacy laws; (7) conduct data protection assessments for certain high-risk processing activities; and (8) clearly and conspicuously disclose any sale of personal data to third parties or processing of data for targeted advertising.
If a controller sells sensitive or biometric data, it must include the following language in its privacy notice: “NOTICE: We may sell your sensitive personal data” or “NOTICE: We may sell your biometric personal data.”
Who enforces this law?
There is no private cause of action under the Texas Privacy Law; the Texas Attorney General has exclusive authority to investigate and enforce the law. Municipal privacy laws and other requirements are preempted.
Before However, before bringing an enforcement action, the Texas Attorney General’s office must give the controller a notice and 30 days to cure the alleged violation. Setting the Texas Privacy Law apart from other state privacy laws is a more stringent cure requirement. Specifically, a controller must not only provide the attorney general a written statement confirming that the violation has been cured, but must also notify the consumer that the privacy violation was addressed, provide supporting documents evidencing cure, and, if necessary, adjust internal policies to prevent recurrence. If a controller fails to cure the alleged violation, it could face potential penalties of up to $7,500 for each violation and an injunction.
In conclusion, with the rapid expansion of state comprehensive privacy laws in the United States, it is important to develop , as much as possible, a harmonized and systematic approach for implementing privacy compliance. Fortunately, states—like Texas—have been generally following a common framework in developing their privacy laws, which helps companies adopt such a harmonized approach to compliance. With the legislative sessions open in other states, we may see more states pass comprehensive privacy laws in the absence of federal legislation.
The U.S. Small Business Association defines a small business as a business with fewer than 500 employees. For the industry-level definitions of small business used in government programs and contracting, see www. sba.gov/content/small-business-size-standards.
Under the Texas Privacy Law, small businesses may not sell sensitive data without the consumer’s prior consent.
1 The U.S. Small Business Association defines a small business as a business with fewer than 500 employees. For the industry-level definitions of small business used in government programs and contracting, see www. sba.gov/content/small-business-size-standards.
2 Under the Texas Privacy Law, small businesses may not sell sensitive data without the consumer’s prior consent.
